Slashdot Mirror


A Spotify Ad Slipped Malware Onto PCs and Macs (techhive.com)

An anonymous Slashdot reader quotes TechHive: Spotify's ads crossed from nuisance over to outright nasty this week, after the music service's advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online...the ads directed users' browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software.
It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem." And they're not the only company dealing with hidden malware in ads, since the same thing has happened to both Google and Yahoo.

20 of 96 comments

  1. How difficult can it be by Anonymous Coward · · Score: 5, Insightful

    to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

    1. Re:How difficult can it be by alvinrod · · Score: 4, Informative

      Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      Most savvy users wouldn't, which is why they use some kind of ad blocker or no script plugin. Even if ads weren't vectors for malware infection, video ads and trackers tend to chew through bandwidth and batteries as well.

      If websites limited themselves to static images without the massive number of trackers, I'd be far more likely to turn off the blocker. But for whatever reason, advertisers pay websites more if they use the world's most annoying shit.

    2. Re:How difficult can it be by nicolaiplum · · Score: 2

      to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      This is often quite surprising to those who don't know how modern Internet advertising works, but that is what people do. To have advertising on your site, you load a JS library from the advertising network and call into it to display the advertisement, and it does what it wants to show an advert. You're trusting them not to do anything evil - and the advertising network may be trusting the advertiser not to do anything malicious, but you are certainly trusting the advertising network to screen for bad content.

      You can have the above policy, but who will enforce it? You cannot, only the advertising network can, as they provide the content how they will. If a malicious advertiser can manage to sneak something in that passes whatever automated testing the advertising network uses, or exploits a bug in the browser, then the website operator can't do much about it.

      This is the Web (and apps) of today - this is the exchange you have all made for the "free" websites you like. All the users of websites, all the ones who don't want to pay, have made this advertising software backdoor surveillance monstrosity that is the WWW today.

      --
      "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
    3. Re: How difficult can it be by Anonymous Coward · · Score: 2, Insightful

      Oh yeah, blame the victim. I'm not even old but I remember the dot com boom and bust. The real reason we have this monstrosity is because the internet changed from hobby to business. What was supposed to be an information sharing network became a huge advertising platform. We have nothing to blame but corporate greed.
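
The embedding model described in nicolaiplum's reply above (a third-party script loaded into the publisher's own page) can be compared with framed delivery, where the HTML `sandbox` attribute lets the publisher withhold popups and top-level navigation from the ad. The audit below is an added example, not code from the thread or from any ad network; the hostnames, the `auditAdEmbeds` function and the sample markup are constructed for illustration.

```javascript
// Added example (not from the thread). Sandbox tokens that give framed ad code
// back the abilities reported in this thread: new tabs, whole-page redirects.
const RISKY_TOKENS = {
  'allow-popups': 'ad can open new tabs',
  'allow-popups-to-escape-sandbox': 'tabs it opens are not sandboxed',
  'allow-top-navigation': 'ad can redirect the whole page',
};

// Read a double-quoted attribute value from a single tag (null if absent).
function attr(tag, name) {
  const m = new RegExp('\\s' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(tag);
  return m ? m[1] : null;
}

// Classify every third-party <script src> and <iframe src> in the markup.
function auditAdEmbeds(html, pageHost) {
  const findings = [];
  const tagRe = /<(script|iframe)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = attr(tag, 'src');
    if (!src) continue; // inline script or srcdoc frame: not covered here
    const host = new URL(src, 'https://' + pageHost).hostname;
    if (host === pageHost) continue; // first-party resource
    if (m[1].toLowerCase() === 'script') {
      findings.push({ host, level: 'full-trust', why: 'script runs inside the page itself' });
    } else if (!/\ssandbox(?=[\s=>])/i.test(tag)) {
      findings.push({ host, level: 'unsandboxed', why: 'no sandbox restrictions on the frame' });
    } else {
      const tokens = (attr(tag, 'sandbox') || '').toLowerCase().split(/\s+/);
      const risky = tokens.filter((t) => Object.keys(RISKY_TOKENS).includes(t));
      findings.push(risky.length
        ? { host, level: 'weak-sandbox', why: risky.map((t) => RISKY_TOKENS[t]).join('; ') }
        : { host, level: 'contained', why: 'no popup or top-navigation tokens' });
    }
  }
  return findings;
}

// Constructed publisher page: one first-party script, four ad embeds.
const SAMPLE_PAGE = `
<script src="/static/app.js"></script>
<script src="https://cdn.adnetwork.example/loader.js"></script>
<iframe src="https://creative.adnetwork.example/slot1"></iframe>
<iframe sandbox="allow-scripts allow-popups allow-top-navigation" src="https://creative.adnetwork.example/slot2"></iframe>
<iframe sandbox="allow-scripts" src="https://creative.adnetwork.example/slot3"></iframe>`;
console.log(auditAdEmbeds(SAMPLE_PAGE, 'publisher.example'));
```

Only the last embed keeps the ad's script away from both the page and the browser's tab and navigation controls; the directly loaded script has no such boundary at all.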

  2. Ads are bad by Anonymous Coward · · Score: 2, Insightful

    Ads are malware

  3. Slashdot has had this as well. by stfvon007 · · Score: 5, Insightful

    I have had something similar happen a couple times on Slashdot - an ad redirects the whole page to a scam "You won a free Apple laptop" page that tries to trick you into downloading malware. (For those who say it was a virus on the PC not Slashdot, one of these times was on a fresh install of Linux.) This is why I have adblocker software and why Slashdot is NOT whitelisted anymore. (Hint to Slashdot's owners: adopt the policy of the first poster and I may whitelist you again.)

    --
    All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
  4. Re:for the 8979814th time... by Ol+Olsoc · · Score: 2

    Do NOT allow untrusted sources to run javascript (or any similar thing) on your computer. Sure, block ads too if you want, but the real problem here is letting totally unknown entities run scripts on your machine,

    Yeah, but bullshit. You're saying something like yeah, Jack in the Box sold tainted hamburgers and it killed some people but hey - it was their fault because they ate them. Sorry, you aren't supposed to get that shit in the first place.

    You are begging for problems if you do that.

    Everything is the customer's fault, eh? How 'bout this? Don't go to the sites that serve up this shit, or better yet, kill your computer. You can't get malware if you don't have a computer. If you have one and have a problem it is always your fault. Jerk

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Yet another reason why Adblocking and Scriptblocki by Dr.+Crash · · Score: 4, Insightful

    Yet another reason why adblockers and scriptblockers are essential.

    Not just because ads chew up your pay-by-the-byte bandwidth, but because they are actively serving up malware.

    Sorry, all you ad-supported sites... find another business model. Your current methods are dying a very painful death.

  6. Enough of the IAB, ad networks and bad websites by StandardCell · · Score: 4, Insightful

    It is beyond unacceptable that:

    * Ad networks continue to be a vector for device infections both directly and indirectly
    * Ad networks track and profile users across websites without their consent
    * Websites use pop-over scripts to interrupt the viewing experience
    * Ad scripts and other ads use deceptive means to generate accidental clicks/taps
    * Websites redirect users unwittingly to app stores, particularly when said apps have nothing to do with the website content

    While I sympathize with website owners trying to monetize their content, they have left users with no choice but to block ads indiscriminately. The mobile browsing experience is particularly out of control now and shows what utter contempt or incompetence websites have regarding their user experience.

    The IAB and ad networks are complicit in allowing this situation to persist, yet focus all of their attention on trying to prevent ad blocking through technical and legal means rather than actually enforcing some standards of non-obtrusive advertising that doesn't threaten to direct you to some scummy malware site with a zero-day.

    Maybe it will take a few lawsuits, or boycotts, or just an overall drop in revenue for these deluded parties to stop this nonsense once and for all. Maybe it will be something else. Until the economics of serving and designing ads is tied to a positive UX, there will be an endless technological war to protect users from malicious ads.

    1. Re:Enough of the IAB, ad networks and bad websites by Anonymous Coward · · Score: 2, Interesting

      I've been on the Internet/Web for a long time. When Cantor and Siegel first spammed USENET, it had already been 15 years for me. I had been involved in the early protocol meetings concerning TCP/IP, (I brought donuts...), the Usenet "Great Renaming", and the creation of some of the first rec.(group.group) Newsgroups, some of which weren't meant to be taken seriously... (Dammit, the actual CFV for rec.humor.objectivism was supposed to be a joke in itself, and yet it roused so many humorless Objections...)

      "The IAB [wikipedia.org] and ad networks [wikipedia.org] are complicit in allowing this situation to persist..."
      They aren't just complicit, they are the very reason that this situation persists. Every time some Sanctimonious Bastard in Advertising or Marketing opens his mouth to address just about anything related to Advertising and the Internet, MY Internet, I want to wring their bloody neck until their eyes pop out of their sockets and green goo gushes from their ears.
      Enough of this mild talk...

      It's time to take blocking Advertising to the next level. It is no longer enough to just block it on our end. It has to be blocked at the Server level. There are several means of doing this, Dungeons Dragons or Snakes for instance, but these means shouldn't be addressed at the most egregious of offenders; no, the Sanctimonious Bastards are first in line. Just imagine what if... what if the IAB was held... I don't know of any other way of putting this... what if the IAB was held Ransom? All that they have to do is rein in the Worst of their Lot, or the Best will be obliterated. It's called their Taking Responsibility. And after all, _we_ killed Adobe Flash because of Abuse. This has happened before; there is no reason to stop now.

      Sir, (Nobody quite knows for sure who actually Knighted him, or why...), John Hawkwood and his Knights in White, the White Company, tore through Europe in the 14th Century, when they weren't otherwise engaging in the 100 Years War or the Crusades. At times, they brought Commerce to a literal crawl, because raising one's head meant that it might be chopped right off, before the Goods were requisitioned. And at times, they could be quite civilized- Pay a Ransom, or Else. Ah, the days and origins of the White Knights...

      I'm too old for all this nonsense of course; I might end up marooned in some distant land just like a distant Ancestor, Enguerrand VII, Sire de Coucy, dying from a Virus, (Or possibly the Plague.), while Hawkwood retired to fame and fortune, the ultimate Bribe, in what eventually became Italy.

      No, this is a task for the Younger Folk, Errant Knights all, eager for yet another Crusade. (And this isn't meant to be taken seriously either. Or is it?)

  7. Ad networks ARE infection vectors. by Anonymous Coward · · Score: 2, Insightful

    Ad networks ARE infection vectors.

    Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.

    1. Re:Ad networks ARE infection vectors. by Ol+Olsoc · · Score: 2

      Ad networks ARE infection vectors.

      Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.

      THIS! A million times this. We don't watch ads on Television that screw up our Televisions.

      Your computer is not supposed to be fucked up by things that presumably reputable websites serve you. If a person's computer is bitched up that way, they aren't the guilty party.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  8. This will keep happening until someone is sued. by Leslie43 · · Score: 3, Insightful

    I'm amazed no big company has stepped up to do it yet, how much are companies spending fighting all of these?

    Microsoft only stepped up its game to stop the fake updates when they wanted to display ads in the OS, which tells you exactly how much these companies really care about it, so long as it's not truly affecting their bottom line or putting them at risk of being sued they won't bother. There's a reason ads have such a bad reputation and it's one that's well deserved.

    Besides adblockers, switch your DNS to OpenDNS, they block most ad networks so your blocker has less to do.

  9. Re:for the 8979814th time... by Zxern · · Score: 2

    Yeah this isn't the old day where visiting a porn or warez site and you got hit with a virus, you deserved it. Today visiting CNN can get you infected with a virus.

    Today you have to run ad blocks and no scripts to keep from getting infected, while the ad networks are actively working to undermine those same solutions while doing little to stop the malware.

  10. Re:for the 8979814th time... by Zxern · · Score: 2

    No this isn't on the users. Spotify is serving up the ads to make money. It's their responsibility to not infect their customers with malware by simply visiting the site.

  11. Re:Something I've wanted by geek · · Score: 2

    Install uMatrix, done

  12. Re: self defense by phorm · · Score: 2

    Apple tax? You realize that Macs were among the computers infected (per the fucking HEADLINE)

  13. And these idiots wonder why by Chas · · Score: 3, Interesting

    Seriously, the advertising industry wonders why we hate ads and ad delivery platforms so much.

    Because of shit like this.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:And these idiots wonder why by houghi · · Score: 2

      While I agree that this does not help, I just dislike ads in general. Be it on a website, on tv, on the street or on my underwear. I just dislike ads.

      People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you're not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you.

      You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity.

      Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It's yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head.

      You owe the companies nothing. Less than nothing, you especially don't owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don't even start asking for theirs.
      http://readingfrenzy.com/ledge...

      --
      Don't fight for your country, if your country does not fight for you.
  14. Over half of website exploit kits... by sizzlinkitty · · Score: 2

    are delivered via advertising networks. I learned this in a presentation about angular and nuclear web exploit kits. On the backside, some, if not all, ad networks sell advert space in a bidding format with multiple delivery granular controls.