Ad bidding network caught slinging ransomware

Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say. The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers. More than 1700 malicious …

  1. Dan 55 Silver badge
    Megaphone

    Sort your shit out advertisers

    Real time bidding systems trading Flash and JavaScript code... What could possibly go wrong?

    Stories like this make me AdBlock with extreme prejudice again after I've had a crisis of conscience and decided to unblock them for a while.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sort your shit out advertisers

      Like that will happen voluntarily. Nothing will change until a few marketing dweebs are sent to Syria "for a holiday".

    2. Mystic Megabyte
      Linux

      Re: Sort your shit out advertisers

      I switched Adblock off for a while and kept seeing images of some woman with hideous surgically enhanced lips. Also all these "weird tips" click bait shit.

      It's switched back on for good now. Sorry ElReg but I would not be buying a server anyway.

      My Firefox is locked down tighter than a very locked down thing :)

      For sites that don't play well I'll use Chrome and then delete all history etc.

    3. Anonymous Coward
      Anonymous Coward

      Re: Sort your shit out advertisers

      I think we give the advertisers way too much latitude.

      Years ago, when the medium was restricted to print, ads were static, didn't do anything when you poked them, and if you were lucky, were printed in colour with reasonable resolution.

      Then the web came along, and so we could have ads that you could click on to take you to another site. Image maps meant different portions inside the ad could take you to different pages.

      Then GIF89a came along, and the web became this flashing mess of distracting adverts. Thankfully Java never caught on as an advertising platform.

      Then we got Shockwave Flash, which Adobe eventually acquired when they swallowed up Macromedia. So now ads could not only move, they could also play sound and video and be interactive!

      Great. The underlying technologies have also been found to be egregious security holes.

      Time to turn back the clock I say. If advertisers can't get their message across in a single STATIC hyperlinked image, they don't deserve the advertising space.

      If I think your ad looks interesting, I'll click on it to have a look. Otherwise just accept that I'm not interested and move on.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sort your shit out advertisers

        > Years ago, when the medium was restricted to print

        Years ago, advertisers spammed your fax machine with lists of 'sale' items, causing it to run out of paper. They were just as shitty then as they are now.

        1. Mark Allen
          Flame

          Re: Sort your shit out advertisers

          At least with fax machines you had the fun of replying with solid black pages to use up all of the advertiser's toner as revenge.

          I heard a rumour that it would be possible to get some fax machines to overheat and catch light if you sent them 50+ pages of solid all black. Not that I ever tried this out with annoying fax spamming spammers... innocent whistle....

          Back in 2000 it used to get so bad for our fax machine it could print through half a ream of paper overnight!

        2. Anonymous Coward
          Anonymous Coward

          Re: Sort your shit out advertisers

          > > Years ago, when the medium was restricted to print

          > Years ago, advertisers spammed your fax machine with lists of 'sale' items, causing it to run out of paper. They were just as shitty then as they are now.

          Years ago I didn't own a fax machine. Our first "fax" machine was a multi-function printer, prior to this if we wanted to send a fax, we used a scanner and a modem attached to a computer.

          That said, unsolicited commercial communication, whether it be by telephone, fax, email, post or other means, is a different matter to what is being discussed here in that it is unsolicited: you have not made prior contact with the sender. In many countries, this is covered by existing legislation.

          As for The Register and other ad-supported sites, your browser made a "GET http://forums.theregister.co.uk/…" request to this site, ergo, you chose to receive that page and the ads are part of it. I think it's the collateral damage that some of these ads are doing which we're objecting to, whether it be visual distractions, unwelcome sounds or malware.

          A move to ban all formats apart from (baseline) PNG and JPEG images which are then either imagemapped or hyperlinked to one or more destination pages would not only address the above issues, but would also allow the ad to be shown to a wider audience.

          I'm yet to see a graphical web browser made post-1998 that does not support the formats I'm suggesting. Malware isn't impossible with these formats, but relies on vulnerabilities in specific implementations which are wide and varied, unlike Flash for which there are only a small handful of implementations (I know of two: Adobe's implementation and Gnash) that seem to be universally exploitable.

    4. A Non e-mouse Silver badge

      Re: Sort your shit out advertisers

      Installing AdBlock Plus is always part of installing a browser on a new computer for me. When I see the crap that people put up with when browsing without AdBlock Plus, I'm amazed people still use the web. When I show people how the web looks with AdBlock installed they're amazed at the difference.

      I do feel guilty for some of the sites I read a lot (e.g. El Reg.) I don't know how much El Reg loses by me not seeing adverts, but I'd be quite happy to make a donation/payment/subscription to compensate. (remember children, there's no such thing as a free lunch)

      1. Crisp

        Re: Feeling guilty

        You can add El Reg to a whitelist on Adblock to allow advertising on the site. You get to read El Reg guilt free and they still get their ad revenue.

        You still get to surf the rest of the web ad free and El Reg still has an income. Everyone wins! :)

        1. This post has been deleted by its author

    5. Richard Jones 1
      Flame

      Re: Sort your shit out advertisers

      Does anyone outside of 'care in the community' still allow Flash on their machines?

      Or does removing flash not stop the main cause of issues?

      If a site or entry demands Flash, then I pass by and get on with something useful.

      The problem with such as Adblock is that they have been allowing crap advertisers to pay to have their beloved spam and malware pass through onto users' machines.

      If the advertisers are so damned stupid that they encourage this crap, they have only themselves to blame when we try to block their desires.

      1. Robert E A Harvey

        Re: Flash

        >If a site or entry demands Flash, then I pass by

        ... as have I for about a decade

      2. Anonymous Coward
        Anonymous Coward

        @Richard Jones 1 - The problem with such as Adblock

        I used to use Adblock Plus but got tired of having to set the option to block ALL ads and not allow the paid for advertisers through whenever I did an install on a new browser/machine.

        There are alternatives though: Adblock Edge for Firefox or Adblock Latitude for Palemoon (which is what I use) don't have the whitelist that Adblock Plus has.

        1. gazthejourno (Written by Reg staff)

          Re: @Richard Jones 1 - The problem with such as Adblock

          obligatory "El Reg is supported by ads, please whitelist us to continue reading more top-notch tech news" post

          1. big_D Silver badge

            Re: @Richard Jones 1 - The problem with such as Adblock

            I don't use AdBlock, I used FlashBlock for a long time, and I still use NoScript.

            I uninstalled Flash in January and I haven't missed it yet - I only really used it for YouTube, but they've gone HTML5 Video for everything now, so I just didn't need it.

            The ad networks can serve me images, but no JavaScript and no Flash.

            1. Anonymous Coward
              Anonymous Coward

              @ big_D

              Like you I binned Flash (late last year) and only have come across a few sites that won't work without it and they get bypassed. Also using Noscript but find the Adblock forks such as I mentioned before useful for selectively blocking images. For instance a custom filter removes all the junk from the homepage of the Reg but leaves any subsequent pages/articles images displayed.

              1. This post has been deleted by its author

                1. Anonymous Coward
                  Anonymous Coward

                  @ Larry F54

                  Just open blockable items and choose one of the images then choose custom filter - *&crop=1. Basically backspace out all but the end of the filter (&crop=1) and add * at the beginning. Save and hit refresh page and all the images should be gone.

                  1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            @ gazthejourno

            As another poster said above "If advertisers can't get their message across in a single STATIC hyperlinked image"

            So, stop trying to run scripts on my machine via adverts and I'll let them (ads) through.

          3. This post has been deleted by its author

            1. Vimes

              Re: @Richard Jones 1 (regarding new design)

              The staff here seem to think that everything is fine and dandy with the new design.

              Think otherwise? Why not comment in the following thread?

              http://forums.theregister.co.uk/forum/23/2014/12/11/Drewc_El_Reg_Redesign_leave_your_comment_here/#c_2451058

              1. This post has been deleted by its author

          4. Vimes

            Re: @Richard Jones 1 - The problem with such as Adblock

            > obligatory "El Reg is supported by ads, please whitelist us to continue reading more top-notch tech news" post

            And yet this site seems to have gone overboard with the advertising in recent years, going as far as giving more prominence to an ad at the top of the page even before the page title itself. On a widescreen monitor only ~50% of the page seems to be displaying actual content - and the less said about the amount of content space within that 50% taken up by that bloody big headline image the better.

            Perhaps if more thought was given to how people wanted to use this site rather than how you'd like them to use it you'd find that less people installed that sort of thing?

          5. Alan Brown Silver badge

            Re: @Richard Jones 1 - The problem with such as Adblock

            "Please whitelist us to continue reading more top-notch tech news"

            You'd get more sympathy if the ads weren't so obnoxious that they get in the way of reading the news.

            1. This post has been deleted by its author

          6. Anonymous Coward
            Anonymous Coward

            Re: @Richard Jones 1 - The problem with such as Adblock

            I have whitelisted the reg but still don't see any ads because I also use no script. I am willing to look at an advert but not to run scripts from advertisers.

    6. Anonymous Coward
      Anonymous Coward

      Re: Sort your shit out advertisers

      No need to install anything to block this sort of crap if like about 35% of desktop users, you use IE9 or later. Just enable the Easy List 'Tracking Protection List':

      https://easylist.adblockplus.org/en/

  2. Neil Barnes Silver badge

    Regarding F**kAdblock

    I find it rather amazing that while the parasites, er, fine upstanding advertisers have access to a tool which can tell if I'm blocking their adverts (hint: I am), important sites that still insist on flash and/or cross-site scripting (e.g. banks, and pretty much anywhere if you want to pay online) don't seem to be able to detect that you're not running them until it's too late...

  3. Anonymous Coward
    Anonymous Coward

    F**k AdBlock

    f**k me, I agree! Having heard how the AdBlock people profiteer from de-adblocking certain advertisers, yeah, f**k AdBlock, there are better alternatives.

    p.s. please don't weep how the (digital) world would collapse and millions of developers, website owners, and ebay sweatshops would collapse because they're entirely dependent on advertising revenue.

    1. Alan Brown Silver badge

      Re: F**k AdBlock

      "Having heard how the AdBlock people profiteer from de-adblocking certain advertisers"

      Who'd you hear that from?

      https://adblockplus.org/en/acceptable-ads

      https://adblockplus.org/en/acceptable-ads-agreements

      "Whitelisting is free for all small- and medium websites and blogs."

      https://adblockplus.org/blog/acceptable-advertising-before-and-after

      Methinks a bridge somewhere is missing its troll.

      1. Vimes

        Re: F**k AdBlock

        "Whitelisting is free for all small- and medium websites and blogs."

        But equally, from the agreements page you linked to:

        > That's why we are being paid by some larger properties

        Playing devil's advocate: so it's not free for anybody else? Profiteering is OK as long as you're selective about it?

  4. adnim
    Meh

    F**kAdblock

    seems to require Javascript.

    I block Javascript by default and if an unknown site requires Javascript to function I look elsewhere for the information I require. If I find a huge list of scripts from umpteen different domains are required to access site content I never visit that site again.

    I did enable Javascript for http://sitexw.fr/fuckadblock/ out of interest and was informed that Adblock was not active, so I enabled session cookies (although in the source code, cookies are not referenced) and my Adblock was still not detected. <shrug>

    I really don't care because if ever an advertising network finds a way around adblock, they will certainly find a way into my hosts file.

    My Amiga got infected once... that taught me to move the write tab on my floppies, I had to disinfect dozens. It was a lesson well learned and got me into studying viruses. I have never had a virus on a production PC I have owned and my first PC was an Epson PCe. (I have purposely infected many in the course of research)

    Of course I could have been and could still be riddled with many undetectable ones all fighting for dominance... I just don't know I am not that smart.

    If in doubt run suspect code in a VM using Sysinternals wonderful tools. I guess I am preaching to the wise. It is the average user that needs to learn this, not IT professionals that read an IT news site.

    I wanted to use a smiley face but that makes me feel I am trying to be smug and I am not, I am just constantly vigilant, so I Meh in the advertisers and malvertisers general direction.

  5. Alan Brown Silver badge

    Hmmm.

    "Researchers probing deeper discovered the studied advertising sites used a tool dubbed 'F**k AdBlock' designed to detect 'nasty' ad blockers across popular web browsers."

    Can anyone say "misuse of computers act" ?

    If the ad companies do business in the UK, or any of the advertisers in question are, it might be an interesting question.

  6. Anonymous Coward
    Anonymous Coward

    If it's the adserver that's been hacked then all bets are off really.

    It, however, is probably a stupid DSP who's sold a campaign to some crafty bastards. The DSP should be identifiable from the traffic traces, and publicly named and shamed.

    1. Alan Brown Silver badge

      "If it's the adserver that's been hacked then all bets are off really."

      no need. Malware pushers have been haunting banner ads since forever (I first saw them in 1997)

      The usual MO is to buy into a banner-ad vendor with a campaign featuring benign content for several months, then start slipping noxious items in later.

      You don't need a hacked adserver when the payload is 100% in the content.

  7. volsano

    I would not run random code on a server. So why should I run it on my personal machine?

    If (it's a very big if) that random code came with a certificate proving it had been extensively tested, that it was believed by reputable authorities to be harmless, and that I was covered by ad-industry insurance in case it did any damage, then and only then might I allow it to put a big flashing distraction in the corner of my screen.

    But until that happens, Adblock is an essential layer in my security perimeter.

  8. Neil Barnes Silver badge

    The first thing on a new windows machine

    Install firefox

    Install noscript

    Install adblock+

    On a linux machine, the same, except that firefox is probably already installed.

  9. Omgwtfbbqtime
    Facepalm

    Fuck em.

    Use Lynx.

    Then again, do you realise how hard it is to find good quality ASCII porn?

    1. Steve Foster
      Happy

      @omg...

      Hmmm, sounds like you may have identified a gap in the market...

    2. Crisp
      Go

      Do you realise how hard it is to find good quality ASCII porn?

      Challenge Accepted.

      1. Neil Barnes Silver badge

        Re: Do you realise how hard it is to find good quality ASCII porn?

        Does X still have an ascii-video driver?

    3. Anonymous Coward
      Linux

      Re: Fuck em.

      I use elinks. This shows not only the GET and POST data you're giving away but allows you to see the occasional image if you want. Text only means fast, fast, very fast page loads and no java.

      BTW: have you seen an ASCII text movie?

  10. Anonymous Coward
    Anonymous Coward

    I suspect that a lot of ad networks are run by sketchy people, so it's no surprise if they allow outright criminals to use their services to distribute spam and malware.

    So ought there be more laws against this? No, we just need more secure systems/networks.

  11. Indolent Wretch

    "malvertising"

    Really, that's a word now? Who is responsible for this?

    1. Fred Flintstone Gold badge

      > Really, that's a word now? Who is responsible for this?

      Given the crud I have had levied at me by some sites, I would say advertisers themselves. The criminals simply carried it further later.

    2. BlartVersenwaldIII
      Headmaster

      Iti's thye rulaw - allvery innoveloped vocablords havst to bis portmantificated.

      1. Florida1920
        Angel

        Re: BlartVersenwaldIII

        > Iti's thye rulaw - allvery innoveloped vocablords havst to bis portmantificated.

        This is what happens to you after too much exposure to the El Reg redesign.

  12. Anonymous Coward
    Anonymous Coward

    Sort your shit out advertisers

    What you *really* want is Adblock Edge rather than Adblock Plus. Edge forked from Plus and has no whitelisting for 'trusted' adverts as Plus does.

    1. Florida1920

      Re: Sort your shit out advertisers

      All you have to do in AdBlock Plus is click the ABP stop sign, click Filter preferences, and uncheck the Allow some non-intrusive advertising box.

  13. Anonymous Coward
    Anonymous Coward

    Adpimps death wish

    Once again, by not keeping their own house in order, the ad networks act as a better recruiting sergeant for Adblocking than comments, forum posts and word of mouth ever could. I don't think I've ever encountered another industry with such poor regard for its own survival.

    Stop the flashing, jumping shouty stuff, stick to static images or text at a reasonable ratio of screen acreage to content and maybe I'll start unblocking a few regularly used sites I actually like. Till then it's Adblock on every new install, with all options on.
