US iOS Users Targeted by Massive Malvertising Campaign (zdnet.com)
A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm revealed this week. From a report: The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads. In this particular case, the code used by the ScamClub group hijacked a user's browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.
These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today. "On November 12 we've seen a huge spike in our telemetry," Jerome Dangu, Confiant co-founder and CTO, told ZDNet in an email. Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year.
Sites that serve ads are held responsible for damages if visitors get hijacked by those ads. In turn, those sites can hold ad providers liable. The online advertisers would tighten up their security in a hurry when the lawsuits started rolling in. We might even get to go back to plain image ads.
This shit is why I have zero qualms with blocking all ads, and why I would never surf the web on a mobile device.
This "allow every third party to run script" mentality the advertisers want the internet to operate on so their business model isn't disrupted is basically the conduit to this shit, because it leaves you wide open to everything. This is like saying I should leave my doors unlocked in case someone I do want in my house comes by, it's stupid.
No, I'm not letting third party scripts execute, no you don't get to set a cookie, and if at all possible, my browser will ignore your domain ... you are an advertiser, you can fuck off and die for all I care, because I have no choice but to assume you're dishonest.
What needs to happen is mobile devices and browsers need to start from the position that you as a random web site should in no way be trusted, nor should whatever asshole third parties you link to. It's impossible for the average user to defend against this. If advertisers and web sites can't operate without requiring you essentially disable all reasonable security, that's their problem.
None of this blanket consent of "you agree to our ToS and the ToS of the 20 parasites we link to", but a straight up "no, that's OK, I'm not running third party code on your say so just because you're a greedy sack of shit".
Honest advertisers are like honest telemarketers ... they may exist, but I don't give a fuck, and it's not my job to sift out the good ones. I'm simply going to block all of them, because I don't care.
All of advertising on the internet is tainted with this shit. It's time to start changing things so this garbage isn't allowed to execute by default.
I don't care what website it is, I will ruthlessly block third party stuff. Your revenue model doesn't trump either my privacy or security.
Fuck advertisers, they're the reason why security on the internet is so fucking broken.