Slashdot Mirror


Malvertising Campaign Hits MSN, NY Times, BBC, AOL

An anonymous reader quotes an article on Help Net Security: In the last couple of days, visitors of a number of highly popular media outlets including the NY Times, the BBC, and Newsweek have been targeted with malicious adverts that attempted to install malware (mostly ransomware, but also various Trojans) on their systems. The websites themselves weren't compromised as the problem was with the ad networks these sites use -- Google, AppNexus, AOL, Rubicon. The ad networks were tricked into serving malicious ads to the visitors.

12 of 159 comments

  1. Ad Blocking by Anonymous Coward · · Score: 5, Insightful

    And then they'll tell us to please unblock them so they can make money on our misfortune.

    1. Re:Ad Blocking by Sax+Russell+5449D29A · · Score: 5, Insightful

      I always thought their pleas to unblock their sites should reflect reality: "Please let us serve you malware!"

      Malware distribution via ad networks is a very old and well-known scheme. It would be stupid not to block all ads. As no point can effectively be made without a car analogy: would you not wear your seatbelt if the owner of the road came to you with such a plea?

      --
      -SR
  2. And they wonder why I use an adblocker.... by QuietLagoon · · Score: 4, Insightful

    I need to protect myself from their security incompetence.

    "The websites themselves weren't compromised"

    The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware.

    1. Re:And they wonder why I use an adblocker.... by Aighearach · · Score: 4, Insightful

      These companies forget why Google exists, why they are successful. In the 90s, there were 2 choices; use an ad aggregator and get lots of malware, or manage all the ads in-house and lose money because it isn't your core competency and is hard. Google was the one that didn't shop the ads out to fourth parties, they didn't let advertisers choose the HTML code. That meant no malware.

      Users who don't have their own protection will rightly blame the website who exposed them. The scammers basically "are" the NY Times. It is like signing an "online power of attorney" when you let external ad networks choose what HTML you'll serve from your site. They won't ask for that ability in the first place because they have good intentions. If they had good intentions, they'd just want to provide their media, instead of code.

      Not only are they responsible for what they serve, they explicitly chose to give these people the power to do this.

    2. Re:And they wonder why I use an adblocker.... by tnk1 · · Score: 3, Insightful

      It is sort of a Catch-22 for the providers. They get money from the ad networks, who are all compromised, but have no way of stopping what is served themselves.
      So, the right solution is to block ads.

      However, if the ad blockers aren't turned off, they get no money from the ad networks.

      Ultimately it is the ad networks who are responsible, and no one is able to hold them accountable except maybe some top flight content providers.

      It would be better for the content providers if they could just shut off ads and find another way to pay for creating their content, but no one wants to reach into their wallets and pay money to do so.

      The one thing that the ad networks do is that they do tend to make getting money to content providers a more simple matter than attempting to obtain and keep subscribers. Subscribers aren't sticker shocked for paying $10 for a site that they just wanted to read one story on, so the general public is paying indirectly by buying products and paying into a pool of advertising money.

  3. Re:BBC? by Richard_at_work · · Score: 3, Interesting

    Adverts are shown to users visiting from non-UK IP addresses on all participating BBC websites.

  4. So, Forbes, Wired, et al. by Snotnose · · Score: 4, Interesting

    wanna tell me again why it's wrong of me to run an ad-blocker? Try to use bigger words this time, cuz when you use the smaller ones I understand 100% what you're telling me and my Deja-Moo detector goes off.

    Deja-Moo - that feeling you've heard this bull before.

  5. Adblocker = Malware blocker by Anonymous Coward · · Score: 5, Interesting

    Adblocker & related tools should change their marketing from 'helping you to block ads' to 'helping you avoid Malware/trojans etc.'...e.g. they should advertise & promote themselves as a 'security tool'...everything out of their mouths, on their website etc should be focused on that use case. Any time some politician opens their mouth about how adblockers are 'stealing' or 'ruining' some business the makers of adblocking tools should retort with statements about 'helping users security' etc.

  6. By what definition were they not compromised? by Anubis+IV · · Score: 5, Insightful

    "The websites themselves weren't compromised as the problem was with the ad networks these sites use"

    If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.

    Take responsibility, show some respect for your viewers, and stop making excuses. Vet your ads. Serve them from your own servers. Make them first-party. Compelling us to turn off ad-blockers to access your content while not taking steps on your end to protect us from malicious content is sloppy, negligent, and shows an utter and complete disregard for your customers.

    1. Re:By what definition were they not compromised? by Anubis+IV · · Score: 3, Insightful

      "The sites' customers are not you; you are the fucking product, dipshit. You are what they are selling to the advertisers, durrr."

      Setting aside the silly ad hominem, let's go ahead and approach it from that angle, since I agree that it's a valid way to view the situation (it's the view I typically espouse, in fact). Our attention is a limited resource, and it's the product that these sites are packaging up and delivering to their actual customers. But just as loggers or fishermen will quickly find themselves in an untenable position if they show a complete and utter disregard for the natural resource they collect, so too will these sites find themselves in a similar position if they do the same. Even if they don't pay me the attention I'm due as a customer, they should still show a proper regard for me as the resource that they deliver to their customer. Or, at least, that's what they should do if they want to stay in business.

      Incidentally, you've mistaken my thinking poorly of their design decisions for outrage. I think it's their prerogative to serve third-party ads if they want, just as it's my prerogative to block third-party content by default. I think it's their prerogative to block me because I'm blocking their ads, just as it's my prerogative to stop visiting their site in response to that block. They're acting within their rights, but as with pretty much any business decision, there are consequences, and I believe that they haven't yet weighed the pros and cons correctly.

  7. Re:Maybe by RavenLrD20k · · Score: 5, Funny

    Has anyone found a Forbes Link on this? I can't search there because I won't turn off my ad-blocker and Forbes won't let me past their page requesting that I turn off the blocker. It just goes through an endless loop.

  8. Running Ad Blocker like running Antivirus by Chas · · Score: 5, Insightful

    Seriously.

    Sure, some people can (and do) run for extended periods of time without getting compromised without ad blockers or AV.
    In the end, it's just a matter of time before they're infested.

    And yes, compromises on large ad networks like Google may be somewhat rare. But that doesn't help me when a website using their network gives me a drive-by install of Locky or something that totally hoses all my (or my company's) data.

    As such, there is NO negotiation about ad blocking. It's happening. PERIOD.

    Until the entire ad industry formulates an acceptable ad policy that people can live with, that DOESN'T pose a danger to its users, ad blocking will continue.

    Now content providers are free to take their ball and go home. I don't much give a shit. If given a choice between having my personal and company data destroyed/stolen and watching every content provider on the Internet crash and burn due to lack of ad revenue? Let the fuckers crash and burn!

    --
    Chas - The one, the only.
    THANK GOD!!!