Ads aren’t all that bad. They’re designed for people that actually need the stuff they’re selling in case they see them. They help move the economy along by getting folks to buy something they don’t really need or already have. But for the rest of us, they’re slow-loading, bandwidth-eating, webpage-cluttering annoyances. But there are times when they’re useful. With just one click, ads take us to the sites where we can easily buy the stuff we do need and later delivered to our doorstep. Ads that deliver pizza? Cool. Ads that deliver that new PC or tablet? Check. Ads that deliver malware? Wait a minute.
The New York Times website, the BBC, MSN, Newsweek, websites you know you can trust, websites you know are safe to visit, last week have dished out ads with malware. Though most of the ads have been taken care of, some might still be there. Malware attacks have been going viral lately and by far, according to experts, this is the largest in two years. The attackers managed to involve several major websites that we would assume invest in major security at least for themselves. Unbeknownst to them, they were used and given ads that redirect users to websites that upload malware or even ransomware to unsuspecting users. It’s possible that tens of thousands of computers may already be infected.
The malicious ads work by connecting to servers that host an angler exploit kit which tries to find vulnerabilities in a user’s system. Once found, malware enters the system. What happened isn’t directly the fault of the websites nor the advertising companies which include Appnexus, Google, Rubicon, AOL and DoubleClick.
“We devote considerable financial resources to safeguarding our customers… Unfortunately, bad actors also invest considerably in new forms of malware,”
–Josh Zeist, VP of Communications, Appnexus
“These are the top ad networks in the world… For some reason, they were all affected. It was shocking, to be honest.”
–Jerome Segura, Senior Security Researcher, Malwarebytes, phone interview with PCWorld
It’s quite inevitable, even for large companies that invest in high-level-security. That goes for the government as well. No one is hack-proof, but it’s pretty rare for high-profile websites and large advertising companies to be infected all at once. The ads came from third-party ads providers. The process of ad sales and distribution is mostly automatic from third parties to ad networks to their customer websites. Though the ads are screened at every level, bad stuff can still get through.
“It’s hard to imagine, but a lot of ad networks don’t know each other very well and yet they’re doing business with each other.”
–Jerome Segura
Since the ads distribution process is mostly automatic, the various tiers of ad networks don’t exactly hold hands and sing Kumbaya. They don’t exactly profile the reputations of everyone. The big boys only know the bad egg through the bad ad. Appnexus says that they’ve largely stamped out the providers of the offending ads while the other major ad providers already cleared their offensive inventory after being notified by Trend Micro. Most have been removed, but some malicious ads may still be at large. The flow continues, and it appears that we may not know who to trust anymore.
The sites are still safe to visit, but users should probably refrain from clicking any ads unless their system is fully secure by having both anti-virus and anti-malware protection and probably an optional ad-blocker. If this news gets out more, people would start to view ad-blockers as another layer of security. Goodbye ads, most of them anyway. Google had better make a convincing statement soon, or the ads industry for the web faces a recession. An ads-free web would be nice if you don’t mind a tanking economy.
Unfortunately, this latest attack suggests that the internet is no longer safe to connect to, without some form of protection. Users can only be sure they’re safe when they use a new PC out of the box is by keeping that cord out of the Ethernet port or by turning off wi-fi but where’s the fun in that?