Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Advertising Security

Malvertising Up By Over 200% 174

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."
This discussion has been archived. No new comments can be posted.

Malvertising Up By Over 200%

Comments Filter:
  • by rossdee (243626) on Sunday May 18, 2014 @11:50AM (#47032373)

    And is expected to peak an the Monday before the first Tuesday in November

    • by Anonymous Coward

      Why is there a story about advertising in the mall?

  • by metrix007 (200091) on Sunday May 18, 2014 @11:51AM (#47032387)

    The others being performance and functionality related. I don't like ad's due to the security risk, and they can slow down my machine and make it very fucking hard to see the article.

    If your site has harmless ad's, that is one thing.

    On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

    • by Threni (635302) on Sunday May 18, 2014 @12:07PM (#47032477)

      > On the other hand, if your site can only survive by being paid for with ads, you need
      > a new business model.

      Like Slashdot, you mean? Or is this site supported by the Bandwidth Pixies?

      • by pushing-robot (1037830) on Sunday May 18, 2014 @12:38PM (#47032655)

        I think he's saying all content needs to be either paywalled or made or sponsored by the wealthy and powerful.

        • by Threni (635302)

          Well that's a powerfully stupid idea.

        • by Burz (138833) on Sunday May 18, 2014 @05:30PM (#47034225) Journal

          No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

          If a simple text article with a few associated photos causes my computer's fan to wheeze and slows it to a crawl, and the ads keep breaking my concentration, AND they pose a security threat that (over the years) has gone from significant to huge, then their business model is just attempting to use you as a pair of eyes with a wallet attached. FUCK THEM.

          Website operators like Ars Technica and Slashdot should be researching ways to deliver ads that are safe and sane -- there is no justification for a friggin' advertisement to be otherwise. Its just too bad the advertisers don't trust the content creators to serve the ads themselves. So what we get is a cycle of mistrust and negligence that puts their readers at risk of attack. Its sicko.

          • by Burz (138833)

            correction: 'with adblocking' should be 'without adblocking'

          • by dcollins117 (1267462) on Sunday May 18, 2014 @07:08PM (#47034757)

            No, he's implying ad servers need to start acting like a responsible industry. They pollute the web with malware and make a lot of sites unreadable with adblocking, owing to the moving, flashing and sometimes audible garbage that cover some sites.

            Google demonstrated all that is really needed are text-only ads.That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

            • by tlhIngan (30335)

              Google demonstrated all that is really needed are text-only ads.That's the correct ad model, IMHO. No distracting flash, no vectors for malware, and they only take a small amount of screen space. Everything else is Doing It Wrong. Again, just my opinion, but as it turns out I'm always right :P

              Given Google has a marketshare of approximately 98% of the online advertising space, that means we should be seeing text ads everywhere, right?

              No, Google didn't demonstrate it. They simply cashed in on the novelty of

      • The first rule of the bandwidth pixies is you do not talk about the bandwidth pixies.
      • Or is this site supported by the Bandwidth Pixies?

        At one point, yes. I was one of them. I worked at an ISP and we gave Rob Malda a Pentium Linux box (slackware, IIRC) to host images.slashdot.org when his T1 started getting full. We gave Slashdot free hosting and bandwidth for about 2-3 years, until he moved on to other servers.

      • by Anonymous Coward

        You can pay directly [slashdot.org] to get rid of ads here. You can't say that for most other sites.

        • You can pay directly [slashdot.org] to get rid of ads here. You can't say that for most other sites.

          Or just have high enough Karma that they'll let you turn the ads off for free.

    • by nurb432 (527695)

      On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

      So you would rather them charge you directly?

      That model has worked pretty well for Google too.

      • by Splab (574204)

        When websites vet their advertisement and host the stupid things, I'll let them through (and in fact do so).

    • by erroneus (253617)

      Good, now I don't have to say it. I'll just be among those who agree with it.

      This is no different, in my opinion, than having a "smart TV" (or an xbox360/one) in your livingroom and having advertisers gaining access to your entertainment device. For many people, there is literally no distinction. We are not required to hand over our privacy and security to support someone else's business model. Some would say "if you consume, you are morally obligated" but I disagree.

      Someone needs to stand in front of c

    • by hairyfeet (841228)

      This is why I give ABP as SOP for all of my builds and by doing so? I've dropped infections right off the chart. people send their families and friends and business partners to me because "When he sets it up they don't 'slow down' and 'get buggy' which with modern OSes mean malware. As I have said before if you want to support your website with ads? Fine then follow best practices, site based only, no leasing out to ad farms, no flash or java, and if you follow best practices? ABP will even put you in the "

      • by Nethead (1563)

        I'm doing the same thing for work builds now. Because the Boeing and Airbus catalogs require IE8 or less I've taken the E off of the taskbar and put Firefox in with an adblocker. They have to click on the desktop icon that will take them to the exact site. Our GPO only lets IE visit the sites that we have vetted, and most of those are password protected sites to other vendors and manufacturers.

        Since rolling out that image I've had quite a few cow-orkers ask how to adblock at home. I'm only too glad to sh

    • by jez9999 (618189)

      The others being performance and functionality related. I don't like ad's due to the security risk

      Am I missing something here? How insecure does your browser have to be to allow insecure code to be run just by visiting a website? I thought we were past the days of IE6!

      • by Tom (822)

        I thought we were past the days of IE6!

        Yes, but so are the attackers.

    • by Flammon (4726)

      On the other hand, if your site can only survive by being paid for with ads, you need a new business model.

      Google needs a new business model?

  • According to any slashdotter as long as you do not run any AV software and don't run downloads you will be perfectly fine! This all is a scam to force us to buy Av software that's it and my ff 3.6 with +100 holes as of now running admin is perfectly save because I am cautious user

  • by Anonymous Coward

    testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations

    That has to be the most ridiculously long name for bullshit I've ever seen.

  • by slashmydots (2189826) on Sunday May 18, 2014 @12:36PM (#47032643)
    They're talking about 2 different things. Malware advertising is "your PC had errors. Click here to fix it" and it download some registry nagware bullshit. Drive by downloads are not ads at all. It's an exploit kit and it's what happens when the ad blocks get hacked. It's not like someone supplied exploit code to Google's advertising program. The article is talking about 2 completely different things.
    • by GIL_Dude (850471) on Sunday May 18, 2014 @01:49PM (#47033023) Homepage
      While your definitions are correct, a lot of drive by downloads happen when you visit otherwise trusted pages - because the ad network servers either got successfully breached or they didn't vet their advertisers well enough (again). For example - go to cnn.com today and view the source of the page. ads.indeed.com, doubleclick.com, etc. All of these ad networks have had serious issues with serving malicious advertisements from time to time. They will allow someone's ad that uses a malware kit attacking all the Java, Flash, Adobe Reader, etc. vulnerabilities that are out there. People shouldn't get drive by downloads just because they visited what should be a trustworthy site. So yes, drive by downloads can and do come from what are supposed to be ads. They are purchased via legitimate ad networks and run on many sites.
      • by Mashiki (184564)

        One of the largest thefts of gaming accounts occurred because of drive-by malware because the advertisers didn't vet well enough. It was one of the reasons why Blizzard switched to the launcher for World of Warcraft back in '06 or '07, and the launcher would look for the most common malware that would steal logins. And of course most of the infections came right from well known gaming networks.

  • When the culprits are found, remove their digits via guillotine. If that doesn't persuade, remove thy arm... Problem solved the digital way! ; )
  • Will it be protected by DRM?

  • by Anonymous Coward

    The usps should vet everyone that sends mail, to ensure consumers are protected. :-P

  • Too many resellers (Score:5, Insightful)

    by Animats (122034) on Sunday May 18, 2014 @01:44PM (#47033001) Homepage

    Too many web sites which run ads are buying them through a chain of multiple resellers. Under current law, the web site running the ad can usually disclaim responsibility for hostile ads. That may change. The article is about testimony before the U.S. Senate's committee on homeland security. [senate.gov]

    The site that displays the ads should be held responsible. Sites which run ads would then need to protect themselves by legal and technical means. For example, if you run ads on your site, your contract with the advertising provider should provide that they will indemify and defend you should a bad ad get through.

  • by Tom (822)

    There is non-malicious advertising?

    As far as I'm concerned, the only difference here is that regular advertisement attacks your mind (compare the old CIA PsyOps manuals with modern day advertisement psychology, you'll find quite a few similarities) while "malvertisement" attacks your computer.

    I'd rather have my computer attacked. It can be firewalled or, if that fails, reinstalled.

  • by CodeBuster (516420) on Sunday May 18, 2014 @03:12PM (#47033417)
    This is yet one more example illustrating precisely why ad blocking is necessary. The bloggers and others who make their living in the content business howl with righteous indignation at those of us who use these tools, but I submit that their anger is misdirected. On the contrary, it's the advertising networks who rightly deserve their wrath for allowing their business to become a cesspool of infectious viruses, worms and frankly worthless crap. Indeed, it seems that their motto is, "our advertising services are the right thing for anyone with a credit card, no questions asked." So I ask you, why should visiting your site without ad and script blocking enabled be akin to walking into the darkest corner of the bathhouse, bending over and letting everyone have their way with nary a condom nor a reach around in sight?
  • One of the things I do for friends computers is set the host files to auto-update from security malware sites. These update pretty regularly, unlike Adblock which, although useful, doesn't do everything. Noscript, Disconnect Me, Ghostery and the like are becoming defacto necessary security precautions. Were I running a consumer product's multi-million dollar ad campaign I'd be really pissed at the malware guys.

    • by ruir (2709173)
      The thing I do for family is telling them if they want to be better off just using facebook and skype, is to buy an iPad. Better take care of this issues.
  • by Opportunist (166417) on Sunday May 18, 2014 @05:47PM (#47034329)

    It's very simple: Make ad companies liable for any damage done by ads they show. Wanna bet they start auditing the shit out of every letter they show?

  • ALL ADVERTISING IS MALICIOUS
    • Re: (Score:2, Funny)

      by Anonymous Coward

      You should put that on a billboard.

    • by i.kazmi (977642)
      stop using ad-supported websites and the malicious advertising will go away...you do realise that these websites aren't free, right? if the website isn't paywalled and its not selling something, the owner of the site has to pay for hosting, bandwidth and maybe even development/maintenance (if they aren't developers themselves) somehow, care to propose a model which does not involve paywalling most of the internet and removes them malicious adverts at the same time? no? didn't think so!
  • "...companies 'should be afforded protection from regulatory oversight as well as frivolous lawsuits.'"

    This smacks of "tort reform" and "security through obscurity" and we all know how well both of those worked in favor of consumers.

Any given program, when running, is obsolete.

Working...