back to article Malvertisers slam Forbes, Realtor with world's worst exploit kits

Malvertisers have hit prominent websites Forbes and Realtor.com, redirecting victims to two of the world's worst exploit kits. FireEye threat bods J. Gomez and Genwei Jiang reported eight Forbes URLs attached to news stories from 2012 and 2015, in one of the attacks. Those pages bounced readers to a HTML file and onwards to …

  1. graeme leggett

    responsibilities

    If one was to visit a legit website like Forbes.com and caught something nasty off an advert served to you, whose fault?

    The advertising broker for not checking ads

    The webpage owner for not checking ad broker

    You for not having all relevant updates installed

    Your OS manufacturer for not having provided patch

    The plug-in provider for not having patched

    Your AV/anti malware vendor for not having latest signature

    Excluding any claims of deniability from EULAs or T&Cs as not worth the paper they're printed on, does it come down to foreseeable risk in each case? A reputable big business ought to be more aware and capable of providing resources to mitigate malverts than a self published site.

    1. dan1980

      Re: responsibilities

      @graeme leggett

      The website owner - i.e. Forbes & Realtor in this case.

      Why? Try translating it to television.

      Let's say you are watching a program with your kids on a Sunday morning and an ad comes on full of naked, sweary humans advertising alcohol*. Who would you blame?

      You might say that TV stations book and vet their ads in-house but that's almost proving the point - TV stations have to review and vet advertising because they are responsible for what they show. They can't just throw up their hands and say: "we just provide ad space and a third-party sells that space to the highest bidder."

      That's just not going to fly and so it shouldn't here.

      If the ads on your site aren't being verified and vetted then you should find a different provider of ads - one that does ensure that only legitimate, virus-free ads are shown.

      * - For this exercise, let's ignore music videos . . .

    2. Tromos

      Re: responsibilities

      Whose fault?

      Don't forget to add the BBC to the list for encouraging people to load the main entry point for malware, i.e. 'Download Flash Player now'

    3. Terje

      Re: responsibilities

      You did forget the most obvious ones.

      The ...ing bastards who make the exploitkits.

      The ...ing bastards who use the malvertisment to install abovementioned exploitkits.

      The ...ing bastards who run and profit from the botnets created and maintained by abovementioned exploitkits and malvertisements.

      I can't help but feel that if just a fraction of all the money spent by moronic politicians on saving us all from terrorists this would be a non issue.

      1. dan1980

        Re: responsibilities

        @Terje

        Well, yes, but that's not exactly the point. There will always be people doing the wrong thing and yes, ultimate blame lies with them, but that doesn't absolve everyone else.

        The question is whether a website is responsible for the ads shown through its page. I believe that, by and large, they should be.

        Depending on how you compare the situation to other, more every-day scenarios, it can be a bit of a grey area. Take a restaurant found to be serving food that makes their customers ill. If it's in the handling and storing and preparation of the food then the case is clear - it's the restaurant's fault. But what if the cause was bad produce from the supplier?

        That's less clear but it is still reasonable to expect the restaurant to do its best to ensure that the produce they are purchasing is coming from a reputable supplier and is fresh and of good quality. In some instances it may be very difficult to tell is some particular piece of produce is 'bad' and I would be reluctant to assign blame to the restaurant in that case, though I would be surprised if they didn't apologise profusely and offer complimentary meals to all those affected - that's just good sense.

        HOWEVER, what has happened in the case of these malware-laden ads is not quite the same. To translate what has happened back into the restaurant analogy, it would be as though the restaurant just accepted whatever rocked up on their back steps, without question or inspection and dumped it on a plate. That's not a reasonable level of care - it's an utter abdication of responsibility.

        And, while the ads are not the content that site visitors are looking for, it is something essential forced upon the BY THE SITE. With that in mind - that the content is not something user is searching for but is pushed onto them by the site, alongside the content, that clearly puts a responsibility on the site to ensure that what they are forcing upon their visitors is safe.

        1. Terje

          Re: responsibilities

          I say that the very argument you put forward here is wrong. To continue with your restaurant analogy. The restaurant orders a box of icecream cones to offer to children this is the equivalent to the advertisements. Now we have to possible assumptions to make.

          1. The icecream maker supposedly make ice cream and the icecream is probably good because it is when we sample it so we serve it complete with the wrapping paper to the kids.

          2. The icecream maker is either evil or someone in the chain is evil so before serving every icecream we unpack it and analyse every part of it to make sure there's no poisons in any part of it.

          I for one believe it's entirely unreasonable to expect a restaurant to follow the later alternative.

          1. dan1980

            Re: responsibilities

            @Terje

            I never claimed it was a perfect analogy and that, as it is a grey area, the responsibility (and therefore the potential liability) isn't always clear-cut.

            The problem with the counter-scenario you put forward is that the website is not 'offering' the potentially dangerous content (ice-cream) to the visitors; it is offering some wanted content and then more-or-less forcing the visitor to be exposed to some other, unregulated, potentially-dangerous content.

            As I said, it's not a perfect analogy and I used it only to explain how determining responsibility is very dependent on the specifics of the situation.

            It matters not one whit that the content on the site is free to consume - the site can still be liable. To pull another (imperfect) analogy out, consider a marquee setup in some public place - a mall or thoroughfare perhaps. On the outside are signs directing people inside where they will receive free tax advice. Once inside, you find that there are television screens all around displaying explicit ads for porn sites.

            Upon complaint by people who walked in and were offended - perhaps with their children - do you really think it would be an acceptable defence for the stall owners to say that they don't decide on the advertising content and leave it up to some third-party?

            I apologise for the continued analogies but the simple truth is that these things have precedent in the 'real' world and the idea of holding a company responsible in situations like this is far from unusual.

            The standard legal protection is to put a in disclaimer - the way video games do with warnings that the "experience may change during online play". If you gave out a free DVD advertised as having childrens' cartoons on it and then, half-way through, an advertisement for an R-rated movie - complete with 'violence', 'nudity', 'coarse language' and, of course, 'adult themes' came on, you would be right to complain. Unless, that is, the DVD was clearly marked that it may contain adult content, in which case you bloody well wouldn't pop it in the player for your 6 year old.

            Likewise, if sites like this are going to rent UNREGULATED space on their pages for ads that may contain malware then they should be required to have a disclaimed displayed before you get into the site that clearly states that it contains unregulated content that may include malware served as advertisements.

            The expectation is that, if you go to the Forbes site, the content on that site will be controlled and regulated by Forbes. It isn't bloody 4chan, after all.

            1. Anonymous Coward
              Anonymous Coward

              Re: responsibilities

              I'd actually see ad serving more like the following (using a pub, this time).

              You go into a pub and the beer and food is fine.

              The pub lets a bloke come in every Friday to sell some some fruit and veg and takes a tiny percentage of the takings

              After years of nothing happening, the bloke unknowingly sells some apples laced with Arsenic.

              Is the pub owner liable for letting this bloke use his premises to sell his goods?

              1. dan1980

                Re: responsibilities

                @Lost all faith...

                I see your point but this fails to capture the salient point, which is that the ads come as part-and-parcel of the content you are actually there to view.

                With the pub and beer analogy, it is more like going into a pub for a beer but before you drink the beer, you have to drink a shot. The shot is poured by some chap not directly affiliated with the pub and their the bartender not the person pouring the shot know what is in it - it was given to them by someone else who paid them money to serve it to customers buying a beer.

                Again, it falls down because no one is 'buying' anything but the important point is that the questionable, unverified content is streamed in with the desired content - it's not something people have the option to say no to. (Adblockers aside.)

        2. Don Dumb
          Boffin

          Re: responsibilities

          dan1980 - "Take a restaurant found to be serving food that makes their customers ill. If it's in the handling and storing and preparation of the food then the case is clear - it's the restaurant's fault. But what if the cause was bad produce from the supplier?"

          The analogy is a good one but there is a bit of a flaw when think about who the customer is in each situation.

          Putting aside criminal responsibilities for a moment, the responsibility a restaurant has is between itself and those it enters into a contract with (the customers and suppliers), the supplier is merely a subcontractor in the contract to provide its customers with a meal. Therefore, if you have been given dodgy food in a restaurant, it is the restaurant that should reimburse you. The restaurant might then attempt to get those damages back from its supplier (who may then go to its supplier, etc) but that isn't the concern of the customer. The customer doesn't have any contract with the food supplier.

          So yes, the restaurant should have standards about the quality of the food supplied as they are expected to deliver a standard of quality to their customers. Basic supply chain and subcontracting.

          However, the problem with this is what is the contract that is being entered into? You're not paying for the website like you are a meal.

          I'm sure the websites would claim that they are not delivering adverts to their readers, they are delivering news stories to the readers and eyeballs to *their* customers (advertisers). This would be like the restaurant giving you food free of charge but in return they just simply play the radio (and the radio pays them for this) and if your ears are damaged by the adverts on the radio, well that's not their responsibility its the radio station's.

          I think a better lever to encourage websites to do their job properly is criminal responsibility - do websites have a legal responsibility to ensure that the Computer Misuse Act (or non-UK equivalent) is not violated by content delivered on their site? I would argue that they do and that malvertising is very much a violation of 'anti-hacking' laws. If torrent sites are considered responsible to not link to torrents that violate copyright then news websites are even more responsible for adverts that their pages direct the reader's browser to download. If Cyber is the big national security threat then why aren't police forces prosecuting websites that assist in unlawful computer hacking. A few prosecutions and I can guarantee any major website will be vetting advert agencies very closely.

          1. Doctor Syntax Silver badge

            Re: responsibilities

            @Don Dumb

            I take your point about the sites' contractual arrangements being with the advertisers not the public who visit them. However, to continue with the restaurant...No, let's just say that the sites also have a duty of care to the public, as we all have. If, by negligence, they cause public harm then they must surely be liable.

            Apart from that they must surely have concerns for their reputation. Are they really content that their sites are bait to be used by criminals?

  2. Mark 85 Silver badge

    When El Reg says "the ad bounce visitiors" or "redirect"...

    is this an automatic thing or does the user have to click on the ad? I think this might be a factor in placing blame.

    And Terje is quite correct but I go a step further. The NSA in the States is given the task of protecting the country and to have the intel to prevent attacks. I would think that malvertising is an attack....

    1. Crazy Operations Guy Silver badge

      Re: When El Reg says "the ad bounce visitiors" or "redirect"...

      Indeed, I figure that since the NSA already has taps on all the lines going in and out of the US, they could easily slip a firewall or two in there to block malware...

      1. Anonymous Coward
        Anonymous Coward

        Re: When El Reg says "the ad bounce visitiors" or "redirect"...

        It'd almost certainly up their defense which has a reputation for being weak. Offense is their Forte, both in capabilities and what they are perceived to give.

  3. paulc
    Mushroom

    and they wonder why

    so many people are using ad-blockers these days...

  4. Spanky_McPherson

    Adblocking is now a basic security requirement.

    Sorry websites, I adblock everything. Provide a one-click method for me to pay you directly (and anonymously) for your content and I'll be happy to pay.

    Note I'm talking fractions of a penny per page, not a monthly subscription.

    1. Tree

      Re: Adblocking is now a basic security requirement.

      The installation of u-block or other adblocker saves time and bandwidth as well as making the websites less ugly. Security is a benefit, too. NoScript works well to prevent loud music playing and videos. I hate videos automatically playing. Using Palemoon fork of Firefox.

  5. The Travelling Dangleberries
    Facepalm

    In a related story, Advertising Age editor Ken Wheaton once said...

    “Sorry ad-blockers, I assume you mean well and you have a point about page-load times and ads junked up with tracking tools and Trojan horses and the like,”...

    Yet again another good reason to keep blocking ads. I mean we are talking about the Forbes website, not some badly maintained Wordpress blog running on an old server in a basement flat in Basingstoke.

    1. Doctor Syntax Silver badge

      Re: In a related story, Advertising Age editor Ken Wheaton once said...

      Is Basingstoke really that bad?

  6. channel extended

    In thier own house.....

    Advertizers are crapping in their own house and screaming about the mess. As for me I say you crapped , you clean it up.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020