Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com)
An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users who surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might actually have been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazzetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
Re: Yawn (Score:4, Informative)
A lot more details are in the original write up: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight
Re: (Score:2)
Ads targeting computers instead of brains (Score:2)
Ads are supposed to hack brains, not computers. This is an outrage!
No problem (Score:1, Informative)
Only morons would browse the web without an adblocker anyway.
Re: (Score:1)
Only morons use adblock in the first place. All you really need is to make Flash click-to-run, uninstall Java from the browser and you've closed off 100% of the malware vectors.
The amazing thing is how sophisticated "bad ads" have become. Legitimate networks run ads from trusted partners, and the partners still manage to get hacked, and the hacks persist for months because the target is so incredibly narrow that nobody actually knows where it's coming from.
Like, I manage ad networks, and when people report
Re: No problem (Score:4, Insightful)
"Like, I manage ad networks"
And there it is. No one wants to see fucking ads you stupid mother fucker.
Re: (Score:3)
Okay, so that closes the malware vectors.
Now we STILL have to remove the ads to reclaim the 50% or more of screen space they claim on many sites, allow sites to load faster (especially on slow or datacapped connections), and generally avoid having epileptic seizures from all the flashing gifs and other crap that still floats around out there.
Ad blocker blocker blocker? Eat DMCA. (Score:3)
There was a post two weeks ago on an adtech blog suggesting that some publishers* are about to go full DMCA/CFAA on developers of ad blockers that include an ad blocker blocker blocker. By this legal theory, an ad blocker blocker is an "access control" measure [blockadblock.com], and an ad blocker blocker blocker is a "circumvention device".
Learning about this plan has led me to think of ways to provide a better experience on a metered Internet connection without specifically blocking ads. One is to set a cap on how much data
Re: (Score:2)
Man, that iab.com article is total garbage.
Paragraph after paragraph of empty marketing drivel, and no explanation whatsoever about what 'LEAN' actually means.
Light, Encrypted, Ad choice supported, Non-invasive ads.
Ok, so... define 'light'.
IAB Creative Guidelines (Score:2)
Two of them are easy. "Encrypted" means served through HTTPS. "Ad choice supported" means supporting the YourAdChoices control [youradchoices.com] to turn interest-based ad delivery on and off.
The other two are a bit more vague, but Google iab non-invasive ads returns IAB Tech Lab Solutions [iab.com] with a bit more explanation. "Light" means a maximum data size, as specified in IAB Creative Guidelines [iab.com]. "Non-invasive" means that ads do not cover the body of the article, and ads other than an interstitial before a video body do not autom
Re: (Score:2)
A "Load More" button would only get you a bunch of ads, wouldn't it? Don't they tend to prioritize loading of ad data on a page?
Re: (Score:2)
Present adtech delivers the text of an article through the initial HTML document and advertisements through scripts loaded asynchronously. This means the text of the article is available to the user before the style sheet, images, ad delivery scripts, and the like. A full implementation of access control would encrypt everything in the article below the abstract or lead section so that cleartext isn't available until the ad delivery script has run.
Or should I shut up and not give publishers any ideas?
Re: Ad blocker blocker blocker? Eat DMCA. (Score:2)
Re: (Score:2)
And then as soon as the browser pauses the connection 1 MB into the page load, things on the page stop moving around.
Re: (Score:2)
My computer, my decision as to what gets downloaded and displayed on it.
Their site, their decision as to whether to replace articles with a "turn off your ad blocker" message.
Re: (Score:2)
Ultimately, this is untenable.
When push comes to shove, it should be possible to have a 'normal' ad-allowing browser fetch everything that is on the site, but which is 'invisible' to the actual user of the computer, and which *then* get transferred to the 'visible' browser, while - locally, as it were - the ads get removed.
In that way, there is no way for the site to know, because everything looks (and is) just fine on their side/site.
It would still mean you've got the ad-related overhead, since you fetched
Re: (Score:2)
When push comes to shove, it should be possible to have a 'normal' ad-allowing browser fetch everything that is on the site, but which is 'invisible' to the actual user of the computer, and which *then* get transferred to the 'visible' browser, while - locally, as it were - the ads get removed.
On which machine would this "'normal' ad-allowing browser" run? Are you describing something that won't do anything to keep autoplaying video ads in non-video articles from using an excessive fraction of a cellular or satellite Internet subscriber's monthly data transfer quota, or are you describing Opera Mini?
Re: (Score:2)
Since I said: "It would still mean you've got the ad-related overhead, since you fetched it all, but at least you wouldn't be visibly bothered by it.", it would be the former.
I don't know: maybe one can run that one in VM mode on your PC?
There might be other methods too, but the main point would be that the site in question could not tell whether you are running an adblocker or not.
I heard the Opera browser has native adblocking now, but I didn't try it out yet. Any good? That said, sites could just block O
Re: (Score:2)
All you really need is to make Flash click-to-run, uninstall Java from the browser and you've closed off 100% of the malware vectors.
[...]
I manage ad networks [...]
And with just that first sentence, you've managed to make it abundantly clear that you neither understand the threats that exist in your own field nor should you be entrusted with managing ad networks.
I'm far from being an expert (just some graduate work in nearby topics), but off the top of my head I can think of nearly a half-dozen attack vectors that rely on neither Flash nor Java (e.g. Javascript drive-by downloads on machines set to auto-execute downloaded files; maliciously-crafted images/audio/P
Re: (Score:1)
Lots of flash ads get past "click-to-run". I'd love to know how as I always have that set, so they shouldn't.
Ars Technica haha (Score:1)
Re: (Score:2)
Ars Technica disappointed me in there ability to...
You've disapointed me in you're ability to speel correctly.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
No, his speling is fine, it is his gramar that has a problem...
I met his gramar, and she is a very nice lady, so quit picking on her.
Re: (Score:2)
Yea- Ars Technica disappointed me ...
What disappoints me is that if I go to the Ars of Tech site right now, there is no notice to their users of this, or any mention of the story.
You can count me in the "until somebody surfing with their pants down and no ad blocker actually sues the website that delivered it, nothing will change" camp.
We knew this (Score:5, Insightful)
It's why ad-blocking has become a thing. So, yeah, we're gonna keep blocking ads to avoid this crap.
Stop using Flash. Don't even allow it on your website.
Bring advertising in-house. It's not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now and wants to advertise on it.
Stop looking at those who block ads as your enemies. These are the smart consumers you want to engage with. Unless you're shoveling shit of course.
We warned you and warned you this was happening, but you were blinded by money and laziness. Now you're merely getting what was coming to you.
Comment removed (Score:4, Insightful)
Re: (Score:2)
If you disable JavaScript, you can no longer run web applications. Instead, you'll be limited to running only native applications made for your particular operating system. Want to use an app on your Windows PC, but it was made for a Mac? Too bad. Want to use an app on your Mac, but it was made for a Windows PC? Too bad.
If you disable JavaScript, you can no longer petition the government for the redress of grievances [fsf.org].
Re: (Score:2)
But with extensions like Scriptsafe you can selectively enable javascript only for hosts that SHOULD be trusted. like your bank.
Leaving Javascript enabled for all comers is insanely stupid.
Depends on extent of regulation (Score:3)
Banks I'll grant. They're unusual in that financial industry regulations mean they have the most to lose if a script is found to be unsafe. Healthcare sites are up there as well because of HIPAA (or foreign counterparts).
For sites in less regulated industries, how should a user go about finding whether a site's scripts are safe to add to the user's whitelist?
Re: (Score:2)
HTML5 doesn't need Javascript. Or Java.
Would WebAssembly be preferable? (Score:2)
Would WebAssembly be preferable to JavaScript? Because without JavaScript and without WebAssembly, the only possible interaction is following a link or submitting a form and getting a reload of the entire page. This rules out a lot of use cases.
Re: (Score:2)
+1. AdBlock (or uBlock Origin in my case) and NoScript means I'm highly unlikely to have been hit, since the stuff never even got to any of my systems.
Well, that and the fact that I'm using a fringe browser whose market share is so insignificant that it probably won't be much of a target for the bad guys. Firefox, that is.
Re: (Score:3)
The telegraaf.nl site (biggest Dutch newspaper) has been running an anti-ad-blocker for a long time now. When you try to access the site you get instructions on how to disable your adblocker, but not the articles or even the frontpage itself. In response I stopped reading telegraaf.nl, and in hindsight that feels like a good decision.
Re: (Score:2)
Re: (Score:2)
to be fair, that nag screen can simply be closed and you can see all of the site just fine.
Re: (Score:2)
The telegraaf.nl site (biggest Dutch newspaper) has been running an anti-ad-blocker for a long time now.
Oh NO!
I don't want to live on this planet any more.
You can't advertise on "the Internet" (Score:4, Informative)
Bring advertising in-house. It's not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now
How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?
and wants to advertise on it.
But without an intermediary, you can't advertise on "the internet". Instead, you would have to advertise on individual publishers' sites, which is much more time-consuming for both advertisers and publishers.*
Say you have 30 publishers, each of which wants to find relevant advertisers, and 30 advertisers, each of which wants to find relevant publishers. If there is an intermediary, this means 60 contracts to review and sign. If there is no intermediary, there are 900. How does a change from O(n) with an intermediary to O(n^2) without one improve the market?
And even then, how will an individual publisher be able to reassure its advertisers that view and click statistics are accurate and not inflated? All other things being equal, an intermediary such as Google is considered more trustworthy because it has more to lose should a claim of fraud end up substantiated.
* In the advertising market, a "publisher" is the operator of a site that carries ads.
Re: (Score:2)
How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?
And you can't.
But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.
The model is broken, and needs fixed. And if some sites go out of business, well - ensuring their right to deliver malware is not what we signed up for.
What is needed is "ethical advertising providers" as a service. With vetted ads checked for problems. Then I might consider turning off the programs I use to protect my systems.
In the meantime, if a site won't l
Re: (Score:2)
But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.
You signed up for a Slashdot account, and Slashdot is ad-supported.
In the meantime, if a site won't let me in, I just look at it as if I caught a 404.
If I see such a "404" in a story or comment on Slashdot, should I report it in a reply, as I've done here [slashdot.org]?
Re: (Score:2)
But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.
You signed up for a Slashdot account, and Slashdot is ad-supported.
And if Slashdot goes away? I have no contract with Slashdot, and if eventually they go away, I won't be pleased, but I can find other ways to spend my time.
In the meantime, if a site won't let me in, I just look at it as if I caught a 404.
If I see such a "404" in a story or comment on Slashdot, should I report it in a reply, as I've done here [slashdot.org]?
I do have a good idea that the inability to get into the site is of my own doing. That's a choice I made. I do know now to not bother going to a Forbes link in here. But anyone else is welcome to take a hike if they block me.
I have long said that the model is wrong. A website like say Forbes signs up with an ad provider. The provider populates the site with ads. So far so good.
But who is the ad provider, and do they provide responsible ad links?
And Forbes is the specific case illustrating that thi
Re:We knew this (Score:5, Insightful)
There is no evidence that suggests you're any safer with adblock
The very article you're commenting about is proof that you're safer with an ad blocker.
Re: (Score:2)
You can't bring advertising in-house unless you are the top 3 websites in the world. Everyone, and I mean absolutely everyone has to rely on a third party ad exchange, because Coke and Pepsi aren't going to go to a million websites and set up $100 campaigns.
Sounds like a market opening for "ethical ad providers", with people who vet out the ads. I'd consider actually allowing ads onto my computer. If I was in the mood to create a company at the moment, I would look into that.
Re: (Score:3)
Virtually no ad blockers will filter 1st party advertising (i.e., adverts directly from the site you're viewing).
The problem isn't malvertising itself, it's that companies which used to closely vet what kind of ads went into their print/video/audio media are passing off the responsibility to 3rd parties who have repeatedly proven they aren't up to the task.
I.e.: malvertising is a symptom of the security problem, not the cause.
Re: (Score:2)
There is no evidence that suggests you're any safer with adblock
Pretending for a moment this is true, there are other benefits, including bandwidth reduction and speed improvements. I was on a site just yesterday that was so slow every time I tried to scroll there was a 1-second delay, and the whole page was jumpy and difficult. At first I thought it was my computer, but other sites seemed fine. Then I realized this was a new-ish computer and I'd forgotten to put Adblock on, so I installed it. Instantaneously the site began to run quickly, with pages loading much faster
The answer to malvertising (Score:5, Insightful)
Re: (Score:3)
I support the sites I visit through memberships and services like Patreon. I buy CDs and BluRays for the artists I like. (Yes, I'm the one.)
But I have web ads blocked every which way. Can't trust the ad networks.
Re: (Score:2)
I support the sites I visit through memberships
Would you be willing to purchase a month's membership to a site for $4 just to be able to view one article past its abstract?
and services like Patreon
I've read reports in comments to an adtech blog that "please put some coins in our cup" isn't enough to fully fund a site's operation unless it puts donation nags in your face [blockadblock.com] like Wikipedia does: "If YOU do not donate, this site will have to SHUT DOWN."
Re: (Score:1)
I support the sites I visit through memberships
Then why do you not have a little star next to your name on slashdot?
Slashdot's subscription page is broken (Score:2)
Then why do you not have a little star next to your name on slashdot?
Because Slashdot hasn't sold subscriptions for well over a year. From subscribe.pl [slashdot.org]:
During the Dice Holdings era, Slashdot instead experimented with giving a "Disable Advertising" checkbox to users with Excellent (25-50) karma to encourage them to provide and moderate comments. After Slashdot and SourceForge were sold to BIZX six months ago [slashdot.org], this ended as well.
The subscription page for the [soylentnews.org]
Re: (Score:3, Insightful)
I disagree. If a website is open, so visitors can protect themselves by using ad blockers or other filters, they should not be held responsible for third party content. They should only be responsible for the content they provide directly.
But, if a website forces visitors to disable ad blockers (or filters of any sort) before using their site, they should then be held responsible for any malfeasance due to all content they provide, directly or indirectl
Re:The answer to malvertising (Score:5, Interesting)
Re:The answer to malvertising (Score:5, Insightful)
Exactly. Just like on television; if a channel broadcasts an ad with boobies, it is the channel that gets fined, not the advertiser. Who paid for me to see Janet Jackson's nipple shield? Her? No, CBS.
Re: (Score:1)
Re: (Score:2)
Re:The answer to malvertising (Score:4, Insightful)
The consumer has right of redress against whoever supplies them.
Except in America, where the criminal has the rights to whatever he can get away with.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Don't look down on the victims who weren't geek enough to know about Ad blockers.
I don't look down on them, I look down on the advertisers.
But they need to learn about ad blockers, for the good of all of us.
Re: (Score:3)
No, it's like saying an answer to unwanted pregnancy is condoms.
The media sites demanding you disable your protection are just like the Catholic church, worried a revenue stream might dry up.
Re: (Score:2)
How are you going to hold these sites to account? Many of them are outside your legal jurisdiction.
The only solution is to block ads, and all third party content in general.
Re: (Score:2)
Then put JavaScript on a whitelist, and have the UI for editing this whitelist geolocate the IP of each hostname so that you can be more cautious about servers in countries where you can't sue.
Re: (Score:2)
Re: (Score:1)
Webmasters/Ad comps deserve it. (Score:1)
This is one of the reasons I disable Javascript in my browsers (NoScript, or just flat-out disabling it). I only enable it to get the content I need. It's a PITA, but it's safe and speeds up my browsing on everything...
Does it hurt free content providers like /. ? Yes, it does. Does it hurt ad companies? Yes, it does.
Do I give a shit? No, I don't. Am I one of those whacked-out crazy anti-ad persons? No, I'm not. I don't mind most ads whatsoever...
So what should they do? Go back to the past. Sell static banner
Re: (Score:3)
How should a small site find advertisers? (Score:2)
So what should they do? Go back to the past. Sell static banners/small animated gifs. No javascript, no flash, no tracking, no malware. Simply sell static ad space for X amount of money per Y amount of time.
Sell ad space to whom? Your "no tracking" rule appears to rule out ad networks and ad exchanges in favor of each publisher* having to run its own ad sales department. So what can the publisher of a smallish site do to find enough advertisers to buy most of its inventory? And how can this publisher assure advertisers that the view and click statistics that it provides are accurate?
* Operator of an ad-funded site
Re: How should a small site find advertisers? (Score:1)
When linked to a closed site, it's your problem (Score:2)
Say you're researching a topic, and you end up hitting a bunch of dead links because the operator of their respective servers could no longer afford to keep the lights on. Then Somebody Else's Problem becomes your problem.
Malware Vector Blockers (Score:1)
Obligatory (Score:5, Funny)
There are ads on the internet?
Who knew?
Re: (Score:1)
Re: (Score:1)
On the internet, nobody knows you're an ad!
Thank you, Adblock! (Score:5, Insightful)
And, to think, several of those sites had the nerve to chastise me for using it.
Re: (Score:2)
Re: (Score:2)
Fuck off APK, AD block is just fine, much better than your option, the 90's called, they want their ad blocking back.
accountability (Score:2)
So who is being held accountable for this? Nobody? Seems blocking ads is not only justifiable but also a moral imperative.
Nobody cares (Score:3)
I didn't get infected (exclusively Linux and a few Macs since 1995) but I got several attempts of sites downloading Windows scripts/binaries, some weird interaction with a custom Chromium build. I reported them to Google and submitted the sample to a few AV vendors; nobody cares. Large sites (think CNN, WaPo, ...) had the same ads attempting the same thing for weeks on end and the download never got recognized by AV. I stopped caring too; the ad sellers sell ads and that's all they care about. AV companies only care about the big threats because scary sells; some custom package that affects a few dozen of their customers doesn't matter.
My customers wonder why so many internet sites are (Score:2)
When my customers wonder why so many internet sites are broken, I explain that we don't allow Java or Javascript and any site that needs it needs to be looked at with a jaundiced eye.
Between NoScript, RequestBlocker and Adblock Plus, I have not had a single customer fall victim to any of these web based malware packages.
Just say no to banking apps (Score:2)
Every time I talk to my bank they look askance at me for not banking online. This is why I don't.
Easy (Score:2)
Re: (Score:1)
Re: Malvertising's nullified by this (Score:4, Funny)
zAParKie, shut up and take your pills
Re: (Score:2)
Re: (Score:1)
The APK software isn't open source, so we don't know whether we can trust it or not. That means I won't trust it. I'm not going to run some random EXE file that gets spammed all over Slashdot. Besides, blocking at the DNS level is much more effective.
Re: (Score:2)
Windows itself is proprietary and requires admin privilege to run.
But seriously: On Windows, writing to %windir%\system32\drivers\etc\hosts requires administrative privileges. You can instead have APK Hosts File Engine generate the hosts file in your own profile and then use File Explorer to copy it to %windir%\system32\drivers\etc\hosts.
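As an added example (not code from any commenter, nor from APK's tool), here is a small Python model of the two blocking layers the comments above compare: an exact-name hosts file, such as one copied to %windir%\system32\drivers\etc\hosts, and resolver-level sinkholing of whole zones, which is the reason the earlier comment calls DNS-level blocking more effective. The hosts entries, sinkhole zones and query log are constructed sample data with placeholder names.

```python
"""Compare hosts-file blocking with DNS zone sinkholing on a sample query log.

A hosts file only matches an exact hostname, so an entry for ads.example does
nothing for cdn1.ads.example; a resolver that sinkholes the zone ads.example
catches every name beneath it. All names below are constructed placeholders.
"""
from __future__ import annotations

# Constructed hosts-file text in the 0.0.0.0 style most blocklists use.
HOSTS_TEXT = """\
# placeholder blocklist (constructed)
127.0.0.1  localhost
0.0.0.0    ads.example
0.0.0.0    tracker.example   # inline comment
0.0.0.0    ads.example       # duplicate line, harmless
"""

# Constructed list of zones a local resolver would sinkhole.
SINKHOLE_ZONES = ["ads.example", "tracker.example"]

# Constructed DNS query log: one looked-up hostname per line.
QUERY_LOG = """\
ads.example
cdn1.ads.example
www.news.example
tracker.example
pixel.tracker.example
"""


def parse_hosts(text: str) -> set[str]:
    """Return the hostnames a hosts file points at a null address."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            # 'localhost' is a normal entry, not a block; skip it
            blocked.update(n.lower() for n in names if n.lower() != "localhost")
    return blocked


def in_zone(hostname: str, zone: str) -> bool:
    """True when hostname is the zone apex or any name beneath it."""
    h, z = hostname.lower().rstrip("."), zone.lower().rstrip(".")
    return h == z or h.endswith("." + z)


def classify(hostname: str, hosts: set[str], zones: list[str]) -> str:
    """Name the layer (if any) that would stop the lookup of hostname."""
    name = hostname.lower().rstrip(".")
    if name in hosts:
        return "hosts"      # exact match in the hosts file
    if any(in_zone(name, z) for z in zones):
        return "dns-zone"   # caught only by the resolver-level sinkhole
    return "allowed"


def audit(log: str = QUERY_LOG, hosts_text: str = HOSTS_TEXT,
          zones: list[str] = SINKHOLE_ZONES) -> dict[str, str]:
    """Map every queried name in the log to the layer that blocks it."""
    hosts = parse_hosts(hosts_text)
    return {q: classify(q, hosts, zones) for q in log.split()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:24} {verdict}")
```

Names that come back as "dns-zone" are exactly the ones a hosts file alone would let through, which is the gap a per-name blocklist has to keep chasing.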
Remember eFast? (Score:2)
APK Hosts File Engine is proprietary because APK fears that a malware author would rebrand it [slashdot.org] the way Chromium was rebranded as eFast [malwarebytes.com].
X.509 certificates defeat DNS hijacking (Score:2)
For one thing, I do most of my shopping on smile.amazon.com so that Electronic Frontier Foundation. A source is somewhat less likely to attack that vector.
But even if it does, security is a process of which the hosts file is one layer and PKI is another. The server will have to present an X.509 certificate for names smile.amazon.com or www.amazon.com (as appropriate) when my browser connects to port 443. A fake server's certificate won't be issued by either A. a CA certified by Mozilla or B. a self-signed C
Re: Better than your illogic logic (Score:1)