Malvertising: How the ad model makes crime pay The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall. The increasingly sophistication with which online advertisers profile users …
If you drive the getaway car for a burglary, don't try telling the police they should let you off because it's a first offence. But if you are an agency that allows malware advertising, you need special treatment?
If the rules were in place - allow malware advertising and you will be suspended for a certain amount of time - the agencies would have to get their act together and perhaps adopt a system not so open to abuse. Of course this might lead to a lot less advertising. But that would possibly bring in more, not less, money, because fewer adverts means people more likely to read them, so the price you can charge goes up. Currently it's a Gresham's Law world with bad advertising driving out good; exactly the same as with any other currency. Serious regulation could be good for the more reputable parts of the industry, just as serious bank regulation (when we had it) gave people confidence in banks and so promoted trade.
> But if you are an agency that allows malware advertising, you need special treatment?
Sounds like that's what they want - and then we also have to see who is the agency and who is the client because the client may also be an agency.
But as far as the hidden-registrant thing goes, if someone wants my business they can tell me who they are or they can piss off. Unfortunately advertisers are in that limbo where they depend on us for money but we are not the customer, and we are expected to trust their scripts and trust their animations as part of the sort-of-contract with the website we are on - so the blame ends up being spread a bit thin and it usually takes something fairly major before there is any incentive to get much done.
If you drive the rent someone a getaway car for a burglary, don't try telling the police they should let you off because it's a first offence.
FTFY. And yes, unless you are wilful and complicit. If it you keep renting getaway cars for burglars, that would be a different matter.
Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"
I'm sorry, that's not good enough. I'll bet if the third-party advertisers were required to either step up their game and vet advertisers, or be terminated when they resell malvertising, the problem would diminish significantly.
Right now third-party advertisers do very little for the money they make. I've worked with some that don't know what JavaScript is, but email it in an attachment for website insertion. When there is an issue they make a very very big deal out of not understanding anything even remotely technical about their job, they just sign a contract over the web and forward the code off to me for insertion on my website. Any issue at all, they seem to painstakingly make a deliberate point that they do not understand anything technical about anything.
They need to be technically competent enough to know when they are doing something wrong or face the consequences, just like everyplace else on the web.
Hold the advertising network/platform financially responsible for all damages. They are facilitating the malware, so it is up to them to stop it and it is up to them to compensate those affected. They made the deal with the bad actor and took money to load the malware on unsuspecting visitors' PCs.
'Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"'
Point taken. So suspend them for negligence. The entire chain, website & all. Even better, make them all jointly and severally liable for damages by reason of negligence. Then we'll find out just how quickly they can either track down the bad actors or put a trustable chain in place. PDQ I suspect.
"Ad networks report to potential advertisers on the presence of antivirus on the target machines - what's the legitimate purpose for that behaviour?"
The "we're all innocent, advertising is wonderful, love us, LOVE US" answer is to identify a need for (and to try to sell the user of the target machine) anti-virus software.
"How can they claim to be innocent of doing harm when they're performing vulnerability scans on behalf of the malware peddlers?"
Quite.
The criminals exploiting the weaknesses in the ad networks third-party, fourth-party et cetera's security or the criminals running these ad networks who merely shrug when millions of visitors are served malware because they are making so much money?
Ad blockers, pop-up blockers, ad blocker blocker detector obfuscating script, ghostery, the whole nine yards because I give as much fucks about you losing ad revenue from me as you give when I get infected from your malvertising.
"Ad blockers, pop-up blockers, ad blocker blocker detector obfuscating script, ghostery, the whole nine yards because I give as much fucks about you losing ad revenue from me as you give when I get infected from your malvertising."
Agreed, however, you might also consider adding CryptoPrevent to that mix on a WinX system. It has mitigated quite alot of unwanted programs that have gotten through my defences as you have a similar security approach.
Malvertising would die right now if the ad networks followed these simple rules, rules that were the de-facto standard when the internet became a necessity: Absolutely no javascript in ads, absolutely no tracking in ads, and absolutely no ads that require a plug-in. No exceptions will be allowed.
Those rules worked once, they can work again. But I already know the advertising companies won't listen. These same companies have no respect for my privacy so why do you think they would have any respect for my security? Greed is a powerful force.
Yep. Marketing bosses only care about privacy as much as the typical windows user. They DO care when they realize ad+tracking+analytics bloat is driving away users and lowering their SEO scores. OTOH, doing anything about it seems to be a low priority even for the move-fast-n-break-things hotshot startups.
So, back in reality... BLOCKING, not prosecution, is the solution. Everyone should use ad blockers. All of us should be preaching the gospel of ad blocking, installing it every time we see a friend's computer without it, and, heh, adding popups to our websites to complain if a user's NOT using adblock. Muahahaha.
This post has been deleted by its author
Honest your honor it's the 'scum r us' company that are the guilty ones. We just sold thier ads. No we have no way of tracking the source, but we can track the users all day long. Look thier money is just as good as anyone's right, Surely you don't expect us to care, er check, any closer once the check clears! You can't possibly blame us for sloppy security it was the 'Stupid C**nts Using Malware R US', you know, customers.
"They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"
There is no "Simply" about it, There is no unexpected about it. This is a risk in their business model that they choose not to account for, knowing they themselves are not at risk. Indeed; they get paid for delivery regardless.
Time to stop it where it stands and require all such third-party injection to be pre-edited.
Think of it as an ecosystem.
Some toxic (predatory) ads exist in the same system as the "product" (customer/prey) who visits, along with many other, similar-seeming ads of a harmless yet annoying nature.
The question becomes whether you want to poison the entire system (reducing the population) to cut down on the number of these advertisements, barring those who adapt to survive.
Ideal scenario, you kill every single predatory ad and leave only the harmless kind. Impossible.
Best possible scenario involves a maximum of predatory death and a minimum of unintended harm. Some damage results but the system repairs itself.
Worst case scenario, and the most likely, is that you instead wipe out almost everything, leaving massive damage across an entire section of ecosystem that depended on those things you find annoying. Not as likely as it just proving ineffective, but still possible.
Bottom line is, if you destroy it all, you wind up annihilating more than you expected thanks to so much interdependence. Either careful legislation is needed, or none at all. Of course, you could just nuke it all from orbit and start over fresh...
"Of course, you could just nuke it all from orbit and start over fresh..."
Good idea. Except maybe the last bit.
But to take your analogy further: I suppose what you're really saying is that sites that depend on advertising would be damaged along with the advertisers.
The advertisers themselves, as they currently operate, are no great loss. In fact, they're really no loss at all; their MO is to poke their fingers into user's eyeballs and maybe also ears. The rest of us would be better off without them. They may be doing themselves more harm than good in any case so they might actually be better off if their advertising channels were nuked.
So let's look at the sites. Under your Darwinian notion they have choices, adapt or die. They could adapt by allowing adverts in page and exercising direct control over what goes there. If they succeed in that they survive, if they allow the usual slow-loading, animated, screaming crud they die & if they allow malware they get sued to oblivion. But yes, they can survive.
value = current income + potential income
current income = All of (valuation * hits) for all known income sources
potential income = All possible current incomes * factor (< 1) of them which will likely be used
to maximize value:
individual valuation: maximize possible value for each
hits: retain and gain many customers
possible incomes: make the pool of possible sources as large as possible
likely use: maximize potential advertisement
hits / likely use
ind. value / possible
Strike a balance as appropriate. As of right now, the system favors maximizing the pool of advertisements and ad space simply because humans are fickle (hit-based) and advertisers are stingy (individual value) as well. Essentially, the potential income from future sources vastly outweighs the current income in almost any case.
Sadly, one cannot simply order humans to stop being fickle and stingy, so the spam will continue. Either you attempt to increase the other side until it becomes viable, reducing spam as appropriate, which some have chosen to try, or destroy the spam entirely and wipe yourself out because of human nature, with few exceptions.
I can't wait to see a government try to tackle this one. Because you aren't getting rid of advertisements until you can make spam unprofitable.
Ecosystem-thinking: Yep. But if internet users are prey animals, then some of us make it hard for the predators to get us.
The malware guys aren't interested in breaking into a Linux machine running NoScripted/uBlocked/Ghosteried/etc Firefox inside a Firejail sandbox, it's too much trouble for a very few possible wins.
It's a sweet spot right now -- all the Web to roam, with few of the dangers to worry about. Selfish, in a way, but anyone can do it.
Everything will change in a few years, probably. The web is nothing if not an evolving system.
Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising"
So he's saying that being assigned a job, passing off to an unmonitored third party that behaves maliciously absolves all guilt?
Ahem, if I hire someone to look after my dog while I'm away, and he sends over someone he found on the street to do it for him, and that person mistreats my dog; Guess who I'm blaming when I find out.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
