April 24, 2014

NY Times Should Report on NY Times Ad Malware

Yesterday morning, while reading the New York Times online, I was confronted with an attempted security attack, apparently delivered through an advertisement. A window popped up, mimicking an antivirus scanner. After “scanning” my computer, it reported finding viruses and invited me to download a free antivirus scanner. The displays implied, without quite saying so, that the messages came from my antivirus vendor and that the download would come from there too. Knowing how these things work, I recognized it right away as an attack, probably carried by an ad. So I didn’t click on anything, and I’m fairly certain my computer wasn’t infected.

I wasn’t the only person who saw this attack. The Times posted a brief note on its site yesterday, and followed up today with a longer blog post.

What is interesting about the Times’s response is that it consists of security warnings, rather than journalism. Security warnings are good as far as they go; the Times owed that much to its users, at least. But it’s also newsworthy that a major, respected news site was facilitating cybercrime, even unintentionally. Somebody should report on this story — and who better than the Times itself?

It’s probably an interesting story, involving the ugly underside of the online ad business. Most likely, ad space in the Times was sold and, presumably, resold to an actual attacker; or a legitimate ad placement service was penetrated. Either way, other people are at risk of the same attack. Even better, the story opens issues such as the difficulties of securing the web, what vendors are doing to improve matters, what the bad guys are trying to achieve, and what happens to the victims.

An enterprising technology reporter might find a fascinating story here — and it’s right under the noses of the Times staff. Let’s hope they jump on it.

UPDATE (Sept. 15): As Barry points out in the comments below, the Times wrote a good article the day after this post appeared. It turns out that the booby-trapped ad was not sold through an ad network, as one might have expected. Instead, the ad space was sold directly by the Times, to a party who was pretending to be Vonage. The perpetrators ran Vonage ads for a while, then switched over to serving the malicious ads.

Comments

  1. Barry says:
  2. Bob Jonkman says:

    Ed, you should use a safer browser, one that doesn’t allow popup windows unless you let it, that doesn’t run Javascript unless you let it, and that blocks ads that might carry malicious content.

    At the risk of sounding like a zealot, try Firefox with the NoScript and AdblockPlus addons. Using these I never even see the ads, never mind about them popping up or trying to run Javascript code on my computer.

    –Bob.

    • billswift says:

      While I use a pop-up blocker, I don’t know if it’s technically feasible, I think sites that serve ads should block their content from people who use ad blockers.

  3. John Millington says:

    To protect themselves, users really have to disable Flash, and probably Javascript. This is the only solution that can work. There is no other approach that any user can take to defend themselves.

    Many users, even some technically-informed ones that are aware of the risks, are not willing to do that. They want to see their youtube videos, so they need Flash. They want their DHTML sites to work, so they need Javascript. Thus, they choose to allow their web browser to blindly follow instructions that may possibly result in it doing things that are against their interests. The hope is that the benefits balance this out, because we haven’t had our “Pearl Harbor” yet, so people see the worst case as not very bad.

    The second-line defense, which won’t solve the problem but will reduce it, is for web sites to always serve ads directly from their own servers (i.e. no script src=”some other server”) and for “compiled” ads (e.g. Flash) to be compiled by themselves after looking at the source. At that point, as long as a user trusts a website, they can visit it fairly safely. Then the burden is on the webmaster to audit carefully (and that’s not foolproof).

    I don’t think that’s going to happen either, though. The standard practices in the ad business are that you include whatever javascript the advertiser wants. I’d love to hear stories about people who Just Said No and got away with it (i.e. they still had enough ad offers to fill their inventory and at a good CPM) but I’m not holding my breath. If anything, the ad business is a buyer’s market right now, where the sites do whatever they’re asked and smile.

    It’s actually a pretty grim situation and I think things are going to get worse before they get better. This NYT story is the first (well, the hundredth) of many more.
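
An added example, not part of the post or of any comment: one way a webmaster could audit a page for the "no script src from some other server" rule described in the comment above. The names `origin`, `ThirdPartyAudit` and `audit`, and the example.com/.net/.org hosts in the sample page, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that fetch active content, and the attribute that holds the URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

class ThirdPartyAudit(HTMLParser):
    """Collect active-content tags whose URL is not on the page's own origin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return  # not an active-content tag, or an inline/empty one
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme not in ("http", "https"):
            return  # data:, about: and similar are not fetched from a server
        if origin(absolute) != origin(self.page_url):
            self.findings.append((tag, absolute))

def audit(page_url, html):
    """Return a list of (tag, absolute_url) loaded from another origin."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two first-party and two third-party references.
SAMPLE_URL = "https://news.example.com/front"
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="//ads.example.net/serve.js"></script>
<iframe src="https://news.example.com/ads/house-ad.html"></iframe>
<object data="http://cdn.example.org/banner.swf"></object>
<script>var inline = 1;</script>
"""

if __name__ == "__main__":
    for tag, url in audit(SAMPLE_URL, SAMPLE_HTML):
        print(tag, url)
```

A static pass like this only sees tags present in the served HTML; anything a first-party script writes into the page later is outside what it can check.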

  4. rp says:

    How much more user-friendly do pop-up blockers have to become? I like youtube as well, so I’ve clicked on the menu item that tells my browser not to disable Flash from youtube. If I want to see flash content from anywhere else, I click on the picture/placeholder and then click “yes” when my browser asks me if I want to allow it.

    What bugs me more is sites that use flash and javascript gratuitously and in obscure ways so that they don’t work properly unless you let all the popups and popunders and screaming high-volume animations play.

  5. Anonymous says:

    Does adblock protect you from malware? If we assume it does its job perfectly and blocks 100% of ads and nothing else, you would still be vulnerable to malware not delivered through ads.

    (Note: For all I know, Adblock might very well do its job 100% perfectly. I don’t use it so I wouldn’t know.)

    • John Millington says:

      Blocking only ads doesn’t remove hostile capability, so rigorous (paranoid?) people won’t see it as solving the problem.

      It helps a lot with blocking hostile intent, though. Ads are a special case on the web, in that it’s content that doesn’t originate on the website you’re looking at. An ad-supported website usually isn’t out to harm you. They want you to keep coming back to see ads and make them money. So they’re probably not going to try to serve you malware. The ads typically don’t even come from their own servers, though, so they’re not audited and there’s no incentive to behave.

      So yes, blocking ads (and just ads) protects from malware. It just doesn’t do it enough to make everyone comfortable.

  6. Chris says:

    If anyone is interested in this subject, can I recommend the “Spyware Sucks” blog. Sandi often writes in great detail about these – and provides warning for ad-buyers about which companies to avoid. The NYT attack is just the highest profile one recently so has reached people who did not know that this has been going on for a long time.
    http://msmvps.com/blogs/spywaresucks/default.aspx