Millions menaced as ransomware-smuggling ads pollute top websites

Top-flight US online publishers are serving up adverts that attempt to install ransomware and other malware on victims' PCs. Websites visited by millions of people daily – msn.com, nytimes.com, aol.com, nfl.com, theweathernetwork.com, thehill.com, zerohedge.com and more – are accidentally pushing out booby-trapped adverts via …

  1. Anonymous Coward

    Websites visited by millions of people daily

    ... aol.com ...

    :-)

    1. Roq D. Kasba

      Re: Websites visited by millions of people daily

      Maybe over pondleft?

    2. Anonymous Coward

      Re: Websites visited by millions of people daily

      The bad guys sure know their market. They target very popular sites, with a large proportion of technically illiterate people.

      1. admiraljkb
        Joke

        Re: Websites visited by millions of people daily

        "They target very popular sites, with a large proportion of technically illiterate people."

        You mean the illiterati?

        1. James Hughes 1

          Re: Websites visited by millions of people daily

          Surely the huge majority of internet users are technically illiterate (although that term isn't really correct), meaning the scammers don't really 'know' the market, because the market is almost everyone.

          1. Bloakey1

            Re: Websites visited by millions of people daily

            "Surely the huge majority of internet users are technically illiterate (although that term isn't really correct),"

            <snip>

            I agree and I tend to use the term "naive users". Now let us all ponder the fact that these naive users have made many a commentard an affluent person, God bless their cotton socks.

          2. BillG
            Happy

            Re: Websites visited by millions of people daily

            Adblock Plus to the rescue!

  2. Alister
    Facepalm

    But no, ad-blockers are bad and should be banned...

    Any Swedish publishers care to comment??

    1. Anonymous Coward

      Beat me to it...

      ...have an upvote.

      1. Triggerfish

        Re: Beat me to it...

        and me.

        1. Nunyabiznes

          Re: Beat me to it...

          I would give you an upvote also, but you are at a perfect 42.

          EDIT: And then somebody screwed that up.

          1. Anonymous Coward

            Re: Beat me to it...

            .. and I just screwed up his 69 which, I'm sure you'll admit, was even more desirable.

            :)

            1. Ragarath

              Re: Beat me to it... @AC

              Hang on! You did what to his 69?

          2. Triggerfish

            Re: Beat me to it...

            C'mon who is the one lonely ad guy, who is downvoting all of these, show yourself. :D

  3. Tessier-Ashpool

    Online Ads, the gift that keeps on giving

    I think I'll stick with the 'protection racket' known as ad blockers, thank you very much, rather than suffer this nonsense.

    1. Anonymous Coward

      Re: Online Ads, the gift that keeps on giving

      I think I'll stick with the 'protection racket' known as ad blockers, thank you very much, rather than suffer this nonsense.

      Well yes, but it's racket upon racket, all founded on ignoring basic user security in search of The Almighty Buck™. It's 2016 and Windows STILL needs a separate anti-virus tool to be safe near the Internet, and the advertising problem is not exactly new either, is it? WTF are these people thinking not putting in basic security to stop this?

      Personally I think that if big sites are serving up ads they are liable for the damage. Sure, they can then pass this on to their ad provider, but that's not my problem. You break my system, you are bloody well liable for the costs and efforts to recover it, and I'm not cheap.

      Having said that, this is again fun I opted out of when I switched OS, but even then I had adblockers (now uBlock), a modified hosts file as well as anti-tracking installed (Ghostery). Damn. I would have had fun and be in all newspapers :).

      Oh well. Back to work instead - my machine works fine..

      1. admiraljkb

        Re: Online Ads, the gift that keeps on giving

        "Personally I think that if big sites are serving up ads they are liable for the damage."

        They ARE liable, unless they have a big ol "our ads may infect your computer" waiver you have to accept before entering the site... I don't think any lawyers have picked up the task yet, but it's just a matter of time.

  4. Nik 2

    Checks for anti-virus?

    Are there any PCs without anti-virus products which are not already infected?

    1. Doctor Syntax Silver badge

      Re: Checks for anti-virus?

      "Are there any PCs without anti-virus products which are not already infected?"

      Yup. They're running Mint or Ubuntu or Debian or Fedora or *BSD or......

      1. Anonymous Coward

        Re: Checks for anti-virus?

        This year I finally exorcised the last Win install from our household boxen. I then trapped that malevolent Spawn of Hades within a virtual box, there to vainly struggle for all eternity...

      2. Comunicate Manifest

        Re: Checks for anti-virus?

        ... or Windows with a good hosts file.

        1. el_oscuro

          Re: Checks for anti-virus?

          The problem is Windows doesn't really honour your host file.

      3. Anonymous Coward

        Re: Checks for anti-virus?

        "Yup. They're running Mint or Ubuntu or Debian or Fedora or *BSD or......"

        ..... Gentoo. Sometimes I get my systems into a state whereby I wish that just a trojan or worm was involved. On the bright side, after 13 years of extreme system abuse I have skills akin to resurrection.

        Somehow I have never managed to take a Linux system beyond repair unless the hard disc is buggered (BSD is the same - I'm told). Windows nerds - you'll never know the joy that is boot off something that is near enough, shuffle a few files and then chroot to put things back in order from the perspective of the patient. The best you (and I - I'm a Windows sysadmin as well) can do is boot off something, copy off data and reinstall from scratch. The recovery console on Windows doesn't even have a browser or an IP stack - rubbish.

      4. admiraljkb

        Re: Checks for anti-virus?

        If you are using Windows as a daily driver without ad-block, then good luck... So much of the malware stuff that is out there (many unknown) bypasses the AV products. For the last several years, the Pron sites are safer than the news sites for keeping your PC errr, well, umm, "CLEAN?". :) That's really screwed up.

        Ads should be straight up pics and text. Who the !@#$@ in their right mind (in the ad business) would allow ads to run Flash, Java, Javascript, etc etc etc... Idiots... I and many others started ad-blocking for security reasons. (oddly enough, it also means that sites SNAP now instead of draggggggging/struggling to render)

        1. Danny 14

          Re: Checks for anti-virus?

          AV protects you from known signatures of known files. It won't protect you against a nasty using a 0-day flash vuln (or a known flash vuln on an out of date flash/java/IE/Silverlight etc). That's sort of the whole point of malware, it bypasses the protection and focuses on the holes.

          If you use software that doesn't have the same holes (such as not using IE or flash or java etc) then you have a better chance of not being infected. In this case if you blocked adverts then again you'd be fine.

    2. Jeffrey Nonken

      Re: Checks for anti-virus?

      "Are there any PCs without anti-virus products which are not already infected?"

      Yeah. Mine.

      And no, I'm not running Linux or BSD. Running Windows 7.

      Yes, I'm sure.

      1. Fred Flintstone Gold badge

        Re: Checks for anti-virus?

        "Are there any PCs without anti-virus products which are not already infected?"

        Yeah. Mine.

        And no, I'm not running Linux or BSD. Running Windows 7.

        Yes, I'm sure.

        I think the OP meant systems actually connected to the Internet :)

        Joking aside, you can secure any system. The difference is how much effort it takes to secure it and maintain that security, which is where you make your choices.

    3. Tannin

      Re: Checks for anti-virus?

      In one word, yes. Millions of them. It is not difficult to remain malware-free if you have some basic skills. Anti-virus software is much less effective than simple good hygiene - never use Internet Explorer, uninstall chronic malware vectors like Flash, block ads, you know this stuff if you read El Reg. Or you should.

      Edit: "basic" skills for any IT person, I mean. I'm not expecting your Granny to have them. For most ordinary users an anti-virus package is worth the cost. (Not really money, the main cost is the performance hit.) But you certainly don't need one if you have an IT clue.

    4. naive

      Re: Checks for anti-virus?

      Yes, my windows 7 and windows 10 machines. Removing Adobe flash and Java gets one quite far, combined with using firefox, since it warns for dodgy sites.

      I find it in fact incredible that:

      - adobe is not put out of business by the government and its management is not in jail, they are worse than terrorists.

      - youtube serves (me) adverts from Riverside soft (or something) asking me to install drivers from them, it had infected the pc of my kid with tons of malware, requiring complete reinstall.

      It is an industry wide issue, and nobody cares, like with dangerous cars from the 60's until Ralph Nader came, who should have been given a Nobel Prize for the millions of lives he saved since then.

  5. Anonymous Coward

    Not only that...

    I've noticed a large increase on the number of links in download sites that redirect to at least one link shortener/obfuscator that in turn open another browser window or tab with spoken(!) messages about my computer being infected, please call this number, etc.

    These phishing attempts are not new, but I think those link shorteners are also being targeted.

    1. Steve Davies 3 Silver badge

      Re: Not only that...

      Those stupid link shorteners are open to this type of exploit.

      I have never ever clicked on one and never ever will. Anyone who sends me one gets a standard email reply explaining why I won't follow their link.

      Using a link shortener means that you have no idea where you are going to end up. Years ago I saw one used to take someone to a Pron site. It could have been a kiddie porn site which as we all know means a jail term for those of us in the UK even for just visiting one.

      Back on topic.

      I've just about had enough of MS pushing Silverlight as an optional patch even to Server OS's. Hide it and it is like a bad penny and keeps coming back. Why don't they just can it once and for all eh?

      As for Flash, you deserve everything you get for using it. The most bug ridden bit of software in history.

      1. Anonymous Coward

        Re: Not only that...

        As for Flash, you deserve everything you get for using it. The most bug ridden bit of software in history.

        Hmm. Given the TeraBytes of patching I have seen float past over the decades I think that specific honour goes by some distance to Microsoft and their products. I know, I know, it's hard to beat Adobe, but I think it still has to learn a lot about epic cockups and ignoring customer security from Microsoft. They're undisputed kings here IMHO to the point of having caused a whole ecosystem on its own just cashing in on the problems. Which, by the way, you pay for too.

        1. Danny 14

          Re: Not only that...

          to be fair, windows is an OS whereas flash is a browser plugin for video. The OS does a fair bit more. Flash is just horrid (don't get me started on Java)

    2. gollux
      Mushroom

      Re: Not only that...

      Yeah, run Privacy Badger to be enlightened. I've seen as many as 200 offsite links being blocked. Give me a break, no wonder your website loads slow and needs lazy loading to help increase the number of attack vectors... No thanks!

      1. Anonymous Coward

        Re: Not only that...

        +1 for Privacy Badger. It is an eye opener. I have to say I don't generally frequent the sort of sites that get your high score of 200 but some sites are horrendous.

  6. Doctor Syntax Silver badge

    The ad industry needs to get itself under control PDQ or face extinction. Personally I could live with the latter but not with all the sorting out I'm going to have to do for friends and family whilst one or the other happens.

    1. Robert Helpmann??
      Flame

      Who are the Victims?

      The ad industry needs to get itself under control PDQ or face extinction.

      Did anyone else read the following and have their head threaten to explode?

      "It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising. The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."

      What a crock! The site owners should be held responsible for any and everything they allow to come from their site. If they sub out their advertising, it does not absolve them from responsibility, it is just a convenient way to speed the process along. If you pay for someone for a service and don't at least verify it is being done in a non-criminal fashion, you are still to blame for your negligence.

  7. dorsetknob
    Mushroom

    this just is another nail in the head / and SHOVE A Cactus hard up the ASS of the Ad industry

    Just install / run

    Ad Blocker ( any is better than nothing )

    Ghostery

    any Script Blocker

    Malwarebytes

    Anti virus

    the list goes on just block those WUCKIN ADS

    Pass A Law that makes any Site Responsible for any Collateral Damage caused by these ad / infections

    Maybe if they end up paying they will clean up their own industry

  8. Anonymous Coward

    Sponsored content

    Ads are living on borrowed time. In a few years everything will be sponsored content.

    Just look at El Reg. Keeps trying to sell me something called "DevOps".

    1. Anonymous Coward

      'Keeps trying to sell me something called 'DevOps'...

      ...Or Flash / StorageBod something..............

      1. Wensleydale Cheese

        Re: 'Keeps trying to sell me something called 'DevOps'...

        And bacon sarnies.

        Just preaching to the converted, really.

    2. GBE

      Re: Sponsored content

      Just look at El Reg. Keeps trying to sell me something called "DevOps".

      Yea, someday I'll have to look up "DevOps" and find out what it is.

      Or not. It's probably just another one of those fads that'll go away if you ignore it for a few years.

  9. Keith Glass

    And yet many of these sites. . . .

    . . . .nag me about my ad-blocker.

    Tell you what: when your site serves malware-via-ad, and you take responsibility and LIABILITY for the malware you serve. . . . I'll consider white-listing you.

    Unless, of course, you're Forbes or WIRED. Because you're being such utter assholes about it, Ad-block on your sites will stay until Doomsday + a week. . .

    1. DaddyHoggy

      Re: And yet many of these sites. . . .

      I did add Wired to my ABP white list but 1) it still complained that I was using an Ad-blocker 2) the site went from unusable because I was using an ad-blocker to just... unusable...

      Sorry Wired, I won't be back - with or without an Ad-blocker and the rest of them can go swing, I'm not turning my ad-blocker off!

      1. annielinux

        howto: unblock blockadblock on WIRED

        Add this blocking filter in Adblock Plus (without quotation marks):

        "|http://www.wired.com/assets/load?scripts=true&c=1&load%5B%5D=jquery-sonar,wpcom-lazy-load-images,outbrain,blockadblock,tracking,ads,wired"

        I am not reading them myself, frankly.... but Adblock Plus is a good tool, it allows things like this one.

    2. tempemeaty

      Re: And yet many of these sites. . . .

      Yeah, tell me about Forbes. I gave them the finger and wrote those ass hats off.

  10. chivo243 Silver badge

    Anybody have...

    ...a list of these Ad network IP addresses...

    1. Stuart 22

      Re: Anybody have...

      I use a list in my hosts files that I have traced back to here: http://winhelp2002.mvps.org/hosts.htm

      Except I use 0.0.0.0 instead of 127.0.0.1. Dunno if this makes a difference. I use a Debian based distribution. Works brilliantly - much better than the ad blocker plugins. Only wish I could find an easy way of importing into ChromeOS and Android. Or has their distributor made it hard for a reason?
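
An added example, not part of the thread and not code from either hosts list linked in it: a Python sketch that sanitises a downloaded hosts-format blocklist before it is merged into /etc/hosts. It rewrites every sink entry to 0.0.0.0, as the post above describes, and rejects any line that would map a name to a routable address; the function name and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Names that must keep resolving to loopback; they are never rewritten.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Conservative hostname check: dot-separated labels, at least two of them.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed sample input, not taken from any real blocklist.
SAMPLE = """\
# constructed sample
127.0.0.1  localhost
127.0.0.1  ads.example.com   # banner server
127.0.0.1  ADS.example.com
0.0.0.0    tracker.example.net cdn.tracker.example.net
203.0.113.7  bank.example.org
127.0.0.1  bad_host!.example.com
not-an-ip  something.example.com
"""


def sanitize_hosts_blocklist(text, sink="0.0.0.0"):
    """Return (entries, rejected) for a hosts-format blocklist.

    entries  -- de-duplicated "<sink> <hostname>" lines, in input order
    rejected -- (line_number, reason) tuples for lines that were dropped
    """
    seen = set()
    entries = []
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            rejected.append((lineno, "first field is not an IP address"))
            continue
        # A blocklist should only point names at loopback or the unspecified
        # address. Anything else silently redirects a name somewhere real.
        if not (ip.is_loopback or ip.is_unspecified):
            rejected.append((lineno, "maps a name to a routable address"))
            continue
        if not names:
            rejected.append((lineno, "no hostname on line"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue                       # leave the system's own entries alone
            if not HOSTNAME_RE.match(name):
                rejected.append((lineno, "invalid hostname"))
                continue
            if name not in seen:
                seen.add(name)
                entries.append(f"{sink} {name}")
    return entries, rejected


if __name__ == "__main__":
    cleaned, dropped = sanitize_hosts_blocklist(SAMPLE)
    print("\n".join(cleaned))
    for lineno, reason in dropped:
        print(f"# rejected line {lineno}: {reason}")
```

Review the rejected lines by hand before merging anything: a third-party hosts file is applied with root privileges and every entry in it overrides DNS for that name.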

      1. Steve Davies 3 Silver badge

        Re: Anybody have...

        Your method may well work (for now).

        I've recently seen a load of ads being served via a variable Cloudfront URL. Barstewards.

      2. annielinux

        Re: Anybody have...

        ChromeOS and Android are both designed by Google aka the biggest spammer/advertiser out there. Why would they let you block one of their core business ? :)

        To edit hosts on Android, you'd 1st need to root your android device (by using towelroot as an example) but Google constantly updates its software to patch the exploits making possible to use soft like towel and to prevent you from rooting its smartphones/tablets.

        Other than that Android is like any other Linux OS in many respects.

      3. Anonymous Coward

        Re: Anybody have...

        "Except I use 0.0.0.0 instead of 127.0.0.1"

        Judging by at least one response to your post the sarcasm/Fe (y) detectors are down in some parts of the world.

        For best effect though, stop messing with a text file and use your firewall properly. Remember the kids could start using IP addresses directly thus bypassing your hosts file. A rule along the lines of (translate as required for your OS) src:0.0.0.0 dst:0.0.0.0 iface: all proto:all policy:reject should do the trick. Don't forget IPv6 as well. The policy:reject will avoid any nasty lockups and smooth the user experience.

    2. cd / && rm -rf *

      Re: Anybody have...

      http://someonewhocares.org/hosts/

      Used in combination with uBlock and Ghostery on Firefox. Ads? What ads?

      1. Danny 14

        Re: Anybody have...

        use diladele and block ads at the entrypoint - this means it will block all the ads on mobiles, tablets, PCs regardless of browser or plugin. Assuming you are using a Linux firewall (and thus can install this on your Linux box).

  11. Brian Miller

    Firefox and NoScript

    Honestly, I have no idea why more browsers don't have script blockers like NoScript built into them. The web and Internet are so toxic, it's just pathetic. Turn off the capability to run scripts, and suddenly so many vulnerabilities just disappear.

    Wanna build a botnet? Just buy some ad space, sit back and relax.

    1. Neil Barnes Silver badge
      Mushroom

      Re: Firefox and NoScript

      Therein the problem.

      There is *very* little actual need for any scripting in a browser. Do away with the lot of it, and get back to a stateless system as originally designed.

      1. Destroy All Monsters Silver badge

        Re: Firefox and NoScript

        Well no. That kind of ship has sailed.

        Any kind of interface that is not static, just-sitting-there-waiting for you-to-post-an-ugly-form-to-a-server-like-in-a-dystopian-retro-noir-movie needs it. I do think even North Korea is happy to have left these behind...

        If you don't want scripting, you might as well go back to green screen (and without curses). It has its uses...

        1. Snowy Silver badge

          Re: Firefox and NoScript

          Yes why should the script run in the browser be able to make any changes to the OS it is running on. Scripts should just change what is displayed inside the browsers window nothing else.

        2. adnim

          @Destroy all monsters ... Re: Firefox and NoScript

          CSS3 + HTML5 :-) No scripts are required to pretty up a page and validate form content. Send form data to a php page to do the validating. CSS3 does pretty cool animations too. CSS3 menus can also look identical to and perform better than Bootstrap. Yes scripting does have its purposes, I find Ajax particularly useful.

          1. Ammaross Danan

            Re: @Destroy all monsters ... Firefox and NoScript

            @adnim:

            "Send form data to a php page to do the validating."

            The point of using javascript to validate pre-send is to reduce submissions/processing server-side by rejecting bad/missing data client-side first.

            You cite the best use of javascript actually: "Yes scripting does have its purposes, I find Ajax particularly useful." Now, what do you do with that AJAX JSON result? You create HTML content via javascript. Also, a common technique is to pass page data in javascript code and build it using javascript to prevent the need to send 100 table lines of pre-formatted (and highly repetitive) tr td tags. This optimizes data transfer and server-side processing as it uses the client's CPU to generate the necessary HTML to display.

          2. Anonymous Coward

            Re: @Destroy all monsters ... Firefox and NoScript

            Ajax is obsoleted by a new web API called fetch.

            Ajax is as obsolete as your thinking.

          3. John Geek

            Re: @Destroy all monsters ... Firefox and NoScript

            um, html5 *is* javascript.

            and, without javascript, the whole AJAX world that enables stuff like Google Docs and Google Maps goes bye-bye.

      2. ecofeco Silver badge

        Re: Firefox and NoScript

        Thank you Neil. I've been saying this for years.

    2. Novex

      Re: Firefox and NoScript

      NoScript is pretty good at stopping a fair bit of crap from coming down the pipe, but I'd always have an adblocker and Ghostery in the mix as well.

      JavaScript: yes, it shouldn't be able to do anything outside the browser window it's in (including not being able to do anything with other tabs or windows). It can be useful for helping in some application-style web pages where some level of understanding of the user's selections on a page are required. Also there are a few things that in-browser HTML and CSS don't do yet that JS can, though I can't think of any right this minute...

      I'm also inclined to agree that sponsor advertising is likely to be where the internet will end up, but it might take a while to get there.

      1. Jagged

        Re: Firefox and NoScript

        "JavaScript: yes, it shouldn't be able to do anything outside the browser window it's in"

        - This. Sandboxing things like script and flash and java plugins and plugins of any nature is perfectly possible. That some of the browser makers haven't done so, makes me think they have hidden reasons for not doing so.

    3. Steven Roper
      Mushroom

      Re: Firefox and NoScript

      The biggest problem with NoScript these days is lazy web developers who just fetch scripts from 50 fucking domains to build the page. This practice should be regulated if not made outright illegal on the grounds of facilitating malware distribution.

      We've all seen it: you go to a site, only to be greeted with a blank page or an unreadable pile of text and colourbars splashed all over the place like a dog's breakfast. So you click NoScript's Options button, only to be confronted with a list of domains two screens high asking to be allowed to run javascript. Even worse, those domains run scripts that fetch more javascript from even more domains, so after you allow example.com, exmplimgs.com, exmplcdn.com, googletagmanager.com, googleapis.com, jquery.com, wordpress.com, joomla.com and gofuckyourself234567.cloudfront.net, you still have an undiminished list of domains asking to be allowed, that weren't there before, and the only change that's happened to the scrambled mess on your screen is that the Disqus comments are now visible and 3 images have appeared.

      After which your site gets nulled at my router and I never go back there again.

      I would love to skin alive every fucking idiot who does this. I can understand the need for javascript on today's interactive web apps, but FFS put your javascript on ONE domain. If you need to use cloud load-balancing then USE ONE GODDAMN SERVICE. I can go with allowing two or three domains at most, but this insane mess requiring me to incrementally enable javascript for the entire fucking internet just to read one bloody article that could easily be displayed by simple HTML has got to fucking stop.

      1. Mystic Megabyte
        FAIL

        Re: Firefox and NoScript @Steven Roper

        I have almost exactly the same experience but I've never yet managed to unblock enough shit to get Disqus to work.

        1. Steven Roper

          Re: Firefox and NoScript @Steven Roper

          "I have almost exactly the same experience but I've never yet managed to unblock enough shit to get Disqus to work."

          That's different to what I've often seen. I mentioned Disqus because in my experience it's usually the first new thing to appear once you allow javascript for the primary domain. Its plugin requires you to inline its javascript in your page's HTML, so allowing javascript for the primary domain usually enables it.

          One possibility is that since I have a Disqus account I've got disqus.com whitelisted in my NoScript. If you haven't, then it would no doubt be buried in the list of domains you haven't allowed yet which might explain why it hasn't appeared for you?

      2. Fatman
        FAIL

        Re: Firefox and NoScript

        I feel your pain, as I am also a No Script user, and I have experienced that same bullshit on some sites.

        BUT, I have seen one technique, which I will not describe, (so I don't give lazy web coders any ideas) that I consider downright NASTY.

        It involves, as you have noted, javascript code pulling down even more javascript code in order to display the page. I can only take away this: some really sneaky fuck wanted to insure that their web page does not display well if ANY ad blocking is employed.

        As a result, I have blacklisted their site for both my personal, and work related use. FUCK THEM!

  12. inmypjs Silver badge

    Paid for?

    Surely someone had to pay for these ads to be served and so there should be a money trail to follow?

    1. monty75

      Re: Paid for?

      All the way back to a stolen credit card I suspect.

  13. steamnut

    Culpability

    It's about time the law stepped in. If websites that served up bad things were deemed to be culpable for any losses incurred then I'm sure website owners would soon increase their attention to the served product.

    If they are happy to take the profits from the companies whose adverts they show then they should be made to pay for damage to visitors systems if they screw up.

    That seems fair to me..

    1. Ian 55

      'their only crime'

      .. is selling the right to push arbitrary scripts and files via their site to the highest bidder.

      That's a pretty serious crime and I'm surprised it took so many comments before someone suggested joint liability.

      Given how serious this can be - damaging a hospital's operation FFS - let's extend it to the personal assets of the directors.

  14. Destroy All Monsters Silver badge
    Windows

    We need a logo for this menace

    Meanwhile, bum ad-tack

  15. Glenn 6

    Re-sold ad spots usually the culprit

    In my direct experience in having several times dealt with malware in ads on a website I ran, the problems have always occurred due to an industry-wide practice of webmasters allowing their ad zones to be re-sold to 3rd-parties. The Sales/Marketing boneheads don't give two craps whether or not the site gets blacklisted on "safe site" lists that browsers check before loading the page. So long as their monthly quota is reached, it's then a sysadmin problem to solve. Warning after warning got ignored.

    What happens is this: Web sites have ad zones - place holders where banner ads go. The aforementioned Sales Boneheads sell those ad zones to companies who they know are wholesalers for website ad space. And they in turn sell them to (ALWAYS Chinese in my experience) malware people.

    Perhaps if the industry collectively agreed that they will only sell their ad zones to FIRST PARTY customers - who they can vet, contact, etc, this won't happen nearly as much if at all, and the web would be a much safer place.

    But that would chew into their quota, and their BMW payment.

    1. Doctor Syntax Silver badge

      Re: Re-sold ad spots usually the culprit

      "But that would chew into their quota, and their BMW payment."

      Nothing like as much as being held liable for the damage, should that happen.

  16. Pascal Monett Silver badge
    Flame

    "accidentally pushing out booby-trapped adverts via ad networks"

    Yeah. Accidentally. Sure.

    They are accidentally absolutely not virus-checking the ads they push. They are accidentally not vetting the ads they accept because they accidentally didn't want anything to do with the notion called "responsibility" and made the whole ad chain deliberately obfuscated so as to be able to say, at each step, "I had no idea !"

    Accidentally my ass. They don't give a rat's ass, that's what. Well I'm actually happy about all this because it means bad headlines and damaged reputations and we all know that that means risk to the ever-so-important bottom line. And only when it hits there do companies decide that Something Must Be Done.

    Looks like decision time is getting closer.

    1. Grikath

      Re: "accidentally pushing out booby-trapped adverts via ad networks"

      Interestingly, the big websites tend to run the big campaigns, which are usually pretty well vetted given the potential for backlash. But still they served up the bad ads.

      May be tinfoil hattery, but this makes me suspicious. My bet is that somewhere down the line one of the Big Ones got one of their servers compromised.

    2. Ian 55

      Re: "accidentally pushing out booby-trapped adverts via ad networks"

      I would be surprised if the baddies didn't check for the publisher's IP addresses before pushing the bad stuff.

      Is this being looked at in the NYT network? Yes - show fluffy kittens; no - pwn them.

  17. wub

    Just update Flash...

    Love to, but running Linux here, so no more updates, ever.

    1. Anonymous Coward

      Re: Just update Flash...

      >Love to, but running Linux here, so no more updates, ever.

      Google maintain and update Flash Player on Linux (for Chrome/Chromium browsers) - it's updated every time the Win/OSX versions are.

    2. Doctor Syntax Silver badge

      Re: Just update Flash...

      "Love to, but running Linux here, so no more updates, ever."

      It's not updated to major versions beyond 11 but still gets regular security updates for 11.

  18. Someone Else Silver badge
    Flame

    OK, now explain to me again...

    ...why ad-blockers and javascript blockers are a bad thing?

  19. NBCanuck

    Malware?

    Nice generic term....but what was the nature of the "malware"? Keylogger, botnet....ransomware? Sometimes I think that some click-happy users have it coming, but when the risk is there for just going to a site then the advertising model for web sites really needs an overhaul. Some of the sites are likely visited by very non-technical people who would not recognize when they were infected nor have the means (knowledge or funds) to have it corrected.

    As we all know that will only happen when it hits business where it hurts....$$$$$$$$$$$. As other people have commented....the timing of this should be a pretty good argument against the companies who want to block the ad-blockers. And if they do force people to disable ad-blockers to access content, then they should be on the hook to fix grandma and grandpa's computers when they get loaded with crap.

    1. Kurt Meyer

      Re: Malware?

      @ NBCanuck

      "Nice generic term....but what was the nature of the "malware"? Keylogger, botnet....ransomware?"

      The title of the article: "Millions menaced as ransomware-smuggling ads pollute top websites".

  20. EveryTime

    I'm not exactly going along with the sites being "innocent victims". That's just posturing to disclaim responsibility.

    I didn't go to 'xxxsleazypornandmalware.com'. I went to NYTimes.com. They are the ones collecting subscription money. And the ones that selected the ad network. I didn't get to choose the ads delivered, or a warning about the unexpected risk from their poor choices.

  21. annielinux

    This is exactly why I don't use no adblockers. Why would I ?

    Instead I have a hosts file sized almost 1MB

    and some 2000 lines in a firewall rule set to augment it.

    Never saw even one ad on youtube or any other site

    out there... lol...

    1. Comunicate Manifest

      I use a nice hosts file too; and browsing is nicer, much quicker, less risky, and a more enjoyable experience because of it.

  22. Anonymous Coward
    Anonymous Coward

    Who's liable? El Reg tried to find out...

    http://www.theregister.co.uk/2015/11/23/liability_chain_malvertising_advertising/

    23 Nov 2015: "The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall."

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's liable? El Reg tried to find out...

      Easy. It's the site you are connected to via its URL.

      If they allow content from a third party THEY are still responsible.

      1. VinceH

        Re: Who's liable? El Reg tried to find out...

        "Easy. It's the site you are connected to via its URL."

        Websites that carry advertising, etc, will have something in their Ts and Cs absolving them of all responsibility - and until someone with enough clout (and/or money to sue) is affected and takes a high profile site to court as a result of their computer(s) being fucked up by something like this, and those Ts and Cs are shown to be the crap they are, they'll continue to operate with a hands-in-their-ears-"LALALALALA" approach to the problem.

        1. Whitter

          Re: Who's liable? El Reg tried to find out...

          We are all in need of Team America: a class action vs nytimes or the like. They sold your security for their profit (profit = ease of "management" = no management 'cos that costs).

          1. Bloakey1

            Re: Who's liable? El Reg tried to find out...

            "We are all in need of Team America"

            Kaak al lak a lak? Bang.

            Please not Team America, Thunderbirds or Joe 90 would sort it out with no bloodshed and the resulting 20 years of anarchy.

  23. Herby

    We could...

    Get a lawyer involved. You know, the ones who are telling us about bad drugs, bad hip replacements, and the like.

    Yeah, that's the ticket.

    Problem is that finding the money is quite difficult.

    Sorry, never mind.

  24. bill 30

    Bullshit

    "It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising,"

    The websites that use the ad space to make money... however piddly, should not cast blame... buy low, get low........... they need to vet their clients (ad idiots), just as we should vet someone who holds our balls in their hand.......

    but, on the other hand, I welcome the money as the calls come in

  25. ecofeco Silver badge

    Again?!

    Seriously. Again? AGAIN?

  26. Anonymous Coward
    Anonymous Coward

    "while these popular sites are involved ...they are, much like infected clients, victims.... "

    Victims??? Aren’t they ultimately shop-windowing the infected ads? Isn't the real crime about the popular websites not vetting or ad-virus-checking... such.... 'important user messages'?

  27. Anonymous Coward
    Anonymous Coward

    Invisible 'Toxic' internet...

    Because internet crimes are largely invisible, nobody really sees the big picture. Certainly not users, and definitely not my friends or family. They just switch off whenever they hear me talk of the dangers of flash / java / etc....

    But it's clear, nobody should be elected to government, run the police / security services or be in charge of a company, without a basic understanding of cyber crime.

    But hey, when did that ever matter to the cronyists in charge. Politicians rarely fall on their sword or get fired, and so only few people realize just how toxic the internet has become... By the time they do, it'll be too late for a lot of people!

  28. Anonymous Coward
    Anonymous Coward

    Simple Job Function

    Some years ago, I managed a few websites, where it was standard practice to visit, at least once, every advertiser, to know exactly what the visitor would see when they click through. A simple job function.

    1. Someone Else Silver badge
      Coat

      Re: Simple Job Function

      What? WHAT?? You want the likes of the NY Times to spend actual money hiring actual people to do ongoing work to protect their customers in what could never be considered a profit center???!???

      Shirely, you jest!

    2. Jagged

      Re: Simple Job Function

      Unfortunately that doesn't work anymore. Ads are dynamically generated, ad space is sold down the line and there is no way you can tell that the ads served to your visitors are the same ads you saw when you tested.

      There was a Register article fairly recently about malware ads that serve up different content if they detect certain security tools :(

  29. John Geek

    uBlock Origin seems to keep all that stuff at bay. and when my local n00zpaper/fishwrapper installed some lame script that blocked the page view if I was running an adblocker, I blocked that script too.

  30. Joe Montana

    Adblockers

    You missed installing an ad blocker in the list of ways to prevent such attacks...

    The ad networks used by major sites push malware, and yet they still wonder why people run adblockers?

    1. FuzzyWuzzys
      Happy

      Re: Adblockers

      Ahem, The Reg ( or their financiers ) rely on ads on their website, they wouldn't be able to advise you install an adblocker.

  31. Mark Allen

    Someone needs to sue

    Someone needs to put down a test case. If a high street store had a mugger in the building for 30 minutes taking customers wallets then the shop would be liable. It would also get splashed over the news. The fact the guy was in the building for a noticeable length of time and security did nothing would get the shop in trouble. You expect a level of safety when in a shop.

    So why do website owners get away with this? I have had a few clients over the years who visit big name sites, but happen to turn up during that couple of hours at the weekend when an infected advert was being run. The results of this have led to those clients following down a rabbit hole towards infection. Thankfully, in most of those cases I had built enough paranoia in my clients that they stopped clicking when it started looking dubious...

    So uBlock Origin or AdBlock all the way now. If a website wants me to turn off the adblocker, then they need to take responsibility for the data they serve to me in their name.

  32. Duffaboy
    Facepalm

    Ebay

    4 years ago, I spotted that Ebay had infected ads, so I tried to report it to them. Not interested was the feeling I was getting.

    Reported it to The Register as it would be a scoop for them, not interested either.

    1. Col_Panek

      Re: Ebay

      Um, you're the last to find out.

  33. DaddyHoggy

    Everybody who is on Twitter could Tweet this article to John Whittingdale - the dick who thinks Ad-blockers are protection racketeers...

    https://twitter.com/JWhittingdale

  34. tiggity Silver badge

    crimes

    "The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."

    Dubious.

    The "popular sites" could actually properly vet ads and maybe even fully quarantine & serve those ads only from their own domain (as that way you know it's the same ad you originally vetted & no swaps made) instead of using dubious third parties, instead they just try to divest themselves of all responsibility.

    If I was a corner shop that just sourced cheapest booze I could instead of making an effort to check quality of the drink supplied & ended up selling a customer liver & eye damaging methanol laced counterfeit "vodka" I would be in deep legal grief, these sites should be treated the same

  35. PassiveSmoking

    Web ads which are anything more than a plain static image should be banned. Even if their only other function is to log a hit for analytics purposes, they should be banned. Literally nothing good comes from web advertising. At best they're annoying and intrusive, at worst they can pwn you.

  36. quattroprorocked

    The publishers ARE at fault

    For allowing any idiot to take over their space.

    Simple rule - you want to advertise on my site, you give me your ad, I put it on my server once I've checked it.

    If publishers did that, malads would be history.

  37. Daggerchild Silver badge
    Flame

    WCPGW

    I remember, many years ago, the suggestion that I take my efficient, fast, securely operating website and make unknown amounts of it come from some people I'd never met who are only interested in money..

    I think all managers need to have a bronze plaque installed on their office wall for every time they ignore warnings and order a previously workable solution to install flaws. One plaque for each time the flaw breaks it. Two for each time they complain it's broken.

    1. Vic

      Re: WCPGW

      I think all managers need to have a bronze plaque installed on their office wall for every time they ignore warnings

      I think they need a lead plaque installed on their ankles every time they ignore warnings.

      Then, at month-end, we throw them in the canal.

      Vic.

  38. fedoraman
    Coat

    Using terns is deprecated, they have several well-known and exploitable vulnerabilities, such as a weakness for fish.

  39. Brian Allan 1

    Never used Silverlight, whatever it might be!
