Slashdot Mirror


Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com)

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazzetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.

23 of 135 comments

  1. We knew this by Anonymous Coward · · Score: 5, Insightful

    It's why Ad-blocking has become a thing. So, yeah, we're gonna keep blocking ads to avoid this crap.

    Stop using Flash. Don't even allow it on your website.
    Bring advertising in-house. It's not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now and wants to advertise on it.
    Stop looking at those who block ads as your enemies. These are the smart consumers you want to engage with. Unless you're shoveling shit of course.

    We warned you and warned you this was happening, but you were blinded by money and laziness. Now you're merely getting what was coming to you.

    1. Re:We knew this by TroII · · Score: 5, Insightful

      There is no evidence that suggests you're any safer with adblock

      The very article you're commenting about is proof that you're safer with an ad blocker.

    2. Re:We knew this by johannesg · · Score: 2

      The telegraaf.nl site (biggest Dutch newspaper) has been running an anti-ad-blocker for a long time now. When you try to access the site you get instructions how to disable your adblocker, but not the articles or even the frontpage itself. In response I stopped reading telegraaf.nl, and in hindsight that feels like a good decision.

    3. Re:We knew this by stoatwblr · · Score: 2

      Virtually no ad blockers will filter 1st party advertising (i.e., adverts directly from the site you're viewing).

      The problem isn't malvertising itself, it's that companies which used to closely vet what kind of ads went into their print/video/audio media are passing off the responsibility to 3rd parties who have repeatedly proven they aren't up to the task.

      I.e., malvertising is a symptom of the security problem, not the cause.

  2. The answer to malvertising by jrumney · · Score: 5, Insightful

    Make sites responsible for the ads they carry. The address networks (Google and whoever is left that they haven't bought yet) will then be forced by the customers with enough power to start taking responsibility, which will incentivise them to do more about the problem. As long as we allow companies to pass the buck, advertising will remain an opportunity for criminals to exploit.

    1. Re:The answer to malvertising by mcmonkey · · Score: 2

      I support the sites I visit through memberships and services like Patreon. I buy CDs and BluRays for the artists I like. (Yes, I'm the one.)

      But I have web ads blocked every which way. Can't trust the ad networks.

    2. Re:The answer to malvertising by msauve · · Score: 2, Insightful

      "Make sites responsible for the ads they carry."

      I disagree. If a website is open, so visitors can protect themselves by using ad blockers or other filters, they should not be held responsible for third party content. They should only be responsible for the content they provide directly.

      But, if a website forces visitors to disable ad blockers (or filters of any sort) before using their site, they should then be held responsible for any malfeasance due to all content they provide, directly or indirectly.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law

    3. Re:The answer to malvertising by WorBlux · · Score: 5, Interesting

      Control = responsibility. The ultimate decision whether to serve an advert or not lies with the domain controller, and thus the ultimate responsibility. Make the primary site liable to malware served through it. In effect this will force ad networks to offer indemnification policies on their ads, and the pointy hair types will finally see a reason to properly screen and sandbox advertisements.

    4. Re:The answer to malvertising by Anne+Thwacks · · Score: 3, Insightful

      Common carrier protects ISPs. It does not protect website operators. It most certainly does not protect people who serve third party ads containing malware. They are in the same boat as people who sell contaminated food supplied by third parties.

      The consumer has right of redress against whoever supplies them.

      Except in America, where the criminal has the rights to whatever he can get away with.

      --
      Sent from my ASR33 using ASCII

    5. Re:The answer to malvertising by Aighearach · · Score: 4, Insightful

      Exactly. Just like on television; if a channel broadcasts an ad with boobies, it is the channel that gets fined, not the advertiser. Who paid for me to see Janet Jackson's nipple shield? Her? No, CBS.

    6. Re:The answer to malvertising by Cederic · · Score: 2

      No, it's like saying an answer to unwanted pregnancy is condoms.

      The media sites demanding you disable your protection are just like the Catholic church, worried a revenue stream might dry up.

  3. Obligatory by IWantMoreSpamPlease · · Score: 4, Funny

    There are ads on the internet?
    Who knew?

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.

  4. Thank you, Adblock! by elrous0 · · Score: 5, Insightful

    And, to think, several of those sites had the nerve to chastise me for using it.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.

  5. Nobody cares by guruevi · · Score: 2

    I didn't get infected (exclusively Linux and a few Mac since 1995) but I got several attempts of sites downloading Windows scripts/binaries, some weird interaction with a custom Chromium build. I reported them to Google and submitted the sample to a few AV vendors, nobody cares, large sites (think CNN, WaPo, ...) had the same ads attempting the same thing for weeks on end and the download never got recognized by AV. I stopped caring too, the ad sellers sell ads and that's all they care about. AV companies only care about the big threats because scary sells, some custom package that affects a few dozen of their customers doesn't matter.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  6. Re: Malvertising's nullified by this by Anonymous Coward · · Score: 4, Funny

    zAParKie, shut up and take your pills

  7. Re: No problem by Anonymous Coward · · Score: 4, Insightful

    "Like, I manage ad networks"

    And there it is. No one wants to see fucking ads you stupid mother fucker.

  8. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  9. Re: Yawn by Anonymous Coward · · Score: 4, Informative

    A lot more details are in the original write up: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

  10. Re:No problem by Calydor · · Score: 2

    Okay, so that closes the malware vectors.

    Now we STILL have to remove the ads to reclaim the 50% or more of screen space they claim on many sites, allow sites to load faster (especially on slow or datacapped connections), and generally avoid having epileptic seizures from all the flashing gifs and other crap that still floats around out there.

    --
    -=This sig has nothing to do with my comment. Move along now=-

  11. Re:Webmasters/Ad comps deserve it. by JaredOfEuropa · · Score: 2

    That's why I prefer script blockers over ad blockers: the static stuff and animated GIFs still get through, while blocking Flash ads and those ads that will animate and play a sound when you roll over them. If a lot of people start doing this, perhaps the ad networks will start to see a pattern, and adjust accordingly.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

  12. Ad blocker blocker blocker? Eat DMCA. by tepples · · Score: 2

    There was a post two weeks ago on an adtech blog suggesting that some publishers* are about to go full DMCA/CFAA on developers of ad blockers that include an ad blocker blocker blocker. By this legal theory, an ad blocker blocker is an "access control" measure, and an ad blocker blocker blocker is a "circumvention device".

    Learning about this plan has led me to think of ways to provide a better experience on a metered Internet connection without specifically blocking ads. One is to set a cap on how much data an individual page loads, with a "Load More" button after each megabyte. Another is to block video content types, script content types, and things loaded from third-party domains. If this becomes common, advertisers will at least have to start making their "creative" leaner.

    * Operators of websites that carry advertising.
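
The three data-saving rules from the comment above (a per-page cap with "Load More", blocked video and script content types, blocked third-party loads), sketched as an added example that is not part of the original post. All names (`createPagePolicy`, `siteOf`, `BUDGET_BYTES`) and the sample domains are hypothetical, and comparing the last two host labels is a simplification of real third-party detection.

```javascript
// Added illustration, not code from the thread; all names are hypothetical.
const BUDGET_BYTES = 1024 * 1024; // one "Load More" step = 1 MB
const BLOCKED_TYPES = [/^video\//, /(java|ecma)script/];

// Simplification: treat the last two host labels as "the site". Production
// code needs the Public Suffix List (example.co.uk would be misjudged here).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function createPagePolicy(pageUrl) {
  const pageSite = siteOf(pageUrl);
  let allowance = BUDGET_BYTES;
  let used = 0;
  return {
    // Decide on one response from its URL, Content-Type and size in bytes.
    decide(url, contentType, bytes) {
      if (siteOf(url) !== pageSite) return 'block:third-party';
      const type = contentType.split(';')[0].trim().toLowerCase();
      if (BLOCKED_TYPES.some((re) => re.test(type))) return 'block:type';
      if (used + bytes > allowance) return 'defer:budget'; // wait for the user
      used += bytes;
      return 'allow';
    },
    // The user pressed "Load More": grant another megabyte.
    loadMore() { allowance += BUDGET_BYTES; },
    usedBytes() { return used; },
  };
}

// Constructed sample traffic for a page on news.example.com.
function demo() {
  const p = createPagePolicy('https://news.example.com/story');
  return [
    p.decide('https://static.example.com/site.css', 'text/css', 200000),
    p.decide('https://ads.adnet.test/banner.png', 'image/png', 5000),
    p.decide('https://news.example.com/app.js', 'application/javascript; charset=utf-8', 1000),
    p.decide('https://news.example.com/big.jpg', 'image/jpeg', 900000),
  ];
}
```

Note that the policy never looks at whether a resource is an advertisement: a lean first-party image ad passes, while a third-party script is refused whatever its purpose.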

  13. You can't advertise on "the Internet" by tepples · · Score: 3, Informative

    Bring advertising in-house. It's not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now

    How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?

    and wants to advertise on it.

    But without an intermediary, you can't advertise on "the internet". Instead, you would have to advertise on individual publishers' sites, which is much more time-consuming for both advertisers and publishers.*

    Say you have 30 publishers, each of which wants to find relevant advertisers, and 30 advertisers, each of which wants to find relevant publishers. If there is an intermediary, this means 60 contracts to review and sign. If there is no intermediary, there are 900. How does a change from O(n) with an intermediary to O(n^2) without one improve the market?

    And even then, how will an individual publisher be able to reassure its advertisers that view and click statistics are accurate and not inflated? All other things being equal, an intermediary such as Google is considered more trustworthy because it has more to lose should a claim of fraud end up substantiated.

    * In the advertising market, a "publisher" is the operator of a site that carries ads.

  14. Depends on extent of regulation by tepples · · Score: 2

    Banks I'll grant. They're unusual in that financial industry regulations mean they have the most to lose if a script is found to be unsafe. Healthcare sites are up there as well because of HIPAA (or foreign counterparts).

    For sites in less regulated industries, how should a user go about finding whether a site's scripts are safe to add to the user's whitelist?