US iOS Users Targeted by Massive Malvertising Campaign

A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm revealed this week. From a report: The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads. In this particular case, the code used by the ScamClub group hijacked a user's browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.

These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today. "On November 12 we've seen a huge spike in our telemetry," Jerome Dang, Confiant co-founder and CTO, told ZDNet in an email. Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year.

This is not anything new...

[ctilsie242]

It is not uncommon, if you don't have an ad blocker in place on iOS, especially if you use FB's browser, to wind up being dumped to a site offering free iPhones or gift cards. So much so, that an ad blocker is a must for browsing on iOS, otherwise, your browsing screeches to a halt by a redirect and a takeover for these scams. Even legit sites get these fairly commonly.

On Android, Dolphin Browser is the best way to browse, and that also gets rid of this problem with its innate ad-blocking.

Re:This is not anything new...

Even legit sites get these fairly commonly.

Which pretty much confirms there is no such thing as a 'legitimate' ad network, and that the only reasonable conclusion is to block all of them on the assumption they're corrupt and broken.

I say until such time as this problem is 100% solved, everyone who works for an internet ad agency is fair game for a beat down for every instance of shit like this, no matter what the ad agency responsible.

Either the ad companies find a workable solution, or eventually we run out of people who work for ad companies. It's a win-win either way.

And, sorry, but if you work in internet advertising, you really do deserve that beat down and I don't much care that you're doing it to pay the bills; that's not my problem. The people who helped the Nazis said the same thing.

Internet ad companies are parasites who don't give a fuck about your privacy or security. Which means I don't care about their privacy or safety.

Simple solution

[ceoyoyo]

Sites that serve ads are held responsible for damages if visitors get hijacked by those ads. In turn, those sites can hold ad providers liable. The online advertisers would tighten up their security in a hurry when the lawsuits started rolling in. We might even get to go back to plain image ads.

And this is why ...

This shit is why I have zero qualms with blocking all ads, and why I would never surf the web on a mobile device.

This "allow every third party to run script" mentality the advertisers want the internet to operate on so their business model isn't disrupted is basically the conduit to this shit, because it leaves you wide open to everything. This is like saying I should leave my doors unlocked in case someone I do want in my house comes by, it's stupid.

No, I'm not letting third party scripts execute, no you don't get to set a cookie, and if at all possible, my browser will ignore your domain ... you are an advertiser, you can fuck off and die for all I care, because I have no choice but to assume you're dishonest.

What needs to happen is mobile devices and browsers need to start from the position that you as a random web site should in no way be trusted, nor should whatever asshole third parties you link to. It's impossible for the average user to defend against this. If advertisers and web sites can't operate without requiring you essentially disable all reasonable security, that's their problem.

None of this blanket consent of "you agree to our ToS and the ToS of the 20 parasites we link to", but a straight up "no, that's OK, I'm not running third party code on your say so just because you're a greedy sack of shit".

Honest advertisers are like honest telemarketers ... they may exist, but I don't give a fuck, and it's not my job to sift out the good ones. I'm simply going to block all of them, because I don't care.

All of advertising on the internet is tainted with this shit. It's time to start changing things so this garbage isn't allowed to execute by default.

I don't care what website it is, I will ruthlessly block third party stuff. Your revenue model doesn't trump either my privacy or security.

Fuck advertisers, they're the reason why security on the internet is so fucking broken.

Re:And this is why ...

[Hallux-F-Sinister]

[...] I don't care what website it is, I will ruthlessly block third party stuff. Your revenue model doesn't trump either my privacy or security.

Fuck advertisers, they're the reason why security on the internet is so fucking broken.

It’s also the reason the internet exists. If all advertising went away, (and I hate it myself and wish 99% of it would disappear, then maybe I’d stop using ad blockers,) and all the money went with it, either every site you’d visit would have a paywall and you’d have to log in to use it, or it simply woulnd’t exist. Every name you typed in would give you a DNS error or 404 Not Found error.... you’d try to go to Google (or your favorite search engine if not Google,) and try to search around to see what happened, and it would be down too.

You’d think it was the apocalypse and would wander outside and see a bunch of other people wandering the street in housecoats or else underwear, staring blinkingly at the sky. What’s going on, you’d shout to a neighbor, who’d stare at an object far, far behind you, and say, in a hollow, broken voice, ‘there’s no Google. It’s just... gone...”

You’d look all around, the horror dawning on you... no web ads... no internet. No web ADS! No internet. No ads, no search providers. No ad revenue, no INTERNET! Then you’d but it all together and shout, NO INTERNET!

Then the pitchforks and torches get broken out, and you don’t want to know what happens after THAT