Urk!
I was expecting things to get hardcore-dangerous the end of next year, perhaps a bit earlier. Wrong guess, -5.
Malwarebytes researcher Jerome Segura says malvertisers have served the world's most dangerous exploit kit - Angler - through compromised advertisements run on LiveJournal.com and news service Likes.com. The attacks are the latest in a string of brazen and successful malvertising campaigns that are smashing the web's most …
Simply hold the sites responsible for the security of all site visitors. If I visit a hotel and the staff rob me, the hotel incurs the liability for their actions; it should be no different. Sure, it may drive up the cost of hosting and delivering online ads, but surely that could be a good thing, as then subscription-based offerings might get a chance to survive and the number of ads overall would drop.
When the source of the advert is so far removed from the site displaying it, and is capable of being modified on the fly with no apparent confirmation from anyone other than the "advert originator" themselves.
In other news, Ad blockers are apparently an organized mafia who are a threat to online commerce...
Or maybe that was the advertisers!
-- about old paradigms and reactive security.
"Just stay away from dodgy sites" won't help. Running antivirus and antimalware won't help. Disabling JavaScript will in the case mentioned, but not in other attack cases (phishing, for instance: http://www.theregister.co.uk/2016/03/30/angler_malvertising_livejournal/. And no, you no longer get to laugh at the "Nigerian prince" because, well, the phishing email looks exactly like an invoice from your utility company, spelled correctly and everything).
I think everyone who writes "Blimey, if they'd just do xxxxx then it would all be fine" is probably seeing only the pinky finger or the left ear of the problem. The whole ogre is bigger and more complicated than its parts. There is no "just do this" solution. IMHO.
It seems to me that regular software dev cycles often work through incremental innovation. That's what our current enviro offers malware crims: incremental changes in security, which encourage reciprocal incremental innovation in malware programming.
The future is bleak, bleak I tell you. O, tempora! It's a hard rain gonna fall.
Myself, I have the luxury of being able to move my home machines to relatively secure and fairly obscure OSes. But those who need Windows on the desktop and Android on their mobes may be somewhat stuck. I just don't know. And businesses which rely on Windows are probably stuck badly.
I'm not a techie so don't understand how it attacks, but it's frustrating knowing this can happen via a web-browser without any prompts about the page wanting to go above and beyond what most users want it to do.
All I want to do is read websites and see pictures of cats, not even upload anything.
An ad / script blocker is a necessary part of your basic browsing security kit these days. I would say malware via ads is the biggest attack vector I face these days, as decent mail filters and AV mail scans mean I see almost no spam / phishing / malicious payload emails.
Despite various ad-revenue-dependent sites whinging, as no ad can be trusted with the current broken model of ad brokering / minimal vetting of ads, computer security must take precedence over unwanted ads.
Still waiting for micropayments!
Content providers try to make money from advertising, opening the door to these exploits. Ironically, their sites could be the front line in a public campaign in support of ad and script blocking. But content providers would be cutting off their revenue streams, so they won't. Maybe Reg scribes could take turns on a soapbox in Hyde Park?