US telly stations fling malware-tipped web ads at unsuspecting surfers

A rogue advertiser abused the Taggify self-serve ad platform to inject malware-installing code into browsers visiting the websites of two US TV stations. It was a textbook malvertising attack: to infect victims' PCs, the dodgy ads used the Angler Exploit Kit, which is a grab bag of code that exploits weaknesses in Adobe Flash …

  1. Google

    Adblockers are a security precaution.

    1. Anonymous Coward

      'Adblockers are a security precaution'

      Too tame... They're now essential for Security....

  2. jason 7

    So where are our resident Ad Network shills?

    Still flogging that "Adblockers are evil" dead horse?

  3. Chris King

    "A rogue advertiser abused the Taggify self-serve ad platform"

    There's your problem - Taggify allowed someone to upload malware-ridden payloads and didn't bother checking them before release.

    Advertisers - When you clean up your act and stop wringing your hands every time you let stuff like this hit end-user systems, maybe people will take you seriously.

    1. Doctor Syntax Silver badge

      Re: "A rogue advertiser abused the Taggify self-serve ad platform"

      "Advertisers ... stop wringing your hands every time you let stuff like this hit end-user systems"

      Advertisers wringing their hands? I thought the stock response was "meh".

      1. VinceH

        Re: "A rogue advertiser abused the Taggify self-serve ad platform"

        I thought their stock response was usually to stick their fingers in their ears and chant "LALALALALALALA!"

    2. PNGuinn
      Flame

      Re: "A rogue advertiser abused the Taggify self-serve ad platform"

      Essential assumption these days:

      ALL adslingers are rogues. Allow at your peril.

  4. Anonymous Coward

    It's a tragedy of the commons. A slow motion train-wreck which they don't have the collective consciousness to avoid.

    The industry is so convoluted that nobody has the power to ban arbitrary payloads or Flash applets.

    And of course it's convoluted by design, because if it was transparent, everyone would see the scam and the whole rotten pile would collapse.

    1. Mark 85

      The industry is so convoluted that nobody has the power to ban arbitrary payloads or Flash applets.

      Since the "industry" won't take steps it's up to us as individuals to do something. And yes, as IT types we get listened to by friends, family, and acquaintances. Despite the ad industry's insistence that they are the bringer of the bling, the best advertising is still word of mouth. Get the word out.

      Maybe the non-techie types can't wrap their minds around No-Script, but ad-blockers... install and let 'em run.

      And we should convince them to uninstall Flash. They won't miss any cat videos if they do.

  5. Dwarf

    Attack vectors

    Now roll the clock forwards 10 years if the IoT takes off and suddenly there are loads more attack vectors for this sort of thing. Will your fridge decide it's time to take a pop at your lawn mower, or your kettle take a dislike to your kid's voice-activated doll? Who's watching your home CCTV and logged into your home alarm?

    For fun, check out the Pen Partners hacking "Cayla" (a child's toy), which they demoed at Infosec last year. It's on YouTube and no, I don't work for them, it was just a good demonstration (like many of theirs).

  6. heyrick Silver badge

    5...4...3...2......

    I'm just counting down until the article that tries so desperately hard to convince us that blocking advertising is THEFT and how the entire digital economy will COLLAPSE and DevOps will FAIL, SEOs will STARVE and their children and their children's kittens will DIE, bloggers will be DEPRIVED of beer, and ... (insert your own Daily Express style headline here) ... if we don't watch and pay attention to every little potentially-malware-infested piece of crap for products nobody wants that turns a three second loading time into a 45 second one, and a twenty kilobyte page into a four megabyte page.

    But, but, but... refusing to look at the adverts. Is theft, m'kay? Can't you see the begging bowl? How dare you! For shame! Oh! The humanity!

    So... five...four...three..two......

    1. Rafael 1

      Re: DevOps will FAIL

      Will?

  7. redpawn

    News Flash Block Flash

    It is time for websites to move away from Flash ads. Allowing a third party to send commands to insecure code hosted on users' machines is unacceptable. You can't pass all the blame to the malvertisers. You can insist on other advertising formats to raise revenue.

    1. Dwarf

      Re: News Flash Block Flash

      It only increases advertising revenue in the short term. It just doesn't go to the people that expected it - the people that paid for the adverts.

      By the way, we can help you fix that nasty virus you have on your computer if you just pay us £399 for 12 months support. You can check it's there by looking for the C: name in explorer, if it's present, then you are definitely infected.

  8. John Tserkezis

    I'm just waiting for a pro anti-adware websites to be served with malware of this type.

    Bet they won't see the irony either.

    1. Someone Else Silver badge
      Devil

      I'm just waiting for a pro anti-adware websites to be served with malware of this type

      Or worse, for one of them to serve up such swill. In that case, perhaps a class-action lawsuit?

  9. Someone Else Silver badge
    Mushroom

    Yes, and please explain again why ad blockers are bad?

  10. Oengus
    Mushroom

    Liability

    When will these ad serving platforms be made liable (hopefully with punitive awards) for the damage caused by the crap that they serve up?

  11. Captain DaFt

    Round robin blame

    The situation now:

    Website operator: It was the ad company!

    Ad company: It was a rogue contractor out of the hundreds we, um, contract with!

    Ad contractors: It was the other ad contractor! Or one of our sub contractors sold ad space to somebody dishonest, or was hacked!

    Sub contractors (a mighty chorus of hundreds, including the original ad company and its contractors subbed out by the sub contractors): Yeah, That's it! But it was them >each points fingers at all the others<

    Ad companies won't voluntarily clean up their act because it affects their bottom line. Every penny they don't spend on fixing the problem is another one in their pockets.

    Website operators won't do anything but blame it on the ad companies, claiming there's nothing they can do while pocketing the money from the ad companies.

    Quickest solution?

    So take it to the end of the chain, and make each website owner legally liable for all damages caused by malware served by visiting their site. After all, they are the ones ultimately serving up the malware, it is their responsibility what they allow on their website.

    The instant that becomes law, any sane website operator will drop ad companies immediately.

    Only then, when it actually hits their bottom line like a nuke, will the ad companies actually try to clean up their act.

    Websites that need advertising to survive? They just need to deal only with ad companies that will indemnify them for any/all damages caused by malware allowed on the site by the ad company.

    Or the site operators can eliminate the middle man, and offer to do ads directly with companies wishing to advertise.

    1. Ropewash

      Re: Round robin blame

      This.

      100 times this.

      I was just fondly remembering the days when consumer level commercial activity wasn't allowed onto the network and for whatever reason there was still a functional internet there. How could this be without having pop-up video ads for deodorant? Without flash banners spawning little UFOs and without even a blinking pulldown telling you that local girls want you right now?

      Of course it might have been possible because page operators actually gave a shit about their content and wanted you to see it. They weren't trying, as the ads have told me, to earn $70,000/week from home just by doing whatever the ad wanted me to do that I obviously did not do since I've still got a day job.

      I'm not against web commerce at all. I like Steam and Amazon and all the rest of their ilk. I just got sick of all the ads festooned overtop of, underneath, around and sometimes scrolling along to obscure the ONE bit of text that might have held some relevance on the site.

      Maybe website operators could try giving a shit again. Only source ads from known companies that you would do business with and better yet, that have some relation to what you are displaying as content. Don't just reel in garbage from offsite agencies. Host the ads yourself like you used to and make sure they aren't something that would piss off your viewers.

      Take note of how the children's network on TV doesn't run late-night dating service ads and Marlboro commercials during the Saturday cartoons. Even though those companies would probably pay very well to get into the early adopter market.

      Failing that, perhaps a lot of these sites that make a living off all ads with little content need to fall off a cliff into blessed oblivion so the search results page looks cleaner.

    2. veti Silver badge

      Re: Round robin blame

      It's a nice idea. I particularly like the bit about ad companies indemnifying websites...

      ... and when there's a claim against them, promptly folding up business.

      No, you'd need the indemnity to be underwritten by - someone with credibly bottomless pockets. I.e. a bank. I.e., as we all discovered in 2007, effectively the taxpayer.

      See where this is going?

      1. Captain DaFt

        Re: Round robin blame

        "... and when there's a claim against them, promptly folding up business."

        Wow. Google Ads is a fly-by-night-outfit? Who knew? :)

    3. PNGuinn
      Stop

      Re: Round robin blame

      Sorry, even if that ever happens (looking for a frostbitten flying pig right now ... ) I'LL STILL BLOCK THE ADS - just in case.

      Me paranoid??

    4. Doctor Syntax Silver badge

      Re: Round robin blame

      "Quickest solution?

      So take it to the end of the chain, and make each website owner legally liable for all damages caused by malware served by visiting their site."

      I agree that that ought to be the case. But it's not the quickest solution. The quickest solution is ad-blockers.

  12. Anonymous Coward
    Linux

    Flash browser and JavaScript exploits.

    "Angler Exploit Kit, which is .. code that exploits weaknesses in Adobe Flash and browsers' JavaScript engines" running on Microsoft Windows.

  13. Triggerfish

    Ad Blockers, are used by those who hate diversity and freedom

    http://www.iab.com/news/rothenberg-says-ad-blocking-is-a-war-against-diversity-and-freedom-of-expression/

    That's right, the advertising business is putting itself there with Martin Luther King.

  14. Doctor Syntax Silver badge

    None of the usual apologists seem to have shown up here. I wonder why.

  15. Mike 16

    Strict Liability

    Sounds like a great idea until you are serving hard time because your 3-year-old picked up a bird feather in a national park. Similarly, strict liability for a website operator sounds like a good idea until their hosting provider or any of the folks writing software they use (e.g. ImageMagick) has a little problem and some doofus from the NSA leaves his laptop on the tram. You at least need an element of intent or negligence.

    I personally do not have ads on any site I control (yeah, they are reference and vanity sites for somewhat obscure hobbies). One site is moribund. I keep it running (and its domain registered), because the vast majority of such sites don't update their links even when I use a redirect _and_ email the alleged webmaster at the referring site. So I noticed an interesting phenomenon. Other than the usual web spiders (most of whom honor robots.txt), there is a smattering of referrals from the aforementioned "can't be arsed to fix links" sites, and a storm of probes for various wp-admin pages.

    I don't use WordPress, but I suspect a fair number of people do. One does not have to contract with a dodgy advertising broker to inadvertently attack one's visitors. And railing against website operators for being human may be more satisfying than using noscript and an ad blocker, but it is a lot less effective.

    1. Captain DaFt

      Re: Strict Liability

      I'll ignore the irrelevant, and just go with the meat of your argument:

      "You at least need an element of intent or negligence."

      And that's exactly what was suggested.

      There's a big difference between having your site vandalized by a hacker, and deliberately letting someone put unvetted content on your site in exchange for money.

      The first was a criminal act by another to the site.

      The second is a deliberate act on the site owner's part.
