back to article Malvertising: How the ad model makes crime pay

The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall. The increasingly sophistication with which online advertisers profile users …

  1. Anonymous Coward
    Anonymous Coward

    So basically

    If you drive the getaway car for a burglary, don't try telling the police they should let you off because it's a first offence. But if you are an agency that allows malware advertising, you need special treatment?

    If the rules were in place - allow malware advertising and you will be suspended for a certain amount of time - the agencies would have to get their act together and perhaps adopt a system not so open to abuse. Of course this might lead to a lot less advertising. But that would possibly bring in more, not less, money, because fewer adverts means people more likely to read them, so the price you can charge goes up. Currently it's a Gresham's Law world with bad advertising driving out good; exactly the same as with any other currency. Serious regulation could be good for the more reputable parts of the industry, just as serious bank regulation (when we had it) gave people confidence in banks and so promoted trade.

    1. Doctor_Wibble

      Re: So basically

      > But if you are an agency that allows malware advertising, you need special treatment?

      Sounds like that's what they want - and then we also have to see who is the agency and who is the client because the client may also be an agency.

      But as far as the hidden-registrant thing goes, if someone wants my business they can tell me who they are or they can piss off. Unfortunately advertisers are in that limbo where they depend on us for money but we are not the customer, and we are expected to trust their scripts and trust their animations as part of the sort-of-contract with the website we are on - so the blame ends up being spread a bit thin and it usually takes something fairly major before there is any incentive to get much done.

    2. Anonymous Coward
      Anonymous Coward

      Re: So basically

      If you drive the rent someone a getaway car for a burglary, don't try telling the police they should let you off because it's a first offence.

      FTFY. And yes, unless you are wilful and complicit. If it you keep renting getaway cars for burglars, that would be a different matter.

      1. big_D Silver badge

        Re: So basically

        @AC no, the advertising platform is driving the getaway car. They are "moving" (facilitating) the malware from its secret hideout to the target.

      2. BillG
        FAIL

        Re: So basically

        Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"

        I'm sorry, that's not good enough. I'll bet if the third-party advertisers were required to either step up their game and vet advertisers, or be terminated when they resell malvertising, the problem would diminish significantly.

        Right now third-party advertisers do very little for the money they make. I've worked with some that don't know what JavaScript is, but email it in an attachment for website insertion. When there is an issue they make a very very big deal out of not understanding anything even remotely technical about their job, they just sign a contract over the web and forward the code off to me for insertion on my website. Any issue at all, they seem to painstakingly make a deliberate point that they do not understand anything technical about anything.

        They need to be technically competent enough to know when they are doing something wrong or face the consequences, just like everyplace else on the web.

    3. big_D Silver badge

      Re: So basically

      Hold the advertising network/platform financially responsible for all damages. They are facilitating the malware, so it is up to them to stop it and it is up to them to compensate those affected. They made the deal with the bad actor and took money to load the malware on unsuspecting visitors' PCs.

  2. Doctor Syntax Silver badge

    'Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"'

    Point taken. So suspend them for negligence. The entire chain, website & all. Even better, make them all jointly and severally liable for damages by reason of negligence. Then we'll find out just how quickly they can either track down the bad actors or put a trustable chain in place. PDQ I suspect.

  3. Anonymous Coward
    Anonymous Coward

    Hence ad blockers

    Not much more to add.

  4. Anonymous Coward
    Anonymous Coward

    They do what?

    Ad networks report to potential advertisers on the presence of antivirus on the target machines - what's the legitimate purpose for that behaviour? How can they claim to be innocent of doing harm when they're performing vulnerability scans on behalf of the malware peddlers?

    1. VinceH

      Re: They do what?

      "Ad networks report to potential advertisers on the presence of antivirus on the target machines - what's the legitimate purpose for that behaviour?"

      The "we're all innocent, advertising is wonderful, love us, LOVE US" answer is to identify a need for (and to try to sell the user of the target machine) anti-virus software.

      "How can they claim to be innocent of doing harm when they're performing vulnerability scans on behalf of the malware peddlers?"

      Quite.

    2. jonathanb Silver badge

      Re: They do what?

      In theory so that you don't advertise Norton AV to someone who already has it

  5. Joe Drunk
    Mushroom

    Who's more unsavory...

    The criminals exploiting the weaknesses in the ad networks third-party, fourth-party et cetera's security or the criminals running these ad networks who merely shrug when millions of visitors are served malware because they are making so much money?

    Ad blockers, pop-up blockers, ad blocker blocker detector obfuscating script, ghostery, the whole nine yards because I give as much fucks about you losing ad revenue from me as you give when I get infected from your malvertising.

    1. WankerYank

      Re: Who's more unsavory...

      "Ad blockers, pop-up blockers, ad blocker blocker detector obfuscating script, ghostery, the whole nine yards because I give as much fucks about you losing ad revenue from me as you give when I get infected from your malvertising."

      Agreed, however, you might also consider adding CryptoPrevent to that mix on a WinX system. It has mitigated quite alot of unwanted programs that have gotten through my defences as you have a similar security approach.

  6. Wade Burchette Silver badge

    There is an easy fix

    Malvertising would die right now if the ad networks followed these simple rules, rules that were the de-facto standard when the internet became a necessity: Absolutely no javascript in ads, absolutely no tracking in ads, and absolutely no ads that require a plug-in. No exceptions will be allowed.

    Those rules worked once, they can work again. But I already know the advertising companies won't listen. These same companies have no respect for my privacy so why do you think they would have any respect for my security? Greed is a powerful force.

    1. Pascal Monett Silver badge

      Agreed - ads need to be simple

      An image, eventually a slideshow, and a web link, end of.

      And don't tell me you need script to do a slideshow; HTML5 is here.

    2. Anonymous Coward
      Windows

      Re: There is an easy fix

      Yep. Marketing bosses only care about privacy as much as the typical windows user. They DO care when they realize ad+tracking+analytics bloat is driving away users and lowering their SEO scores. OTOH, doing anything about it seems to be a low priority even for the move-fast-n-break-things hotshot startups.

      So, back in reality... BLOCKING, not prosecution, is the solution. Everyone should use ad blockers. All of us should be preaching the gospel of ad blocking, installing it every time we see a friend's computer without it, and, heh, adding popups to our websites to complain if a user's NOT using adblock. Muahahaha.

  7. This post has been deleted by its author

  8. Unep Eurobats
    Joke

    Criminal actors

    Go after their [user] agents, I say.

  9. channel extended
    Flame

    SCUM R US

    Honest your honor it's the 'scum r us' company that are the guilty ones. We just sold thier ads. No we have no way of tracking the source, but we can track the users all day long. Look thier money is just as good as anyone's right, Surely you don't expect us to care, er check, any closer once the check clears! You can't possibly blame us for sloppy security it was the 'Stupid C**nts Using Malware R US', you know, customers.

  10. Whitter
    Flame

    The business model is knowingly at risk

    "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"

    There is no "Simply" about it, There is no unexpected about it. This is a risk in their business model that they choose not to account for, knowing they themselves are not at risk. Indeed; they get paid for delivery regardless.

    Time to stop it where it stands and require all such third-party injection to be pre-edited.

  11. Prst. V.Jeltz Silver badge
    Joke

    got it

    Ah so if you want to get your malware out you just ask the Agency to target a knuckle dragging idiot with no tech savvy who will click anything to see a pair of breasts. Wrestling fans perhaps.

  12. PsiAC
    Mushroom

    Ad Ecosystem

    Think of it as an ecosystem.

    Some toxic (predatory) ads exist in the same system as the "product" (customer/prey) who visits, along with many other, similar-seeming ads of a harmless yet annoying nature.

    The question becomes whether you want to poison the entire system (reducing the population) to cut down on the number of these advertisements, barring those who adapt to survive.

    Ideal scenario, you kill every single predatory ad and leave only the harmless kind. Impossible.

    Best possible scenario involves a maximum of predatory death and a minimum of unintended harm. Some damage results but the system repairs itself.

    Worst case scenario, and the most likely, is that you instead wipe out almost everything, leaving massive damage across an entire section of ecosystem that depended on those things you find annoying. Not as likely as it just proving ineffective, but still possible.

    Bottom line is, if you destroy it all, you wind up annihilating more than you expected thanks to so much interdependence. Either careful legislation is needed, or none at all. Of course, you could just nuke it all from orbit and start over fresh...

    1. Doctor Syntax Silver badge

      Re: Ad Ecosystem

      "Of course, you could just nuke it all from orbit and start over fresh..."

      Good idea. Except maybe the last bit.

      But to take your analogy further: I suppose what you're really saying is that sites that depend on advertising would be damaged along with the advertisers.

      The advertisers themselves, as they currently operate, are no great loss. In fact, they're really no loss at all; their MO is to poke their fingers into user's eyeballs and maybe also ears. The rest of us would be better off without them. They may be doing themselves more harm than good in any case so they might actually be better off if their advertising channels were nuked.

      So let's look at the sites. Under your Darwinian notion they have choices, adapt or die. They could adapt by allowing adverts in page and exercising direct control over what goes there. If they succeed in that they survive, if they allow the usual slow-loading, animated, screaming crud they die & if they allow malware they get sued to oblivion. But yes, they can survive.

      1. PsiAC
        Holmes

        Re: Ad Ecosystem

        value = current income + potential income

        current income = All of (valuation * hits) for all known income sources

        potential income = All possible current incomes * factor (< 1) of them which will likely be used

        to maximize value:

        individual valuation: maximize possible value for each

        hits: retain and gain many customers

        possible incomes: make the pool of possible sources as large as possible

        likely use: maximize potential advertisement

        hits / likely use

        ind. value / possible

        Strike a balance as appropriate. As of right now, the system favors maximizing the pool of advertisements and ad space simply because humans are fickle (hit-based) and advertisers are stingy (individual value) as well. Essentially, the potential income from future sources vastly outweighs the current income in almost any case.

        Sadly, one cannot simply order humans to stop being fickle and stingy, so the spam will continue. Either you attempt to increase the other side until it becomes viable, reducing spam as appropriate, which some have chosen to try, or destroy the spam entirely and wipe yourself out because of human nature, with few exceptions.

        I can't wait to see a government try to tackle this one. Because you aren't getting rid of advertisements until you can make spam unprofitable.

    2. Palpy
      Happy

      Re: Ad Ecosystem

      Ecosystem-thinking: Yep. But if internet users are prey animals, then some of us make it hard for the predators to get us.

      The malware guys aren't interested in breaking into a Linux machine running NoScripted/uBlocked/Ghosteried/etc Firefox inside a Firejail sandbox, it's too much trouble for a very few possible wins.

      It's a sweet spot right now -- all the Web to roam, with few of the dangers to worry about. Selfish, in a way, but anyone can do it.

      Everything will change in a few years, probably. The web is nothing if not an evolving system.

  13. Mr Dogshit

    Why is there a picture of a gavel?

    Is there an auction involved somehow?

    1. Ian 55

      Re: Why is there a picture of a gavel?

      There's reading involved too. If you read the article, you'd know the answer...

  14. Cincinnataroo

    Protect yourself

    You can protect yourself against a lot of this:

    www5.smartadserver.com, pixel.mathtag.com, beacon-us-iad2.rubiconproject.com can be sinkholed.

    Maybe www.shoebuy.com too.

  15. Captain DaFt

    If it smells like bullshit

    Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"

    So he's saying that being assigned a job, passing off to an unmonitored third party that behaves maliciously absolves all guilt?

    Ahem, if I hire someone to look after my dog while I'm away, and he sends over someone he found on the street to do it for him, and that person mistreats my dog; Guess who I'm blaming when I find out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021