SoylentNews is people

posted by martyb on Wednesday March 16 2016, @07:39AM
from the do-not-run-YOUR-code-on-MY-machine dept.

Ars Technica reports:

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

If you haven't installed a good ad blocker on all your friends' and family's computers, now is the time.

takyon: The article includes an update from Malwarebytes, which found malvertising on the likes of msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com.


  • (Score: 3, Insightful) by Sir Finkus on Wednesday March 16 2016, @07:50AM

    by Sir Finkus (192) on Wednesday March 16 2016, @07:50AM (#318904) Journal

    What I don't understand is why websites don't host the ads on their own servers and on domains they control. It'd solve a lot of the problems with sneaky redirects and targeted attacks.

    I suppose that wouldn't let the advertisers track you across sites though, <sarcasm>which would be a tragedy.</sarcasm> If The New York Times, MSN, and all these other sites actually respected my security, they'd adopt this measure (and some standards, i.e. no video etc.), I'd honestly consider unblocking ads on their sites. Until then ABP it is.

  • (Score: 3, Insightful) by Capt. Obvious on Wednesday March 16 2016, @07:59AM

    by Capt. Obvious (6089) on Wednesday March 16 2016, @07:59AM (#318906)

    In fairness, it also would be difficult for the advertisers to verify that they are getting an honest count of eyeballs. Fraud in which was an issue earlier.

    • (Score: 2) by Pino P on Wednesday March 16 2016, @12:53PM

      by Pino P (4721) on Wednesday March 16 2016, @12:53PM (#318998) Journal

      True, perceived reliability of reach metrics is part of why advertisers trust established ad networks. But print ads in newspapers and magazines don't even have an eyeball count. Or is eyeball counting a big part of the reason that advertisers switched from print to online?

      • (Score: 2) by maxwell demon on Wednesday March 16 2016, @02:38PM

        by maxwell demon (1608) on Wednesday March 16 2016, @02:38PM (#319036) Journal

        However they have a circulation, which is roughly proportional to the number of eyeballs, as both printing too many and printing too few costs the publisher money (in the first case the additional printing cost, in the second case the cost of lost sales).

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Pino P on Wednesday March 16 2016, @03:58PM

          by Pino P (4721) on Wednesday March 16 2016, @03:58PM (#319063) Journal

          The proportionality constant between circulation and eyeballs is hard to predict, as not every reader reads every page of a publication. Some pages get skipped more often than other pages.

          • (Score: 2) by Capt. Obvious on Wednesday March 16 2016, @08:38PM

            by Capt. Obvious (6089) on Wednesday March 16 2016, @08:38PM (#319206)

            Yeah, but there is a lot of research that let that become approximated. In much the same way that not every ad served is an eyeball.

            Also, it's easy to verify the number of WSJ's printed/sold. Even for little town papers. It gets a lot harder to verify the numbers of "some guy on the internet" on orders of magnitude more sites.

  • (Score: 3, Interesting) by isostatic on Wednesday March 16 2016, @08:05AM

    by isostatic (365) on Wednesday March 16 2016, @08:05AM (#318909) Journal

    Because that's not how the advertising networks work.

    The bigger question is why Google, which relies so much on advertising, allows these rogue adverts. They must know that it drives adoption of advert countermeasures.

    The vast majority of ads, certainly on mobile sites, are scams that try to trick you into clicking on any case.

  • (Score: 5, Informative) by Anonymous Coward on Wednesday March 16 2016, @08:05AM

    by Anonymous Coward on Wednesday March 16 2016, @08:05AM (#318910)

    > What I don't understand is why websites don't host the ads on their own servers and on domains they control.

    Because it's cheaper and less hassle to outsource it.

    > It'd solve a lot of the problems with sneaky redirects and targeted attacks.

    There's no legal liability, so no one cares.

  • (Score: 2) by c0lo on Wednesday March 16 2016, @09:55AM

    by c0lo (156) Subscriber Badge on Wednesday March 16 2016, @09:55AM (#318936) Journal

    > What I don't understand is why websites don't host the ads on their own servers and on domains they control.

    Maybe the ad-agencies don't trust the owner of the website (e.g. msn, nytimes, etc.) which delivers the ads in regards with:
    * the exposure
    * the click-throughs

    Also, hosting the ads by themselves may result in a lower price as charged by the delivery site - the latter needs only to deliver the link, all the traffic related with the actual ad delivery hits the agency's site (probably hosted by a CDN cloudy thingy) - buy hosting in bulk from the cloud, save the cost with the delivery site.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by maxwell demon on Wednesday March 16 2016, @02:43PM

      by maxwell demon (1608) on Wednesday March 16 2016, @02:43PM (#319038) Journal

      Since click-through necessarily leaves the site, it should be trivial to measure that even in case the ad is hosted locally: The ad just has to link to a redirector of the ad network, instead of directly to the advertised site.

      --
      The Tao of math: The numbers you can count are not the real numbers.
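The redirector arrangement described in the comment above, as an added sketch that is not part of the original thread: the publisher serves the ad image from its own domain and only the link points at the ad network, which counts the click and redirects. The hostnames, campaign table and function names are assumptions; going slightly beyond the comment, the target is looked up by campaign id rather than read from the request, so the endpoint cannot be abused as an open redirect.

```python
import html
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed data: campaigns registered with the (hypothetical) ad network.
CAMPAIGNS = {"c-1001": "https://advertiser.example/landing"}
KNOWN_PUBLISHERS = {"news.example"}

clicks = Counter()  # (campaign id, publisher) -> number of click-throughs


def handle_click(url):
    """Ad-network side: handle GET /click?c=<campaign>&p=<publisher>.

    Returns (status, headers). The Location value always comes from the
    campaign table; any other query parameter is ignored.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    campaign = query.get("c", [""])[0]
    publisher = query.get("p", [""])[0]
    target = CAMPAIGNS.get(campaign)
    if parts.path != "/click" or target is None or publisher not in KNOWN_PUBLISHERS:
        return 404, {}
    clicks[(campaign, publisher)] += 1
    return 302, {"Location": target, "Cache-Control": "no-store"}


def ad_markup(campaign, publisher, image_path):
    """Publisher side: first-party image, link routed through the network's counter."""
    href = "https://adnetwork.example/click?" + urlencode({"c": campaign, "p": publisher})
    return '<a href="%s" rel="noopener"><img src="%s" alt="Advertisement"></a>' % (
        html.escape(href, quote=True),
        html.escape(image_path, quote=True),
    )
```
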
  • (Score: 2) by mcgrew on Wednesday March 16 2016, @11:25AM

    by mcgrew (701) <publish@mcgrewbooks.com> on Wednesday March 16 2016, @11:25AM (#318960) Homepage Journal

    > What I don't understand is why websites don't host the ads on their own servers and on domains they control.

    It's simple. They have no financial incentive to clean up their act so they're certainly not going to spend money or effort to. Bottom line: THEY DON'T CARE.

    No ads or scripting at all on my site.

    --
    mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 2) by Pino P on Wednesday March 16 2016, @12:55PM

    by Pino P (4721) on Wednesday March 16 2016, @12:55PM (#319000) Journal

    Say you want to advertise on 30 sites, and researching sites costs time, and time is money. Do you A. find 30 sites to advertise on, or B. find one ad network?

    Say you want to sell your site's ad space to 30 advertisers, and researching advertisers costs time, and time is money. Do you A. find 30 advertisers to buy your ad space, or B. find one ad network?

    Answer in practice: B. Ad networks lower transaction costs.

  • (Score: 2) by Whoever on Wednesday March 16 2016, @03:46PM

    by Whoever (4524) on Wednesday March 16 2016, @03:46PM (#319056) Journal

    > What I don't understand is why websites don't host the ads on their own servers and on domains they control. It'd solve a lot of the problems with sneaky redirects and targeted attacks.

    There was an article about this a little while ago. While the page is loading, the website runs a mini-auction to find the ad that will pay the most. It's done real-time every time a page is loaded.

  • (Score: 0) by Anonymous Coward on Wednesday March 16 2016, @04:39PM

    by Anonymous Coward on Wednesday March 16 2016, @04:39PM (#319076)

    > why websites don't host the ads on their own servers

    Let's say Microsoft does that.

    Then someone gives Microsoft a .jpg that causes libjpeg to exploitably crash on some architectures, but it's a 0-day, and no existing heuristic catches it. Or suppose they find that .jpg.html can be saved as an ad.

    Now suddenly https://microsoft.com is signing and serving that malware as an image, or allowing xss via the .jpg.html.

    Do you see, now, why this is more dangerous?
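An added example, not part of the original thread: an intake check a site hosting ad creatives itself could apply to the `.jpg.html` case raised in the comment above. The policy, names and sample bytes are assumptions; a check like this addresses files that are not images at all, not the image-decoder 0-day the comment also describes.

```python
import os

# Extensions this (assumed) policy accepts, the MIME type each is served as,
# and the magic bytes the file content must start with.
ALLOWED = {
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}

# Constructed sample uploads.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_HTML = b"<html><body>not an image</body></html>"


def check_creative(filename, data):
    """Return (accepted, reason, response_headers) for an uploaded ad creative."""
    # Drop any client-supplied directory part and normalise case.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(name)
    if ext not in ALLOWED:
        return False, "extension not allowed: %r" % ext, {}
    # A second dot means a name such as banner.html.jpg; refuse it outright.
    if not stem or "." in stem:
        return False, "multiple extensions", {}
    mime, signatures = ALLOWED[ext]
    if not data.startswith(signatures):
        return False, "content does not match " + mime, {}
    # The server chooses the type from the allow-list, never from the upload,
    # and tells the browser not to sniff the body into something else.
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return True, "ok", headers
```
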

  • (Score: 2) by Capt. Obvious on Wednesday March 16 2016, @08:43PM

    by Capt. Obvious (6089) on Wednesday March 16 2016, @08:43PM (#319210)

    I gotta say, if a major ad network doesn't notice the ad serves malware, "Betty's Favorite Pie Recipes" is not going to notice either.

  • (Score: 2) by el_oscuro on Thursday March 17 2016, @01:29AM

    by el_oscuro (1711) on Thursday March 17 2016, @01:29AM (#319386)

    To use a car analogy, some websites like thirdgen.org do. That tirerack ad gets past my /etc/hosts, adblock, ghostery and everything else I use to keep shit out of my browser. That is because it is a link to the ACTUAL tirerack site, not some shitty 3rd party adwarez.

    This would work for every other site that specializes in any subject. Sites that serve malware like washingtonpost.com and cnn.com could use it too, as local DC businesses could contract with the Washington post and national chains could contract with CNN. But that would break the "track everyone everywhere" model of the adwarez sites.

    --
    SoylentNews is Bacon! [nueskes.com]