The Economist's anti-ad-blocking tool was hacked and infected readers' computers


#1

[Read the post]


#2

I appreciate notification of stuff like this, because I try to always respond to the Koch-funded idiocy I get from business colleagues with something fact-based, and this will hit home for those types.

Except, I’ll probably have to send it to their secretaries, since most of them won’t actually understand the implications.

But they know more than young people, who are Socialists, of course.


#3

While the damage appears to be limited…

How do you know? How would PageFair know if they unwittingly infected five computers or five million? This is not a trivial question - victims of even a hypothetical hack can suffer millions of dollars in harm. Consider the Target hack, or the OPM. Those entities were required to offer identity protection services to the individuals whose information was hacked, and that had to cost tens of millions of dollars, at the very least.

If nobody ever pursues damages, corporations’ clever subversions of internet security will continue and escalate until nobody is able to trust any website, ever. I know some old folks who feel that way already - maybe they’re not fools.


#4

I was trying to figure out how they got around ad-blocking software, so I could counter-block them. At least one vector they used to circumvent was just paying the Ad-Block Plus folks to end up on their “trusted” list.

```
! Text ads by PageFair (https://adblockplus.org/forum/viewtopic.php?f=12&t=20718)
@@||pagefair.net^$third-party
@@||tracking.admarketplace.net^$third-party
@@||imp.admarketplace.net^$third-party
```

One place to start is making sure you have ABP’s supposedly “non-intrusive” advertising disabled, if you haven’t already switched over to a better product or ABP fork*. Kicking the allowed domains over to a 127.0.0.1 in the hosts file might not be a bad idea either.

*ETA: Other suggestions for adblockers that aren’t taking bribes from advertisers would be Adblock Edge or uBlock


#5

anybody who does not fall in line with a money-making scheme becomes the enemy.


#6

Thanks @Woodchuck45

[quote=“Woodchuck45, post:4, topic:68900”]
@@||pagefair.net^$third-party
@@||tracking.admarketplace.net^$third-party
@@||imp.admarketplace.net^$third-party[/quote]
How do these work? Or more to the point, how do I disable their, uh, disablement.

I found the ||pagefair.net^$third-party entry in my adblock filters, but it didn’t have the @@ preceding it - does the || symbol indicate exceptions (or ‘allowed’ ads)? (I also came across ##.pagefair-acceptable and ||pagefair.com/static/adblock_detection/js/d.min.js$domain=majorleaguegaming.com … which sounds like exactly the kind of thing I want Adblock to, well, block)

I didn’t find either of the admarketplace entries, although I did find ###AdMarketplace, and ||admarketplace.net^$third-party

It’s disappointing that Adblock is failing in this way. Disappointing, but not surprising. It’s like a classic protection racket; build up some solid trust by being useful, then abuse that trust for profit by destroying the usefulness.


#7

It’s worth noting that, as best I’ve been able to gather, the compromise of ‘Pagefair’ affected anyone attempting to view any of the sites embedding Pagefair-provided material, regardless of whether they were attempting any sort of adblocking or not.

Pagefair’s payload may have been considered more valuable than a basic sleazy ad network’s, since more effort is put into ensuring delivery even in the presence of user defenses; but it isn’t triggered by attempted adblocking, just takes more care than usual to make sure that it still makes it through.

According to Arstechnica’s piece, ~500 sites (helpfully undisclosed by Pagefair’s disclosure; because we all know who the real customer is) of various levels of prominence were among those affected. Unfortunately, The Economist appears to be well above average with their lousy non-apology, since that number of sites is distinctly higher than the number of disclosures-to-readers, in any form, that the incident spawned.

I’m pretty sure that Weather.com is one of them, based on the correlation of the timeline and attack type with a frantic-family tech support call; but comprehensive lists appear a trifle hard to come by, despite everyone being oh-so-sorry. (Most notably, Pagefair’s own “exposure checker” is an agonizingly snide, condescending, and uninformative document even by the low standards of adversarial technical documentation; and it notably avoids mentioning any ‘what web sites should I be concerned about?’ or ‘I run a network here; I want to check the logs for a list of URLs and/or IPs within a given timespan; stop shoving goddamn screenshots in my face?’ related information. Just a drippingly condescending ‘did you click on the malware and cause your own problems?’ guide.)


#8

If he knew, he wouldn’t have written “appears.”


#9

Heh heh, didn’t affect me because my adblocking is better than their anti-adblocking. There is no such thing as a good or safe ad network.

Now is a great time to drop AdBlock Plus for uBlock Origin (not the same as uBlock - too much drama to dive into or care about there, but Origin gets more and better updates).


#10

@@ means “allow from”
|| is a type of wildcard:

Sometimes one wants to block http://example.com/banner.gif as well as https://example.com/banner.gif and http://www.example.com/banner.gif. This can be achieved by putting two pipe symbols in front of the filter which makes sure the filter matches at the beginning of the domain name: ||example.com/banner.gif will block all these addresses while not blocking http://badexample.com/banner.gif or http://gooddomain.example/analyze?http://example.com/banner.gif
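To make the two rule forms compared in #6 and #10 concrete, here is an added example (not from the thread or from Adblock Plus itself) that parses the small rule subset quoted above (`@@` exception prefix, `||` domain anchor, `^` separator, `$third-party` option) and decides whether a constructed request URL is allowed, blocked or untouched. The third-party test is a simplification (real ABP uses the public suffix list), and all URLs are constructed samples.

```python
import re
from urllib.parse import urlparse

def parse_rule(rule):
    """Parse the ABP rule subset quoted in the thread: optional '@@' exception
    prefix, optional '||' domain anchor, a pattern in which '^' is a separator
    placeholder and '*' a wildcard, and optional ',' separated $options."""
    exception = rule.startswith("@@")
    if exception:
        rule = rule[2:]
    pattern, _, opts = rule.partition("$")
    options = set(opts.split(",")) if opts else set()
    anchored = pattern.startswith("||")
    if anchored:
        pattern = pattern[2:]
    # '^' = any char that is not a letter, digit, '_', '-', '.', '%', or the end of the URL
    body = "".join(r"(?:[^\w.%-]|$)" if c == "^" else ".*" if c == "*" else re.escape(c)
                   for c in pattern)
    if anchored:  # '||' pins the pattern to the start of a host name: any scheme, any subdomain
        body = r"^[a-z][a-z0-9+.-]*://(?:[^/?#]*\.)?" + body
    return {"exception": exception, "regex": re.compile(body), "options": options}

def is_third_party(request_url, page_url):
    """Simplified third-party test (real ABP consults the public suffix list):
    the request is third-party unless its host is the page host or a subdomain of it."""
    req = urlparse(request_url).hostname or ""
    page = urlparse(page_url).hostname or ""
    return not (req == page or req.endswith("." + page))

def decide(rules, request_url, page_url):
    """Return 'allow', 'block' or 'pass'. As in ABP, a matching '@@' exception
    wins over every matching blocking rule, whatever the list order."""
    verdict = "pass"
    for r in rules:
        if not r["regex"].search(request_url):
            continue
        if "third-party" in r["options"] and not is_third_party(request_url, page_url):
            continue
        if r["exception"]:
            return "allow"
        verdict = "block"
    return verdict

# Constructed rule set: the two forms the thread compares, with and without '@@'.
BLOCK_ONLY = [parse_rule(r) for r in ("||pagefair.net^$third-party",
                                      "||admarketplace.net^$third-party")]
WITH_EXCEPTION = BLOCK_ONLY + [parse_rule("@@||pagefair.net^$third-party")]
```

With `WITH_EXCEPTION` in place a third-party pagefair.net script is allowed even though a blocking rule for the same domain exists; delete the `@@` line and the same request is blocked.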


#11

Nobody should trust any site ever. At least, not on the first visit. The smart thing to do is disable all scripting right from the start and only allow the minimal necessary scripting on a case by case basis.

To do otherwise is to invite disaster.


#12

Seconding that. I visit several of the affected sites but as best I can tell no PageFair script ever ran. NoScript FTW. (When they figure out how to serve it from same-origin that’ll be different, but not a problem yet.)


#13

Good points! I think that it’s also wise to not listen to new people you run into until they build up enough trust with you, as they could be thieves or murderers, and to do otherwise is to invite disaster. Same thing with new restaurants or stores in town - who knows if they’re run by ruffians, and I heard from my sister’s father’s boyfriend’s daughter that someone found a rat in their soup at that place!

I mean, the only other thing that could be done was to follow even a basic modicum of computer knowledge to let you know that a website suddenly downloading a program and then you disregarding all warnings to install it would be a bad thing, but that’s literally crazy talk.


#14

You know what’s funny about default settings for most web scripting languages on most browsers? They never warn you, they don’t ask your permission, and they run whatever script is served up by default.

This isn’t like refusing to talk to people. It’s more like refusing to let random people stick hypodermic needles in your arm. Don’t be a smartass, it’s far easier to compromise a computer without the user noticing than it is to inject someone with a needle full of bleach.

The whole point here is that, if you just let anyone run code on your machine without actually vetting them, they’re more than likely going to take advantage of that, and increasingly they themselves will end up compromised and try to make your computer execute crap that isn’t in your interest.

For instance all advertising is not for your benefit. You are the product. Not the customer. And I prefer to decide myself what runs on my computer. Instead of letting other people decide what my computer should run.


#15

Infection methods via computer often rely on security loopholes, not default behaviors. Someone can’t just toss ‘ELITEHAX0R=TRUE’ into a website and pwn your machine with impunity.

In the article you can see that this wasn’t an elaborate and hidden stuxnet-style virus, this was a popup that said “OMG UR FLASH IS OUT OF DATE!!!” and then downloaded an executable when you clicked yes (25% of the time, because even internet hackers can’t get good availability numbers), and then when you ran that executable, it would install a remote access program. A subtle attack, this was not - it’s actually surprising they didn’t bother waiting for a 0day or something with some real kick to it instead of a super old trick.

That all being said, sure disable scripting, whatever, but you can also just browse safely, take a modicum of precaution and not break a bunch of sites in a manner that probably wouldn’t have fixed this problem anyway, assuming you trusted the site to some degree and allowed any advertising.


#16

What reason do I have to trust sites and adnetworks? If I want to see something that specifically needs code to run on my machine, then I may allow it.

But just letting arbitrary code run on my machine isn’t wise. “Safe browsing” definitely helps. But you know what? It’s just not good enough. And anyway using stuff like NoScript, and ad blockers that haven’t been compromised by monied interests is just one part of safe browsing. It’s not like I’m being paranoid. People get malware installed on their machines all the time. And in some cases malware can run just on the site gobbling up whatever cookies you have, so they can better follow you around the web. That’s not something I think is useful to me. And I doubt they’re doing it for my own good. If they want to know about me, they can ask me questions in person, or ask me to volunteer information, instead of just taking it.

I’m sure you’d be just pleased as punch being followed around town every day by a few dozen people videoing you, taking photos and picking up every scrap you’ve touched, digging through your trash, and putting gps trackers on your clothes and vehicles and personal belongings, right? Because without stuff like script blocking, that’s what’s happening on the web.


#17

Ublock is so light it can run on your phone


#18

This seems like as good a place to ask this question as any.

Let’s say I’ve got a shiny, new, out-of-the-box laptop. Mac, PC, whatever–we can stipulate it’s not some obscure hand-coded version of Linux or my artisan revival of BeOS. I update my browser (Chrome, Firefox, whatever–again, something mainstream) so that my software is at most a few seconds old. Default settings all around. Then I start loading web pages.

Under those circumstances–current software, but no special precautionary measures–how might my computer get compromised, if I don’t do anything that makes me actively complicit? That is to say, assume I heed all warnings my computer or browser or ISP might throw up on my screen and back away when I’m told to back away. Given all that, could I navigate to whatever.com and be instantaneously and successfully hit by malware? I realize that’s a fuzzy concept, but I’m talking about stuff worse than the now-normal trackers or super-cookies that every web page (including this one) attempts to use.

What this boils down to is this: does the current infrastructure mean that its baseline assumed user is being plagued by bad computer juju every single day? Or does all that rely on the user making at least one sin of commission (clicking a download button, ignoring a browser warning, installing a plug-in that later gets corrupted, etc.).


#19

Good question.

Paging @albill


#20

If you’re running Flash, Java, or similar binary plugins, these will be the vehicle through which most malware shows up (mostly Flash). Chrome has its own included build of Flash, which is better, but still Flash. At the very least, you make all binary browser plugins “click to play” before they run. Ideally, you just remove Flash and Java if they’re on the system.

Beyond that, I recommend running things like uBlock Origin to block a lot of advertising related stuff, which is the network through which most malware arrives that isn’t overly targeted at one individual.

The way most folks get compromised is:

  1. Old binary plugins (usually Flash) that are out of date and have known security issues
  2. Old Browsers (that are out of date with known security issues)
  3. Old versions of their operating system (that are out of date with known security issues)
  4. Being idiots, downloading, and then running software they find on the Internet that comes with malware in it. That pirated copy of Office or Photoshop? Well…
  5. Social engineering to install malware because people aren’t security conscious

You can sense a theme in 1-3. Keep your software up to date, don’t put off installing current versions. Don’t install dodgy software whose origin is unknown to you. Don’t run Flash if you can avoid it. If you do run it, run it only when you have to with human interaction.