Hackers Use Banner Ads on Major Sites to Hijack Your PC 268
The worst-case scenario used to be that online ads are pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software. And the ads do their dirty work even if you don't click on them.The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory." CT: Link updated to original source instead of plagerizer.
What are these "ads" you're talking about ? (Score:5, Insightful)
Never Experienced This (Score:4, Insightful)
who is to blame (Score:2, Insightful)
Ah, let the blame game begin (Score:5, Insightful)
The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal.
...and since those sites outsource to Doubleclick, they'll point a finger at them. Doubleclick will no doubt point the finger at some previously-unheard-of company that "solicits advertisements for the Doubleclick network", and they'll point the finger at their "client."
Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh? :-)
Doubleclick, of course, won't accept responsibility for vetting advertising distributed via their channel (which seems like a standard business procedure for, oh, an advertising network?) The only comfort is the mechanism of the free market: if website users get pissed enough, said websites might put pressure on Doubleclick or leave them altogether. That's bad for Doubleclick business, so maybe Doubleclick will consider vetting ads better, or run checks to see that flash code doesn't do certain things, etc. Then again, if the malicious banner ad suppliers are paying good enough money, Doubleclick may be perfectly happy to issue a press release "apologizing" and keep right on doing business as usual.
Re:I only found these ads on.... (Score:1, Insightful)
BTW these ads are not directly dangerous unless you are running on some old browser/old Windows system, but yes, they are annoying as hell.
Terrible relationships with their advertisers (Score:4, Insightful)
Re:The evils of Javascript (Score:2, Insightful)
Re:Never Experienced This (Score:4, Insightful)
Re:Not exactly new (Score:3, Insightful)
F the Flash garbage (Score:1, Insightful)
Unfortunately, I think a lot of folks get talked into using flash on their sites by web designers who just want to maximize billable hours. Often their sites fail at the basic function of conveying information because they don't include HTML versions of the information people are looking for. A great example are bands with tour information in Flash only. Most of the artists don't even know about the problem. Unfortunately the people who answer webmaster@site are often those reaping the cash rewards of flash-only implementations.
I don't allow flash in my primary browser and also disable javascript. I won't visit websites that require Flash. Just say no.
Why aren't we blaming the browser? (Score:4, Insightful)
Are you surprised? Risks of client-side scripting (Score:1, Insightful)
Doubleclick could fix this in 2 seconds (Score:5, Insightful)
All Doubleclick has to do is require the actionscript source code for all ads. There is *no good reason* for an advertiser to hide anything from doubleclick. Send doubleclick your sourcecode. They will compile it into a
Problem solved.
Re:Why aren't we blaming the browser? (Score:5, Insightful)
Yeah sure (Score:3, Insightful)
Re:Very stupid idea (Score:3, Insightful)
Like it or not, but advertising generates (directly and indirectly) the revenue that drives the Internet. When advertisement is passive, and does not attempt to hijack your computer, it is theoretically an win-for-all scenario: the advertisers get their clients, the consumers get their products, and the sites that host the advertisement get their costs and expenses covered.
You are very much mistaken. Advertising seeks good mediums to exploit, and always shows up AFTER the medium has established itself. Advertising funds garbage content.
Advertising does NOT generate the revenue that drives the internet, and without it, the internet would not only continue to thrive, but would improve. You're probably too young to remember it, but the internet existed long before anyone thought of using it for advertising. HTML existed long before anyone thought of using it for advertising. If every single ad-supported site vanished from the webernets overnight, things would be better. People with something worthwhile to publish would continue to publish, and those who spout useless drivel and subsist on advertising would have to crawl back to the holes from whence they came.
chain of responsibility (Score:5, Insightful)
And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlaying code. Well, that's what they hire DoubleClick for,
And who decided to hire DoubleClick, instead of (as you mention) Google AdSense or a hundred other advertising networks, all of varying reputation, levels of annoying-ness, etc? Who negotiated the terms of the contract, which could have required vetting of ads by Doubleclick? Who had the power to chose between text, GIF, and Flash based ads? Who benefits financially from the presentation of those ads?
So, again tell me who is responsible for ME getting an infected PC visiting that website? If GM makes a car and the wheel falls off because Bob's Bolts sold them defective bolts, I can still sue GM for selling me a car on the reasonable assumption that GM would test bolts before putting them in a hundred thousand vehicles...and GM made the decision to buy from that particular supplier.
The way the world works is: I sue GM. GM then sues Bob's Bolts for damages (ie to reputation, the money they had to give me and spend on legal defense, cost of recall, etc.) Bob's Bolts then may sue Smith's Steel for selling them crappy steel.
Or, in this case: I sue The Economist for infecting my machine. The Economist turns around and sues Doubleclick for providing malicous ads. Doubleclick may then turn around and sue the company that made the malicious ads, for violating the terms of contract with Doubleclick specifying no malicious content...
Re:AdBlock and NoScript (Score:3, Insightful)
When you have (inevitably) imperfect software paired with untrusted content providers, there is no guaranteed way to be safe. Which is what makes Doubleclick such a menace - you can't even trust reputable sites anymore, because they're serving ads from unknown and untrusted sources via Doubleclick.
Adding insult to disgust to injury... (Score:5, Insightful)
Here's the rub - when you click on the "Download Now" button, it actually sends you to DoubleClick.net site. Then the DoubleClick.net site redirects you back to the PayPal site and starts downloading the application. If you have DoubleClick.net blocked in your hosts file, like I do, then you can't download the software.
Why?
It is so that DoubleClick.net can plant a first-party cookie, spy on your activities, direct advertisements to you... PayPal has just submitted ALL your information AND the fact that you use PayPal, AND the fact that you purchase stuff online, AND, AND, AND... Then DoubleClick.net can target you for highly targeted advertisements.
This is just unconscionable. PayPal deserves all the flame they're gonna get over this one.
Re:I only found these ads on.... (Score:4, Insightful)
Anyone who has done some VB programming, etc is well aware that the labels on dialogue boxes can say most anything and be assigned to most anything - problem here is that most Window's users don't know that "Cancel" can be assigned to the same function as "Yes", etc
Ron
just another reason to go to Linux (Score:2, Insightful)
Linux Mint
Firefox
Adblock Plus
No Script
Customize Google
Safe Cache
Safe History
Couldn't be happier with Mint, Open Office, Compiz, Thunderbird, etc.!
Re:Adding insult to disgust to injury... (Score:3, Insightful)
My point is that any trust PayPal had was destroyed the moment they redirected my browser... What else are they doing with my financial information?
Re:I only found these ads on.... (Score:2, Insightful)
If it can run the code to 'ask you repeatedly', it can run other code.
Or if you insist that there is no possible way in Windows to do this (I'm sure someone could post a half a dozen IE security holes that allow arbitrary execution of code), then how about popping up a window with the 'OK' and 'Cancel' buttons reversed? [cancel], [cancel],[cancel],[ok] oh, shit.
Re:Doubleclick could fix this in 2 seconds (Score:2, Insightful)