How Malvertising Abuses Real-Time Bidding On Ad Networks

msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.

It's all automated

[Anonymous Coward]

The second you take the human out of the loop on who approves something going into production, you open up a huge avenue of risk: that the automation will put something you don't want out on the Web.

plagiarism

[sribe]

Direct copy-and-paste from an article should be quoted, to make it clear that in fact msm1267 wrote nothing at all.

Sigh, OTOH, at least the "summary" is not a gross misrepresentation, like so many others.

Re:plagiarism

[Noah Haders]

if it were my summary I would definitely attribute it to somebody else, because it makes absolutely no sense. what does this mean? "But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?" what does the rest of the summary mean?

Re:

[sribe]

if it were my summary I would definitely attribute it to somebody else, because it makes absolutely no sense.

Right. It makes no sense precisely because it is NOT in any way a summary, which would take a few moments' effort to write. It's just a copy and paste of the first few sentences of the article.

"But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?" what does the rest of the summary mean?

Exactly. The article goes on to explain that. A summary would at least give some idea. The copy & paste of the first few sentences, cut off at an arbitrary point, totally leaves you hanging.

Anonymous advertisers

[kurkosdr]

Ahh... The joys of having anonymous advertisers, even on well-known sites: Not only some of the ads are of questionable legality, but some of them may actually hurt you. THIS is why AdBlock Edge is a security policy, not an adblocking policy. Don't give me the "freeloader" talk. Either host your own ads and be responsible for them, or partner with reliable ad agencies (and maybe I will unblock them).

Re:

[tepples]

What makes an ad agency reliable to you?

And what solutions do you recommend for individual blog authors to implement "host your own ads"?

Re:

[kurkosdr]

"Host your own ads" is something only big sites can implement obviously. An ad agency is reliable if all the advertisers are non-anonymous, and hence responsible for the content they push through the ad agency. And don't tell me "it's not possible", there is this thing called HTTPS. Instead, as of now, anyone with a computer and internet connection can be an "advertizer". No eponymity or responsibilities, yay! This was good enough for the first years of the internet. "Freedom", easy, cheap blah blah, now it

Re:

[tepples]

Until September 2013, no major ad network supported HTTPS at all. That is when AdSense added HTTPS support. But for people who wish to avoid AdSense, which other ad networks have HTTPS now? Besides, it's still possible to serve a Flash Player exploit over HTTPS.

Re:

[innocent_white_lamb]

"Host your own ads" is something only big sites can implement obviously.
 
Obviously?
 
I can (and occasionally do) sell advertising to local businesses that want to advertise on my website.
 
No middleman, no profit-share, and I know exactly who and what I'm advertising on what is, after all, MY website.

No one cares

[Runaway1956]

Absolutely NO ONE cares that some individual blogger makes a dollar from his blogging. Not the readers, not the corporations, not your ISP/host, not even the government, NO ONE. None of us gives a small rat's ass. But, yes, you CAN negotiate with some advertiser whom you deem to be reputable, and not suck at the Google teat, or whatever. Host your own ads, or I won't see them, it's really that simple. All the big ad servers are blocked on my machines.

Reliable ad agency? Yeah, I gotta agree, that's kinda funny. It may even qualify as a full fledged oxymoron.

Re:

[kurkosdr]

"Reliable ad agency? Yeah, I gotta agree, that's kinda funny." If you can just sit back and be a middleman collecting his sweet cut (while pretending to care about user's security), why bother caring about who your advertisers are and expend effort to make sure they are non anonymous? After all, you have the disclaimer. Thank (insert name of deity here), users have adblock.

Re:

[tepples]

Then how should individuals recover the $120/yr for a VPS?

Re:

[Runaway1956]

Huh? Why should you recover it? ISP fees, VPN, VPS - all of those are something that YOU pay for, because YOU want to be "out there". Why SHOULD you recover it?

Of course, you could do what so many others do. Put your paypal account on your home page, and solicit funds in the form of "donations". I've actually sent donations now and then. I block the ads though.

Re:

[tepples]

$120 per year for one thing, $120 per year for another, and pretty soon all these recurring fees add up to real money that exceeds the income from an entry-level job.

Re:

[Anonymous Coward]

Why should a blog have ads on it? I write a blog too; I don't have any ads there. What makes you think I want to see ads when you write your drivel? (Mine's drivel too; I am not singling you out.). Get real; blogs shouldn't HAVE any ads. Random musings or the like don't need "monetization". They aren't worth anything anyway.

Re:

[tepples]

Why should a blog have ads on it?

To pay for the VPS that hosts the blog.

Re:

[gstoddart]

What makes an ad agency reliable to you?

One in which all of the employees are encased in carbonite, and whose computers and records have all been nuked from orbit.

Anything less and you have to assume they're still unreliable.

And what solutions do you recommend for individual blog authors to implement "host your own ads"?

Not Our Fucking Problem.

Sorry, but I will continue assuming all ads are crap I don't wish to see, served by companies who don't give a crap about my privacy or security and whom I therefore

Re:

[sjames]

Let's start with has effective controls to prevent ever serving malware. Add in no history of serving malware.

Much like the food industry, I don't care how the grocery store avoids selling arsenic as flour, only that they do. If they claim that they can't, they shouldn't expect to sell much flour.

"effective controls"

[tepples]

What would you define as "effective controls"? And for how many years is a well-known ad network going to be able to keep a spotless record? Which if any existing network qualifies?

Re:

[sjames]

Given the amount of malware served up by ad networks these days, I'd have to say better than they have now. I haven't really considered the question any further since that determination was all I needed to enable ad-blocking.

Let's just say it'll be up to them to make the case to me that they are now free and clear of malware. Since I have no actual desire to consume their content, the burden of proof will be quite high.

Please disable your ad blocker to view this page

[tepples]

Since I have no actual desire to consume their content

Until you hit a site that has Adblockblock. I've noticed that a lot of sites are doing this nowadays for videos and even for text beyond the first couple paragraphs.

Re:

[sjames]

I have seen a few of those. Just highlight a relevant bit of text and search it on google. It's rare that a page will have exclusive information anymore.

Advertisers reeling over this small fix!

[Billly Gates]

Slashdotters discover cure for malware from infected ad servers from this simple tool

https://adblockplus.org/ [adblockplus.org]

Advertisers & Malware writters HATE THIS!

Re:

[Noah Haders]

can I use HOSTS for this????

Re:

[ColaMan]

I'm afraid you're going to have to retire the "HATE THIS" meme.

From now on, you have to write the hooks to ad-laden drivel using the following as a guide:

<SUBJECT> <ACTION> <ACTION>. <NEXT ACTION> <MY DISPROPORTIONATE RESPONSE>

eg.

"He Downloaded Adblock And Installed. When He Reloaded The Page, I Was Amazed."

Ensure That You Capitalise Every Word For Maximum Impact.

Re:

[Billly Gates]

I'm afraid you're going to have to retire the "HATE THIS" meme.

From now on, you have to write the hooks to ad-laden drivel using the following as a guide:

<SUBJECT> <ACTION> <ACTION>. <NEXT ACTION> <MY DISPROPORTIONATE RESPONSE>

eg.

"He Downloaded Adblock And Installed. When He Reloaded The Page, I Was Amazed."

Ensure That You Capitalise Every Word For Maximum Impact.

SLASHDOT USERS DISCOVER SHOCKING WEBSITE. SEE WHY THIS SITE HAS GEEKS IGNORING THREATS

LOCAL USER COLAMAN SAVED BIG! CLICK NEXT AT www.adblockplus.com TO SEE HOW??!

How was that?

clean your own stable first

[Thud457]

I'm sorry. Please explain to me again how I'm stealing food from "content creator"'s mouths by running addblock. And why I hate freedom for making Flash click to play.

Re:

[sribe]

And why I hate freedom for making Flash click to play.

Because when you do that, your browser still reports to the sites that it supports Flash, which encourages them to continue using it. If you REMOVE Flash, then it's not reported as a supported type, and the statistics skew more and more toward showing Flash being unsupported, which contributes to the ultimate demise of Flash.

So, THAT is why I say you hate freedom for making Flash click to play ;-)

Why not restrict all ads to GIFs or JPGs?

[Anonymous Coward]

Users getting malware infection from ads is a really big problem even when you never click on them.
Why not restrict all ads to GIFs (static or animated) and JPGs?

Re:

[Fwipp]

Because flash/javascript ads pay way more.

Re:

[Intrepid imaginaut]

Do they? I know there's a premium on popup ads and interstitial pages, but I've never met anyone who said "wow, what an amazing ad jumping around and flashing lights at me, let's click on that instead of checking out the content I came for". Maybe some people pay more for them but I wouldn't call it a well advised move.

The most interesting part of the article for me is the idea of real time bidding - maybe web adverts will finally start paying as well as print adverts.

Re:

[Joshua Fan]

That's from your own anecdotal evidence. Advertisers use what statistics tells them works. They may even be happy with accidental clicks caused by javascript ads that jump under your cursor.

Re:

[ColdWetDog]

Do they? I know there's a premium on popup ads and interstitial pages, but I've never met anyone who said "wow, what an amazing ad jumping around and flashing lights at me, let's click on that instead of checking out the content I came for".

Apparently you don't interact with my family - it is a sad, strange world out there.

Re:

[Crashmarik]

What i have been seeing are the adds that disguise themselves and then make it impossible to navigate away from them. One of these days I would love to see one of these clowns in court explaining how it was just good business to trick the viewer and then trap them.

Re:

[YrWrstNtmr]

You fail to understand law talking guy speak

-So the user clicked on our ad. That means he wanted that content delivered.
-And then he clicked in the window again. That means he wanted the next level. So we delivered it to him.
-Your honor, it clearly states, "Click here if you want to exit" (said 'exit' looks completely different to a normal OS 'exit' thingie)

Meh

[grimmjeeper]

Reason number 48372534786 why it's better just to universally block advertisements on the internet.

Re:Meh

[Noah Haders]

Reason number 48372534786 why it's better just to universally block advertisements on the internet.

Apple has been leading on this front with several initiatives to protect users from malicious ads. One of them was a setting in Safari to only accept cookies from the first-party site, so when you go to cnn.com the browser accepts a cookie from cnn.com but not from malvertiser.com, who has a banner ad on the site.

This upset google because it cut into their business model of selling effective ad space. So google inserted malicious code [wired.com] into webpages to hack the safari browser and override security settings so it could download unwanted and potentially malicious files onto users computers. Because of this, google received the biggest fine in FTC history [ftc.gov] and is being sued for privacy violations [computerweekly.com] in the UK.

Think about this for a second, and what it means. A website overriding browser security settings to serve unwanted and possibly malicious files. This is outrageous and unethical, and if it were Microsoft then the entire internet community would be enraged. Also think about it in light of this article on malvertisements, which google was actively propagating.

Apple has since taken the cat and mouse game further, so the setting is "allow from current website only". I expect malvertisers to scramble to overcome this block, but I hope that legitimate respected top tier internet companies act a little more ethically.

Re:

[sconeu]

Yeah, Apple *really* led with that. Firefox has had a "block third party cookies" setting since day one.

Re:

[Anonymous Coward]

but never as the default.

Re:

[del_diablo]

This so fucking much. Fuck you too sconeu

Re:

[amicusNYCL]

A website overriding browser security settings to serve unwanted and possibly malicious files. This is outrageous and unethical

And a major security bug in Safari, apparently.

Re:

[Anonymous Coward]

Opera and Firefox have had such a setting (to allow only cookies from the server, and no third party cookies) since long before Safari. Curiously, they don't have the same security flaw that Safari has, and simply don't accept third party cookies when told by the user to do so.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Adblock+ (Or whatever your favorite variant/flavor/fork/alternative is) is the best security suite you can install on any computer.

Attack surface reduction is among the most basic and important of security practices.

Re:

[grimmjeeper]

Adblock+ by itself isn't enough. You need a script blocker, set up your browser to not accept third party cookies, and, most importantly, stop running flash.

Re:

[bhcompy]

ABP and NoScript basically handle most of that. Flashblock isn't necessary with NoScript unless you want to enable a website and keep Flash disabled until you want to use it

Re:

[grimmjeeper]

There's a reason I specifically called out getting rid of flash. Every legitimate website should be going to HTML5 if they aren't there already. There is no reason to be sticking with flash exclusively in 2015. It's vulnerable but at the same time doesn't give you anything you can't do in a more safe framework. It is a relic that needs to die sooner rather than later. If a website isn't switching over, you have to ask yourself why.

And yes, I know there is a huge code base for flash based games and the

Re:

[goose-incarnated]

I am intrigued by your ideas and would like to subscribe to your newsletter.

Why don't they recompress all the images?

[Ambassador Kosh]

Aren't most exploits removed by loading the image and then recompressing it? Why would you ever serve the raw binary for an image at least that was directly given to you by an advertiser? Isn't that just asking for an exploit?

I understand flash is much harder to deal with. Maybe the ad networks need some kind of template for allowed flash so they can take the flash file, take it apart, recompress all the images in and and then load it into their own template so that any exploits in it are probably removed.

Re:

[thsths]

Yes, the system as it is at the moment is just asking for trouble.

Google tends to host a lot of the ads themselves, which makes it slightly more reliable. But they have had their fair share of trouble, too.

Paging Samuel L Jackson...

[sunderland56]

Mr. Jackson: your editorial advice is clearly needed here at Slashdot. Article summaries have become a leading cause of frustration for those of us who can actually read and write English.

Re:

[6Yankee]

I have had it with these motherf*cking ads on this motherf*cking site!

Re:

[Spy Handler]

Javascript, motherfucker! Do you run it?

Liability

[Ryanrule]

Make sites FULLY liable for problems caused by malware they serve up. Problem solved.

Re:

[sunderland56]

If media sites become financially liable for the harm that their content does, Fox News is in deep trouble.

Re:

[sjames]

I swear the first time I glanced at your post I read it as 'media shites'. I may have been right the first time in light of the end of your sentence.

Re:

[kurkosdr]

Someone really needs to cast the first lawsuit, and see how those "disclaimers" and "terms of use" hold up.

Re:

[LessThanObvious]

As much as I'd hate to see a circus of lawsuits around this issue, it's clear there is an ethical obligation of sites to warranty their advertisements to do no harm. A user willingly goes to www.reputablesite.com, but they have no informed consent over all the advertisements and other links that site displays, they just load along with the requested page. If the requested page is loading third party content and getting paid to do so, then clearly they should make every effort to screen for malware or abuse.

There's a lot of filtering and checking

[Anonymous Coward]

All of the RTB platforms put a great deal of effort into validating adverts before they run, and are *very* responsive to anythingn which gets passed those filters and checks.

Security Assessments and 3rd party Ad providers

[mike2006]

No doubt these companies went through network, server and application security assessments and then completely ignored their 3rd party Ad provider that hosts their Ads on a hacked shared host.

Re:

[grimmjeeper]

The trouble is, how do you identify where the malware comes from? Sifting through the outrageous numbers of ads on so many of the random click-bait web pages full of kitten videos linked to on Facebook is hard enough. Trying to nail down exactly which ad gave you the infection would be pretty much impossible. So there's no way to really know who to sue.

The only solution is to approach the internet like you would approach a lady of the evening. Don as much protection as you can before you interact becaus

Re:

[account_deleted]

Comment removed based on user account deletion

Old news

[simplypeachy]

This article is about 15 years late. Malware via adverts/trackers has been around since before the word "phishing" was coined. If the advertising industry gave any shits about fixing this, they'd have done it by now as it's a very simple problem to fix. But surprise surprise - they don't care, and neither do the sites complicit in selling their users to the advertisers!

And THIS is why I run AdBlock

[jonwil]

Until ad networks can ensure that EVERY ad they run is 100% free of malware, I will continue to block their ads.