Malvertising Up By Over 200%

An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."

Malvertising

[rossdee]

And is expected to peak an the Monday before the first Tuesday in November

Re:

[Anonymous Coward]

Why is there a story about advertising in the mall?

It's one of many reasons why Adblocking is moral

[metrix007]

The others being performance and functionality related. I don't like ad's due to the security risk, and they can slow down my machine and make it very fucking hard to see the article.

If your site has harmless ad's, that is one thing.

On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

Re:It's one of many reasons why Adblocking is mora

[Threni]

> On the other hand, if your site can only survive by being paid for with ads, you need
> a new business model.

Like Slashdot, you mean? Or is this site supported by the Bandwidth Pixies?

Re:It's one of many reasons why Adblocking is mora

[pushing-robot]

I think he's saying all content needs to be either paywalled or made or sponsored by the wealthy and powerful.

Re:

[Threni]

Well that's a powerfully stupid idea.

Re:It's one of many reasons why Adblocking is mora

[Burz]

No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

If a simple text article with a few associated photos causes my computer's fan to wheeze and slows it to a crawl, and the ads keep breaking my concentration, AND they pose a security threat that (over the years) has gone from significant to huge, then their business model is just attempting to use you as a pair of eyes with a wallet attached. FUCK THEM.

Website operators like Ars Technica and Slashdot should be researching ways to deliver ads that are safe and sane -- there is no justification for a friggin' advertisement to be otherwise. Its just too bad the advertisers don't trust the content creators to serve the ads themselves. So what we get is a cycle of mistrust and negligence that puts their readers at risk of attack. Its sicko.

Re:

[Burz]

correction: 'with adblocking' should be 'without adblocking'

Re:It's one of many reasons why Adblocking is mora

[dcollins117]

No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

Google demonstrated all that is really needed are text-only ads.That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

Re:

[tlhIngan]

Google demonstrated all that is really needed are text-only ads.That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

Given Google has a marketshare of approximately 98% of the online advertising space, that means we should be seeing text ads everywhere, right?

No, Google didn't demonstrate it. They simply cashed in on the novelty of

It's why Adblocking is Necessary

[billstewart]

Back when I was reading the Internet on a 14.4-kbps modem, the bandwidth used by ad banners was annoying, but you could block some of them with a hosts file, and the others weren't really that annoying unless they were using blink tags or animated GIFs. (Popups were annoying enough that most people blocked them pretty quickly.)

But sorry, if my browser is going to run random Javascript or Flash, it means my browser is going to run slowly and unreliably, and there's a risk of malicious content, and it's not

Re:

[Jody Bruchon]

The first rule of the bandwidth pixies is you do not talk about the bandwidth pixies.

Re:

[K. S. Kyosuke]

Especially when they can speak for themselves [slashdot.org]? ;-)

Re:It's one of many reasons why Adblocking is mora

[Nethead]

Or is this site supported by the Bandwidth Pixies?

At one point, yes. I was one of them. I worked at an ISP and we gave Rob Malda a Pentium Linux box (slackware, IIRC) to host images.slashdot.org when his T1 started getting full. We gave Slashdot free hosting and bandwidth for about 2-3 years, until he moved on to other servers.

Re:

[Anonymous Coward]

You can pay directly [slashdot.org] to get rid of ads here. You can't say that for most other sites.

Re:

[abhi_beckert]

You can pay directly [slashdot.org] to get rid of ads here. You can't say that for most other sites.

Or just have high enough Karma that they'll let you turn the ads off for free.

Re:

[nurb432]

On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

So you would rather them charge you directly?

That model has worked pretty well for Google too.

Re:

[Splab]

When websites vet their advertisement and host the stupid things, I'll let them through (and in fact do so).

Re:

[erroneus]

Good, now I don't have to say it. I'll just be among those who agree with it.

This is no different, in my opinion, than having a "smart TV" (or an xbox360/one) in your livingroom and having advertisers gaining access to your entertainment device. For many people, there is literally no distinction. We are not required to hand over our privacy and security to support someone else's business model. Some would say "if you consume, you are morally obligated" but I disagree.

Someone needs to stand in front of c

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Nethead]

I'm doing the same thing for work builds now. Because the Boeing and Airbus catalogs require IE8 or less I've taken the E off of the taskbar and put Firefox in with an adblocker. They have to click on the desktop icon that will take them to the exact site. Our GPO only lets IE visit the sites that we have vetted, and most of those are password protected sites to other vendors and manufacturers.

Since rolling out that image I've had quite a few cow-orkers ask how to adblock at home. I'm only too glad to sh

Re:

[Man On Pink Corner]

(Shrug) DRAM is a lot cheaper than my time.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jez9999]

The others being performance and functionality related. I don't like ad's due to the security risk

Am I missing something here? How insecure does your browser have to be to allow insecure code to be run just by visiting a website? I thought we were past the days of IE6!

Re:

[Tom]

I thought we were past the days of IE6!

Yes, but so are the attackers.

Re:

[Flammon]

On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

Google needs a new business model?

Re:

[metrix007]

Google sells far more than just adspace. Google sells information.

ah uh

[Billly Gates]

According to any slashdotter as long as you do not run any AV software and don't run downloads you will be perfectly fine! This all is a scam to force us to buy Av software that's it and my ff 3.6 with +100 holes as of now running admin is perfectly save because I am cautious user

Re:

[the real darkskye]

We updated the mantra to include "and keep your plug-ins and browser up to date"

WTF?

[Anonymous Coward]

testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations

That has to be the most ridiculously long name for bullshit I've ever seen.

Re:

[pubwvj]

It is an anagram for BULLSHIT. They threw in a few extra letters to confuse you.

what a stupid article

[slashmydots]

They're talking about 2 different things. Malware advertising is "your PC had errors. Click here to fix it" and it download some registry nagware bullshit. Drive by downloads are not ads at all. It's an exploit kit and it's what happens when the ad blocks get hacked. It's not like someone supplied exploit code to Google's advertising program. The article is talking about 2 completely different things.

Re:what a stupid article

[GIL_Dude]

While your definitions are correct, a lot of drive by downloads happen when you visit otherwise trusted pages - because the ad network servers either got successfully breached or they didn't vet their advertisers well enough (again). For example - go to cnn.com today and view the source of the page. ads.indeed.com, doubleclick.com, etc. All of these ad networks have had serious issues with serving malicious advertisements from time to time. They will allow someone's ad that uses a malware kit attacking all the Java, Flash, Adobe Reader, etc. vulnerabilities that are out there. People shouldn't get drive by downloads just because they visited what should be a trustworthy site. So yes, drive by downloads can and do come from what are supposed to be ads. They are purchased via legitimate ad networks and run on many sites.

Re:

[Mashiki]

One of the largest thefts of gaming accounts occurred because of drive-by malware because the advertisers didn't vet well enough. It was one of the reasons why Blizzard switched to the launcher for World of Warcraft back in '06 or '07, and the launcher would look for the most common malware that would steal logins. And of course most of the infections came right from well known gaming networks.

Digital justice invocation

[Atl Rob]

When the culprits are found, remove their digits via guillotine. If that doesn't persuade, remove thy arm... Problem solved the digital way! ; )

"security"

[melchoir55]

Will it be protected by DRM?

Mail-vertising

[Anonymous Coward]

The usps should vet everyone that sends mail, to ensure consumers are protected. :-P

Too many resellers

[Animats]

Too many web sites which run ads are buying them through a chain of multiple resellers. Under current law, the web site running the ad can usually disclaim responsibility for hostile ads. That may change. The article is about testimony before the U.S. Senate's committee on homeland security. [senate.gov]

The site that displays the ads should be held responsible. Sites which run ads would then need to protect themselves by legal and technical means. For example, if you run ads on your site, your contract with the advertising provider should provide that they will indemify and defend you should a bad ad get through.

Re:Ok - but. it's not THEIR code... apk

[sjames]

I'm not sure that the site owners are necessarily where the liability should fall, but it certainly need not be restricted to whoever paid for the ad. For example, if I accept $100 to "go put this box under that car", I will likely face some consequences if I can't articulate a good reason I didn't think it was a bomb.

The ad companies have some duty not to publish malware. Now that it's common enough to have news articles written about it, they can no longer pretend that it's not something they might expect to happen.

It's a bit disturbing that they haven't taken steps on their own since it provides a very good reason why people should block ads.

Re:

[sjames]

If they were smart and had foresight, they would do anything to avoid giving people an ironclad ethical reason why it is their absolute right to block ads in self defense.

That ship has sailed now.

but...

[Tom]

There is non-malicious advertising?

As far as I'm concerned, the only difference here is that regular advertisement attacks your mind (compare the old CIA PsyOps manuals with modern day advertisement psychology, you'll find quite a few similarities) while "malvertisement" attacks your computer.

I'd rather have my computer attacked. It can be firewalled or, if that fails, reinstalled.

Why Ad Blocking is Necessary

[CodeBuster]

This is yet one more example illustrating precisely why ad blocking is necessary. The bloggers and others who make their living in the content business howl with righteous indignation at those of us who use these tools, but I submit that their anger is misdirected. On the contrary, it's the advertising networks who rightly deserve their wrath for allowing their business to become a cesspool of infectious viruses, worms and frankly worthless crap. Indeed, it seems that their motto is, "our advertising services are the right thing for anyone with a credit card, no questions asked." So I ask you, why should visiting your site without ad and script blocking enabled be akin to walking into the darkest corner of the bathhouse, bending over and letting everyone have their way with nary a condom nor a reach around in sight?

And companies complain about script/ad blocks

[sandbagger]

One of the things I do for friends computers is set the host files to auto-update from security malware sites. These update pretty regularly, unlike Adblock which, although useful, doesn't do everything. Noscript, Disconnect Me, Ghostery and the like are becoming defacto necessary security precautions. Were I running a consumer product's multi-million dollar ad campaign I'd be really pissed at the malware guys.

Re:

[ruir]

The thing I do for family is telling them if they want to be better off just using facebook and skype, is to buy an iPad. Better take care of this issues.

Re:

[Opportunist]

This is America. CEOs are not executed. At worst, they're "moving on to new ventures" or, if they burned enough bridges "they decide to take a step back from the limelight and concentrate more on their family life".

All, of course, with a fat severance paycheck.

A liability solution

[Opportunist]

It's very simple: Make ad companies liable for any damage done by ads they show. Wanna bet they start auditing the shit out of every letter they show?

ALL ADVERTISING

[napulist]

ALL ADVERTISING IS MALICIOUS

Re:

[Anonymous Coward]

You should put that on a billboard.

Re:

[napulist]

You should put that on a billboard.

touche

Re:

[i.kazmi]

stop using ad-supported websites and the malicious advertising will go away...you do realise that these websites aren't free, right? if the website isn't paywalled and its not selling something, the owner of the site has to pay for hosting, bandwidth and maybe even development/maintenance (if they aren't developers themselves) somehow, care to propose a model which does not involve paywalling most of the internet and removes them malicious adverts at the same time? no? didn't think so!

Perhaps the most chilling statement in the article

[oDDmON oUT]

"...companies 'should be afforded protection from regulatory oversight as well as frivolous lawsuits.'"

This smacks of "tort reform" and "security through obscurity" and we all know how well both of those worked in favor of consumers.

Re:

[Katatsumuri]

I find NoScript extension convenient.

Re:Disable Javascript already!

[Scutter]

It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off.

Re:

[Arker]

"It's useful, I don't know if it's convenient. Most sites won't even load anymore if you have Javascript turned off."

It's a huge timesaver. If they are not returning a webpage I figure that out immediately and move on to another site that does. With default settings on a modern browser you can only figure that out later through more subtle clues, and in the meantime you have infected your machine.

Re:

[GNious]

NoScript allows you some measure of control - obnoxious Flash ads, Javascript-driven ads and other bits can often be turned off (due to separate origins) while the main functionality stays on.

Re:

[StarFace]

Only a small minority of sites flat out won't work without scripting. Just cruise past those idiot webmasters (they were probably making Flash only sites back in the day) and find an analogous site, there are usually many.

Then there are some that bitch if you have it off, like YouTube (they cannot track you as well without it, which is why they whine). But they are still functional. I can make full use of YouTube without scripting, with a Flash downloader. I get better performance than with their shitty str

Re:

[HiThere]

If you're running flash, you have no need to worry about javascript, you're already vulnerable.

Re:

[StarFace]

Indeed, I'm not running Flash either. I don't even have it installed. That is why I mentioned using a download utility to acquire videos from websites rather than viewing them in page.

Re:

[StarFace]

Yeah, I tend to switch around plug-ins, as Google changes things to mess up downloaders, downloaders adapt, but not at an equal rate. Right now this one seems to be working (so long as 720p is fine):

https://addons.mozilla.org/en-... [mozilla.org]