Ad Networks Lay Path To Million-Strong Browser Botnet
jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."
Re: (Score:2)
I just block the ad networks.
Yep, that. (Score:5, Informative)
Ghostery [wikipedia.org] and Adblock [wikipedia.org] FTW.
Re: (Score:2)
Or Abine DoNotTrackMe [abine.com], which I marginally prefer over Ghostery because the latter is run by the ad networks (of course, I'd prefer an OpenSource alternative...)
NoScript, Perspectives [perspectives-project.org], Flashblock, BetterPrivacy [mozilla.org] and HTTPS Everywhere [eff.org] round out the package.
And occasionally PrefBar [tuxfamily.org] so I can change my browser UserAgent on the fly, just to mess with 'em...
Agreed, DoNotTrackMe is better. (Score:2)
It's independent and doesn't slow my browser down like Ghostery does. The latter isn't really written with users in mind... its primary purpose is to give the ad industry a 'self-compliance' fig leaf.
Re: (Score:2)
Don't forget noscript. Very nice to have when you stumble across a compromised site directly serving malware.
Re: (Score:1)
What can Ghostery do that RequestPolicy cannot?
https://www.requestpolicy.com/ [requestpolicy.com]
Is Ghostery just targeted at abusers of 1x1 img pixels and tracking cookies? As RequestPolicy seems to be a generic solution for any information not coming from the target website you are visiting.
Re: (Score:1)
I just block the ad networks.
If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to be in your ad provider's face about this shit or I don't wanna hear any bitching.
Re: Disable JavaScript? (Score:1)
How do you disable Java or 3rd party ads on platforms like iPhone or iPad?
Re: (Score:2)
Java isn't supported on iDevices.
You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.
Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...
Re: (Score:2)
If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to stop using ad networks and host your own ads or I don't wanna hear any bitching.
FTFY
It stuns me that media operators who have run their own in-house advertising divisions for their dead-tree versions for decades, suddenly act like one-man amateur blogs for their online versions, needing third-party-hosted ad networks.
Re: (Score:2)
I think the reason for that is that they aren't just ads anymore - they're collecting intelligence on the visitors. It doesn't work as well when you host the ads on your own, you need a third party to be able to track what pages your visitors are navigating to when they navigate away from your own site (assuming of course the site they navigate to is within the ad provider's network) as the web browser isn't going to allow multiple domains to share information.
It's one thing to show sponsored messages to us
Re: (Score:2)
There are three metrics for ads online. Impressions, clicks and conversions. Ad companies get paid for each at different rates.
The ads may read a cookie set previously or will set a cookie using an iframe. It has a beacon gif to log impressions. The destination reads the cookie using an iframe with same domain as prior. It also uses a beacon to log impressions.
The cookie tells the ad network: this user came from campaign id xxxxx. That cookie will also be read again on an order confirmation or any conversi
Re: (Score:2)
And that is part of why people object to them (other than giving you cooties that is). No other medium has had the ability to automatically track people who read the ads and they have done fine. Some tracking for conversions can be done with discount codes or through the url in the ad.
I'll bet if the ad networks are held liable for malware they distribute, they'll suddenly be fine with those limitations.
Question from the less tech-y (Score:2)
From TFA:-
Assuming you're using the latest Firefox with Adblock and Noscript, how true is that claim?
Would it, for example, stop the ad network attack vector mentioned in TFA?
I used to assume running Noscript is sufficient protec
Re: (Score:2)
1. Disable third-party cookies
2. Install Adblock Plus + Element Hiding Helper
3. Install NoScript
4. Install DoNotTrackMe
5. Turn on the worthless "Do Not Track" header, if only just to further get the point across.
6. Clear cookies if you previously went to sites before disabling them, because you've likely got some Facebook tracking garbage on your machine.
Done.
No Script (Score:1)
For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.
Re: (Score:1)
For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.
It's called NoScript [noscript.net].
And there's no "NoScript equivalent" for Chrome folks [informaction.com], sadly.
Huh? (Score:2)
You mean there are other attack vectors, too?
Seems to be the main source of malware... (Score:1)
From what I've seen, it seems like ad networks are either the main form of malware vector, or at least close to it. It isn't true proof, but I have had no issues with infections when using AdBlock and an add-on blocker (even if it is Chrome's "click to play" item), but if I fire up a VM and go browsing without those utilities... all hell breaks loose. Antivirus utility? Yeah, right. Those are OK for maybe scanning an infected machine's HDD that is mounted on another box. However, rootkits, especially R
Somewhat scary (Score:2)
Well, it's scary enough to make me want to turn off Javascript (unless I'm running Firefox—and I'm not—and can't turn it off). But Javascript provides to web pages features and abilities that I'd rather like to keep. For example, I love AJAX and how it allows a sufficiently sophisticated browser to do something like what Google did with Gmail. When I first saw Gmail my jaw dropped. "WOW!" I knew then that the thick client's life was limited. But as things get more and more nasty I'm wonder
Re: (Score:3)
That's the reason why I use adblock, I only block the adnetworks, not the local site served stuff.
If site operators want me to view ads, then they bloody well can vet them and host them themselves.
Re:Somewhat scary (Score:4, Insightful)
The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.
Re: (Score:1)
It's even worse than that. Basic navigation even breaks without JavaScript enabled.
Yesterday I tried visiting the websites of two electronic chain stores (owned by the same parent company) with JavaScript turned off. I couldn't get past their language selection page as the cookie that saves your selection is set by a JavaScript onclick handler!
This is why... (Score:2)
A whitelist of safe ad servers? (Score:2)
You trust Oracle Java and Adobe Flash enough to run them on your machine?
Re: (Score:2)
I have Java on my machine but it's not exposed to the web. Javascript is enabled on a site by site basis with the default setting being to deny all scripts. Usually sites will at least render well enough to read an article even if the layout is garbled. I can still get the content so that's good enough. None of their ad/tracking scripts get to run, ever. Sites like Slashdot get to run Javascript but right now I look and there are four domains on this page which have their scripts blocked: google-analytics.c
Like hell they do (Score:5, Informative)
If you care about security, you're running NoScript. And they do not run.
Re: (Score:3, Interesting)
If you care about security, you're running NoScript. And they do not run.
Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.
If you want to be safe from evil ad networks, just don't use the web. Problem solved.
But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.
Re: (Score:2)
Most javascript that aren't site related are third-party. So you can allow the site level javascript to run without all
Re: (Score:2)
You teach NoScript which sites you allow scripts to run on, or use the "allow this time" option. It takes a few weeks for it to learn your trusted sites, but once you get in the habit of clicking "allow this time" for one-off visits, it becomes second nature. As is frequently the case, there's a trade-off between usability and security.
NoScript is invaluable when you access a site that's been compromised and is directly serving malware via scripts.
For sites you have allowed in NoScript, filter out marketing
Uninformed (Score:1)
Nice to know BlackHat has finally caught up with 2007 when malvertising was publicly identified as an issue (see https://isc.sans.edu/diary/Malvertising/3727). Strange that people actually working in the anti-malvertising world have never heard of these researchers' work.
I guess we can ignore RiskIQ and Twitter's purchase of Dasient. The tens of millions a year spent on preventing malvertising is clearly "nothing". The methods being used might not be as effective as some want, it isn't due to a lack of funding.
Re: (Score:2)
BlackHat ain't what it used to be...
And they're wondering... (Score:5, Insightful)
...why we use adblock and noscript, whining that we deprive them of income.
It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.
Re: (Score:2)
Do you pay Google for the electricity for their servers? And their bandwidth?
Separate from that, crappy scripts are not required to display an ad. Noscript is necessary and sufficient to prevent what the article is talking about.
Adblock isn't required and could be considered theft. If you don't want the site owner to be paid for the service he provides you then you can always choose not to use that site
Re: (Score:2)
Yes, I think it's OK to go to the bathroom during commercials, or prepare some food for the same reason I think it's OK to turn a page and not read an ad or not scroll all the way down to read all ads on a web page.
Where to draw the line? No matter where it's drawn there will be always people who consider it their right to block each and every ad. Like there are people who think it's OK to have a dog barking the whole day in their backyard while they are at work, etc.
Re: (Score:2)
But it is your choice, since it's your work. Not everyone feels like that. Some choose to ask money directly for their work, some choose to display advertising to pay for their work. That's also the choice of the creator.
If you don't want to pay for the work with advertising then you can simply not use it. There are plenty of websites that I don't use because I dislike the amount of ads they display. Their loss, because that does limit the income
Re: (Score:1)
For now adblock and noscript work well enough. What about after the other side develops NoBlock and AdScript?
The author is lying (Score:4, Informative)
I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.
The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.
Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.
Re: (Score:1)
Audited by whom? Not developers with any care or consideration to best practises and standards. Or are you seriously suggesting that document.write and blocking code is just fine?
Re: (Score:2)
From your comment I'd say you have no clue how the ad networks are being used as a malware delivery system and since any number of the readers here have already attested "mouse over" attacks do exist....What I am hearing you say the ad networks have done absolutely nothing to prevent their networks being used as an attack vector... say something like vetting the URLs provided for the "banners"... I can tell you that at least 6 years ago I had a "mouse over" attack from a banner served on TheRegister.co.uk..
Re: (Score:3)
However, it is true that certain ad networks do
Re: (Score:2)
The only option?
Hardly.
You can accept donations. You can have freemiums. You can offer merchandise.
Re: (Score:2)
BULLSHIT.
1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.
2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOU HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!
Get over yourself. This is the 21st Century. Lower Prices Every Day. Information wants to be Free.
Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site. Your local ISPs and utility companies haven't got the memo yet, so they still expect to get paid, and they do have limited competition. Ergo, ads.
They Finally Notice. (Score:3)
We were using java, flash and javascript to do this sort of stuff as early back as 1996.
Massive DDOS attacks were generated this way.
Even played around with Distributed computing all from banners placed on various web sites.
We were able to run stuff in browsers that was next to impossible to remove.
And with browsers restoring all the windows most common users would never figure out how to kill these things.
Good thing Firefox makes javascript obligatory (Score:1)
Damn good thing that Firefox 23 makes javascript obligatory:
http://news.slashdot.org/story/13/07/01/1547212/firefox-23-makes-javascript-obligatory [slashdot.org]
Re: (Score:3)
The old non-JS discussion system is still there. To enable it, follow these steps:
- Click your user name at the top of the page
- From the pop-up menu, click on Account
- From the pop-up dialog's top bar, click Discussions
- Select the Classic Discussion System (D1) radio button
- Click the Save button
Was this answer helpful: yes or no? Would you also like to send all information from your computer to assist us in improving the performance and responsiveness of our product?
It's been 20 years wth (Score:1)
Why don't they fix javascript, limit it to a handful of requests so it can download its data but not spam requests in a loop? Disable its popup ability, too. I have never needed it, and if I did, I'd be happy to click an open window approve box.
Paper trail (Score:2)
Unless they are paying for their ads using anonymized Bitcoins couldn't the ad company be served a warrant and the perpetrator found through the payment records?