
Websites visited by millions of people daily
... aol.com ...
:-)
Top-flight US online publishers are serving up adverts that attempt to install ransomware and other malware on victims' PCs. Websites visited by millions of people daily – msn.com, nytimes.com, aol.com, nfl.com, theweathernetwork.com, thehill.com, zerohedge.com and more – are accidentally pushing out booby-trapped adverts via …
"Surely the huge majority of internet users are technically illiterate (although that term isn't really correct),"
<snip>
I agree and I tend to use the term "naive users". Now let us all ponder the fact that these naive users have made many a commentard an affluent person God bless their cotton socks.
I think I'll stick with the 'protection racket' known as ad blockers, thank you very much, rather than suffer this nonsense.
Well yes, but it's racket upon racket, all founded on ignoring basic user security in search of The Almighty Buck™. It's 2016 and Windows STILL needs a separate anti-virus tool to be safe near the Internet, and the advertising problem is not exactly new either, is it? WTF are these people thinking not putting in basic security to stop this?
Personally I think that if big sites are serving up ads they are liable for the damage. Sure, they can then pass this on to their ad provider, but that's not my problem. You break my system, you are bloody well liable for the costs and efforts to recover it, and I'm not cheap.
Having said that, this is again fun I opted out of when I switched OS, but even then I had adblockers (now uBlock), a modified hosts file as well as anti-tracking installed (Ghostery). Damn. I would have had fun and be in all newspapers :).
Oh well. Back to work instead - my machine works fine..
"Personally I think that if big sites are serving up ads they are liable for the damage."
They ARE liable, unless they have a big ol "our ads may infect your computer" waiver you have to accept before entering the site... I don't think any lawyers have picked up the task yet, but it's just a matter of time.
"Yup. They're running Mint or Ubuntu or Debian or Fedora or *BSD or......"
..... Gentoo. Sometimes I get my systems into a state whereby I wish that just a trojan or worm was involved. On the bright side, after 13 years of extreme system abuse I have skills akin to resurrection.
Somehow I have never managed to take a Linux system beyond repair unless the hard disc is buggered (BSD is the same - I'm told). Windows nerds - you'll never know the joy that is boot off something that is near enough, shuffle a few files and then chroot to put things back in order from the perspective of the patient. The best you (and I - I'm a Windows sysadmin as well) can do is boot off something, copy off data and reinstall from scratch. The recovery console on Windows doesn't even have a browser or an IP stack - rubbish.
If you are using Windows as a daily driver without ad-block, then good luck... So much of the malware stuff that is out there (many unknown) bypasses the AV products. For the last several years, the Pron sites are safer than the news sites for keeping your PC errr, well, umm, "CLEAN?". :) That's really screwed up.
Ads should be straight up pics and text. Who the !@#$@ in their right mind (in the ad business) would allow ads to run Flash, Java, Javascript, etc etc etc... Idiots... I and many others started ad-blocking for security reasons. (oddly enough, it also means that sites SNAP now instead of draggggggging/struggling to render)
AV protects you from known signatures of known files. It won't protect you against a nasty using a 0-day flash vuln (or a known flash vuln on an out of date flash/java/IE/Silverlight etc). That's sort of the whole point of malware, it bypasses the protection and focuses on the holes.
If you use software that doesn't have the same holes (such as not using IE or flash or java etc) then you have a better chance of not being infected. In this case if you blocked adverts then again you'd be fine.
"Are there any PCs without anti-virus products which are not already infected?"
Yeah. Mine.
And no, I'm not running Linux or BSD. Running Windows 7.
Yes, I'm sure.
I think the OP meant systems actually connected to the Internet :)
Joking aside, you can secure any system. The difference is how much effort it takes to secure it and maintain that security, which is where you make your choices.
In one word, yes. Millions of them. It is not difficult to remain malware-free if you have some basic skills. Anti-virus software is much less effective than simple good hygiene - never use Internet Explorer, uninstall chronic malware vectors like Flash, block ads, you know this stuff if you read El Reg. Or you should.
Edit: "basic" skills for any IT person, I mean. I'm not expecting your Granny to have them. For most ordinary users an anti-virus package is worth the cost. (Not really money, the main cost is the performance hit.) But you certainly don't need one if you have an IT clue.
Yes, my windows 7 and windows 10 machines. Removing Adobe flash and Java gets one quite far, combined with using firefox, since it warns for dodgy sites.
I find it in fact incredible that:
- adobe is not put out of business by the government and its management is not in jail, they are worse than terrorists.
- youtube serves (me) adverts from Riverside soft (or something) asking me to install drivers from them, it had infected the pc of my kid with tons of malware, requiring complete reinstall.
It is an industry wide issue, and nobody cares, like with dangerous cars from the 60's until Ralph Nader came, who should have been given a Nobel Prize for the millions of lives he saved since then.
I've noticed a large increase on the number of links in download sites that redirect to at least one link shortener/obfuscator that in turn open another browser window or tab with spoken(!) messages about my computer being infected, please call this number, etc.
These phishing attempts are not new, but I think those link shorteners are also being targeted.
Those stupid link shorteners are open to this type of exploit.
I have never ever clicked on one and never ever will. Anyone who sends me one gets a standard email reply explaining why I won't follow their link.
Using a link shortener means that you have no idea where you are going to end up. Years ago I saw one used to take someone to a Pron site. It could have been a kiddie porn site which as we all know means a jail term for those of us in the UK even for just visiting one.
Back on topic.
I've just about had enough of MS pushing Silverlight as an optional patch even to Server OS's. Hide it and it is like a bad penny and keeps coming back. Why don't they just can it once and for all eh?
As for Flash, you deserve everything you get for using it. The most bug ridden bit of software in history.
"As for Flash, you deserve everything you get for using it. The most bug ridden bit of software in history."
Hmm. Given the TeraBytes of patching I have seen float past over the decades I think that specific honour goes by some distance to Microsoft and their products. I know, I know, it's hard to beat Adobe, but I think it still has to learn a lot about epic cockups and ignoring customer security from Microsoft. They're undisputed kings here IMHO to the point of having caused a whole ecosystem on its own just cashing in on the problems. Which, by the way, you pay for too.
The ad industry needs to get itself under control PDQ or face extinction.
Did anyone else read the following and have their head threaten to explode?
"It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising. The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."
What a crock! The site owners should be held responsible for any and everything they allow to come from their site. If they sub out their advertising, it does not absolve them from responsibility, it is just a convenient way to speed the process along. If you pay for someone for a service and don't at least verify it is being done in a non-criminal fashion, you are still to blame for your negligence.
this just is another nail in the head / and SHOVE A Cactus hard up the ASS of the Ad industry
Just install / run
Ad Blocker ( any is better than nothing )
Ghostery
any Script Blocker
Malwarebytes
Anti virus
the list goes on just block those WUCKIN ADS
Pass A Law that makes any Site Responsible for any Collateral Damage caused by these ad/ infections
Maybe if they end up paying they will clean up their own industry
. . . .nag me about my ad-blocker.
Tell you what: when your site serves malware-via-ad, and you take responsibility and LIABILITY for the malware you serve. . . . I'll consider white-listing you.
Unless, of course, you're Forbes or WIRED. Because you're being such utter assholes about it, Ad-block on your sites will stay until Doomsday + a week. . .
I did add Wired to my ABP white list but 1) it still complained that I was using an Ad-blocker 2) the site went from unusable because I was using an ad-blocker to just... unusable...
Sorry Wired, I won't be back - with or without an Ad-blocker and the rest of them can go swing, I'm not turning my ad-blocker off!
Add this blocking filter in Adblock Plus(without quotation marks):
"|http://www.wired.com/assets/load?scripts=true&c=1&load%5B%5D=jquery-sonar,wpcom-lazy-load-images,outbrain,blockadblock,tracking,ads,wired"
I am not reading them myself, frankly.... but Adblock Plus is good tool, it allows things like this one.
I use a list in my hosts files that I have traced back to here: http://winhelp2002.mvps.org/hosts.htm
Except I use 0.0.0.0 instead of 127.0.0.1. Dunno if this makes a difference. I use a Debian based distribution. Works brilliantly - much better than the ad blocker plugins. Only wish I could find an easy way of importing into ChromeOS and Android. Or has their distributor made it hard for a reason?
ChromeOS and Android are both designed by Google aka the biggest spammer/advertiser out there.
Why would they let you block one of their core businesses? :)
To edit hosts on Android, you'd 1st need to root your Android device (by using towelroot as an example) but Google constantly updates its software to patch the exploits making it possible to use soft like towel and to prevent you from rooting its smartphones/tablets.
Other than that Android is like any other Linux OS in many respects.
"Except I use 0.0.0.0 instead of 127.0.0.1"
Judging by at least one response to your post the sarcasm/Fe (y) detectors are down in some parts of the world.
For best effect though, stop messing with a text file and use your firewall properly. Remember the kids could start using IP addresses directly thus bypassing your hosts file. A rule along the lines of (translate as required for your OS) src:0.0.0.0 dst:0.0.0.0 iface: all proto:all policy:reject should do the trick. Don't forget IPv6 as well. The policy:reject will avoid any nasty lockups and smooth the user experience.
Honestly, I have no idea why more browsers don't have script blockers like NoScript built into them. The web and Internet are so toxic, it's just pathetic. Turn off the capability to run scripts, and suddenly so many vulnerabilities just disappear.
Wanna build a botnet? Just buy some ad space, sit back and relax.
Well no. That kind of ship has sailed.
Any kind of interface that is not static, just-sitting-there-waiting for you-to-post-an-ugly-form-to-a-server-like-in-a-dystopian-retro-noir-movie needs it. I do think even North Korea is happy to have left these behind...
If you don't want scripting, you might as well go back to green screen (and without curses). It has its uses...
CSS3 + HTML5 :-) No scripts are required to pretty up a page and validate form content. Send form data to a php page to do the validating. CSS3 does pretty cool animations too. CSS3 menus can also look identical to and perform better than Bootstrap. Yes scripting does have its purposes, I find Ajax particularly useful.
@adnim:
"Send form data to a php page to do the validating."
The point of using javascript to validate pre-send is to reduce submissions/processing server-side by rejecting bad/missing data client-side first.
You cite the best use of javascript actually: "Yes scripting does have its purposes, I find Ajax particularly useful." Now, what do you do with that AJAX JSON result? You create HTML content via javascript. Also, a common technique is to pass page data in javascript code and build it using javascript to prevent the need to send 100 table lines of pre-formatted (and highly repetitive) tr td tags. This optimizes data transfer and server-side processing as it uses the client's CPU to generate the necessary HTML to display.
NoScript is pretty good at stopping a fair bit of crap from coming down the pipe, but I'd always have an adblocker and Ghostery in the mix as well.
JavaScript: yes, it shouldn't be able to do anything outside the browser window it's in (including not being able to do anything with other tabs or windows). It can be useful for helping in some application-style web pages where some level of understanding of the user's selections on a page are required. Also there are a few things that in-browser HTML and CSS don't do yet that JS can, though I can't think of any right this minute...
I'm also inclined to agree that sponsor advertising is likely to be where the internet will end up, but it might take a while to get there.
"JavaScript: yes, it shouldn't be able to do anything outside the browser window it's in"
- This. Sandboxing things like script and flash and java plugins and plugins of any nature is perfectly possible. That some of the browser makers haven't done so, makes me think they have hidden reasons for not doing so.
The biggest problem with NoScript these days is lazy web developers who just fetch scripts from 50 fucking domains to build the page. This practice should be regulated if not made outright illegal on the grounds of facilitating malware distribution.
We've all seen it: you go to a site, only to be greeted with a blank page or an unreadable pile of text and colourbars splashed all over the place like a dog's breakfast. So you click NoScript's Options button, only to be confronted with a list of domains two screens high asking to be allowed to run javascript. Even worse, those domains run scripts that fetch more javascript from even more domains, so after you allow example.com, exmplimgs.com, exmplcdn.com, googletagmanager.com, googleapis.com, jquery.com, wordpress.com, joomla.com and gofuckyourself234567.cloudfront.net, you still have an undiminished list of domains asking to be allowed, that weren't there before, and the only change that's happened to the scrambled mess on your screen is that the Disqus comments are now visible and 3 images have appeared.
After which your site gets nulled at my router and I never go back there again.
I would love to skin alive every fucking idiot who does this. I can understand the need for javascript on today's interactive web apps, but FFS put your javascript on ONE domain. If you need to use cloud load-balancing then USE ONE GODDAMN SERVICE. I can go with allowing two or three domains at most, but this insane mess requiring me to incrementally enable javascript for the entire fucking internet just to read one bloody article that could easily be displayed by simple HTML has got to fucking stop.
"I have almost exactly the same experience but I've never yet managed to unblock enough shit to get Disqus to work."
That's different to what I've often seen. I mentioned Disqus because in my experience it's usually the first new thing to appear once you allow javascript for the primary domain. Its plugin requires you to inline its javascript in your page's HTML, so allowing javascript for the primary domain usually enables it.
One possibility is that since I have a Disqus account I've got disqus.com whitelisted in my NoScript. If you haven't, then it would no doubt be buried in the list of domains you haven't allowed yet which might explain why it hasn't appeared for you?
I feel your pain, as I am also a No Script user, and I have experienced that same bullshit on some sites.
BUT, I have seen one technique, which I will not describe, (so I don't give lazy web coders any ideas) that I consider downright NASTY.
It involves, as you have noted, javascript code pulling down even more javascript code in order to display the page. I can only take away this: some really sneaky fuck wanted to ensure that their web page does not display well if ANY ad blocking is employed.
As a result, I have blacklisted their site for both my personal, and work related use. FUCK THEM!
It's about time the law stepped in. If websites that served up bad things were deemed to be culpable for any losses incurred then I'm sure website owners would soon increase their attention to the served product.
If they are happy to take the profits from the companies whose adverts they show then they should be made to pay for damage to visitors systems if they screw up.
That seems fair to me..
.. is selling the right to push arbitrary scripts and files via their site to the highest bidder.
That's a pretty serious crime and I'm surprised it took so many comments before someone suggested joint liability.
Given how serious this can be - damaging a hospital's operation FFS - let's extend it to the personal assets of the directors.
In my direct experience in having several times dealt with malware in ads on a website I ran, the problems have always occurred due to an industry-wide practice of webmasters allowing their ad zones to be re-sold to 3rd-parties. The Sales/Marketing boneheads don't give two craps whether or not the site gets blacklisted on "safe site" lists that browsers check before loading the page. So long as their monthly quota is reached, it's then a sysadmin problem to solve. Warning after warning got ignored.
What happens is this: Web sites have ad zones - place holders where banner ads go. The aforementioned Sales Boneheads sell those ad zones to companies who they know are wholesalers for website ad space. And they in turn sell them to (ALWAYS Chinese in my experience) malware people.
Perhaps if the industry collectively agreed that they will only sell their ad zones to FIRST PARTY customers - who they can vet, contact, etc, this won't happen nearly as much if at all, and the web would be a much safer place.
But that would chew into their quota, and their BMW payment.
Yeah. Accidentally. Sure.
They are accidentally absolutely not virus-checking the ads they push. They are accidentally not vetting the ads they accept because they accidentally didn't want anything to do with the notion called "responsibility" and made the whole ad chain deliberately obfuscated so as to be able to say, at each step, "I had no idea !"
Accidentally my ass. They don't give a rats ass, that's what. Well I'm actually happy about all this because it means bad headlines and damaged reputations and we all know that that means risk to the ever-so-important bottom line. And only when it hits there do companies decide that Something Must Be Done.
Looks like decision time is getting closer.
Interestingly, the big websites tend to run the big campaigns, which are usually pretty well vetted given the potential for backlash. But still they served up the bad ads.
May be tinfoil hattery, but this makes me suspicious. My bet is that somewhere down the line one of the Big Ones got one of their servers compromised.
Nice generic term....but what was the nature of the "malware"? Keylogger, botnet....ransomware? Sometimes I think that some click-happy users have it coming, but when the risk is there for just going to a site then the advertising model for web sites really needs an overhaul. Some of the sites are likely visited by very non-technical people who would not recognize when they were infected nor have the means (knowledge or funds) to have it corrected.
As we all know that will only happen when it hits business where it hurts....$$$$$$$$$$$. As other people have commented....the timing of this should be a pretty good argument against the companies who want to block the ad-blockers. And if they do force people to disable ad-blockers to access content, then they should be on the hook to fix grandma and grandpa's computers when they get loaded with crap.
I'm not exactly going along with the sites being "innocent victims". That's just posturing to disclaim responsibility.
I didn't go 'xxxsleazypornandmalware.com'. I went to NYTimes.com. They are the ones collecting subscription money. And the ones that selected the ad network. I didn't get to choose the ads delivered, or a warning about the unexpected risk from their poor choices.
http://www.theregister.co.uk/2015/11/23/liability_chain_malvertising_advertising/
23 Nov 2015: "The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall."
"Easy. It's the site you are connected to via its URL."
Websites that carry advertising, etc, will have something in their Ts and Cs absolving them of all responsibility - and until someone with enough clout (and/or money to sue) is affected and takes a high profile site to court as a result of their computer(s) being fucked up by something like this, and those Ts and Cs are shown to be the crap they are, they'll continue to operate with a hands-in-their-ears-"LALALALALA" approach to the problem.
"It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising,"
The websites that use the ad space to make money... however piddly, should not cast blame... buy low, get low........... they need to vet their clients (ad idiots), just as we should vet someone who holds our balls in their hand.......
but, on the other hand, I welcome the money as the calls come in
Because internet crimes are largely invisible, nobody really sees the big picture. Certainly not users, and definitely not my friends or family. They just switch off whenever they hear me talk of the dangers of flash / java / etc....
But it's clear, nobody should be elected to government, run the police / security services or be in charge of a company, without a basic understanding of cyber crime.
But hey, when did that ever matter to the cronyists in charge. Politicians rarely fall on their sword or get fired, and so only few people realize just how toxic the internet has become... By the time they do, it'll be too late for a lot of people!
Unfortunately that doesn't work anymore. Ads are dynamically generated, ad space is sold down the line and there is no way you can tell that the ads served to your visitors are the same ads you saw when you tested.
There was a Register article fairly recently about malware ads that serve up different content if they detect certain security tools :(
Someone needs to put down a test case. If a high street store had a mugger in the building for 30 minutes taking customers wallets then the shop would be liable. It would also get splashed over the news. The fact the guy was in the building for a noticeable length of time and security did nothing would get the shop in trouble. You expect a level of safety when in a shop.
So why do website owners get away with this? I have had a few clients over the years who visit big name sites, but happen to turn up during that couple of hours at the weekend when an infected advert was being run. The results of this have led to those clients following down a rabbit hole towards infection. Thankfully, in most of those cases I had built enough paranoia in my clients that they stopped clicking when it started looking dubious...
So uBlock Origin or AdBlock all the way now. If a website wants me to turn off the adblocker, then they need to take responsibility for the data they serve to me in their name.
"The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."
Dubious.
The "popular sites" could actually properly vet ads and maybe even fully quarantine & serve those ads only from their own domain (as that way you know its the same ad you originally vetted & no swaps made) instead of using dubious third parties, instead they just try to divest themselves of all responsibility.
If I was a corner shop that just sourced cheapest booze I could instead of making an effort to check quality of the drink supplied & ended up selling a customer liver & eye damaging methanol laced counterfeit "vodka" I would be in deep legal grief, these sites should be treated the same
Web ads which are anything more than a plain static image should be banned. Even if their only other function is to log a hit for analytics purposes, they should be banned. Literally nothing good comes from web advertising. At best they're annoying and intrusive, at worst they can pwn you.
I remember, many years ago, the suggestion that I take my efficient, fast, securely operating website and make unknown amounts of it come from some people I'd never met who are only interested in money..
I think all managers need to have a bronze plaque installed on their office wall for every time they ignore warnings and order a previously workable solution to install flaws. One plaque for each time the flaw breaks it. Two for each time they complain it's broken.