Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Spotify Ad Slipped Malware Onto PCs and Macs (techhive.com)

Posted by EditorDavid on from the Now-Playing dept.

An anonymous Slashdot reader quotes TechHive: Spotify's ads crossed from nuisance over to outright nasty this week, after the music service's advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online...the ads directed users' browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software.
It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem." And they're not the only company dealing with hidden malware in ads, since the same thing has happened to both Google and Yahoo.

41 of 96 comments (clear)

  1. How difficult can it be by Anonymous Coward · · Score: 5, Insightful

    to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

    1. Re:How difficult can it be by alvinrod · · Score: 4, Informative

      Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      Most savvy users wouldn't which is why they use some kind of ad blocker or no script plugin. Even if asa weren't vectors for malware infection, video ads and trackers tend to chew through bandwidth and batteries as well.

      If websites limited themselves to static images without the massive number of trackers, I'd be far more likely to turn off the blocker. But for whatever reason, advertisers pay websites more if they use the world's most annoying shit.

    2. Re:How difficult can it be by nicolaiplum · · Score: 2

      to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      This is often quite surprising to those who don't know how modern Internet advertising works, but that is what people do. To have advertising on your site, you load a JS library from the advertising network and call into it to display the advertisement, and it does what it wants to show an advert. You're trusting them not to do anything evil - and the advertising network maybe trusting the advertiser not to do anything malicious, but you are certainly trusting the advertising network to screen for bad content.

      You can have the above policy, but who will enforce it? You cannot, only the advertising network can, as they provide the content how they will. If a malicious advertiser can manage to sneak something in that passes whatever automated testing the advertising network uses, or exploits a bug in the browser, then the website operator can't do much about it.

      This is the Web (and apps) of today - this is the exchange you have all made for the "free" websites you like. All the users of websites, all the ones who don't want to pay, have made this advertising software backdoor surveillance monstrosity that is the WWW today.

      --
      "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
    3. Re: How difficult can it be by Anonymous Coward · · Score: 2, Insightful

      Oh yeah, blame the victim. I'm not even old but I remember the dot com boom and bust. The real reason we have this monstrosity is because the internet changed from hobby to business. What was supposed to be an information sharing network became a huge advertising platform. We have nothing to blame but corporate greed.

    4. Re:How difficult can it be by the_Bionic_lemming · · Score: 1

      I run a website, and it is free from ads.

      Had to disable a lot of rss feeds because the sites - like /. started to advertise on my website.

      The only RSS feed left is the bbc.

      I don't make money off of the site, but it's a hobby, and I enjoy doing it. Costs me less than a month of cable TV per year to do it.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    5. Re: How difficult can it be by Z00L00K · · Score: 1

      I'm more likely to click on text only ads. Even if that's a rare event too.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re: How difficult can it be by tinkerton · · Score: 1

      I usually click in empty space in order to set the focus to the browser, only to discover that there's a ad link there. So plenty of inadvertent ad clicking here.

    7. Re:How difficult can it be by JaredOfEuropa · · Score: 1

      So make it clear to the advertising networks that you want a "still image only" option. That'll be a huge improvement even if you're still using their JS to display it. And since a lot of them now seem to pay mostly per click (rather than per view), there's no need (or excuse) to offer a lower payout for banner-only ads.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    8. Re:How difficult can it be by Falos · · Score: 1

      >implying requisite ads
      Oh please, it's nothing more than opportunistic capitalism slurping every dollar in reach. It's the nature of the beast. They're going to cash in no matter what.
      See also: Cable television

  2. Ads are bad by Anonymous Coward · · Score: 2, Insightful

    Ads are malware

  3. Shashdot has had this as well. by stfvon007 · · Score: 5, Insightful

    I have had something similar happen a couple times on slashdot - an ad redirects the whole page to a scam "You won a free apple laptop" page that tries to trick you into downloading malware. (for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux) This is why I have adblocker software and why slashdot is NOT whitelisted anymore. (Hint to slashdot's owners, Adopt the policy of the first poster and I may whitelist you again)

    --
    All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
    1. Re:Shashdot has had this as well. by Jesus_666 · · Score: 1

      (for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux)

      When the installer asks you if you want to install systemd-scamd you say no.

      For the Gentoo users: The openscamd project is set to announce their first release soon so you know what not to compile.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  4. Nothing personal by Ol+Olsoc · · Score: 1
    But unless the advertisements cann ot be a disease vector, the fuck your advertisements. I Want you to go out of business, and I wnat your CEO's to b in jail, and your stockholderd to lose every cent.

    So we have Forbes? Fuck you and go out of business, the world will celebrate

    Imagur? Fuck you and go out of business, the world will celebrate

    Spotify? Fuck you and go out of business, the world will celebrate

    Unyil you clean up your act, and quit fucking people's computers up, Fuck off, assholes. You're the problem, not the solution. Goout of business already.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Re:for the 8979814th time... by Ol+Olsoc · · Score: 2

    Do NOT allow untrusted sources to run javascript (or any similar thing) on your computer. Sure, block ads too if you want, but the real problem here is letting totally unknown entities run scripts on your machine,

    Yeah, but bullshit. You're saying something like yeah, Jack in the box sold tainted hamburgers and it killed some people bgut hey - itwas their fault because they ate them. Sorry, you arent supposed to get that shit in the first place.

    You are begging for problems if you do that.

    Everything is the customers fault, eh? How bout this? Don't go to the sites that serve up this shit, or better yet, kill your computer. You can't get malware if you don't have a computer. If you have one and have a problem it is always your fault. Jerk

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  6. Disable Ad Blockers? by rholtzjr · · Score: 1

    And they want me to disable my Ad Blocker? I think not!!

  7. Yet another reason why Adblocking and Scriptblocki by Dr.+Crash · · Score: 4, Insightful

    Yet another reason why adblockers and scriptblockers are essential.

    Not just because ads chew up your pay-by-the-byte bandwidth, but because they are actively serving up malware.

    Sorry, all you ad-supported sites... find another business model. Your current methods are dying a very painful death.

  8. Enough of the IAB, ad networks and bad websites by StandardCell · · Score: 4, Insightful

    It is beyond unacceptable that:

    * Ad networks continue to be a vector for device infections both directly and indirectly
    * Ad networks track and profile users across websites without their consent
    * Websites use pop-over scripts to interrupt the viewing experience
    * Ad scripts and other ads use deceptive means to generate accidental clicks/taps
    * Websites redirect users unwittingly to app stores, particularly when said apps have nothing to do with the website content

    While I sympathize with website owners trying to monetize their content, they have left users with no choice but to block ads indiscriminately. The mobile browsing experience is particularly out of control now and shows what utter contempt or incompetence websites have regarding their user experience.

    The IAB and ad networks are complicit in allowing this situation to persist, yet focus all of their attention on trying to prevent ad blocking through technical and legal means rather than actually enforcing some standards of non-obtrusive advertising that doesn't threaten to direct you to some scummy malware site with a zero-day.

    Maybe it will take a few lawsuits, or boycotts, or just an overall drop in revenue for these deluded parties to stop this nonsense once and for all. Maybe it will be something else. Until the economics of serving and designing ads is tied to a positive UX, there will be an endless technological war to protect users from malicious ads.

    1. Re:Enough of the IAB, ad networks and bad websites by Anonymous Coward · · Score: 2, Interesting

      I've been on the Internet/Web for a long time. When Cantor and Siegel first spammed USENET, it had already been 15 years for me. I had been involved in the early protocol meetings concerning TCP/IP, (I brought donuts...), the Usenet "Great Renaming", and the creation of some of the first rec.(group.group) Newsgroups, some of which weren't meant to be taken seriously... (Dammit, the actual CFV for rec.humor.objectivism was supposed to be a joke in itself, and yet it roused so many humorless Objections...)

      "The IAB [wikipedia.org] and ad networks [wikipedia.org] are complicit in allowing this situation to persist..."
      They aren't just complicit, they are the very reason that this situation persists. Every time some Sanctimonious Bastard in Advertising or Marketing opens his mouth to address just about anything related to Advertising and the Internet, MY Internet, I want to wring their bloody neck until their eyes pop out of their sockets and green goo gushes from their ears.
      Enough of this mild talk...

      It's time to take blocking Advertising to the next level. It is no longer enough to just block it on our end. It has to be blocked at the Server level. There are several means of doing this, Dungeons Dragons or Snakes for instance, but these means shouldn't be addressed at the most egregious of offenders; no, the Sanctimonious Bastards are first in line. Just imagine what if... what if the IAB was held... I don't know of any other way of putting this... what if the IAB was held Ransom? All that they have to do is reign in the Worst of their Lot, or the Best will be obliterated. It's called their Taking Responsibility. And after all, _we_ killed Adobe Flash because of Abuse. This has happened before; there is no reason to stop now.

      Sir, (Nobody quite knows for sure who actually Knighted him, or why...), John Hawkwood and his Knights in White, the White Company, tore through Europe in the 14th Century, when they weren't otherwise engaging in the 100 Years War or the Crusades. At times, they brought Commerce to a literal crawl, because raising one's head meant that it might be chopped right off, before the Goods were requisitioned. And at times, they could be quite civilized- Pay a Ransom, or Else. Ah, the days and origins of the White Knights...

      I'm too old for all this nonsense of course; I might end up marooned in some distant land just like a distant Ancestor, Enguerrand VII, Sire de Coucy, dying from a Virus, (Or possibly the Plague.), while Hawkwood retired to fame and fortune, the ultimate Bribe, in what eventually became Italy.

      No, this is a task for the Younger Folk, Errant Knights all, eager for yet another Crusade. (And this isn't meant to be taken seriously either. Or is it?)

    2. Re:Enough of the IAB, ad networks and bad websites by AmiMoJo · · Score: 1

      Maybe if they went back to the old static image served from the same place as the rest of the page they could actually increase their profits. These days analytics have driven prices down, compared to the old model where you paid for a billboard or TV spot without really knowing much beyond roughly how much traffic the board/channel was getting at the time. Information is power and by giving too much of it to the ad buyers they were able to drive costs down.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Ad networks ARE infection vectors. by Anonymous Coward · · Score: 2, Insightful

    Ad networks ARE infection vectors.

    Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.

    1. Re:Ad networks ARE infection vectors. by Ol+Olsoc · · Score: 2

      Ad networks ARE infection vectors.

      Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.

      THIS! A million times this.We don't watch ads on Television that screw up our Televisions.

      Your computer is not supposed to be fucked up things that presumably reputable websites serve you. If a person's computr is bitched up that way, they aren't the guilty party.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Ad networks ARE infection vectors. by Ol+Olsoc · · Score: 1

      Your television is not a general purpose computation device.

      A computer is, and it does what you tell it to. If what you tell it is to let someone else give it orders, then it will do that. If the other party gives it malicious orders, well, it will obey.

      It's not a difficult concept.

      Whooshes for pretty damn big whooshes.

      The point you apparently don't get isn't about how software is written, or what Lda Lovelace or the abacus ever had to do with Windows 10 or the Intel line of microprocessors is that television ads don't screw up your television, that the "ads" served up mandatorily by websites do screw up your computer.

      To attempt to take your silly missing of the point to it's logical conclusion, that makes television much superior to the intertoobz and the machines used to access them.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Ad networks ARE infection vectors. by uniquegeek · · Score: 1

      Your television is not a general purpose computation device.

      This is like arguing a cell phone isn't a computer, about ten years ago. It's well on its way to getting there. Our "SmartTV"s even get updates, but I'm sure it's all for the users' benefit, yes?

  10. This will keep happening until someone is sued. by Leslie43 · · Score: 3, Insightful

    I'm amazed no big company has stepped up to do it yet, how much are companies spending fighting all of these?

    Microsoft only stepped up it's game to stop the fake updates when they wanted to display ads in the OS, which tells you exactly how much these companies really care about it, so long as it's not truly effecting their bottom line or putting them at risk of being sued they won't bother. There's a reason ads have such a bad reputation and it's one that's well deserved.

    Besides adblockers, switch your dns to OpenDNS, they block most ad networks so your blocker has less to do.

  11. Re:for the 8979814th time... by Zxern · · Score: 2

    Yeah this isn't the old day where visiting a porn or warez site and you got hit with a virus, you deserved it. Today visiting CNN can get you infected with a virus.

    Today you have to run ad blocks and no scripts to keep from getting infected, while the ad networks are actively working to undermine those same solutions while doing little to stop the malware.

  12. Re:for the 8979814th time... by Zxern · · Score: 2

    No this isn't on the users. Spotify is serving up the ads to make money. It's their responsibility to not infect their customers with malware by simply visiting the site.

  13. Something I've wanted by Pikoro · · Score: 1

    I've always wanted an option in my browser to only display items on a page if they are from *.domain.com of the site I'm looking at. Cross site anything would simply stop working. Then, if a site is hosting it's own ads, it would display. No ad blocker required. It would also stop third party cookies, javascript, etc..

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    1. Re:Something I've wanted by geek · · Score: 2

      Install uMatrix, done

    2. Re:Something I've wanted by CastrTroy · · Score: 1

      Firstly, you'd end up blocking a lot of content on sites that use CDNs to host their content. Secondly, it would be easily subverted by the site setting up a subdomain such as adnetwork.example.com pointing to the desired ad network so their ads could slip by your filter.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Something I've wanted by Pikoro · · Score: 1

      There is another solution to sites that use CDNs. They could host their own content. If you're at the point where you need a CDN, you have the income to afford it. I ran a (I thought) rather popular site from a dynamic IP in my house. Received over 1 million unique users per day, plus forums, downloads, source code hosting, mail, etc. I also hosted my own ad network on the same system. This was direct advertising that I hosted and vetted myself, on my server. Bandwidth costs are cheap. If I can optimize a core 2 duo with 1Gb of ram to run that kind of traffic, using a CDN just seems lazy to me. Some months, I cleared around $5k. My cost, not counting my own time? About $50/mo. This was in 2004/5.

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  14. Re:for the 8979814th time... by AHuxley · · Score: 1

    The problem is that sites now detect the lack of ads been allowed to run and lock up content and comments with a static demand to whitelist.
    To keep on using a site the user has to open their computer to infection.

    --
    Domestic spying is now "Benign Information Gathering"
  15. Re: self defense by phorm · · Score: 2

    Apple tax? You realize that Macs were among the computers infected (per the fucking HEADLINE)

  16. So Spotify, how about you reimburse people? by cerberusss · · Score: 1

    It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem."

    Yeah well, you fucked up people's computers. How about you offer to let the affected people contact you, so you can make sure and reimburse them to get their computers reinstalled?

    --
    8 of 13 people found this answer helpful. Did you?
  17. Re: for the 8979814th time... by Z00L00K · · Score: 1

    Today not many sites are trusted.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  18. And these idiots wonder why by Chas · · Score: 3, Interesting

    Seriously, the advertising industry wonders why we hate ads and ad delivery platforms so much.

    Because of shit like this.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:And these idiots wonder why by houghi · · Score: 2

      While I agree that this does not help, I just dislike ads in general. Be it on a website, on tv, on the street or on my underware. I just dislike ads.

      People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply youâ(TM)re not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you.

      You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity.

      Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. Itâ(TM)s yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head.

      You owe the companies nothing. Less than nothing, you especially donâ(TM)t owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, donâ(TM)t even start asking for theirs.
      http://readingfrenzy.com/ledge...

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:And these idiots wonder why by sizzlinkitty · · Score: 1

      And they can't hear your complaints over the ching's of money entering their pocket book.

  19. Re:for the 8979814th time... by Dutch+Gun · · Score: 1

    I used to use noscript (which sort of works like an ad-blocker itself), and it was getting to be too much of a pain, so switched to uBlock Origin (which also blocks known malware domains by default as a bonus). Even though scripting is used to perform the infection, these days, disabling scripting just isn't feasible for many modern websites. It seems like it's scripting in ads that are the most typical delivery vector, and even then, it often depends on known, unpatched exploits (like Flash or Java plugins) or simple social engineering. So, just blocking the ads is probably enough, unless you're a "belt and suspenders" type. Good for you if you're willing to put up the inconvenience of trying to selectively unblock domains until a site works again, but if you're making the suggestion for normal users, I'd recommend just the ad-blocker.

    Incidentally, I really have nothing against ads themselves, unless they're intrusive and obnoxious (they were edging more and more this way, unfortunately). I block ads only because they're potentially dangerous. Once the industry figures out a way to create bulletproof-safe ads, I'll consider selectively unblocking sites I wish to support and which are useful or entertaining to me.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  20. Re:What ads? by mrbester · · Score: 1

    Remember how that didn't work with premium cable channels? Someone noticed there was a drop in ad revenue (ignoring the increase in subscription revenue) or they just wanted more money so there's ads where you've specifically paid to not have them.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  21. Re: Jango by Z00L00K · · Score: 1

    Jango Fett? Isn't he dead?

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  22. Over half of website exploit kits... by sizzlinkitty · · Score: 2

    are delivered via advertising networks. I learned this in a presentation about angular and nuclear web exploit kits. On the backside, some, if not all, ad networks sell advert space in a bidding format with multiple delivery granular controls.