SoylentNews is people
SoylentNews
Ad blockers, our last hope against the onslaught of malvertising campaigns, appear to have fallen, as today, Malwarebytes published new research detailing a malvertising campaign that successfully bypasses ad blockers to deliver their malicious payload.
This malvertising campaign is named RoughTed based on the initial malicious domain at which it was found back in March 2017, but Jérôme Segura, the Malwarebytes security researcher who came across it, says there are clues to show that RoughTed has been active for over a year.
The campaign is very complex and well designed (from a crook's standpoint), as it leverages multiple tricks of the trade, most of which have allowed it to grow undetected in the shadows for so much time.
The word that describes RoughTed the best is "diversity." The operators of this malvertising campaign not only feature traffic from different types of sources, but also include different user fingerprinting techniques, and very different malicious payloads.
Source: BleepingComputer. Segura's original blog posting and analysis.
(Score: 2) by MichaelDavidCrawford on Sunday May 28 2017, @06:02AM (1 child)
But isn't the software industry trying to become more diverse?
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Funny) by Anonymous Coward on Sunday May 28 2017, @06:07AM
One might say the notion is spreading like a virus.
(Score: 3, Touché) by Anonymous Coward on Sunday May 28 2017, @06:35AM
Once more with feeling.
(Score: 1, Informative) by Anonymous Coward on Sunday May 28 2017, @06:40AM (8 children)
Loads of hot air but not a word on how it actually gets past ad blockers.
(Score: 2) by MichaelDavidCrawford on Sunday May 28 2017, @06:49AM (7 children)
will they figure out how to block it, now that it's been discovered?
I'm quite happy with Ublock Origin.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Sunday May 28 2017, @07:54AM (4 children)
If you had RTFA you'd know it gets past ublock origin.
But the whole thing relies on JavaScript so it's trivial to snip in the bud.
I only browse with JavaScript disabled, the only real negative is my bookmarklets won't work. I guess I could fiddle with NoScript to fix this but I rather enjoy my fairly bullet proof existence online and the knowledge 99% of zero days will be ineffective against me.
(Score: 0) by Anonymous Coward on Sunday May 28 2017, @08:11AM
You could disable all javascript with ublock/umatrix, and then add your own userscripts which are not affected.
(Score: 2) by t-3 on Sunday May 28 2017, @08:25AM
If you block all scripts with uBlock Origin, how does it get past? I block everything by default and only whitelist sites that I trust on an as needed basis...
(Score: 3, Insightful) by anubi on Sunday May 28 2017, @08:27AM (1 child)
Thanks for the JavaScript tidbit.
As I have said here before, I do not run ad blockers. Never have. I run Script blockers.
For the exact reason this topic is all about.
N.B. I run the full "web experience" on my phone. Its damned near useless for surfing the net... Ever tried to read a page that takes five minutes to load? ( Keeps jumping around ).
If anything, I was hoping more web metrics might result in the following conversation in the executive suite:
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 4, Interesting) by zocalo on Sunday May 28 2017, @10:32AM
The problem with that idea is the necessary feedback loop doesn't seem to exist, especially where the ads are outsourced to an external provider that simply isn't going to provide the necessary stats because it would kill their business. Lies, damn lies, and "your marketing campaign via our service is doing really well, despite many users never seeing it." Except for those really obnoxious sites that won't work at all without some real time feedback that the ads were served, Ad and Script blockers are good enough to allow people to continue using the site, and so the site gets enough page impressions and revenue from those that don't run blockers to avoid that kind of discussion in the executive suite.
I just don't see that happening until either enough people start using Ad and Script blockers that the ad-companies can't really fudge the stats any more, and/or more site viewers start making it clear to the site operators that the only way they will consider white listing their site would be if they would accept liability (or punt it to their ad-provider) for any damage due malvertising that might get served up. That's where it breaks down - I'd glady provide that feedback before clicking away from a site, but it's simply not something that sites facilitate, despite it being as potentially simple as including a basic form on their "This site requires JavaScript" version of the home page. Most ad-supported sites seem well aware of the issue, but very few of them seem to be prepared to accept that they are need to be part of any solution - they can't rely on the ad-networks to "sort it all out" for them - and until that changes, I'm going to continue blocking scripts and finding alternative sites to those that insist I enable them.
UNIX? They're not even circumcised! Savages!
(Score: 1, Insightful) by Anonymous Coward on Sunday May 28 2017, @08:04AM (1 child)
Also (like stated in the article) blacklisting is a losing proposition. It's almost security theater to operate under the fool me once paradigm.
(Score: 1) by anubi on Tuesday May 30 2017, @09:58AM
Blacklisting is too much like playing whack-a-mole.
Whitelisting seems to be the way to go. There is a very short list of people I want to talk to anyhow on my personal phone.
My area is presently experiencing a rash of threatening IRS/Unpaid Debt phone scamming. Some of these guys have enough info on us already to start a credible conversation. Its to the point I just as soon not give anyone I don't know the courtesy of even an answered call anymore. If they have a scam to pull, put it in a letter and mail it. I know good and well they are going to act like a businessman threatening to sue me, and claiming this phone call is his due diligence to contact me, and my blowing him off is just the proof he needs to demonstrate my lack of good faith in front of a judge, or that sort of thing. Once the connection is made, his head will spew off higher and higher amounts of damages it will sue for in an effort to make me pay off a more modest amount now to get the head to go away. It will use lots of legal type terminology to give me the illusion that I am in big trouble, and best to pay now to settle the matter in a timely manner before exorbitant charges begin to accrue.
I know its a scam. I don't owe anything at all, but neither do I want to spend several days in court trying to explain to a judge that I have never done business with this guy, no matter what papers he says he has. No phone contact? His headfull of bullshit gets delivered to someone else who still gives unknown callers the courtesy of an answered call.
I am honest with the people I do involve myself with so things do not come to this.
So, if they need to contact me, use the US Postal Service. They know my address.
( Yeh, they won't do that. Big penalties for involving the Post Office in a scam, but its quite OK to involve the Telephone Company in one.)
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Sunday May 28 2017, @07:57AM
...I call it a successful digital campaign.
(Score: 2) by pgc on Sunday May 28 2017, @01:46PM (1 child)
And what audience are they trying to reach? Do they really expect that those who employ ad-blockers will be happy to see their commercial?
(Score: 0) by Anonymous Coward on Sunday May 28 2017, @02:49PM
As with bullets, the ultimate recipients are not customers.