back to article Malware menaces poison ads as Google, Yahoo! look away

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet's money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims. Malvertising, as poisoned ads are known, is as deadly as it is diverse …

  1. Anonymous Coward
    Pirate

    Fuck us.

    Yet another illustration of why we NEED granular 1st/2nd/3rd party controls for all content/MIME types built into browsers. allow-all/allow-but-blacklist/block-but-whitelist/block-all preferences for images/canvas/cookies/scripts/video/whatever. Simples.

    This wilful, contrived ad-slinger sponsored browser/web privacy & security clusterfuck HAS GOT TO BE BROUGHT TO AN END

    Yes it'd allow us to "break" some "features" of some websites (which are doing it WRONG) - that's the FUCKING POINT. I WANT to be allowed the ability to "break" the bastards' shit, if I choose to.

    https://support.mozilla.org/en-US/questions/1002062

    https://bugzilla.mozilla.org/show_bug.cgi?id=94035

    etc..

    /EADON-mode

    (yes, watching (and sometimes, back in my more naïve years, bashing my head against) this "game" has been one of my pet hates for the last FIFTEEN FUCKING YEARS)

    1. Anonymous Coward
      Anonymous Coward

      Re: Fuck us.

      Until the malvertisers start using the actual source websites as proxies, making them indistinguishable from the actual desired content. Then what?

      1. Anonymous Coward
        Pirate

        Re: Fuck us.

        It's an accountability/liability thing. Always has been.

        GigaBEEEEELION ad-slinger corporation spending loose change on twisting the arms "sponsoring" every browser project it can find to fuck up their security designs is their glorious capitalist duty... and it's certainly not their fault if when random third parties then use the situation to fuck us all over.

        However...

        Should some gigaBEEEEELION ad-slinger corporation start forcing malware from its servers into my browser, then it's cla$$$$ action time.

        Problemoid solved.

        The advertisers/miscreants will and do use the MOST AGGRESSIVE (sadly i.e. effective) mechanisms available to them. That's inevitable. Human nature. It's a sort of arms race. Taking away their bloated-cow-corpse loaded trebuchets and giving them all fiendishly sharp guava slices instead would NOT be the end of the world. Much as they'd squawk about it at the time. They could and would all simply fight on heroically with those guava slices. And what bliss it would be.

        This clusterfuck is NOT how it must be.

        This clusterfuck is NOT how it could have been.

        This clusterfuck is NOT how it need be tomorow.

    2. BlartVersenwaldIII
      Black Helicopters

      Re: Fuck us.

      > Yet another illustration of why we NEED granular 1st/2nd/3rd party controls for all content/MIME types built into browsers

      As much as I admire and agree with you sentiment... don't hold your breath. What with recent events...

      * W10 private-info slurping on by default, almost impossible to turn off without using a separate firewall, even if you're prepared to pay for your OS

      * Continued erosion of Firefox, the most popular open source browser, at the expense of slurping Chrome. Add to that the soon-to-become-extinct extensibility features used by a great deal of the add-ons.

      * Native advert-loading and tracking features being built into most major OSes

      * Opera, which had pretty nice content blocking natively (allowing javascript/plugin content on a per-domain basis was a great feature) has gone the way of the dodo, Vivaldi seems to be carrying on the tradition of a browser with actual features but nowhere near ready yet

      * ISPs getting in on the act and modifying traffic to include per-user identification in HTTP headers

      * Numerous companies providing "free" wifi and either data-mining them or injecting adverts into unencrypted connections

      * Resistance to non-backdoored encryption and firmware from governments and corporations

      * Seeming complete inability for most customer-focused companies to ship firmware with security better than "don't look at it funny"

      Best case scenario: people finally realise that most people hate advertising and that it doesn't really work, at least not for the vast amount of money being spent on it. Result: ad companies security gets even worse, adverts and data-mining become even more aggressive.

      Worst case scenario: ad companies and sundry data miners somehow earn vast coinage from exploiting their knowledge of your private info, resulting in a big pool of money being available to websites that promote advertising and data mining and better techniques to do it. Much of the web becomes essentially impossible to use for people using ad/script/tracker-blocking software and such outcasts become the new "That Weirdo Who Doesn't Have A Facebook Account And For Some Suspicious Reason Doesn't Want The Police Putting A Camera In His House".

      Now that all the pieces are being put in place, I think advertising and privacy is going to turn into a war zone soon.

      This unhealthy dose of paranoia brought to you by Fukitol Antidepressants.

  2. oldtaku Silver badge
    Meh

    Thanks for this in-depth look. It's the reason I run Ublock and NoScript even on sites I like, no Java, no Flash. Can't trust their ad network at all - not their fault, but whoever they're using for ads is less cunning and evil than the Russians (even Google) and nobody's really doing much about it because they just don't care that much. This article just really drives that home.

    In addition, even the non-malware ads are so bad as far as terrible scripts and bloat (like the Verge's 1000:1 crap:content ratio) that whenever I run without blockers on other people's crapboxes it's a whole new, terrible ghetto web. How can you people live like this?

    So subscriptions and Patreon are all I'm willing to do. Think about it, Reg.

    1. Neil Barnes Silver badge

      Exactly.

      There are half a dozen sites I'd cheerfully pay some small token value to use, and a hundred million I'd not miss if they never showed again. Twenty two billion in lost advertising revenue? My heart bleeds... I suppose they could always get a proper job?

      As before: shouting at me doesn't make me want to buy your product. If I want something, I'll search for it.

      1. Stuart 39

        Such tech already exists

        This long standing problem was fixed in a way by Flattr. Basically you load up your Flattr account with the amount of money you wish to spend in a month to reward sites. Each site that supports Flattr has a "thing" where you can decide what percentage of that monthly payment you want to go to the site in question.

        At the end of the month, the money in your accounts gets apportioned on the % allocated. Good idea, but it doesn't seem to go big because at the end of the day people are not prepared to pay if they don't have to. Sad but true. Someone has to pick up the bill for all this lovely content written by the authors or they would starve.

        1. asdf

          Re: Such tech already exists

          >Someone has to pick up the bill for all this lovely content written by the authors or they would starve.

          Or they can do what most modern media has done and become TMZ click bait 7 reasons why Justin Beiber ass humps your mom. Cost is much lower (because no real content).

    2. Anonymous Coward
      Anonymous Coward

      "In addition, even the non-malware ads are so bad as far as terrible scripts and bloat (like the Verge's 1000:1 crap:content ratio) that whenever I run without blockers on other people's crapboxes it's a whole new, terrible ghetto web. How can you people live like this?"

      Because more and more websites are making them a requirement just to see the content. They'll either redirect script-blockers to "TURN JS ON, DAMNIT!" pages or simply make the scripts a prerequisite to loading the actual content, leaving you a blank page instead. Sure, one can always walk away, but if it's the ONLY source of the content you want (say, an obscure driver), that means going without which may not be an option.

      1. GrumpenKraut

        > ...ONLY source of the content you want (say, an obscure driver),...

        Use one browser with crap turned off for daily surfing, have another browser with settings at "fuck me harder" to download from terminally stupid vendors. That's what I do.

        1. Anonymous Coward
          Anonymous Coward

          And that becomes the proverbial foot in the door, according to the article. One little slip, one necessary evil and the dark side comes rushing in. It's increasingly becoming a case where the ONLY way to get what you need is to bend over.

          1. Doctor Syntax Silver badge

            "And that becomes the proverbial foot in the door"

            Run it from its own VM that you fire up for the purpose and hose down when you've finished with it. Of course you still have to trust whatever you downloaded from it but you had that problem any way.

            1. Anonymous Coward
              Anonymous Coward

              And of course there's the possibility of a hypervisor attack that can break out of a VM...

              1. Destroy All Monsters Silver badge
                Paris Hilton

                And of course there's the possibility of a hypervisor attack that can break out of a VM...

                From JavaScript to out of the VM?

                This is like worrying about Iran's quasi-nonexistent self-repudiated nuclear program that is being inspected anyway.

                Not all attack paths are realistic. For more on this, see "Independence Day" (Roland Emmerich, 1996)

  3. Anonymous Coward
    Anonymous Coward

    Any industry that uses "creative" ad a noun can die in a fire as far as I am concerned.

    And yes, echoing oldtacu, if El Reg were to solicit subs, I'd pay up. But it hasn't, so I don't.

    1. Bronek Kozicki

      I'd pay as well, and there even is one thing that ElReg could offer me in exchange for my money: a daily copy of all articles in the form of Kindle news subscription, just like I receive other newspapers. Just something to read on my commute to work.

      I know it sounds like favouritism towards Amazon, however I have nothing against such a daily news delivery mechanism made available on other platforms/vendors where such paid-for news subscriptions are available. It's just that I already happen to use Kindle for my daily news review. I also know I could use Instapaper to scrap ElReg articles and copy them to my Kindle, but I'd rather let ElReg earn some money by preparing this for me - and making it appear just as a regular news from one source (called "The Register", rather than Instapaper).

      Even better if sister site ThePlatform implemented such a mechanism as well, they have some very interesting articles which I'd very much prefer to read on an ebook than from large screen (and I do not like wasting paper on printouts). Preferably at different time of the day than ElReg one, giving me something to read on the other direction of my commute ;)

      1. Anonymous Coward
        Anonymous Coward

        I'd pay as well,

        That's as maybe but there's two problems here.

        First there need to be enough people who will actually pay - the evidence is that many won't. And with the Reg, half the value is from the joy of being an unpaid member of the Commentariat. If they think I'm paying for the privilege of writing and reading stuff like this, they've got another think coming.

        Second, you need the content owner to stick by their side of the bargain, and offer you completely advert and spyware free content. I'm not sure I can claim any evidence here, but I'll wager that very quickly you'll be seeing "content from our trusted partners, tailored to your interests", and then you're in the bind of both paying for the content, and having the malvertising hosed even more specifically at you. I very much doubt that the content behind Murdoch's paywalls is advert free.

        1. Bronek Kozicki

          The thing is that Kindle edition of a newspaper is quite limited format - it would be difficult to put any ads into it. Well, at least in the edition that I can read on Kindle Paperwhite. And if they do that after all, I can cancel my subscription, shed a tear or two, and go back to reading on large screen.

        2. Antonymous Coward
          Gimp

          OK Ledswinger, I'l bite...

          "And with the Reg, half the value is from the joy of being an unpaid member of the Commentariat. If they think I'm paying for the privilege of writing and reading stuff like this, they've got another think coming."

          So, if you refuse to pay for things that bring you joy, what DO you pay for?...

          (moot curiosity: upvoted regardless)

          1. Anonymous Coward
            Anonymous Coward

            So, if you refuse to pay for things that bring you joy, what DO you pay for?...

            To be fair, I'm paying at the moment by not blocking adverts too aggressively, and in smaller part by my written contributions (as you are). If the Reg weren't making money they'd go bust, and there'd just be a "For Sale" sign up on the domain. But its difficult to have sympathy with those content owners who unfortunately have happily embraced the dark side of the force, preferring to take the money and ask no questions.

            What do I pay for? Anything that I value and need to pay for. But not always financially, and sometimes the price paid is low. You will follow that, as will all commentards, but we're the minority. In the case of Windows 10, punters are lapping it up because either they mistake a £0 price for free, or because they set no value on their own privacy. Microsoft, on the other hand, must have a very good idea of the worth of a user's privacy - and based on prior OS pricing it must be a present value of around £70.

            1. bep

              Paying for content

              My views on this have changed in recent months. Partly it's to do with the Playstore, where you pay a couple of bucks for the 'Pro' version and the ads go away (not talking about tracking etc here, just the ads) Google has prepared the ground by getting people to pay a little so we don't see ads, and in that respect they may have done everyone a favour. I think sites like El Reg should have another look at the subscription model, but the price has to be right and the quid pro quo is strictly no tracking and no ads.

            2. J 3
              Mushroom

              To be fair, I'm paying at the moment by not blocking adverts too aggressively

              I was too, until recently. As said in the bootnote to the article, and I agree, these sites need some revenue source. But I got fed up with The Register locking up my Firefox browser, sending RAM usage through the roof, stuff like that. I don't visit the site too regularly, so I can't estimate when it really started, but I first saw it happen in mid-August, I believe. If I loaded an article an very quickly pressed ESC to stop the loading, whatever code that was going to be loaded did not have time to load, and I could read and not have the browser lock for minutes at a time (until it showed a dialogue about that, which was useless). If I wasn't so agile, then I was screwed. In all article pages here.

              So I installed NoScript, and that problem disappeared. The footer bar right now says that it blocked 20 scripts. Really? WHT? I know some are for El Reg's own operations (the page looks and behaves differently in some little aspects), but come on...

              My daily online newspaper of choice (where this locking problem sometimes also occurred) is even worse: I see between 50 and 80 blocked scripts reported by NoScript. This MUST end, really.

              "The Register for its part goes to some length to pull ads from reputable entities."

              OK, but even if they are "reputable", in the sense that they are not serving purposeful malware... do they know how to code, or are their scripts going to lock my browser if I have the misfortune of trying to read an article here??

        3. Androgynous Cupboard Silver badge

          +1 for "Commentariat"

          Work "democratic" in there and you can have another.

  4. Pascal Monett Silver badge
    Holmes

    Looking at the problem backwards

    From this article I gather that the ad system is basically anyone foisting a program on ad companies who then push it out via Google (mostly).

    This is the easy way to do it, and puts all the tools in the hands of the entity making the ad, giving scum the possibility to wreak havoc like they are.

    So take the tools away from the ad makers and put them in the hands of the ad companies. Create a PHP-like ad-creation language. Ad makers will have to submit the code and content for their ads, and the ad company will be in charge of vetting and "compiling" the two into an actual ad before pushing it out. Simulators can be made to allow the ad maker to be sure that it will display as intended.

    In doing so, we do away with every single security nightmare we currently have without having to change a major part of the current infrastructure.

    I'm sure it's not difficult to do.

    1. Ralph B

      Re: Looking at the problem backwards

      Maybe that's what we'll get from Apple after their content blocking tech comes into play. Maybe the iAds that they (presumably) won't block will be better vetted than the malvertisiing that Google currently let through.

      There's hope for this, since the iOS apps are certainly better vetted than Android ones.

      Google et al certainly need to get their houses in order on this. They could get away with it while no-one else is doing it better, but that time is running out. Thankfully.

    2. Anonymous Coward
      Anonymous Coward

      Re: Looking at the problem backwards

      But that will take, labor, and most importantly money. Try getting this plan past the accountants...

      Not to mention the legal department may be up in arms since doing it this way means they become the scapegoat and the potential target of lawyers if something goes wrong like a rogue insider.

      1. Ralph B

        Re: Looking at the problem backwards

        > But that will take, labor, and most importantly money. Try getting this plan past the accountants...

        But the same argument can be made for vetting the apps. Having apps that can be trusted not to contain malware is a good sales argument for the platform. Same for the ads.

        Developers pay Apple for vetting for entry to the App Store. Same for the ads. (Or it will be, if content blocking makes iAds the only show in town.)

        1. Anonymous Coward
          Anonymous Coward

          Re: Looking at the problem backwards

          "But the same argument can be made for vetting the apps. Having apps that can be trusted not to contain malware is a good sales argument for the platform. Same for the ads."

          No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity they can always scapegoat and say, "Not our problem. Go after whoever made the ad." Remember, businesses carry a fiduciary duty to minimize risk, and legal responsibility is a risk.

          1. Ralph B

            Re: Looking at the problem backwards

            > No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity

            And yet they (Apple) are acting as a gatekeeper for the apps, and are reaping the profits from having a more trusted platform. If they did the same for ads they would increase that trust and thereby increase their profits.

            1. Charles 9

              Re: Looking at the problem backwards

              The counter is that only a company like Apple, who has a uniquely sirenesque appeal (Apple's sorta like the Carrot Ironfounsersson of the computing world; you can't help but like the guy even with his strength and other quirks), could pull something like that off. Anyone else, and as Detritus would say, "We look in gutter for our heads..."

          2. td97402

            Re: Looking at the problem backwards

            "No, because like with the ISPs as long as they're not acting in any kind of gatekeeping capacity they can always scapegoat and say, "Not our problem. Go after whoever made the ad." Remember, businesses carry a fiduciary duty to minimize risk, and legal responsibility is a risk"

            I dislike people who spout legal premise like they're lawyers. Be that as it may, here are my two cents. ISPs get a pass as they fall under "common carrier" rules (at least in the U.S.). They are simply the "phone line" between you and the content publisher. Individual web sites and ad networks have no such protections. They are publishing the offending content and almost certainly can be held liable, Time will tell. Some greedy bastard lawyers are going to get the idea to do a class action lawsuit for negligence against Yahoo, Google et al. Once there is a $1 Billion verdict they will clean up their act.

      2. Sir Runcible Spoon

        Re: Looking at the problem backwards

        "Schultz says should vet and load content from their own domain."

        I was thinking this all along whilst reading the article, and this really is the weak link in the malware delivery cycle.

        Ensure the code for the adverts is sent to the publisher to be published. They can then automate the screening of the code for re-directions (and embedded malware).

        No re-directions, no malware.

        If the industry doesn't start regulating itself, ad-blockers will become the default and their business model will never recover.

        If they won't listen to the warnings, they will be too late to fix it later.

        1. Frumious Bandersnatch

          Re: Looking at the problem backwards

          Ensure the code for the adverts is sent to the publisher to be published. They can then automate the screening of the code for re-directions (and embedded malware).

          I was thinking of something like this myself. Recently I was bemoaning how Flash became such a cesspit because it allowed arbitrary code to be run, and how a more declarative programming language would have solved all the problems. That approach could still be the answer to the problem of "malvertisement". There would be sections for all the graphics "assets" and some basic scripting language that allowed for interactivity. In fact, SVG + this new scripting language would fit the bill nicely.

          The language spec and interpreter would have to be designed so that it was impossible to, eg, smash the stack or call itself recursively. As for redirects to an external website, these would have to be declared in a static part of the SVG file, so there would be no chance to modify them or obfuscate them. No other external assets would be loadable from the ad itself.

          Providing there's no underlying bug in the SVG or interpreter for the scripting language, then at least the ad itself would be easily vetted (both by the site that will embed the ad and the user who is being asked to view them). What happens after the redirect is, unfortunately, still beyond the control of the person showing the ad (if there is malware hosted there, it can be sensitive to context such as the HTTP referrer field or cookies stored on the viewer's machine) but at least the ad itself would be safe so long as nobody clicked through, and other means (such as black/whitelisting or some sort of trust rating) could be used to give some assurance that the target site won't be hosting malware.

          No re-directions, no malware

          Unfortunately, with a general-purpose language like ActionScript (ie, Flash) or Javascript, deciding what URL the ad ultimately redirects to is nearly impossible without actually running the code (thanks to their ability to obfuscate and 'exec' bits of code dynamically or implement self-modifying code). Further, even running through a simulator, if any external data/assets are involved, those parts can detect whether it's a real user (who they want to infect) or the simulator (in which case the malware side is disabled). So (a) ads have to redirect or else they're worthless to the advertiser, and (b) the current techniques or providing the redirect URL are fundamentally insecure.

      3. Pascal Monett Silver badge

        Re: Try getting this plan past the accountants

        Apparently, to get accountants to approve this plan, all you'll need to do is show them the trend in ad-blocking software.

        Yes, it will cost money. There is no such thing as a free lunch. But I do believe that something along the lines of what I said is the only viable solution to the problem the article outlined.

        Anything else is just going to cost more money for nothing. We have no way of tracking which ad shows up where, and if Google knows it ain't talking (as usual on this kind of matter).

        The industry urgently needs to inject some oversight on the whole ad publication process, and the logical place to put that oversight is where ads are accepted for publication. By removing the ad-creation tools from the hands of the ad makers, you straightjacket them into a scenario in which they simply cannot abuse the system any more.

        You nuke the problem from orbit. It's the only way to be sure.

        1. Charles 9

          Re: Try getting this plan past the accountants

          "Apparently, to get accountants to approve this plan, all you'll need to do is show them the trend in ad-blocking software."

          But that still won't appease the legal department, who could justify the additional expenses to keep it "Not Our Problem". The only way you can convince the legal department is to prove to them they can't keep the problem away from their desks no matter what they do, but lawyers are trained to prevents this.

          "You nuke the problem from orbit. It's the only way to be sure."

          That's assuming your problem is an Alien-type problem and not an Andromeda Strain (where nuking would only make it worse).

    3. Doctor Syntax Silver badge

      Re: Looking at the problem backwards

      An alternative - or maybe complementary - approach. The websites hosting the ads become liable. It's only fair after all, they want the income so they must accept responsibility. It would then be up to them to push the responsibility back onto the networks they allow to place the ads which then gives them an incentive to revise the whole technology involved so that either a kit approach, a trust system or whatever gets put into place. At present NOBODY has any incentive to do anything except the users who are actually aware of the problem. This needs to change and the only way to do that is to target the most easily accessible point.

      Maybe it could be handled by civil liability, maybe by criminal liability but somebody has got to be held responsible or no changes will be made until ad-blockers kill the entire advertising industry. Actually I wouldn't shed any tears were that to happen.

    4. Someone Else Silver badge
      Unhappy

      @ Pascal Monett -- Re: Looking at the problem backwards

      O, Pascal...

      Of course it's not difficult. but it would cost money. And you have to know that Google, YAY-hoo, et al, are strictly in the business of collecting money, not paying it out....

  5. Mystic Megabyte
    FAIL

    No whitelist here!

    Not only the ads but also the "one weird trick" or "Sponsored Stories" links. Obviously they are bogus click bait and I can only assume that bad things will happen if I click through.

    My ad blocker is on permanently for all sites, the advertising industry cannot be trusted.

    1. Charles 9

      Re: No whitelist here!

      So what happens when you get a false positive and it blocks something you actually WANT (or worse, NEED) to retrieve?

      1. James O'Shea

        Re: false positive

        If something I want is blocked, I'll know it, and unblock it, or I won't know it, and I'll live without it.

        I don't need anything associated with 'sponsored sites'.

    2. Anonymous Coward
      Anonymous Coward

      Re: No whitelist here!

      > Not only the ads but also the "one weird trick" or "Sponsored Stories" links.

      If you use ABP then "Fanboy's Social Blocking List" and "Fanboy's Annoyance List" kills most of these.

  6. naive

    Shooting the messenger feels good but does not help

    Perhaps Yahoo and Google should not be blamed for the problems with mainly fraudulent Flash ads to the extent as worked out in this excellent article.

    They do not have any part in the endless string of 9+ CVE's served up to an ignorant world by Adobe.

    They are not to blame for the fact Microsoft produces operating systems allowing rigged content of a website ending up as executable code in kernel mode.

    Going after the ad networks, or any other website, because user generated content abuses security holes in products SOLD by others is not helpful in solving the worlds issues with malware. The fact that this discussion even wasted the time of the honorable Senator McCain, is probably more an indication for effective lobbying by Microsoft, who successfully managed to divert the fire to others.

    Perhaps the only thing widely used websites could do is introducing a constant nag mode about outdated or unpatched software used by their users.

    1. Doctor Syntax Silver badge

      Re: Shooting the messenger feels good but does not help

      "Perhaps Yahoo and Google should not be blamed for the problems with mainly fraudulent Flash ads to the extent as worked out in this excellent article."

      Nope. They're part of the pipe-line. The whole foetid system, end to end, is the problem. Every part of it needs to do their bit, in fact needs to be made to do their bit.

  7. Zog_but_not_the_first
    Devil

    Blurred boundaries

    It seems the boundary between legitimate organisations marketing stuff that you may or may not want, and criminals attempting to steal your passwords, log keystrokes etc., is becoming increasingly blurred.

    After all, they both want your money. And that's all that counts, isn't it?

  8. POSitality
    Big Brother

    Mitigating the problem for end users

    I keep a copy of Visual Studio running on a virtual machine. It's a fairly hefty program to load up and, if my main PC went down (hardware fault, hackers, etc.) at least I could still work even if that meant using a landfill tablet with a Bluetooth keyboard! VS runs fine like this as long as the VM and RDP can keep up with my typing.

    So, keep my work safe... from what? What is the most dangerous thing on my PC? I must have loads of programs that access the Interwebs, e.g. on-line gaming, but the web browser is now the number one attack vector by a very large margin.

    I've been isolating the wrong application.

    From what I've seen of VM Ware, Virtual Box and Hyper-V recently, performance has gone up dramatically certainly enough to play YouTube vids - with audio - even over a LAN RDP connection. Hell, Hyper-V has some Direct X support to run games. Web browser, no problem.

    Okay, so I relegate the browser to a VM and as a side effect I could run my main machine through a much tighter firewall (as it'll barely need 'net access) mitigating some of the privacy issues in Windows 10 et al.

    Any thoughts on choice of VM, operating system and browser for "a rich web experience" ?

    1. Bronek Kozicki

      Re: Mitigating the problem for end users

      One way to do it, assuming you have the right mix of hardware (CPU with VT-d, enough cores and RAM, right kind of GPU) is to make your main machine a virtual machine with GPU passthrough, running on top of Linux hypervisor with stack kvm/vfio/qemu/libvirt.

      1. POSitality
        Happy

        Re: Mitigating the problem for end users

        Thanks for flagging that up. I'd looked at Hyper-V's GFX options for a project a while back, I may have a tinker with the Linux options for my main server.

        I was aiming to refine my idea to help out the sort of client who's paranoid about security but not capable enough to handle qemu and the like:

        - Download VirtualBox

        - Import Linux VM with Chromium or Firefox pre-installed

        - Don't surf from host machine

        - Profit!

        I'm looking at a minimalist Debian install and Chromixium, the latter also being an excellent choice for recycling old laptops.

  9. Doctor_Wibble

    Online Ads Not Malware???

    Much evilness is in the URL-rewriting (hover shows ultimate destination until you right-click and it is rewritten and you can see the ad/redirector/logging service URL, you never see the original URL again unless you click and it's 50-50 if you actually go there) which seems to happen on legitimate sites but as per the article is actually just an ad frame sold to someone who rented it out to someone else who did a short-term lease deal with that supplier of useless clickbait crap for bored people.

    It's partly a browser problem though - third party scripts are always going to be dependent on an entirely undependable chain of trust all the way down to whoever (re)wrote it.

    On the other hand, if ads help pay for the running costs of a site we can either put up with them or we can give the banks a transaction fee (at whichever end, to pay or receive) for every single website we end up subscribing to.

    The web ad industry just needs to stop blaming everyone else. Why blame anyone? Just get on with it.

    1. Frumious Bandersnatch

      Re: Online Ads Not Malware???

      Much evilness is in the URL-rewriting

      Google search results also do the same thing. Check it out and see.

      As a user of Google search, I've made the decision that letting them store (most of) my queries is an acceptable price to pay for the usefulness of the search results. I draw the line at them knowing which link(s) I've chosen from among the search results. To stop this URL-rewriting I use Greasemonkey and the "Google Link Cleanup" script.

      URL-rewriting is evil, Google.

  10. James O'Shea

    I advocate the nuclear option

    I'm typing this on Firefox running in Win 10. I have a 3rd-party firewall installed (Kaspersky) just to annoy Microsoft. Before I installed it, I turned off all the spy features I could, also to annoy them. I have AdBlockPlus installed. I have Ghostery installed. (Currently blocking DataPoint Media, DoubleClick, and Google Analytics. Naughty, naught, el Reg.) I have Privacy Badger installed, (Not showing anything. Better, el Reg.) I also have modded the HOSTS file heavily to blackhole certain notorious sites. Between them, I no longer see ads, 'sponsored sites', or any of that nonsense.

    Certain sites have complained about my blocking ads on them. I have ignored them. Some sites have gone so far as to block access until I whitelist ads on their site. I have declined to go back.

    1. Anonymous Coward
      Anonymous Coward

      Re: I advocate the nuclear option

      Privacy badger may be showing nothing due to you already blocking things e.g. on Reg it shows me various stuff from expected google ad related stuff such as google-analytics, googletagservices through to reg domains e.g. regmedia.co.uk.

      Caveat, my ad blocking severity rules vary by site, on sites I want to "support" I do not block all, so I browse reg with some (but not all) advertising blocked, the irritating too in your face stuff killed, but low visual impact ads allowed

  11. oneeye

    For Android users, there is help!

    Firefox for Android has all the major blocker add-ons and cookie destroyers. Plus there are now,NO-ROOT Firewalls available in playstore. Which I highly recommend "Lostnet no-root firewall" pro $.99 as it has the least permissions. Also has some unique features related to this article (-:

    With all the vulnerabilities in Android these days, it is prudent to mitigate as many avenues that could lead to a compromise.

    Great article by the way,and I am going to forward it to several complainers about those of us who want to protect ourselves from malvertizing.

  12. Anonymous Coward
    Anonymous Coward

    I just got one on the Register

    My antivirus just flagged you (or a redirect I didn't see) up as malicious site

    I'm at work, so using IE, no user installed blocks etc, just the enterprise antivirus.

    1. Anonymous Coward
      Anonymous Coward

      Re: I just got one on the Register

      Thanks for the heads up - forwarded to our ads op team.

      If you have time please ping them webmaster@theregister.co.uk and let them know what antivirus software your workplace is using.

  13. Wade Burchette

    There is one way to fix this problem forever

    Malvertising would die tomorrow if advertisers follow these rules. The internet became an essential part of life when my rules were being followed. So, if it worked in the past, it can work today. Following those 3 rules would block targeted malverts and remove the attack vectors.

    (1) Absolutely no javascript in the ads, no exception. A side benefit is that ads would not be allowed to track us without clicking on it. (2) No ads that require an add-on to the browser in any way. Thus no Flash or Java ads. An ad may play before these add-ons are allowed to load, but may not be a part of the applet itself. (3) No geolocation using an IP address, no exception.

    I use Ghostery+NoScript in my Firefox browser. A note to advertisers: I will happily turn off those add-ons once you obey my 3 rules above plus these additional rules: (4) Absolutely no tracking of any kind, no exception. (5) An advertisement may not block part or all a website at any time, no exception. (6) Videos may not autoplay except before a video I chose to watch; a video on a web page may not start playing until I push the play button and only then may the video ad begin.

    It worked once, it can work again.

    1. Charles 9

      Re: There is one way to fix this problem forever

      And if the advertisers go the other way and go Take It Or Leave It: simply bar you from seeing any content without submitting? Would you be willing to walk away, perhaps from most of the Internet if the stance spreads to the wider Net?

      1. Number6

        Re: There is one way to fix this problem forever

        I have indeed clicked on sites where I get a blank page due to NoScript blocking stuff and after trying and failing to guess which of the other weird domain names are relevant, I've gone elsewhere.

        I'm with Wade here, until they tone ads down to something harmless, I have no option but to block the lot. This even goes back to the animated gifs and the dreaded pop-up stuff. I know the advertisers want to get noticed, but if they irritate me by the method they use, they're even less likely to get my business.

        1. Anonymous Coward
          Anonymous Coward

          Re: There is one way to fix this problem forever

          And if they have the exclusive content you absolutely MUST have (like the driver for that obscure device you're trying to get to work)? I've had this happen personally and it's now a real matter of money since going without means the device won't work and I'll have to go out and buy one that does.

  14. channel extended

    I wonder?

    Question, does the NSA use malvertising to select their subjects?

    Just a thought.

    1. Anonymous Coward
      Anonymous Coward

      Re: I wonder?

      What do you think?

      They are PAID to come up with tricks like this.

      Also, fresh of the press: Unrestricted slurping of metadata in the US has been declared legal again.

  15. MikeGale

    Time to take charge of your own Internet usage

    Another article illustrating that it's a good idea to break away from settings designed for the Sheople and take charge.

    Altered host files

    Ghostery

    and more programmatic approaches

    should be within the reach of many in this audience.

  16. Anonymous Coward
    Anonymous Coward

    very clever approach by crooks

    Because nobody will do anything to keep the issue under control. News media won't warn the readers (but El Reg and a few others tech ones, maybe) and suggest blockers, because it will kill their own revenues stream. And the ad industry is now so big it can ignore the problem without risks of being rejected by customers. So crooks got a big chance to be able to continue operating without anybody doing nothing. They found a very, very weak spot, and could exploit it for a long time.

  17. ~mico
    Mushroom

    It's not a software problem

    Nor is it a security issue. It's a liability issue. Ad company has hosted and served a tainted ad due to botched vetting process or lack of one? Pay up! A site or a hosting platform has contracted a discreditable ad company? Pay up! Believe it or not, a single class action suit against an ad broker will end this issue much faster than best new antiviruses and securest browsers.

    1. pigor

      Re: It's not a software problem

      As soon as ad networks are mede liable for the quality of what they deliver and its damages, these problems eill go away.

      A few crippling fines or payouts will clean up the ecosystem from the bad players.

      Little by little only those that really screen ads for malware will remain.

      1. Charles 9

        Re: It's not a software problem

        Or they'll just move their operations out of the jurisdictions of these punitive districts. Ah, the beauty of the global village...

        1. ~mico
          Holmes

          Re: It's not a software problem

          Ah, if the ad brokers move to some tropical island or Siberian forest, then the websites that decided to use their services are liable. And if they too move there - at last, geo-IP blocking will become useful again.

          1. Charles 9

            Re: It's not a software problem

            Not unless they proxy through legitimate locations, making them indistinguishable.

  18. Someone Else Silver badge
    Facepalm

    Tell me again...

    ...why we're not all using AdBlock, NoScript, BetterPrivacy, etc. (No, that Insecure Exposer doesn't support them is not a good answer/excuse.)

  19. Mike Flugennock
    Thumb Up

    On the upside...

    "... PageFair statistics indicate some 198 million users operate ad blocking software, up by 41 percent globally since last year, and digging a $22 billion hole in the online ad industry..."

    Wow, 22 BEEEEELION dollars. Keep at it, gang.

    1. Anonymous Coward
      Anonymous Coward

      Re: On the upside...

      UNREALIZED POTENTIALLY POTENTIAL REVENUE!

      WE COULD HAVE HAZ IT!!!

  20. Mike Flugennock
    Thumb Up

    The roof, the roof, the roof is on fire...

    "...Blocking that source of revenue as a permanent solution only throws fuel on the already raging fire..."

    We don't need no water, let the motherfucker burn.

  21. Destroy All Monsters Silver badge
    Paris Hilton

    This is unclear

    We read:

    Independent French malware researcher Kafeine (@kafeine) points out operators on underground forums who are selling stolen traffic relating to malvertising with prices ranging from US$4000 for 100,000 multi-geographic hits (known in the marketplace as 'loads') to US$70 for 1000. By country, GrandClix sold United States traffic for the highest buck with US$500 for 1000 hits, and Australia and the United Kingdom attracting US$450 for the same amount.

    Hold, on, what is the "stolen traffic relating to malvertising"?

    Are we talking about malware installed into surfers' browsers generating fraudulent clicks to websites of the unethical customer of this "service", thus bumping iut up in Google PageRank and similar charts? This malware being installed by maldvertised exploits? So an uncalled-for tab/popup window would appear in the victim's browser?

    Also, here:

    "He buys ads for three bucks from an ad company and then defrauds them out of $1000s from ad fraud"

    How? When does the ad company pay out?

  22. Anonymous Coward
    Anonymous Coward

    Nice illustration

    Couldn't see an artist credit anywhere - who's it by?

  23. geeboh

    Block all ads, blackhole ad domains

    Advertisers poisoned the pot a long, long time ago with their abusive practices. This has worked out pretty well for those of us who have blocked ads for years. But just blocking ads isn't really enough - to really lock things down it's also important to block advertiser domains. Block the entire domain in either the router (if your router supports it), or in your firewall. Worst case null-route them in your hosts file.

    Sure, advertisers know that people are doing this and they buy new domains all the time. So it pays to every so often check random webpages for third-party content that may be advertisers, trackers, or anything else that doesn't directly provide useful content on a page. Blackhole those domains.

    Teach everyone you can about how to block ads and domains. If enough people did this then the advertisers would stop serving up malware, and either begin to act ethically or disappear entirely.

    1. Charles 9

      Re: Block all ads, blackhole ad domains

      Trouble is, they're also piggybacking legitimate domains and using actual websites as proxies, meaning you can't block them without collateral damage.

  24. Anonymous Coward
    Anonymous Coward

    Thank you for a very fine article.

  25. Joe Greer

    simple

    Your add will not work unless the DNS has been valid for 30 days... no content delivered if the time stamp is newer than x days.

    Why can't we sandbox the damn browser?

    1. Charles 9

      Re: simple

      Because sandboxing did a world of wonders for Java...NOT. They just developed escape exploits for them, making sandboxing a tissue-paper defense.

  26. mike_mcsp

    There is a better way! Palo Alto Networks' platform solves this problem two ways

    1) Use a File Blocking Profile on the Next-Gen Firewall rules that govern user web browsing behavior. The file blocking profile detects PE files (which is what most drive by downloads try to deposit without any visibility to the user). THEN the action on the detection of the file is “continue”. A real user CAN hit the continue page… A background process cannot. This is a very effective way to stop drive by’s.

    2) Traps endpoint protection - runs on the Window endpoint and when it sees a process employing one or more of the know exploitation techniques malware must use, it kills the process. Therefore it works on known and unknown (zero day) malware. No updates or signatures or browser plugins required!

    1. Anonymous Coward
      Anonymous Coward

      Re: There is a better way! Palo Alto Networks' platform solves this problem two ways

      This sounds like an ad, and there are ways around both methods:

      1) Encrypted payload, only decrypted once it's past the firewall. No way for the firewall to know what it is, and since it can be important stuff, you can't just block anything encrypted.

      2) Use a NEW exploitation technique, one not known to the trap.

      1. mike_mcsp
        WTF?

        Re: There is a better way! Palo Alto Networks' platform solves this problem two ways

        First not anonymous: My name is Mike and this is not an add. It is however, the truth, because there is a better way and the threat is REAL.

        1. The Palo Alto Networks NG firewall does SSL Decryption

        2. While malware files and attacks are growing exponentially, the new exploitation techniques are not. Name one NEW exploitation technique - memory corruption or software logic flow that has occurred in the past 6 months.

  27. ecofeco Silver badge

    Again?

    Why am I not surprised. This happened a few years ago as well.

    Again, this is why I run 3 levels of protection on my boxes PLUS script and ad blocking on my browsers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like