
Major sites including New York Times and BBC hit by 'ransomware' malvertising - oneeyedpigeon
http://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising
======
mdip
Sadly, I've always considered adblocking software a form of security software
rather than a mere convenience. Years ago I had to remove a mess of malware
from my parents' PC due to a malvertisement received via MSN[1]. Since that
point I've installed privoxy _and_ uBlock Origin or similar on all PCs that I
am asked to help with.

Despite all of the talk about "blocking the ad blockers", I've yet to receive
a phone call from anyone saying this or another web site didn't work, "Can you
fix it?" I'm guessing their usage is limited enough that they don't encounter
it (my dad does visit Forbes, but I haven't heard complaints).

There's no way I'd surf the internet these days without ad blocking enabled
and I rarely white-list sites out of concern for my data. It's becoming as
important as personal firewalls / antivirus once were.

[1] There was a brief period during the time that they received the malware
that MSN had been hit by malvertising and they had that as their homepage, but
it could have come from elsewhere. The bottom line was that there were no
sites in the riskier categories that were in their browsing history and my
parents' proficiency does not include a good understanding of "incognito
browsing".

~~~
jlarocco
uBlock Origin, or some of its filters, can block whatever mechanism sites use
to detect blocking.

A while back I had a few sites warn me about ad-block, but I haven't seen it
in a while.

~~~
mdip
I just switched back to that, actually. Months ago, my default browser was
Firefox Developer Edition and uBlock Origin had a bug related to LastPass that
caused LastPass to hang the browser so I had switched to ABP.

Unfortunately, LastPass started acting up in Firefox a few weeks ago and I
decided to give in to Chrome, again, so I've happily returned to uBO.

I go back and forth on which to install for people that routinely come to me
for help (I'm a developer, not a helpdesk, dammit!). I'm not sure if it's
still the case, but months ago I _actually did_ receive a call from my father
when he attempted to install an open-source PDF creation tool that he uses at
work on his home PC. It was hosted by SourceForge, large swaths of which
uBlock had in its blacklist. The installer _did_ contain a bull$#*+ toolbar
(several, actually), but he's familiar with avoiding crapware directly placed
within installers (and to avoid "Express Installations").

------
NelsonMinar
This kind of exploit is going to keep happening. The most egregious cases
involve PageFair, which offers a tool to publishers that circumvents ad
blockers. They too have served malware, for instance at The Economist.
[http://www.theverge.com/2015/11/6/9681124/pagefair-economist...](http://www.theverge.com/2015/11/6/9681124/pagefair-economist-malware-ad-blocker)

Sometimes I think we ought to have civil liability for software security. A
few lawsuits would shut stuff like PageFair down.

~~~
leggomylibro
It would be nice if the sites themselves took some responsibility. If your ad
contract includes strong SLAs with massive penalties for malware distribution,
the company providing you with ads will probably take a bit more time to vet
them.

It baffles me that that isn't already boilerplate in advertising contracts.
Sites whine about having their revenue impacted by ad blockers, but they make
no effort to ensure the security of their users. Why is nobody ever held
accountable for these sorts of breaches? Shifting risk to your customer is a
horrible idea - nobody would buy a new car without a warranty, so why on earth
are we expected to play Russian roulette with our bank accounts, personal
data, and often our employer's assets?

I guess the market will teach them sooner or later, but I really do not
understand why the current state of ads is so widely accepted by the people
who are trying to sell them.

~~~
thephyber
It seems like a circular argument you're having with the parent, but you
haven't yet realized it.

The profit motive is the ultimate incentive. If it takes too much time,
reduces revenue by too much, or increases expenses, the ad publishers and
networks will find ways to mitigate those issues.

If there aren't waves of lawsuits from users who received malware from ads,
there is no direct cost. If vetting ads before they are hosted costs money or
reduces the bids for those ad placements, networks are incentivized against
doing so.

In my experience, most ad networks have blacklists for bad actors but no
vetting and thus no whitelists. Blacklisting means there necessarily will be
end-users that get infected and only a percentage of them will know it, a
percentage of those will know where it came from, a percentage of them will
report it, and only a percentage of those reports will culminate in advertiser
blacklists.

It's a numbers game and currently the expenses from lawsuits (the only
perceived expense for publishers+networks) are much less than the revenue lost
+ expenses from pre-vetting all ads before they are used.

------
Rainymood
Another good reason to use ad-blockers. If I can't use your site with an ad-
blocker then bye bye ... looking at you Forbes.

~~~
tallanvor
Yes. It's funny how more and more sites act like it's morally wrong to block
ads, but obviously aren't willing to do the work to protect their visitors
from this sort of thing.

~~~
JorgeGT
They could deal with advertisers themselves and manually approve and display
text/image ads from their own domain (as it was done in printed newspapers),
but isn't it easier to just leave a div+javascript and have the right of
arbitrary code execution in a chunk of your page get auctioned off to the
highest bidder by several shady ad networks?

Just go to www.bbc.com and look at what domains your ad-blocker denies:
edigitalsurvey.com, chartbeat.com, googletagservices.com,
scorecardresearch.com, effectivemeasure.net, iperceptions.com, krxd.net,
optimizely.com... now imagine if your printed newspaper shot at you a GPS
receiver with a mic, a cam, etc. Surely it wouldn't be morally wrong to duck
and avoid that bug?

~~~
stevesearer
You're still susceptible to ad-blocking if you serve a plain image ad from
your own domain though, which sucks for those of us who do it. If there is a
way to alert users that you vet, self-serve, and don't use animated ads, I'd
love to know about it :)

~~~
JorgeGT
Uhm, I use uBlock Origin and when going to the site in your profile I don't
see any image blocking (just google analytics and social media plugins). The
ads in the sidebar (id="ws_widget__ad_codes-3"?) display just fine, and I
would say that your site is the perfect example of how ads should be: highly
relevant, static, well designed, correctly integrated in the look and feel of
the page...

~~~
stevesearer
The last time I checked with Adblock or Adblock plus (I don't remember which)
I seem to remember it filtering out commonly used indicators of ads like divs
with ad-related names or filenames containing _300x250_ etc... I could be
mistaken though.

Thanks for the kind words too, I've really tried to make the site a place that
I would personally like to browse and am glad to hear other people feel the
advertising is nicely done.

~~~
oneeyedpigeon
I happen to disagree with that method of blocking ads because of false
negatives and false positives; isn't the solution simply to remove the
offending patterns from your filenames?

I'll add to the praise for your site. Your ads remind me somewhat of those
from The Deck [1], although yours are nicer because they're 1st-party. Are you
able to share any info. about the model? Do advertisers pay per click or per
impression? If the latter, how do you prove your traffic figures to them, or
have you built up a suitable level of trust?

[1] [http://decknetwork.net/](http://decknetwork.net/)

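The filename and div-name matching stevesearer describes, and the "remove the
offending pattern" fix oneeyedpigeon suggests, as an added example that is not
code from the thread, from uBlock Origin, or from any published blocklist: a
matcher for a subset of the EasyList filter syntax shared by uBlock Origin and
Adblock Plus. The filter list, the publisher hostname `example-publisher.com`,
the file names and the `.ad-banner` class below are constructed for
illustration (the id `ws_widget__ad_codes-3` is the one JorgeGT quotes above);
the registrable-domain check is a two-label approximation of what a real
blocker does with the Public Suffix List.

```javascript
'use strict';

// Added example: a subset of EasyList syntax ("||" and "|" anchors, "*", "^",
// "@@" exceptions, $third-party, resource-type options, "##" element hiding by
// id or class). Not code from uBlock Origin or any real list; all data is constructed.
const TYPES = new Set(['image', 'script', 'stylesheet', 'subdocument', 'xmlhttprequest']);

// Compile a network-filter pattern into a RegExp.
function compilePattern(pattern) {
  let re = '';
  if (pattern.startsWith('||')) {            // domain anchor: the host or any subdomain of it
    re += '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    pattern = pattern.slice(2);
  } else if (pattern.startsWith('|')) {      // start-of-URL anchor
    re += '^';
    pattern = pattern.slice(1);
  }
  const anchoredEnd = pattern.endsWith('|');
  if (anchoredEnd) pattern = pattern.slice(0, -1);
  for (const ch of pattern) {
    if (ch === '*') re += '.*';
    else if (ch === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)';   // separator placeholder
    else re += ch.replace(/[.+?(){}[\]\\$|\/]/g, '\\$&');
  }
  return new RegExp(re + (anchoredEnd ? '$' : ''), 'i');
}

// Parse one filter line into { kind: 'net' | 'hide', ... }, or null for comments.
function parseFilter(line) {
  line = line.trim();
  if (!line || line.startsWith('!')) return null;
  const hide = line.indexOf('##');
  if (hide !== -1) return { kind: 'hide', domains: line.slice(0, hide), selector: line.slice(hide + 2) };
  const exception = line.startsWith('@@');
  if (exception) line = line.slice(2);
  let options = [];
  const dollar = line.lastIndexOf('$');
  if (dollar !== -1) { options = line.slice(dollar + 1).split(','); line = line.slice(0, dollar); }
  return { kind: 'net', exception, regex: compilePattern(line), options };
}

// Approximation of the registrable domain (a real blocker consults the Public Suffix List).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Apply $-options: type options OR together, third-party is a yes/no test,
// and any option this example does not implement disables the filter.
function optionsMatch(options, req) {
  const wanted = new Set(), banned = new Set();
  for (const opt of options) {
    if (!opt) continue;
    const negated = opt.startsWith('~');
    const name = negated ? opt.slice(1) : opt;
    if (name === 'third-party') { if (req.thirdParty === negated) return false; }
    else if (TYPES.has(name)) (negated ? banned : wanted).add(name);
    else return false;
  }
  if (wanted.size && !wanted.has(req.type)) return false;
  return !banned.has(req.type);
}

// Would the network filters block `url` (of resource `type`) requested from `pageUrl`?
function shouldBlock(filters, url, pageUrl, type) {
  const thirdParty = registrableDomain(new URL(url).hostname) !== registrableDomain(new URL(pageUrl).hostname);
  let blocked = false;
  for (const f of filters) {
    if (f.kind !== 'net' || !f.regex.test(url) || !optionsMatch(f.options, { type, thirdParty })) continue;
    if (f.exception) return false;           // an @@ rule overrides every blocking rule
    blocked = true;
  }
  return blocked;
}

// Would the cosmetic filters hide an element { id, classes } on `pageHost`?
function shouldHide(filters, pageHost, el) {
  for (const f of filters) {
    if (f.kind !== 'hide') continue;
    if (f.domains && !f.domains.split(',').some((d) => pageHost === d || pageHost.endsWith('.' + d))) continue;
    if (f.selector.startsWith('#') && el.id === f.selector.slice(1)) return true;
    if (f.selector.startsWith('.') && el.classes.includes(f.selector.slice(1))) return true;
  }
  return false;
}

// Constructed filter list in EasyList syntax (not copied from any real list).
const FILTERS = [
  '! generic size pattern: hits first-party files too',
  '_300x250.',
  '/ads/*$image',
  '||doubleclick.net^$third-party',
  '@@||example-publisher.com/sponsors/*$image',   // publisher's own sponsor art
  '##.ad-banner',
  'example-publisher.com###ws_widget__ad_codes-3',
].map(parseFilter).filter(Boolean);

// Run a constructed set of requests and elements through the list.
function demo() {
  const page = 'https://example-publisher.com/article';
  return {
    sizedFilename: shouldBlock(FILTERS, 'https://example-publisher.com/img/banner_300x250.jpg', page, 'image'),
    renamedFile: shouldBlock(FILTERS, 'https://example-publisher.com/img/sidebar-sponsor.jpg', page, 'image'),
    adsPathImage: shouldBlock(FILTERS, 'https://example-publisher.com/ads/sponsor.png', page, 'image'),
    adsPathScript: shouldBlock(FILTERS, 'https://example-publisher.com/ads/loader.js', page, 'script'),
    exceptedSponsor: shouldBlock(FILTERS, 'https://example-publisher.com/sponsors/acme_300x250.jpg', page, 'image'),
    thirdPartyTag: shouldBlock(FILTERS, 'https://ad.doubleclick.net/tag.js', page, 'script'),
    sameSiteTag: shouldBlock(FILTERS, 'https://ad.doubleclick.net/tag.js', 'https://www.doubleclick.net/', 'script'),
    hideByClass: shouldHide(FILTERS, 'example-publisher.com', { id: 'sidebar', classes: ['widget', 'ad-banner'] }),
    hideById: shouldHide(FILTERS, 'example-publisher.com', { id: 'ws_widget__ad_codes-3', classes: [] }),
    hideIdElsewhere: shouldHide(FILTERS, 'other.example', { id: 'ws_widget__ad_codes-3', classes: [] }),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The first two results are the whole point: `banner_300x250.jpg` is blocked by a
generic size pattern even though it is first-party and static, and the same
file renamed `sidebar-sponsor.jpg` is not. The `@@` exception shows the other
direction, where a list maintainer has to special-case a publisher who serves
sponsor images from a path the generic rules would otherwise catch.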
~~~
stevesearer
Yeah, filename changing is what I would end up doing.

As far as the model is concerned, a lot of the industry is familiar with
magazine advertising so I just go with a monthly rate to keep things simple.
There is trust involved, though most run a trial before committing to anything
longer-term so they are able to see if the level of generated activity meets
their expectations.

It is much easier to do this kind of advertising because the content itself is
so narrow that the readership ends up being narrow, whereas on a general site
like BBC or CNN you end up with a wide audience and then end up needing
tracking tools to help narrow the audience into smaller groups.

------
PhasmaFelis
It's weird to me that we keep treating the sites that run malvertising as
victims instead of fully complicit. If the print edition of the New York Times
ran, say, a full-page ad for the KKK,* and responded to the outrage with
"haha, sorry, we outsourced our advertising to a third party with no
oversight," they'd be crucified. But somehow websites are exempt from
responsibility for the things that they publish.

Has anyone proposed getting sites that serve e.g. ransomware to pay the
ransoms for everyone affected? That seems entirely reasonable.

*Or insert your own offensive ad concept here.

------
oneeyedpigeon
Shocking that the BBC is affected by this, given that it should be
advertising-free. Presumably, this affected non-UK residents[1], but as a
public service the BBC should have much higher standards when it comes to
advertising.

[1] With the obvious caveat that a website can't reliably determine that.

~~~
tfm
Aren't all world-facing websites "a public service"? BBC within UK has a
special remit because of the funding structure (thanks to the increasingly-
inaccurately named "TV" licensing fees), but BBC [Worldwide] is just another
content provider in the big old crazy world.

It doesn't seem surprising that BBCW use an external advertising network: it
would be a pretty huge investment to operate their own advertising markets
throughout the world ... and surely if they did, they'd then on-sell those
services!

Seems that the notable part of this attack is that several high-profile
websites were affected, so BBC (and NYT, and AOL, etc) suffered some damage to
their brand, so they'll have to work on that. The article notes that "malware
was delivered through multiple ad networks", which speaks to failures by those
service providers. Reckon there will be some very heated conversations and
perhaps fee renegotiations with the networks happening over the next few weeks
;-)

~~~
oneeyedpigeon
> it would be a pretty huge investment to operate their own advertising
> markets throughout the world

It is becoming clearer and clearer to me that this is one of possibly two
options left for businesses wishing to make money online via advertising.
Self-hosted adverts are probably the best way to regain trust and circumvent
ad-blockers. A quality, trustworthy third-party network is the only other
possible option I can imagine, but that seems far less viable.

~~~
tfm
> A quality, trustworthy third-party network

I'm sure that most networks start off with such lofty ideals, maybe they even
believe them ... :-o

EDIT: To expand a little on the previous thought: you were shocked that the
BBC website was serving up dodgy ads, presuming maybe that they'd have their
own curated advertising portfolio. Closest comparison I can think of is
perhaps the Economist website, also London-based, and no small prestige
branding that they make sure to protect by only showing ads for Lexuses and
Rolices (Rolexen?). The major differences of course are that Economist is
somewhat more up-market, and the ads are seen locally in the UK.

I can't readily find any figures on how much cash BBCW makes off website ads,
but I'd have to assume that it's burger money -- a few quid here and there for
negligible effort, and after all who cares if the brand is tarnished abroad?!
If on the other hand BBCW went into the ad curation business, and even if it
happened to be profitable, there's every chance that voters or MPs would get
stroppy about it, and BBC gets a hard time going into the next licence fee
negotiations. Ultimately, BBC's brand outside the UK isn't something that the
UK public necessarily worries about.

------
matt_wulfeck
> The vector of attack, through compromised ad networks, will also serve to
> inflame the debate around adblockers.

This is the largest reason I install adblockers on my own laptop and phone as
well as those of everyone in my family. I allow zero exceptions for ads. I'm
willing to pay for content via other means (for example google contributor),
but the attack surface is simply too large.

~~~
delecti
I actually use adblockers on my phones for a different reason. On my phone I'm
reasonably sure I won't be affected by malware (up to date Nexus and I know
not to install unknown applications), but ads take up data and slow down
browsing.

------
bphogan
I was wondering how long this would take.

One of the things I've long known as a programmer for the web is that when you
let a third party put content on your web site, you don't have control over
what they do.

Whether it's a person entering content and you fail to sanitize it, or pulling
in ads from an external network, the end result is that you get something like
this eventually.

I don't have a solution, really, because nobody wants to pay for content, so
sites have to use ad networks. But I'm surprised this hasn't happened much
sooner.

~~~
emodendroket
What are you talking about? This is far from the first time malicious software
has been delivered through advertising.

~~~
bphogan
Ransomware on the NFL or NYT website has been done before?

~~~
emodendroket
Ransomware specifically, no. But malicious software on major, reputable Web
sites? Yes.

------
rwestergren
Interesting to note that a number of these sites were recently also serving
ads vulnerable to XSS:
[http://randywestergren.com/widespread-xss-vulnerabilities-ad...](http://randywestergren.com/widespread-xss-vulnerabilities-ad-network-code-affecting-top-tier-publishers-retailers/)

------
bakhy
An example of the power of phrasing in journalism, perhaps? The title could
have also been: "Reckless media sites serve malware to visitors".

~~~
ta0967
_Major sites including New York Times and BBC caught peddling 'ransomware'
malvertising_?

------
delinka
If it's not served from the domain I've visited, I don't want it. If it is
served from the domain I've visited but not over SSL, I don't want it. Then
the certificate owner should be responsible for any damage resulting from the
stuff signed by their key.

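delinka's rule (only the origin the reader actually visited, and only over
TLS) and the list of third-party hosts JorgeGT saw uBlock refuse on bbc.com map
directly onto a Content-Security-Policy header. The following is an added
example, not code from the thread or from any site named in it: a simplified
CSP evaluator for fetch directives, run over three candidate policies. The
policies, the `/x.js` paths, the subdomains under the listed domains and the
plain-http krxd request are constructed for illustration; nonces, hashes,
`'strict-dynamic'`, reporting and the http-to-https upgrade of `'self'` are
not modelled.

```javascript
'use strict';

// Added example: a simplified CSP source-expression evaluator. Not code from
// the thread or from any site it mentions; policies and request URLs are constructed.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self'; script-src 'self' https://a.example" -> Map(directive -> [sources])
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one CSP source expression admit `url` on a page served from `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const p = new URL(pageOrigin);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === p.origin;
  if (lower.startsWith("'")) return false;                 // other keywords never match a URL
  if (lower === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower;   // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (u.protocol !== scheme + ':') return false;
  } else if (u.protocol !== p.protocol && !(p.protocol === 'http:' && u.protocol === 'https:')) {
    return false;                                          // no scheme: the page's scheme, or an upgrade of it
  }
  const h = u.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;   // *.a.example does not match a.example
  const effectivePort = u.port || DEFAULT_PORT[u.protocol] || '';
  if (port === '*') { /* any port */ }
  else if (port ? effectivePort !== port : effectivePort !== (DEFAULT_PORT[u.protocol] || '')) return false;
  if (path && (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path)) return false;
  return true;
}

// Find the governing directive (falling back to default-src) and test its sources.
function allowedBy(policyHeader, directive, url, pageOrigin) {
  const pol = parsePolicy(policyHeader);
  const sources = pol.get(directive) || pol.get('default-src');
  if (!sources) return true;                               // nothing governs this fetch
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The domains JorgeGT lists from bbc.com, plus the page itself. Subdomains, the
// /x.js paths and the plain-http krxd request are constructed for this example.
const OBSERVED = [
  'https://www.bbc.com/x.js',
  'https://edigitalsurvey.com/x.js',
  'https://static.chartbeat.com/x.js',
  'https://www.googletagservices.com/x.js',
  'https://sb.scorecardresearch.com/x.js',
  'https://cdn.optimizely.com/x.js',
  'http://cdn.krxd.net/x.js',
];

const POLICIES = {
  // delinka's rule: only the origin the reader visited
  firstPartyOnly: "default-src 'self'",
  // any host as long as it is TLS: still hands script execution to every third party
  anyHttps: "default-src 'self' https:",
  // explicit allow-list: each entry is a standing grant of script execution in the page
  allowList: "default-src 'self'; script-src 'self' https://*.googletagservices.com https://static.chartbeat.com",
};

// Map each observed host to whether `policyHeader` lets it run as a script.
function evaluate(policyHeader, pageOrigin = 'https://www.bbc.com') {
  const verdict = {};
  for (const url of OBSERVED) {
    verdict[new URL(url).hostname] = allowedBy(policyHeader, 'script-src', url, pageOrigin);
  }
  return verdict;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, header] of Object.entries(POLICIES)) console.log(name, evaluate(header));
}
```

`anyHttps` is the policy delinka's second sentence implies, and it refuses only
the plain-http request; every TLS host on the internet can still run script in
the page. Only `firstPartyOnly` or an explicit allow-list narrows who can, and
an allow-listed ad server that is compromised upstream is still inside the
policy, which is exactly the malvertising case this thread is about.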
~~~
matt_wulfeck
This gets tricky with things like embedded youtube and twitter content. I
would be right with you blocking content not from the same domain, but I will
constantly be clicking off page to watch a video or view a tweet, etc.

~~~
CaptSpify
IMO: Those should just be offsite links anyway. I personally hate watching
youtube videos shrunk down to fit in a small blog-column. YMMV, of course

------
cm2187
One more example of why users should have:

- an adblocker

- javascript disabled

- addins disabled (click to play)

~~~
pmlnr
I don't like the no JS approach, it kills an important part of the potential
in the web, including polyfills for things like srcset.

Instead, I'm using Policeman ( [https://addons.mozilla.org/en-US/firefox/addon/policeman/;](https://addons.mozilla.org/en-US/firefox/addon/policeman/;)
similar to uMatrix [https://github.com/gorhill/uMatrix/releases](https://github.com/gorhill/uMatrix/releases),
but the first is easier to use for me ) which blocks 3rd party anything by
default.

If they serve their own JS from their own servers, let it be. Others (Facebook
Connect, GAnalytics and Twitter seem to be _everywhere_): walk away.

This obviously renders most of the sites to bare HTML due to the excessive and
unneeded use of CDNs, and is a massive pain to use for the first weeks, but
after a while the whitelist gets you to a friendly web level.

uBlock also runs in the background, just in case things leak through, or I
quickly want to check something and I need to turn Policeman off.

~~~
0xffff2
FYI, the first link is broken because the semicolon was included as part of
the hyperlink. Should have been
[https://addons.mozilla.org/en-US/firefox/addon/policeman/](https://addons.mozilla.org/en-US/firefox/addon/policeman/)

------
rewrew
A lot of this has to do with these sites using ad networks instead of/along
with selling ads directly. Ad networks are very common with consumer sites,
but many B2B sites don't use any at all. When you work directly with the
agency or company (and you know they're a real agency or company), this
doesn't happen.

------
ufmace
Whenever I read stuff like this, I first wonder if my setup would be
vulnerable to the attack, and if not, how much stuff I would have to turn off
to be vulnerable? Chrome Stable + uBlock Origin + plugins disabled by default
seems to be safe from everything but targeted zero-days. At least, I hope.

------
jkot
Adblocking is immoral, but malware filtering is not :-)

~~~
LeoNatan25
Ad blocking is indeed very much moral.

------
tyingq
BBC's ads appear to come from Google's ad network. I'm curious how much effort
Google puts into monitoring/policing the landing urls for this sort of thing.

------
Geekette
I hope AdBlock (and/or similar) works out a deal with respective companies
involved (Mozilla, Apple, etc) in order to be pre-installed in future
downloads of major web browsers. In addition to visual chaos and privacy
concerns, the risk of compromised systems due to malware via ads is too damn
high and non-tech savvy users shouldn't have to suffer for it.

------
cafard
Yes, I tried to get around the WSJ paywall for the WeLive article and some
crummy site tried to hit me with a beastie.

