Anti-adblocker firm PageFair's users hit by fake Flash update Ad-blocker blocker PageFair has announced that it was hacked over Halloween, exposing those visiting sites running its free analytics service (allowing those sites to see how many of their visitors were using ad-blockers, perhaps to prevent being served malware by a third-party) to an executable masquerading as an Adobe Flash …
Maybe I've misread the article, but I don't think Flash was the attack vector:
"PageFair stated that attackers had sucessfully executed a spear-phishing attack against "a key email acccount" from whence a rapid password reset allowed them to hijack the company's CDN account.
"The attackers had a plan," Blanchfield told The Register. Once they had access to the email account, they modified the analytics' JavaScript tag to some JavaScript of their own."
don't get me wrong - I wouldn't let Flash near any of my kit, but it wasn't a Flash exploit used in this case
"That is why I do use NoScript and get it to block 3rd party (often == advertisers) javascript."
The problem with NoScript these days though is that too many sites fetch content from fifty different domains to build the page. So you Allow for the main domain, and nothing happens except NoScript reloads with a two-screen-high list of domains the site also wants you to Allow in order to see anything at all.
What needs to happen is a campaign (the people behind NoScript would be a prime driver for this) to let these bastards know that they're losing serious traffic because of this. Whenever I see a site that refuses to show me any content unless I enable Javascript for two dozen different trackers, I simply abandon it. That site has lost my traffic and any potential future business I might have brought. It also ends up on my blocklist so I never go there again.
We need to let website owners know that this practice is unacceptable. We need to show them that it is costing them customers and traffic, and that their losses will only get worse. We need to send the lazy and incompetent buffoons passing themselves off as "web developers" these days the message to do the bloody work they're paid to do and set up the site properly on a single domain, instead of just throwing together a five-minute mashup of calls to half the internet fetching libraries and frameworks to do their job for them.
@Steven Roper
I'm with you. I use NoScript and, while it's a pain to enable things selectively, for me it is better than the alternative. And I never enable trackers - even if the page won't load without them. I enable one thing at a time until the content I want comes up, but never trackers. (At least the ones I can identify.)
I am no web developer but it is insane the number of websites that will just be unusable - in any way - without a half-dozen sets of JavaScript.
What needs to happen is a campaign (the people behind NoScript would be a prime driver for this) to let these bastards know that they're losing serious traffic because of this.
I would have hoped that the corporate website equivalent of Darwinian selection would happen here. The web site die through the lack of visitors. Unfortunately: most users have not heard of NoScript and probably never will, so these sites prey, and keep alive, on them but not more savvy visitors.
"web pages increasingly use third party services to enhance functionality..."
That's not in doubt. The trouble is the functionality is all for the benefit of the advertisers, not the users.
Sod the fact that they are using up my bandwidth, slowing down my machine. It's, sell, sell sell.
The biter bit!
The trouble is the functionality is all for the benefit of the advertisers, not the users.
I enjoyed the irony of the article, but I don't think this comment is strictly true - or at least it's more nuanced than you paint it. Whilst the functionality is initially for the benefit of the advertisers, they in turn benefit the ad-brokers, who in turn benefit the content creators, who in turn benefit the users by providing websites.
I know this is an unpopular thing to point out, but advertising finances a large chunk of the internet (including El Reg) and until someone comes up with a better (and fraud-resistant) way for micropayments to propagate from content users to content providers, ads are probably here to stay.
You may have a point, but the problem is that the advertising industry is notoriously bad at any form of self-restraint, or for that matter scruples and morals. They can, will, and have used every available method at their means to slam whatever-they're-peddling into our faces, to the point where sites become un-navigable, unwatchable, and take ages to load. And that's for the RESPECTABLE sites..
It's worse than the height of the pop-up era, and with the advances in scripting, carries even more risk.
So yes, people with a bit of common sense will use ad-blockers. If websites are dependent on ads, let them convince me that they run a tight ship, and monitor what gets displayed. If so, I will whitelist that site, so my visit will generate that €0.001 for them. If not, tough for them. Blocking me because I use an ad-blocker? Not likely I'll ever stop by again, period.
@Grikath - They can, will, and have used every available method at their means
You're not wrong there. I'm surprised they haven't forced Blipverts onto us yet.
I suspect that the only reason they haven't is that everyone in Advertising is a twenty-something "The Apprentice" wannabe and far too young to have even heard of them.
Well, I have always advocated that I PAY ALREADY for my Internet access. Now, if a site needs to pay for their offerings then the FIRST page should be a plain text page like this:
WE SERVER ADVERTS - CLICK HERE TO PROCEED IF YOU ACCEPT THIS.
Then nobody will see the bloody crap. Now-a-days, you go to some sites, and they just take SOOOOoooooo...... long to load with all the shit going going on I never bother no more.
And it's getting worse.
Bring back 33Kps modems, get web sites to wise up.
"Or, to put it another way, surely we can do better than this?"
As I said - "until someone comes up with a better (and fraud-resistant) way for micropayments to propagate from content users to content providers, ads are probably here to stay."
An alternative would be great, but I don't know what it is - whoever comes up with it will probably do well for themselves. If you think you know how to do better than this, go ahead and do it!
As things stand, content providers have little control over the particular ads that get served - they just say 'insert ad here' and get whatever google (or whoever) serve up.
Personally I think the googles of the world should start taking more responsibility and vetting all ads they serve, giving them a list of characteristics (uses flash, autorunning video, sound, adult content, animation, text-only, static images, etc). Content providers could then specify which type of ads they would permit on their site. Undoubtedly the less wholesome ones would generate more revenue per impression, but it would be up to the content providers to trade off their earnings against their willingness to offend. As things stand at the moment, that degree of control doesn't really exist - google/adsense lets you choose between ads featuring a list of links, or text-only ads, or basically everything else. No way to choose between static images or jiggly animations, etc.
I wouldn't expect other than (or even object to) the advertisers material being all for their benefit*. Why else would they do it. But I do object to advertising that uses " third party services", because that is like them opening the door for their friends to sneak in with them.
*Yes I do use the usual ad-blocks. I said I didn't mind that it was all for their benefit. I didn't say I would let them get away with it. I do look at a few adverts from time to time, though. Or at least unblock and click on a few from time to time, which is not quite the same thing..
@nematoad
Regarding 3rd party services 'enhanc[ing] functionality', well, some of it is indeed for the visitors. a CDN can certainly make for a quicker and more responsive experience as well as faster downloads of files.
Other third-party tools can be javascript libraries used to build portions of the site, such as jQuery, wForms/qForms and js Charts or DateJS and these can definitely be used to 'enhance' a website. That's subjective, of course, and a prettier menu does not necessarily equal a better experience but a website with well-built forms with good validation that are able to parse information in all the myriad ways that people may enter it, well, that is good for everyone.
Other examples are pre-built engines for things like eCommerce, which can offer a far broader range of payment options and, generally, better security than many smaller sites could offer on their own.
Yes, many third-party services benefit people other than visitor but it's far too general a statement to say that all third-party services do.
"Yes, many third-party services benefit people other than visitor but it's far too general a statement to say that all third-party services do."
Yeahbut, why do 3rd party scripts have to load from "home base" instead of being installed on the domain I'm visiting? Most of the so-called 3rd party scripts etc could just as easily work by being local to the domain and probably much faster since less DNS etc. I'm sick of waiting at some site because the 3rd party stuff is talking ages to load. Unless they have some unique information I want or the best possible price, then I'm out of there.
I'm betting that the 3rd party providers do it this way because they also want their share of data collection/harvesting as well the cash from the site owners paying for the service (or it's "free" in exchange for harvesting data)
I don't block text adverts on thereg.
In the last few days I started using Firefox on Android with an adblocker though, it just got too annoying for me to continue with the adds. They were the last pieces of the page to arrive, content jumped about and the article:advert data size ratio was too high. A sub would be cheaper than the mobile bandwidth.
Adverts on websites are dying, better look for another revenue stream.
I'm with you on that (although seven years younger) however I think one of the reasons so much is spent on advertising is the way market research works. How often have you be en resented with a questionaire like this:
Where did you see our advert:
a) internet
b) television
c) magazine
d) other
There's seldom a box for - I've never seen your adverts and certainly wouldn't pay attenstion if I did. In other words so many retailers start from the assumption that we are incapable of making a purchase without advertising, so they continue to spend fortunes on advertising because their research via questionaires shows them it works.
Of course those questionaires are probably written for them by market research firms who are part of the advertising industry.
The massive uptake on ad blockers should show that people find online advertising intrusive. Instead it seems to make the industry push even more online advertising at those who don't use an ad blocker, which in turn makes even more people install one. Targeted advertising is so much worse as it seems to work on advertising stuff that you already own. Of course this means that the ideal product to advertise would be an ad blocker since it would never be advertised to somebody who already has one.
I have never ever bought anything in my life being prompted seeing an advert
Are you sure about that? Adverts come in all shapes and sizes and while I personally would contend that I have never (for example) bought a particular brand of breakfast cereal having just driven past a billboard advert, I cannot honestly say that I have never been influenced by things such as Amazon's "customers who bought this also bought" - which is definitely a type of advert.
Then there are the more subtle things. Is it "advertising" when I go to a retailer such as Misco or Dabs or CPC and click on "computers... hardware... components... hard discs..." and there is a list of "best sellers" at the top, followed by a list of hard drives sorted by "relevance"? (and how come they can remember my preference for prices with/without VAT but not my preference for lists sorted by price?) At the very least this is "promotion", and what is promotion if not a form of advertising?
What about when I go to the supermarket to buy my usual "Brand A" but find that "Brand B" which is usually more expensive has a "promotional offer" which makes it cheaper? The promotion is a cost to the manufacturer in the hope of persuading me to change my buying habits so in all but name it is exactly the same as an advert.
Can you still say with such certainty that you have never been influenced by an advert into buying something?
I like NoScript and I have it installed on all copies of Firefox. I do not use a specific ad-blocker, but I do try to avoid some trackers using Ghostery. NoScript is, however, a bit of a pain when you first start using it as there are so many things that just do not work without Javascript. Google Maps "When you have eliminated the Javascript, whatever remains must be an empty page" is a particular gripe, but getting some e-commerce sites to work when they embed SagePay and it doesn't immediately show up as being blocked is a pain. Eventually I work these things out and get some things whitelisted. Other things I just "temporarily allow".
Certain other people I could mention just avoid the issue and continue to use the well-past-its-sell-by-date copy of Safari that Apple won't update because the Mac is too old.
What I can say for certainty is that I have never "clicked-through" a third party advert on any website I visit...
M.
Disclosure: advertising pays my salary.
It's not all about prompting an immediate purchase. There's this subtler thing called brand awareness such that when at some point in the future you are considering a purchase, you tend towards the brands that you know.... possibly because of the ads you saw.
But yeah, for myself I only ever notice ads that make me *less* likely to buy the product.
There's billions in advertising, and it only exists because it works. The paradox is that when you buy an advertised brand, you are paying for the adverts that may well have influenced the purchase. It's a kind of tax, but one which you are free to avoid. When it comes to the products in the category of "long ago solved problems", like detergents and toothpaste, the only factor that I take into account is the price. There's no technical differentiator to justify paying a premium.
-A.
Au contraire. Companies like Unilever and Procter & Gamble are essentially advertising companies. Or if you prefer, brand farms that contract out the messy business of actually placing copy. They know much better than the agencies exactly what they want out of the campaigns.
You could make a case that Apple is mostly an ad-supported brand, given that Foxconn et al actually make the stuff.
-A.
We need something like:
0.0.0.0 Playfair.com
and maybe all their minions.
I tried to post this on their site but it failed (blocked?)
"I prefer choice.
In my case I don't want ads. I'm happy to pay a small amount for worthwhile content. (There must be fairness too, with click-bait rubbish.)
So you have come down on the dark side for me. In the name of fairness I suggest you publish all domains / end points that you serve from and that serve your spyware. Those who care, can then simply block all of you. Let's see whether you are really for fairness or just after your own profit? You can put the list here and on your web site, from a top level menu item."
A company who is against adblockers (supposedly they are working for non-intrusive ads - hahahhaha) gets spear-fished, attacked, and their site starts serving malware. And they wonder why we use adblockers and No-Script.
No irony icon but this is hilarious..... so...maybe I should bill them for a new keyboard --------------->
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
