Slashdot Mirror
Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com)
An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
Only morons would browse the web without an adblocker anyway.
Yea- Ars Technica disappointed me in there ability to accurately report the news making it sound like the FCC hasn't undermined free software users.
Its why Ad-blocking has become a thing. So, yeah, we're gonna keep blocking ads to avoid this crap.
Stop using Flash. Don't even allow it on your website.
Bring advertising in-house. Its not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now and wants to advertise on it.
Stop looking at those who block ads as your enemies. These are the smart consumers you want to engage with. Unless your shoveling shit of course.
We warned you and warned you this was happening, but you were blinded by money and laziness. Now you're merely getting what was coming to you.
Make sites responsible for the ads they carry. The address networks (Google and whoever is left that they haven't bought yet) will then be forced by the customers with enough power to start taking responsibility, which will incentivise them to do more about the problem. As long as we allow companies to pass the buck, advertising will remain an opportunity for criminals to exploit.
This is one of the reasons I disable Javascript in my browsers (No script, or just flat out disable it.) I only enable it to get the content I need. It's a PITA, but it's safe and speeds up my browsing on everything...
Does it hurt free content providers like /. ? Yes, it does. Does it hurt ad companies? Yes, it does.
Do I give a shit? No, I don't. Am I one of those wacked out crazy anti-ad persons? No, I'm not. I don't mind most ads whatsoever...
So what should they do? Go back to the past. Sell static banners/small animated gifs. No javascript, no flash, no tracking, no malware. Simply sell static ad space for X amount of money per Y amount of time. And serve it to EVERYONE. No need to block it. As it doesn't interfere with the site performance.
But this won't happen. Ad companies make too much money targeting us. Website maintainers can run ads with minimal amount of effort. And client companies get better bang for the buck targeting (rather than just broad marketing campaigns.)
Oh well, I can dream can't I?
This is why I call them not "Adblockers" but "Malware Vector Blockers".
There are ads on the internet?
Who knew?
So rise up, all ye lost ones, as one, we'll claw the clouds.
And, to think, several of those sites had the nerve to chastise me for using it.
SJW: Someone who has run out of real oppression, and has to fake it.
so who is being held accountable for this? nobody? seems blocking ads is not only justifiable but also a moral imperative too.
Anons need not reply. Questions end with a question mark.
I didn't get infected (exclusively Linux and a few Mac since 1995) but I got several attempts of sites downloading Windows scripts/binaries, some weird interaction with a custom Chromium build. I reported them to Google and submitted the sample to a few AV vendors, nobody cares, large sites (think CNN, WaPo, ...) had the same ads attempting the same thing for weeks on end and the download never got recognized by AV. I stopped caring too, the ad sellers sell ads and that's all they care about. AV companies only care about the big threats because scary sells, some custom package that affects a few dozen of their customers doesn't matter.
Custom electronics and digital signage for your business: www.evcircuits.com
zAParKie, shut up and take your pills
Comment removed based on user account deletion
No, blacklists are a poor idea security wise, as it's the threat you don't know that you need to worry about. A default deny policy for ads and scripts from domains you don't explicitly trust is the better security policy.
The APK software isn't open source, so we don't know whether we can trust it or not. That means I won't trust it. I'm not going to run some random EXE file that gets spammed all over Slashdot. Besides, blocking at the DNS level is much more effective.
A lot more details are in the original write up: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight
...and why hasn't anyone sued any of the idiot companies that are showing the crapvertisements?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
When my customers wonder why so many internet sites are broken I explain that we don't allow java or javascript and any site that needs it needs to be looked at with a jaundiced eye.
Between noscript, requestblocker and adblock plus, I have not has a single customer fall victim to any of these web based malware packages.
Every time I talk to my bank they look askance at me for not banking online. This is why I don't.
There was a post two weeks ago on an adtech blog suggesting that some publishers* are about to go full DMCA/CFAA on developers of ad blockers that include an ad blocker blocker blocker. By this legal theory, an ad blocker blocker is an "access control" measure, and an ad blocker blocker blocker is a "circumvention device".
Learning about this plan has led me to think of ways to provide a better experience on a metered Internet connection without specifically blocking ads. One is to set a cap on how much data an individual page loads, with a "Load More" button after each megabyte. Another is to block video content types, script content types, and things loaded from third-party domains. If this becomes common, advertisers will at least have to start making their "creative" leaner.
* Operators of websites that carry advertising.
Bring advertising in-house. Its not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now
How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?
and wants to advertise on it.
But without an intermediary, you can't advertise on "the internet". Instead, you would have to advertise on individual publishers' sites, which is much more time-consuming for both advertisers and publishers.*
Say you have 30 publishers, each of which wants to find relevant advertisers, and 30 advertisers, each of which wants to find relevant publishers. If there is an intermediary, this means 60 contracts to review and sign. If there is no intermediary, there are 900. How does a change from O(n) with an intermediary to O(n^2) without one improve the market?
And even then, how will an individual publisher be able to reassure its advertisers that view and click statistics are accurate and not inflated? All other things being equal, an intermediary such as Google is considered more trustworthy because it has more to lose should a claim of fraud end up substantiated.
* In the advertising market, a "publisher" is the operator of a site that carriers ads.
So what should they do? Go back to the past. Sell static banners/small animated gifs. No javascript, no flash, no tracking, no malware. Simply sell static ad space for X amount of money per Y amount of time.
Sell ad space to whom? Your "no tracking" rule appears to rule out ad networks and ad exchanges in favor of each publisher* having to run its own ad sales department. So what can the publisher of a smallish site do to find enough advertisers to buy most of its inventory? And how can this publisher assure advertisers that the view and click statistics that it provides are accurate?
* Operator of an ad-funded site
Windows itself is proprietary and requires admin privilege to run.
But seriously: On Windows, writing to %windir%\system32\drivers\etc\hosts requires administrative privileges. You can instead have APK Hosts File Engine generate the hosts file in your own profile and then use File Explorer to copy it to %windir%\system32\drivers\etc\hosts.
For one thing, I do most of my shopping on smile.amazon.com so that Electronic Frontier Foundation. A source is somewhat less likely to attack that vector.
But even if it does, security is a process of which the hosts file is one layer and PKI is another. The server will have to present an X.509 certificate for names smile.amazon.com or www.amazon.com (as appropriate) when my browser connects to port 443. A fake server's certificate won't be issued by either A. a CA certified by Mozilla or B. a self-signed CA that the Perspectives extension reports as consistent.
APK Hosts File Engine is proprietary because APK fears that a malware author would rebrand it the way Chromium was rebranded as eFast.
Then why do you not have a little star next to your name on slashdot?
Because Slashdot hasn't sold subscriptions for well over a year. From subscribe.pl:
During the Dice Holdings era, Slashdot instead experimented with giving a "Disable Advertising" checkbox to users with Excellent (25-50) karma to encourage them to provide and moderate comments. After Slashdot and SourceForge were sold to BIZX six months ago, this ended as well.
The subscription page for the red site, on the other hand, is up and running:
Ads are supposed to hack brains, not computers. This is an outrage!
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Make the sites fully liable. Problem solved
Banks I'll grant. They're unusual in that financial industry regulations mean they have the most to lose if a script is found to be unsafe. Healthcare sites are up there as well because of HIPAA (or foreign counterparts).
For sites in less regulated industries, how should a user go about finding whether a site's scripts are safe to add to the user's whitelist?
Say you're researching a topic, and you end up hitting a bunch of dead links because the operator of their respective servers could no longer afford to keep the lights on. Then Somebody Else's Problem becomes your problem.
Two of them are easy. "Encrypted" means served through HTTPS. "Ad choice supported" means supporting the YourAdChoices control to turn interest-based ad delivery on and off.
The other two are a bit more vague, but Google iab non-invasive ads returns IAB Tech Lab Solutions with a bit more explanation. "Light" means a maximum data size, as specified in IAB Creative Guidelines. "Non-invasive" means that ads do not cover the body of the article, and ads other than an interstitial before a video body do not automatically play audio.
Dude, aren't you trying to promote your product here?
Fuck off APK, AD block is just fine, much better than your option, the 90's called, they want their ad blocking back.
Would WebAssembly be preferable to JavaScript? Because without JavaScript and without WebAssembly, the only possible interaction is following a link or submitting a form and getting a reload of the entire page. This rules out a lot of use cases.