Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Advertising Security Privacy

Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com) 135

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
This discussion has been archived. No new comments can be posted.

Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year

Comments Filter:
  • No problem (Score:1, Informative)

    by Anonymous Coward

    Only morons would browse the web without an adblocker anyway.

    • by Anonymous Coward

      Only morons use adblock in the first place. All you really need is to make flash click-to run, uninstall Java from the browser and you've closed off 100% of the malware vectors.

      The amazing thing is how sophisticated "bad ads" have become. Legitimate networks run ads from trusted partners, and the partners still manage to get hacked, and the hacks persist for months because the target is so incredibly narrow that nobody actually knows where it's coming from.

      Like, I manage ad networks, and when people report

      • Re: No problem (Score:4, Insightful)

        by Anonymous Coward on Friday July 29, 2016 @10:25PM (#52610349)

        "Like, I manage ad networks"

        And there it is. No one wants to see fucking ads you stupid mother fucker.

      • by Calydor ( 739835 )

        Okay, so that closes the malware vectors.

        Now we STILL have to remove the ads to reclaim the 50% or more of screen space they claim on many sites, allow sites to load faster (especially on slow or datacapped connections), and generally avoid having epileptic seizures from all the flashing gifs and other crap that still floats around out there.

        • There was a post two weeks ago on an adtech blog suggesting that some publishers* are about to go full DMCA/CFAA on developers of ad blockers that include an ad blocker blocker blocker. By this legal theory, an ad blocker blocker is an "access control" measure [blockadblock.com], and an ad blocker blocker blocker is a "circumvention device".

          Learning about this plan has led me to think of ways to provide a better experience on a metered Internet connection without specifically blocking ads. One is to set a cap on how much data

          • Man, that iab.com article is total garbage.

            Paragraph after paragraph of empty marketing drivel, and no explanation whatsoever about what 'LEAN' actually means.

            Light, Encrypted, Ad choice supported, Non-invasive ads.

            Ok, so... define 'light'.

            • Two of them are easy. "Encrypted" means served through HTTPS. "Ad choice supported" means supporting the YourAdChoices control [youradchoices.com] to turn interest-based ad delivery on and off.

              The other two are a bit more vague, but Google iab non-invasive ads returns IAB Tech Lab Solutions [iab.com] with a bit more explanation. "Light" means a maximum data size, as specified in IAB Creative Guidelines [iab.com]. "Non-invasive" means that ads do not cover the body of the article, and ads other than an interstitial before a video body do not autom

          • by qeveren ( 318805 )

            A "Load More" button would only get you a bunch of ads, wouldn't it? Don't they tend to prioritize loading of ad data on a page?

            • by tepples ( 727027 )

              Present adtech delivers the text of an article through the initial HTML document and advertisements through scripts loaded asynchronously. This means the text of the article is available to the user before the style sheet, images, ad delivery scripts, and the like. A full implementation of access control would encrypt everything in the article below the abstract or lead section so that cleartext isn't available until the ad delivery script has run.

              Or should I shut up and not give publishers any ideas?

      • All you really need is to make flash click-to run, uninstall Java from the browser and you've closed off 100% of the malware vectors.

        [...]

        I manage ad networks [...]

        And with just that first sentence, you've managed to make it abundantly clear that you neither understand the threats that exist in your own field nor should you be entrusted with managing ad networks.

        I'm far from being an expert (just some some graduate work in nearby topics), but off the top of my head I can think of nearly a half-dozen attack vectors that rely on neither Flash nor Java (e.g. Javascript drive-by downloads on machines set to auto-execute downloaded files; maliciously-crafted images/audio/P

      • by doccus ( 2020662 )

        Lots of flash ads get past "click-to-run". I'd love to know how as I always have that set, so they shouldn't.

  • Yea- Ars Technica disappointed me in there ability to accurately report the news making it sound like the FCC hasn't undermined free software users.
    • Ars Technica disappointed me in there ability to...

      You've disapointed me in you're ability to speel correctly.

    • Yea- Ars Technica disappointed me ...

      What disappoints me is that if I go to the Ars of Tech site right now, there is no notice to their users of this, or any mention of the story.

      You can count me in the "until somebody surfing with their pants down and no ad blocker actually sues the website that delivered it, nothing will change" camp.

  • We knew this (Score:5, Insightful)

    by Anonymous Coward on Friday July 29, 2016 @08:55PM (#52610073)

    Its why Ad-blocking has become a thing. So, yeah, we're gonna keep blocking ads to avoid this crap.

    Stop using Flash. Don't even allow it on your website.
    Bring advertising in-house. Its not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now and wants to advertise on it.
    Stop looking at those who block ads as your enemies. These are the smart consumers you want to engage with. Unless your shoveling shit of course.

    We warned you and warned you this was happening, but you were blinded by money and laziness. Now you're merely getting what was coming to you.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Friday July 29, 2016 @10:36PM (#52610397)
      Comment removed based on user account deletion
    • +1. AdBlock (or uBlock Origin in my case) and NoScript means I'm highly unlikely to have been hit, since the stuff never even got to any of my systems.

      Well, that and the fact that I'm using a fringe browser whose market share is so insignificant that it probably won't be much of a target for the bad guys. Firefox, that is.

      • The telegraaf.nl site (biggest Dutch newspaper) has been running an anti-ad-blocker for a long time now. When you try to access the site you get instructions how to disable your adblocker, but not the articles or even the frontpage itself. In response I stopped reading telegraaf.nl, and in hindsight that feels like a good decision.

        • It's odd, I sometimes get complaints about AdBlock from sites, but can usually proceed anyway, presumably uBlock Origin does something sufficiently different that AdBlock-blockers don't quite work on it.
        • by radja ( 58949 )

          to be fair, that nag screen can simply be closed and you can see all of the site just fine.

        • The telegraaf.nl site (biggest Dutch newspaper) has been running an anti-ad-blocker for a long time now.

          Oh NO!

          I don't want to live on this planet any more.

    • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Saturday July 30, 2016 @06:43AM (#52611343) Homepage Journal

      Bring advertising in-house. Its not 1997 anymore, there is no reason to rely on 3rd party platforms for advertising. Everyone knows the internet is a thing now

      How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?

      and wants to advertise on it.

      But without an intermediary, you can't advertise on "the internet". Instead, you would have to advertise on individual publishers' sites, which is much more time-consuming for both advertisers and publishers.*

      Say you have 30 publishers, each of which wants to find relevant advertisers, and 30 advertisers, each of which wants to find relevant publishers. If there is an intermediary, this means 60 contracts to review and sign. If there is no intermediary, there are 900. How does a change from O(n) with an intermediary to O(n^2) without one improve the market?

      And even then, how will an individual publisher be able to reassure its advertisers that view and click statistics are accurate and not inflated? All other things being equal, an intermediary such as Google is considered more trustworthy because it has more to lose should a claim of fraud end up substantiated.

      * In the advertising market, a "publisher" is the operator of a site that carriers ads.

      • How do advertisers know which particular sites are "a thing", especially smaller sites that are too big to be run as a pure hobby but not yet big enough to be household names?

        And you can't.

        But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.

        The model is broken, and needs fixed. And if some sites go out of business, well - insuring their right to deliver malware is not what we signed up for.

        What is needed is "ethical advertising providers" as a service. With vetted ads checked for problems. Then I might consider turning off the programs I use to protect my systems.

        In the meantime, if a site won't l

        • by tepples ( 727027 )

          But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.

          You signed up for a Slashdot account, and Slashdot is ad-supported.

          In the meantime, if a site won't let me in, I just look it as if I caught a 404.

          If I see such a "404" in a story or comment on Slashdot, should I report it in a reply, as I've done here [slashdot.org]?

          • But you have to remember, we never signed a contract with teh internetz that these folk have some sort of right to existence.

            You signed up for a Slashdot account, and Slashdot is ad-supported.

            And if Slashdot goes away? I have no contract with Slashdot, and if eventually they go away, I won't be pleased, but I can find other ways to spend my time.

            In the meantime, if a site won't let me in, I just look it as if I caught a 404.

            If I see such a "404" in a story or comment on Slashdot, should I report it in a reply, as I've done here [slashdot.org]?

            I do have a good idea that the inability to get into the site it is of my own doing. That's a choice I made. I do know now to not bother going to a forbes link in here. But anyone else is welcome to take a hike if they block me.

            I have long said that the model is wrong. A website like say Forbes signs up with an ad provider. The provider populates the site with ads. So far so good.

            But who is the ad provider, and do they provide responsible ad links?

            And Forbes is the specific case illustrating that thi

  • by jrumney ( 197329 ) on Friday July 29, 2016 @09:03PM (#52610095)
    Make sites responsible for the ads they carry. The address networks (Google and whoever is left that they haven't bought yet) will then be forced by the customers with enough power to start taking responsibility, which will incentivise them to do more about the problem. As long as we allow companies to pass the buck, advertising will remain an opportunity for criminals to exploit.
    • by mcmonkey ( 96054 )

      I support the sites I visit through memberships and services like Patreon. I buy CDs and BluRays for the artists I like. (Yes, I'm the one.)

      But I have web ads blocked every which way. Can't trust the ad networks.

      • by tepples ( 727027 )

        I support the sites I visit through memberships

        Would you be willing to purchase a month's membership to a site for $4 just to be able to view one article past its abstract?

        and services like Patreon

        I've read reports in comments to an adtech blog that "please put some coins in our cup" isn't enough to fully fund a site's operation unless it puts donation nags in your face [blockadblock.com] like Wikipedia does: "If YOU do not donate, this site will have to SHUT DOWN."

      • by Anonymous Coward

        I support the sites I visit through memberships

        Then why do you not have a little star next to your name on slashdot?

    • Re: (Score:3, Insightful)

      by msauve ( 701917 )
      "Make sites responsible for the ads they carry."

      I disagree. If a website is open, so visitors can protect themselves by using ad blockers or other filters, they should not be held responsible for third party content. They should only be responsible for the content they provide directly.

      But, if a website forces visitors to disable ad blockers (or filters of any sort) before using their site, they should then be held responsible for any malfeasance due to all content they provide, directly or indirectl
      • by WorBlux ( 1751716 ) on Friday July 29, 2016 @10:38PM (#52610411)
        Control = responsibility. The ultimate decision weather to serve an advert or not, lies with the domain controller., and thus the ultimate responsibility. Make the primary site liable to malware served through it. In effect this will force ad networks to offer indemnification policies on their ads, and the pointy hair types will finally see a reason to properly screen and sandbox advertisements.
    • The US government and various others have gone after Google for letting through prescription drugs and the likes. They have even gone after Craigslist. It doesn't work. The UK government has gone after advertisers in the piracy fight as well. It's not going to work.
      • by jrumney ( 197329 )
        It doesn't work because they use the "common carrier" defense, as there is no law making them responsible. That is why we need such a law, so that they cannot wash their hands of this and pass the buck to anonymous criminals outside the reach of countries with effective legal systems.
        • by Anne Thwacks ( 531696 ) on Saturday July 30, 2016 @01:27AM (#52610811)
          Common carrier protects ISPs. It does not protect website operators. It most certainly does not protect people who serve third party ads containing malware. They are in the same boat as people who sell contaminated food supplied by third parties.

          The consumer has right of redress against whoever supplies them.

          Except in America, where the criminal has the rights to whatever he can get away with.

    • The answer to malvertising is ad block (of some kind). Use it. You're negligent if you don't.
      • by jrumney ( 197329 )
        That's a bit like saying the answer to rape is condoms. Don't look down on the victims who weren't geek enough to know about Ad blockers.
        • Don't look down on the victims who weren't geek enough to know about Ad blockers.

          I don't look down on them, I look down on the advertisers.
          But they need to learn about ad blockers, for the good of all of us.

        • by Cederic ( 9623 )

          No, it's like saying an answer to unwanted pregnancy is condoms.

          The media sites demanding you disable your protection are just like the Catholic church, worried a revenue stream might dry up.

    • by AmiMoJo ( 196126 )

      How are you going to hold these sites to account? Many of them are outside your legal jurisdiction.

      The only solution is to block ads, and all third party content in general.

      • by tepples ( 727027 )

        Then put JavaScript on a whitelist, and have the UI for editing this whitelist geolocate the IP of each hostname so that you can be more cautious about servers in countries where you can't sue.

    • Why aren't they? Has this been tested in court?
    • Why not just go a step further and make Adobe/Microsoft/Oracle/Google/Apple etc liable for the bugs in their software ? Make the companies who supply the software liable. That will incentivise them into making it safer.
  • by Anonymous Coward

    This is one of the reasons I disable Javascript in my browsers (No script, or just flat out disable it.) I only enable it to get the content I need. It's a PITA, but it's safe and speeds up my browsing on everything...

    Does it hurt free content providers like /. ? Yes, it does. Does it hurt ad companies? Yes, it does.
    Do I give a shit? No, I don't. Am I one of those wacked out crazy anti-ad persons? No, I'm not. I don't mind most ads whatsoever...

    So what should they do? Go back to the past. Sell static banner

    • That's why I prefer script blockers over ad blockers: the static stuff and animated GIFs still get through, while blocking Flash ads and those ads that will animate and play a sound when you roll over them. If a lot of people start doing this, perhaps the ad networks will start to see a pattern, and adjust accordingly.
    • So what should they do? Go back to the past. Sell static banners/small animated gifs. No javascript, no flash, no tracking, no malware. Simply sell static ad space for X amount of money per Y amount of time.

      Sell ad space to whom? Your "no tracking" rule appears to rule out ad networks and ad exchanges in favor of each publisher* having to run its own ad sales department. So what can the publisher of a smallish site do to find enough advertisers to buy most of its inventory? And how can this publisher assure advertisers that the view and click statistics that it provides are accurate?

      * Operator of an ad-funded site

  • This is why I call them not "Adblockers" but "Malware Vector Blockers".
  • Obligatory (Score:5, Funny)

    by IWantMoreSpamPlease ( 571972 ) on Friday July 29, 2016 @09:26PM (#52610157) Homepage Journal

    There are ads on the internet?
    Who knew?

  • by elrous0 ( 869638 ) on Friday July 29, 2016 @09:43PM (#52610237)

    And, to think, several of those sites had the nerve to chastise me for using it.

  • so who is being held accountable for this? nobody? seems blocking ads is not only justifiable but also a moral imperative too.

  • by guruevi ( 827432 ) on Friday July 29, 2016 @09:48PM (#52610253)

    I didn't get infected (exclusively Linux and a few Mac since 1995) but I got several attempts of sites downloading Windows scripts/binaries, some weird interaction with a custom Chromium build. I reported them to Google and submitted the sample to a few AV vendors, nobody cares, large sites (think CNN, WaPo, ...) had the same ads attempting the same thing for weeks on end and the download never got recognized by AV. I stopped caring too, the ad sellers sell ads and that's all they care about. AV companies only care about the big threats because scary sells, some custom package that affects a few dozen of their customers doesn't matter.

  • When my customers wonder why so many internet sites are broken I explain that we don't allow java or javascript and any site that needs it needs to be looked at with a jaundiced eye.

    Between noscript, requestblocker and adblock plus, I have not has a single customer fall victim to any of these web based malware packages.

  • Every time I talk to my bank they look askance at me for not banking online. This is why I don't.

  • Make the sites fully liable. Problem solved
    • With sites, its not their software. Its Adobe, Oracle, Microsoft, Apple, Google, etc who write the software, make them liable. Your example is like making Toyota liable for an accident caused by a pot hole in the road.

We are each entitled to our own opinion, but no one is entitled to his own facts. -- Patrick Moynihan

Working...