Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Advertising Music Security

A Spotify Ad Slipped Malware Onto PCs and Macs (techhive.com) 96

An anonymous Slashdot reader quotes TechHive: Spotify's ads crossed from nuisance over to outright nasty this week, after the music service's advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online...the ads directed users' browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software.
It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem." And they're not the only company dealing with hidden malware in ads, since the same thing has happened to both Google and Yahoo.
This discussion has been archived. No new comments can be posted.

A Spotify Ad Slipped Malware Onto PCs and Macs

Comments Filter:
  • by Anonymous Coward on Sunday October 09, 2016 @05:45PM (#53043943)

    to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

    • by alvinrod ( 889928 ) on Sunday October 09, 2016 @06:08PM (#53044023)

      Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      Most savvy users wouldn't which is why they use some kind of ad blocker or no script plugin. Even if asa weren't vectors for malware infection, video ads and trackers tend to chew through bandwidth and batteries as well.

      If websites limited themselves to static images without the massive number of trackers, I'd be far more likely to turn off the blocker. But for whatever reason, advertisers pay websites more if they use the world's most annoying shit.

    • to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?

      This is often quite surprising to those who don't know how modern Internet advertising works, but that is what people do. To have advertising on your site, you load a JS library from the advertising network and call into it to display the advertisement, and it does what it wants to show an advert. You're trusting them not to do anything evil - and the advertising network maybe trusting the advertiser not to do anything malicious, but you are certainly trusting the advertising network to screen for bad conte

      • by Anonymous Coward

        Oh yeah, blame the victim. I'm not even old but I remember the dot com boom and bust. The real reason we have this monstrosity is because the internet changed from hobby to business. What was supposed to be an information sharing network became a huge advertising platform. We have nothing to blame but corporate greed.

      • I run a website, and it is free from ads.

        Had to disable a lot of rss feeds because the sites - like /. started to advertise on my website.

        The only RSS feed left is the bbc.

        I don't make money off of the site, but it's a hobby, and I enjoy doing it. Costs me less than a month of cable TV per year to do it.

      • So make it clear to the advertising networks that you want a "still image only" option. That'll be a huge improvement even if you're still using their JS to display it. And since a lot of them now seem to pay mostly per click (rather than per view), there's no need (or excuse) to offer a lower payout for banner-only ads.
      • by Falos ( 2905315 )
        >implying requisite ads
        Oh please, it's nothing more than opportunistic capitalism slurping every dollar in reach. It's the nature of the beast. They're going to cash in no matter what.
        See also: Cable television
  • Ads are bad (Score:2, Insightful)

    by Anonymous Coward

    Ads are malware

  • by stfvon007 ( 632997 ) <enigmar007@yaho[ ]om ['o.c' in gap]> on Sunday October 09, 2016 @05:59PM (#53043999) Journal

    I have had something similar happen a couple times on slashdot - an ad redirects the whole page to a scam "You won a free apple laptop" page that tries to trick you into downloading malware. (for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux) This is why I have adblocker software and why slashdot is NOT whitelisted anymore. (Hint to slashdot's owners, Adopt the policy of the first poster and I may whitelist you again)

    • (for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux)

      When the installer asks you if you want to install systemd-scamd you say no.

      For the Gentoo users: The openscamd project is set to announce their first release soon so you know what not to compile.

  • But unless the advertisements cann ot be a disease vector, the fuck your advertisements. I Want you to go out of business, and I wnat your CEO's to b in jail, and your stockholderd to lose every cent.

    So we have Forbes? Fuck you and go out of business, the world will celebrate

    Imagur? Fuck you and go out of business, the world will celebrate

    Spotify? Fuck you and go out of business, the world will celebrate

    Unyil you clean up your act, and quit fucking people's computers up, Fuck off, assholes. You'

  • And they want me to disable my Ad Blocker? I think not!!
  • by Dr. Crash ( 237179 ) on Sunday October 09, 2016 @06:40PM (#53044139)

    Yet another reason why adblockers and scriptblockers are essential.

    Not just because ads chew up your pay-by-the-byte bandwidth, but because they are actively serving up malware.

    Sorry, all you ad-supported sites... find another business model. Your current methods are dying a very painful death.

  • by StandardCell ( 589682 ) on Sunday October 09, 2016 @06:40PM (#53044145)
    It is beyond unacceptable that:

    * Ad networks continue to be a vector for device infections both directly and indirectly
    * Ad networks track and profile users across websites without their consent
    * Websites use pop-over scripts to interrupt the viewing experience
    * Ad scripts and other ads use deceptive means to generate accidental clicks/taps
    * Websites redirect users unwittingly to app stores, particularly when said apps have nothing to do with the website content

    While I sympathize with website owners trying to monetize their content, they have left users with no choice but to block ads indiscriminately. The mobile browsing experience is particularly out of control now and shows what utter contempt or incompetence websites have regarding their user experience.

    The IAB [wikipedia.org] and ad networks [wikipedia.org] are complicit in allowing this situation to persist, yet focus all of their attention on trying to prevent ad blocking through technical and legal means rather than actually enforcing some standards of non-obtrusive advertising that doesn't threaten to direct you to some scummy malware site with a zero-day.

    Maybe it will take a few lawsuits, or boycotts, or just an overall drop in revenue for these deluded parties to stop this nonsense once and for all. Maybe it will be something else. Until the economics of serving and designing ads is tied to a positive UX, there will be an endless technological war to protect users from malicious ads.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I've been on the Internet/Web for a long time. When Cantor and Siegel first spammed USENET, it had already been 15 years for me. I had been involved in the early protocol meetings concerning TCP/IP, (I brought donuts...), the Usenet "Great Renaming", and the creation of some of the first rec.(group.group) Newsgroups, some of which weren't meant to be taken seriously... (Dammit, the actual CFV for rec.humor.objectivism was supposed to be a joke in itself, and yet it roused so many humorless Objections...)

      "T

    • by AmiMoJo ( 196126 )

      Maybe if they went back to the old static image served from the same place as the rest of the page they could actually increase their profits. These days analytics have driven prices down, compared to the old model where you paid for a billboard or TV spot without really knowing much beyond roughly how much traffic the board/channel was getting at the time. Information is power and by giving too much of it to the ad buyers they were able to drive costs down.

  • by Leslie43 ( 1592315 ) on Sunday October 09, 2016 @07:33PM (#53044361)
    I'm amazed no big company has stepped up to do it yet, how much are companies spending fighting all of these?

    Microsoft only stepped up it's game to stop the fake updates when they wanted to display ads in the OS, which tells you exactly how much these companies really care about it, so long as it's not truly effecting their bottom line or putting them at risk of being sued they won't bother. There's a reason ads have such a bad reputation and it's one that's well deserved.

    Besides adblockers, switch your dns to OpenDNS, they block most ad networks so your blocker has less to do.
  • I've always wanted an option in my browser to only display items on a page if they are from *.domain.com of the site I'm looking at. Cross site anything would simply stop working. Then, if a site is hosting it's own ads, it would display. No ad blocker required. It would also stop third party cookies, javascript, etc..

    • by geek ( 5680 )

      Install uMatrix, done

    • Firstly, you'd end up blocking a lot of content on sites that use CDNs to host their content. Secondly, it would be easily subverted by the site setting up a subdomain such as adnetwork.example.com pointing to the desired ad network so their ads could slip by your filter.

      • by Pikoro ( 844299 )

        There is another solution to sites that use CDNs. They could host their own content. If you're at the point where you need a CDN, you have the income to afford it. I ran a (I thought) rather popular site from a dynamic IP in my house. Received over 1 million unique users per day, plus forums, downloads, source code hosting, mail, etc. I also hosted my own ad network on the same system. This was direct advertising that I hosted and vetted myself, on my server. Bandwidth costs are cheap. If I can optim

  • It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem."

    Yeah well, you fucked up people's computers. How about you offer to let the affected people contact you, so you can make sure and reimburse them to get their computers reinstalled?

  • by Chas ( 5144 ) on Monday October 10, 2016 @01:53AM (#53045495) Homepage Journal

    Seriously, the advertising industry wonders why we hate ads and ad delivery platforms so much.

    Because of shit like this.

  • are delivered via advertising networks. I learned this in a presentation about angular and nuclear web exploit kits. On the backside, some, if not all, ad networks sell advert space in a bidding format with multiple delivery granular controls.

Avoid strange women and temporary variables.

Working...