For two years, criminals stole sensitive information using malware hidden in individual pixels of ad banners


#1

Originally published at: http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html


#2

Which is an excellent example of why unapologetic and rabidly aggressive ad-blocking (e.g., ublock) is friggin’ awesome. Likewise script-blocking (e.g., NoScript) is friggin’ awesome.


#3

[Spoiler]This is apparently a real thing. Whatever it is. [/Spoiler]


#4

Yes, this.

To all the journalists who maintain that adblocking is somehow immoral: you are wrong. Ad blocking is self-defense. If that has a negative impact on your paycheck, then maybe you need to find a different method of making money. Because internet advertising is made of evil.


#5

Oh look it’s Flash hello old friend it’s been a long time.


#6

“Please disable ad-block”


#7

I use Chrome to visit sites that still haven’t gotten the memo about mobile devices and continue to insist on using Flash. I use Firefox to visit everyplace else. My CPU’s fan thanks me, and I almost never have to deal with autoplaying videos anymore.


#8

Related talk from Sarah Jeong on adblockers and journalism: https://www.youtube.com/watch?v=bltoTMJZetc


#9

Why is it called malvertising?

Shouldn’t it be badvertising?


#10

And this is why I happily use an adblock. Until the content providers hold the ad companies’ feet to the fire over this shit I will keep using an adblock.


#11

With a caveat, though. Ads aren’t the problem! It is how the ads are served up with scripting and Flash access that is the problem. Pictures and/or text-only ads? Not a problem. This is why the Boing Boing Store native advertising, for all of its many faults, is an improvement in some ways over embedded ads served up by 3rd-party networks.


#12

Yeah, because pics cannot be exploited. Oh wait

The only solution is for websites to be made legally responsible for all ads they serve, no exception, no excuses, with steep penalties - every exploit they serve should cost them $1000 per impression. That runs up to millions pretty fast. The penalty should be paid by the final website, not the ad network or other middlemen.

This would likely solve the problem overnight.


#13

Well, I should always be careful about giving absolute statements. :wink: However, the exploit you posted is from 12 years ago, and the attack in the OP only used photos as a passive storage medium for obfuscated code; scripting and Flash were required for the actual attack. So, in general, I stand by my statement that pictures and text aren’t the issue. If they were, you’d browse text-only, which I presume you do not.

I do think more accountability is key in the long run, though. And it needs to start at the OS level, but we need to also consider the unintended consequences that could kill open source software.


#14

That’s the exploit we know of. We know there are plenty of bad actors stockpiling exploits, and this sort of attack is so effective that I would expect most people to keep it under wraps until absolutely necessary.

I do crank up my adblockers to 11, blocking images and adwords, and hope that websites I patronise don’t actively try to fuck me. Unfortunately the XXI century web is completely unusable as text-only – just the other day I was trying to log on to Google via a terminal browser and simply had to give up. (Protip for developers out there: never assume the user will have a browser on the same machine your code has to run on.)


#16

Says you.

I hope you never see a use-after-free in a jpeg image parser library that your browser uses. They exist. Trust me on that. Really. Do.


#17

then later:

So, if I run XYZ Ads Corp and want to drive ABC Corp out of business, all I have to do is purchase a stockpiled exploit from BadActor LLC, send it up to ABC Corp’s servers for a couple of months, and then anonymously turn them in? Brilliant!


#18

Yes, absolutely. So publishers will stop trusting XYZ Ads Corp and only run ads they produce themselves.


#19

Sigh… Oh, for the good old days when infecting a computer required hand delivering a stack of punch cards…


#20

Deliciously erotic