back to article Anti-adblocker firm PageFair's users hit by fake Flash update

Ad-blocker blocker PageFair has announced that it was hacked over Halloween, exposing those visiting sites running its free analytics service (allowing those sites to see how many of their visitors were using ad-blockers, perhaps to prevent being served malware by a third-party) to an executable masquerading as an Adobe Flash …

  1. Blank-Reg


    ... deep breath ....


    Textbook example of everything that's hated with web ads:

    - Attempt to force me to whitelist? Yep

    - Flash used as attack vector? Yep

    - Malware? Yep.

    Plonkers all round.

    1. Anonymous Coward
      Anonymous Coward

      Maybe I've misread the article, but I don't think Flash was the attack vector:

      "PageFair stated that attackers had sucessfully executed a spear-phishing attack against "a key email acccount" from whence a rapid password reset allowed them to hijack the company's CDN account.

      "The attackers had a plan," Blanchfield told The Register. Once they had access to the email account, they modified the analytics' JavaScript tag to some JavaScript of their own."

      don't get me wrong - I wouldn't let Flash near any of my kit, but it wasn't a Flash exploit used in this case

      1. Sir Runcible Spoon

        What is it they say?

        Build it and they will come?

        Seems to apply to insecure methods of ad delivery and tracking too. Ironic.

      2. Blank-Reg

        True, it wasn't used as the main vector of infection, more used as a social engineering trick I suppose. Still, the point stands in that Flash is a crock and again its name or software used in the distribution of malware.

        1. John Brown (no body) Silver badge

          "True, it wasn't used as the main vector of infection, more used as a social engineering trick I suppose."

          Abso-bloody-lutely. Average users are so used to seeing almost weekly update alerts for Flash why would they be suspicious of yet another one?

  2. Doctor Syntax Silver badge

    Tl;Dr: Always use an adblocker.

    1. petur

      "Tl;Dr: Always use an adblocker."

      Well, maybe you should have read it, it would have informed you that your adblocker most probably didn't help since this attack came in over javascript. Always use NoScript ;)

      1. alain williams Silver badge


        That is why I do use NoScript and get it to block 3rd party (often == advertisers) javascript.

        I also don't run MS Windows which always helps a lot when it comes to security - for all sorts of reasons.

        1. Steven Roper

          Re: NoScript

          "That is why I do use NoScript and get it to block 3rd party (often == advertisers) javascript."

          The problem with NoScript these days though is that too many sites fetch content from fifty different domains to build the page. So you Allow for the main domain, and nothing happens except NoScript reloads with a two-screen-high list of domains the site also wants you to Allow in order to see anything at all.

          What needs to happen is a campaign (the people behind NoScript would be a prime driver for this) to let these bastards know that they're losing serious traffic because of this. Whenever I see a site that refuses to show me any content unless I enable Javascript for two dozen different trackers, I simply abandon it. That site has lost my traffic and any potential future business I might have brought. It also ends up on my blocklist so I never go there again.

          We need to let website owners know that this practice is unacceptable. We need to show them that it is costing them customers and traffic, and that their losses will only get worse. We need to send the lazy and incompetent buffoons passing themselves off as "web developers" these days the message to do the bloody work they're paid to do and set up the site properly on a single domain, instead of just throwing together a five-minute mashup of calls to half the internet fetching libraries and frameworks to do their job for them.

          1. dan1980

            Re: NoScript

            @Steven Roper

            I'm with you. I use NoScript and, while it's a pain to enable things selectively, for me it is better than the alternative. And I never enable trackers - even if the page won't load without them. I enable one thing at a time until the content I want comes up, but never trackers. (At least the ones I can identify.)

            I am no web developer but it is insane the number of websites that will just be unusable - in any way - without a half-dozen sets of JavaScript.

          2. alain williams Silver badge

            Re: NoScript

            What needs to happen is a campaign (the people behind NoScript would be a prime driver for this) to let these bastards know that they're losing serious traffic because of this.

            I would have hoped that the corporate website equivalent of Darwinian selection would happen here. The web site die through the lack of visitors. Unfortunately: most users have not heard of NoScript and probably never will, so these sites prey, and keep alive, on them but not more savvy visitors.

  3. nematoad


    "web pages increasingly use third party services to enhance functionality..."

    That's not in doubt. The trouble is the functionality is all for the benefit of the advertisers, not the users.

    Sod the fact that they are using up my bandwidth, slowing down my machine. It's, sell, sell sell.

    The biter bit!

    1. kryptonaut

      Re: Hah!

      The trouble is the functionality is all for the benefit of the advertisers, not the users.

      I enjoyed the irony of the article, but I don't think this comment is strictly true - or at least it's more nuanced than you paint it. Whilst the functionality is initially for the benefit of the advertisers, they in turn benefit the ad-brokers, who in turn benefit the content creators, who in turn benefit the users by providing websites.

      I know this is an unpopular thing to point out, but advertising finances a large chunk of the internet (including El Reg) and until someone comes up with a better (and fraud-resistant) way for micropayments to propagate from content users to content providers, ads are probably here to stay.

      1. GrumpenKraut

        Re: Hah!

        > ... but advertising finances a large chunk of the internet...

        That is _exactly_ the chunk of the internet I'd merrily get rid of. Yes, I'd pay for the Reg's value added snark.

        Advertisers: FU, FU, and FU very much. Thanks for listening.

      2. Grikath

        Re: Hah! @ kryptonaut

        You may have a point, but the problem is that the advertising industry is notoriously bad at any form of self-restraint, or for that matter scruples and morals. They can, will, and have used every available method at their means to slam whatever-they're-peddling into our faces, to the point where sites become un-navigable, unwatchable, and take ages to load. And that's for the RESPECTABLE sites..

        It's worse than the height of the pop-up era, and with the advances in scripting, carries even more risk.

        So yes, people with a bit of common sense will use ad-blockers. If websites are dependent on ads, let them convince me that they run a tight ship, and monitor what gets displayed. If so, I will whitelist that site, so my visit will generate that €0.001 for them. If not, tough for them. Blocking me because I use an ad-blocker? Not likely I'll ever stop by again, period.

        1. Little Mouse

          Re: Hah! @ kryptonaut

          @Grikath - They can, will, and have used every available method at their means

          You're not wrong there. I'm surprised they haven't forced Blipverts onto us yet.

          I suspect that the only reason they haven't is that everyone in Advertising is a twenty-something "The Apprentice" wannabe and far too young to have even heard of them.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hah! @ kryptonaut

            Well, I have always advocated that I PAY ALREADY for my Internet access. Now, if a site needs to pay for their offerings then the FIRST page should be a plain text page like this:


            Then nobody will see the bloody crap. Now-a-days, you go to some sites, and they just take SOOOOoooooo...... long to load with all the shit going going on I never bother no more.

            And it's getting worse.

            Bring back 33Kps modems, get web sites to wise up.

          2. Fungus Bob

            Re: Hah! @ kryptonaut

            @Little Mouse "I'm surprised they haven't forced Blipverts onto us yet."

            Are you sure they haven't? Blipverts *are* very short and easy to miss, you know.

      3. Infernoz Bronze badge

        Re: Hah!

        Sorry, it's too late to argue for sloppy design advert funding of sites now. Adverts streams, an insane flood of analytics streams, various bugs and other covert deceit are out of control, so no sympathy or mercy!

      4. Doctor Syntax Silver badge

        Re: Hah!

        "advertising finances a large chunk of the internet"

        Or, to put it another way, surely we can do better than this?

        1. kryptonaut

          Re: Hah! @Doctor Syntax

          "Or, to put it another way, surely we can do better than this?"

          As I said - "until someone comes up with a better (and fraud-resistant) way for micropayments to propagate from content users to content providers, ads are probably here to stay."

          An alternative would be great, but I don't know what it is - whoever comes up with it will probably do well for themselves. If you think you know how to do better than this, go ahead and do it!

          As things stand, content providers have little control over the particular ads that get served - they just say 'insert ad here' and get whatever google (or whoever) serve up.

          Personally I think the googles of the world should start taking more responsibility and vetting all ads they serve, giving them a list of characteristics (uses flash, autorunning video, sound, adult content, animation, text-only, static images, etc). Content providers could then specify which type of ads they would permit on their site. Undoubtedly the less wholesome ones would generate more revenue per impression, but it would be up to the content providers to trade off their earnings against their willingness to offend. As things stand at the moment, that degree of control doesn't really exist - google/adsense lets you choose between ads featuring a list of links, or text-only ads, or basically everything else. No way to choose between static images or jiggly animations, etc.

      5. NotBob

        Re: Hah!

        So how many more adverts to finance El Reg getting ssl figured out?

    2. Terry 6 Silver badge

      Re: Hah!

      I wouldn't expect other than (or even object to) the advertisers material being all for their benefit*. Why else would they do it. But I do object to advertising that uses " third party services", because that is like them opening the door for their friends to sneak in with them.

      *Yes I do use the usual ad-blocks. I said I didn't mind that it was all for their benefit. I didn't say I would let them get away with it. I do look at a few adverts from time to time, though. Or at least unblock and click on a few from time to time, which is not quite the same thing..

    3. dan1980

      Re: Hah!


      Regarding 3rd party services 'enhanc[ing] functionality', well, some of it is indeed for the visitors. a CDN can certainly make for a quicker and more responsive experience as well as faster downloads of files.

      Other third-party tools can be javascript libraries used to build portions of the site, such as jQuery, wForms/qForms and js Charts or DateJS and these can definitely be used to 'enhance' a website. That's subjective, of course, and a prettier menu does not necessarily equal a better experience but a website with well-built forms with good validation that are able to parse information in all the myriad ways that people may enter it, well, that is good for everyone.

      Other examples are pre-built engines for things like eCommerce, which can offer a far broader range of payment options and, generally, better security than many smaller sites could offer on their own.

      Yes, many third-party services benefit people other than visitor but it's far too general a statement to say that all third-party services do.

      1. John Brown (no body) Silver badge

        Re: Hah!

        "Yes, many third-party services benefit people other than visitor but it's far too general a statement to say that all third-party services do."

        Yeahbut, why do 3rd party scripts have to load from "home base" instead of being installed on the domain I'm visiting? Most of the so-called 3rd party scripts etc could just as easily work by being local to the domain and probably much faster since less DNS etc. I'm sick of waiting at some site because the 3rd party stuff is talking ages to load. Unless they have some unique information I want or the best possible price, then I'm out of there.

        I'm betting that the 3rd party providers do it this way because they also want their share of data collection/harvesting as well the cash from the site owners paying for the service (or it's "free" in exchange for harvesting data)

  4. Anonymous Coward
    Anonymous Coward

    Just need to see Kim Wrong-un fall down an uncovered manhole and that will complete a happy day.

  5. Richard 119

    And this is why my adblockers stay on all the time.

  6. Anonymous Coward
    Anonymous Coward


    I don't block text adverts on thereg.

    In the last few days I started using Firefox on Android with an adblocker though, it just got too annoying for me to continue with the adds. They were the last pieces of the page to arrive, content jumped about and the article:advert data size ratio was too high. A sub would be cheaper than the mobile bandwidth.

    Adverts on websites are dying, better look for another revenue stream.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hint...

      Yeah. good point - and how many times do you think it's all done, click on a link, and then it all moves again and you end up some where else.... Grrrrrrrrrr

    2. Grade%

      Re: Hint...

      I pointed my mouse to the Cash'n'Carrion and spread large (um, does that sound right?) for a nice El Reg tshirt that I strut around in in our burg. I figure that absolves me from feelings of guilt over my adblocker. Amen.

  7. Old Handle


    I hope the people who visited those sites were using NoScript to stay safe.

  8. Anonymous Coward

    BTW, thought here

    I was 56 last month - and I have never ever bought anything in my life being prompted seeing an advert. How many other people have done that? How do adverts work? To me, it seems a dead end, yet they make {b/m}illions from it.

    1. Grease Monkey Silver badge

      Re: BTW, thought here

      I'm with you on that (although seven years younger) however I think one of the reasons so much is spent on advertising is the way market research works. How often have you be en resented with a questionaire like this:

      Where did you see our advert:

      a) internet

      b) television

      c) magazine

      d) other

      There's seldom a box for - I've never seen your adverts and certainly wouldn't pay attenstion if I did. In other words so many retailers start from the assumption that we are incapable of making a purchase without advertising, so they continue to spend fortunes on advertising because their research via questionaires shows them it works.

      Of course those questionaires are probably written for them by market research firms who are part of the advertising industry.

      The massive uptake on ad blockers should show that people find online advertising intrusive. Instead it seems to make the industry push even more online advertising at those who don't use an ad blocker, which in turn makes even more people install one. Targeted advertising is so much worse as it seems to work on advertising stuff that you already own. Of course this means that the ideal product to advertise would be an ad blocker since it would never be advertised to somebody who already has one.

    2. Martin an gof Silver badge

      Re: BTW, thought here

      I have never ever bought anything in my life being prompted seeing an advert

      Are you sure about that? Adverts come in all shapes and sizes and while I personally would contend that I have never (for example) bought a particular brand of breakfast cereal having just driven past a billboard advert, I cannot honestly say that I have never been influenced by things such as Amazon's "customers who bought this also bought" - which is definitely a type of advert.

      Then there are the more subtle things. Is it "advertising" when I go to a retailer such as Misco or Dabs or CPC and click on "computers... hardware... components... hard discs..." and there is a list of "best sellers" at the top, followed by a list of hard drives sorted by "relevance"? (and how come they can remember my preference for prices with/without VAT but not my preference for lists sorted by price?) At the very least this is "promotion", and what is promotion if not a form of advertising?

      What about when I go to the supermarket to buy my usual "Brand A" but find that "Brand B" which is usually more expensive has a "promotional offer" which makes it cheaper? The promotion is a cost to the manufacturer in the hope of persuading me to change my buying habits so in all but name it is exactly the same as an advert.

      Can you still say with such certainty that you have never been influenced by an advert into buying something?

      I like NoScript and I have it installed on all copies of Firefox. I do not use a specific ad-blocker, but I do try to avoid some trackers using Ghostery. NoScript is, however, a bit of a pain when you first start using it as there are so many things that just do not work without Javascript. Google Maps "When you have eliminated the Javascript, whatever remains must be an empty page" is a particular gripe, but getting some e-commerce sites to work when they embed SagePay and it doesn't immediately show up as being blocked is a pain. Eventually I work these things out and get some things whitelisted. Other things I just "temporarily allow".

      Certain other people I could mention just avoid the issue and continue to use the well-past-its-sell-by-date copy of Safari that Apple won't update because the Mac is too old.

      What I can say for certainty is that I have never "clicked-through" a third party advert on any website I visit...


    3. captain veg Silver badge

      Re: BTW, thought here

      Disclosure: advertising pays my salary.

      It's not all about prompting an immediate purchase. There's this subtler thing called brand awareness such that when at some point in the future you are considering a purchase, you tend towards the brands that you know.... possibly because of the ads you saw.

      But yeah, for myself I only ever notice ads that make me *less* likely to buy the product.

      There's billions in advertising, and it only exists because it works. The paradox is that when you buy an advertised brand, you are paying for the adverts that may well have influenced the purchase. It's a kind of tax, but one which you are free to avoid. When it comes to the products in the category of "long ago solved problems", like detergents and toothpaste, the only factor that I take into account is the price. There's no technical differentiator to justify paying a premium.


      1. nijam Silver badge

        Re: BTW, thought here

        > There's billions in advertising, and it only exists because it works

        It only exists because it works when ad agencies are marketing their advertising services to their (potential) customers. Which is not quite the same thing.

        1. captain veg Silver badge

          Re: BTW, thought here

          Au contraire. Companies like Unilever and Procter & Gamble are essentially advertising companies. Or if you prefer, brand farms that contract out the messy business of actually placing copy. They know much better than the agencies exactly what they want out of the campaigns.

          You could make a case that Apple is mostly an ad-supported brand, given that Foxconn et al actually make the stuff.


  9. Cincinnataroo

    Block the sods

    We need something like:

    and maybe all their minions.

    I tried to post this on their site but it failed (blocked?)

    "I prefer choice.

    In my case I don't want ads. I'm happy to pay a small amount for worthwhile content. (There must be fairness too, with click-bait rubbish.)

    So you have come down on the dark side for me. In the name of fairness I suggest you publish all domains / end points that you serve from and that serve your spyware. Those who care, can then simply block all of you. Let's see whether you are really for fairness or just after your own profit? You can put the list here and on your web site, from a top level menu item."

  10. Mark 85

    A bit of irony...

    A company who is against adblockers (supposedly they are working for non-intrusive ads - hahahhaha) gets spear-fished, attacked, and their site starts serving malware. And they wonder why we use adblockers and No-Script.

    No irony icon but this is hilarious..... so...maybe I should bill them for a new keyboard --------------->

  11. Mark Wilson


    Not sure if it was the same attack but I did witness something like this, the other night on the Telegraph's website. Told me my Flash was out of date and I had to update to continue. As I don't use Flash anyway I didn't download it.

    1. Grease Monkey Silver badge

      Re: Telegraph

      You visited the Telegraph website? Wow!

  12. Your alien overlord - fear me

    "the company was full of security enthusiasts " - the very worst kind of security bods. They need to employ security *professionals* to do the grown-ups security work.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon