Malware in ads causes trouble for millions of people. But ad publishers still fight against ad blocking

Maybe you know a person like this. He or she will adamantly claim that they have never been to any suspicious or dangerous websites, have never opened an email attachment in their life and have never downloaded anything. And yet their computer is haunted by malware. The time has come when exactly this is possible. Even people who try to surf the net responsibly and safely can have their computers infected by nasty malware, because of ads that spew malicious code around.


  • 19. 05. 2016

Lately, this has been happening more and more often. And even on large and established websites.

For example, recently millions of people could have had their computers infected just by visiting the portal of the New York Times, a website about American football and even a portal owned by Microsoft. Apart from that, there was malware behind ads shown on the websites of several American TV stations, and earlier this month also on one of the most popular gossip sites, PerezHilton.

Regular users would probably presume that sites like these are safe to browse. They are owned mostly by huge corporations that surely keep a tight grip on anything they publish on their sites.

But they would be wrong.

Even though these websites are owned by big companies, they rent out their advertising space to ad publishing agencies. These then sell it on further, usually with only light oversight (or none at all). And so many ads come directly from malware spreaders.

Dangerous ads can look absolutely innocuous or even tempting. A banner on other recently infected sites showed a set of quite nice-looking ratchet wrenches from the Taiwanese tool company AOK. But it also contained over 12 thousand lines of JavaScript code. This code first checked that the user wasn’t using any method to detect the intrusion and then redirected them to another website that used the Angler kit to exploit vulnerabilities in their computer’s software, and then infected them with the Bedep Trojan and TeslaCrypt ransomware.

Most malware-laden ads don’t even need to be clicked – they automatically redirect the user to the attacker’s website, check their browser for vulnerabilities, exploit them and download the malicious code. All without the user noticing at all. Experts call these attack vectors drive-by attacks and according to research, the whole process can be over in half a second.

Malware infected domains are on the rise

According to statistics from the security firm Cyphort, this year could be the worst for malware-laden ads in recent history. The number shown for 2016 in the chart above is an estimate based on the number of infected domains in the first part of the year.

These tactics are becoming more and more common. For a simple reason – they work well for the attackers.

Defending against ads that are laden with malware is no easy task. In most cases, however, they can be defused by using a good blocking program or a browser plug-in against ads and self-executing scripts. People who care about internet security and their own privacy have used them for years now. As have people who just don’t care for being pestered by sale offers.

But ad publishers don’t like this trend.

Let’s get meta: If they’re blocking us, we’ll block their blocking

The ones fighting against the trend of ad blocking are some traditional media that live off ad revenues and also ad publishers who can often charge ridiculous prices for “publishing” their ads.

Their fight-back is usually similar in character. Mostly they try it in courts and the most common target of their litigation is Adblock Plus and the German company Eyeo GmbH that runs the service. Thankfully, courts always rule that ad blocking is legal – users have the right to decide which content they want to see. Recently, this approach was once again tried by the newspaper Süddeutsche Zeitung, before them by German and French ad publishers. The result is always the same – the courts have ruled that users are within their rights to block ads and ad blocking software can continue to operate.

Because they regularly fail in court, ad publishers often try a different method. They add a chunk of code to the websites under their control that determines whether or not a site’s visitor is blocking ads. Such users are then prevented from accessing the site in question unless they disable their ad blocker. An often mentioned poster child of this approach is the business news portal Forbes, but there are many others with the same policy. Not too long ago, this method was put to use en masse against their readers by Swedish publishers.

As it turns out, though, this technique is most probably against the law. At least in the European Union. Alexander Hanff, a programmer and internet privacy advocate, recently posed several questions on the legality of blocking ad blockers to the European Commission. And the verdict? According to existing European laws, the user must consent to any attempt by a website to store data on their hardware, and detecting blocking mechanisms is therefore in conflict with the legislation.

So to sum it up: Ads can infect users with malware even on legitimate servers, so a lot of people decided to block them. This denies them access to some servers, because they refuse to see the “content” that gives them no value and instead can damage their computers. Do you care about security? “We don’t want this kind of customer,” the ad agencies are effectively saying.

To block an ad is to attack the freedom of speech, ethnic minority groups and everything that is good in the world, says the president of an ad association

To block an ad is to attack the freedom of speech, ethnical minority groups and everything that is good in the world, says a president of ad association

They have a “good” reason for their protests.

Ads bring them a lot of money.

Agencies are trying to protect their goose that lays the golden eggs and refuse any revision of the current situation.

Randall Rothenberg, the president of the international ad-publishing association IAB, went so far in his speech in January as to call the creators of AdBlock Plus “unethical, immoral, mendacious coven of techie wannabees” who “are stealing from publishers, subverting freedom of press, operating a business model predicated on censorship of content, and ultimately forcing customers to pay more money for less – and less diverse – information.” The work of ad agencies was in turn praised by Rothenberg as the thing driving the adoption of freedom of speech, diversity of thought and economic action.

His attack on the developers came only a few minutes after he praised the ad agencies for bringing overall profits from digital advertising in the USA in 2015 to a whopping 50 billion dollars. And expressed his delight as he waits for the next 50 billion dollars.

The ever-growing trend of people avoiding ads through blocking is making a dent in these profits. According to a PageFair study, ad blocking bit almost 22 billion dollars off the huge advertising pie.

That is the reason ad agencies are fighting a losing fight against it. But in doing so, they completely miss the point.

Solution? Either watch over the security of ads or change your financing models

The fact is that a great many ads are dangerous for the unsuspecting user. Many people pay the price every day with an infected computer or lost data. The number of people who have had to fight ransomware – malicious software that encrypts all data and threatens to throw away the key unless a ransom is paid to the attacker – grows every day.

And it’s the ad agencies that have to turn the situation around. As it stands, they are letting ads out with minimal to no oversight and helping spread malware in the process. Experts offer two possible solutions.

Either the publishers buckle down and start to carefully monitor the ads they publish. Every banner, every pop-up window et cetera should ideally have its code checked and vetted, otherwise it would not be published.

This recommendation stems from the assumption that safer ads would bother people less – they would in turn block them far less often, more people would see the ads or even click on them and the ad agencies and servers that publish ads could go back to their immense profits.

However, this solution would require investments of time and money, to build the infrastructure and establish rules. Even though this solution has been promoted for example by the authors of the PageFair research, the industry does nothing to follow the advice.
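A sketch of what such a pre-publication code check could look like, as an added example that is not code from the article or from any ad network. It statically reviews a creative's markup for the two traits described earlier: a script far larger than a banner needs, and navigation that happens without a click. The line budget, the pattern list and the sample creatives are assumptions constructed for illustration.

```javascript
// Added example: static pre-publication review of an ad creative's markup.
// The line budget and the pattern list are assumptions chosen for illustration.
const MAX_SCRIPT_LINES = 200;

// Constructs that navigate the page without any click from the visitor.
const FORCED_NAVIGATION = [
  { name: 'write to top/parent location',
    re: /\b(?:window\.)?(?:top|parent)\.location(?:\.href)?\s*=(?!=)/ },
  { name: 'location.replace/assign call', re: /\blocation\.(?:replace|assign)\s*\(/ },
  { name: 'meta refresh', re: /<meta[^>]+http-equiv\s*=\s*["']?refresh/i },
];

// Collect the bodies of inline <script> elements.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let match;
  while ((match = re.exec(html)) !== null) bodies.push(match[1]);
  return bodies;
}

// Return a verdict plus the reasons a human reviewer should look at.
function vetCreative(html) {
  const findings = [];
  const scriptLines = extractInlineScripts(html)
    .flatMap((body) => body.split('\n'))
    .filter((line) => line.trim() !== '').length;
  if (scriptLines > MAX_SCRIPT_LINES) {
    findings.push(`inline script is ${scriptLines} lines (budget ${MAX_SCRIPT_LINES})`);
  }
  for (const { name, re } of FORCED_NAVIGATION) {
    if (re.test(html)) findings.push(`forced navigation: ${name}`);
  }
  // Remote scripts can change after review, so they are never auto-approved.
  const external = html.match(/<script\b[^>]*\bsrc\s*=/gi) || [];
  if (external.length > 0) {
    findings.push(`${external.length} external script(s) outside this review`);
  }
  return { approved: findings.length === 0, findings };
}

// Constructed sample creatives (placeholder domains).
const CLEAN_BANNER =
  '<a href="https://advertiser.example/tools"><img src="wrenches.png" alt="Wrenches"></a>';
const REDIRECTING_BANNER = '<img src="wrenches.png">\n<script>\n' +
  'var pad = 0;\n'.repeat(300) + 'top.location = "https://landing.example/";\n</script>';

console.log(vetCreative(CLEAN_BANNER), vetCreative(REDIRECTING_BANNER));
```

A static pass like this only decides what reaches a human reviewer; obfuscated code can evade pattern checks, so a rejected or unreviewable creative should stay unpublished rather than be waved through.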

A second option, which many experts consider easier to adopt, is paradoxically much more radical.

Websites that depend on advertising revenues – for instance news portals, hobby sites and so on – can move over to a wholly different model of financing. Instead of showing ads, they can offer their visitors a chance to pay a small fee to help finance the site’s further operation. The confirmed assumption is that people don’t mind paying a small fee for quality content.

Some servers have already adopted this form of financing – in the UK it’s offered by the news site the Guardian, for example – but in most of these cases the new form of financing only exists as an add-on to the traditional ad-based model. This means that the channel for malware is still wide open.

If you run any sort of website that still uses digital ads, try to think your approach over. Consider whether the ads are really so important for financing the website. To have an internet presence is a must for companies today – there’s no need to try to recoup these costs from your customers, especially when you can also compromise their security with malware and ruin your reputation in the process. Even if you are just showing ads on your personal blog or a news site, consider another form of financing like accepting donations from satisfied visitors. You might be surprised how many people are willing to finance high-quality content without superfluous, troublesome and dangerous ads.
