A Spotify Ad Slipped Malware Onto PCs and Macs (techhive.com)
An anonymous Slashdot reader quotes TechHive:
Spotify's ads crossed from nuisance over to outright nasty this week, after the music service's advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online...the ads directed users' browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software.
It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem." And they're not the only company dealing with hidden malware in ads, since the same thing has happened to both Google and Yahoo.
How difficult can it be (Score:5, Insightful)
to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?
Re:How difficult can it be (Score:5, Informative)
Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?
Most savvy users wouldn't, which is why they use some kind of ad blocker or no script plugin. Even if ads weren't vectors for malware infection, video ads and trackers tend to chew through bandwidth and batteries as well.
If websites limited themselves to static images without the massive number of trackers, I'd be far more likely to turn off the blocker. But for whatever reason, advertisers pay websites more if they use the world's most annoying shit.
Re: How difficult can it be (Score:2)
I'm more likely to click on text only ads. Even if that's a rare event too.
Re: (Score:2)
I usually click in empty space in order to set the focus to the browser, only to discover that there's an ad link there. So plenty of inadvertent ad clicking here.
Re: (Score:3)
to have as a policy and requirement, that adverts only come as still images, or movie sequences? Why the f*ck would you allow actual 3rd party code to run inside your own software, to display an advert?
This is often quite surprising to those who don't know how modern Internet advertising works, but that is what people do. To have advertising on your site, you load a JS library from the advertising network and call into it to display the advertisement, and it does what it wants to show an advert. You're trusting them not to do anything evil - and the advertising network maybe trusting the advertiser not to do anything malicious, but you are certainly trusting the advertising network to screen for bad conte
Re: How difficult can it be (Score:2, Insightful)
Oh yeah, blame the victim. I'm not even old but I remember the dot com boom and bust. The real reason we have this monstrosity is because the internet changed from hobby to business. What was supposed to be an information sharing network became a huge advertising platform. We have nothing to blame but corporate greed.
Re: (Score:1)
I run a website, and it is free from ads.
Had to disable a lot of rss feeds because the sites - like /. started to advertise on my website.
The only RSS feed left is the bbc.
I don't make money off of the site, but it's a hobby, and I enjoy doing it. Costs me less than a month of cable TV per year to do it.
Re: (Score:2)
Re: (Score:2)
Oh please, it's nothing more than opportunistic capitalism slurping every dollar in reach. It's the nature of the beast. They're going to cash in no matter what.
See also: Cable television
Ads are bad (Score:2, Insightful)
Ads are malware
Slashdot has had this as well. (Score:5, Insightful)
I have had something similar happen a couple times on slashdot - an ad redirects the whole page to a scam "You won a free apple laptop" page that tries to trick you into downloading malware. (for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux) This is why I have adblocker software and why slashdot is NOT whitelisted anymore. (Hint to slashdot's owners, Adopt the policy of the first poster and I may whitelist you again)
Re: (Score:2)
(for those who say it was a virus on the PC not slashdot, one of these times was on a fresh install of linux)
When the installer asks you if you want to install systemd-scamd you say no.
For the Gentoo users: The openscamd project is set to announce their first release soon so you know what not to compile.
Re: (Score:3)
Do NOT allow untrusted sources to run javascript (or any similar thing) on your computer. Sure, block ads too if you want, but the real problem here is letting totally unknown entities run scripts on your machine,
Yeah, but bullshit. You're saying something like yeah, Jack in the box sold tainted hamburgers and it killed some people but hey - it was their fault because they ate them. Sorry, you aren't supposed to get that shit in the first place.
You are begging for problems if you do that.
Everything is the customer's fault, eh? How bout this? Don't go to the sites that serve up this shit, or better yet, kill your computer. You can't get malware if you don't have a computer. If you have one and have a problem it is always your fault. Jerk
Ad networks ARE infection vectors. (Score:2, Insightful)
Ad networks ARE infection vectors.
Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.
Re: (Score:3)
Ad networks ARE infection vectors.
Stop blaming the goddamned users, it's the AD NETWORK that infected everyone.
THIS! A million times this. We don't watch ads on Television that screw up our Televisions.
Your computer is not supposed to be fucked up by things that presumably reputable websites serve you. If a person's computer is bitched up that way, they aren't the guilty party.
Re: (Score:2)
Your television is not a general purpose computation device.
A computer is, and it does what you tell it to. If what you tell it is to let someone else give it orders, then it will do that. If the other party gives it malicious orders, well, it will obey.
It's not a difficult concept.
Whooshes for pretty damn big whooshes.
The point you apparently don't get isn't about how software is written, or what Ada Lovelace or the abacus ever had to do with Windows 10 or the Intel line of microprocessors is that television ads don't screw up your television, that the "ads" served up mandatorily by websites do screw up your computer.
To attempt to take your silly missing of the point to its logical conclusion, that makes television much superior to the intertoobz and the machines used to access
Re: (Score:2)
Your television is not a general purpose computation device.
This is like arguing a cell phone isn't a computer, about ten years ago. It's well on its way to getting there. Our "SmartTV"s even get updates, but I'm sure it's all for the users' benefit, yes?
Re: (Score:2)
Yeah this isn't the old day where visiting a porn or warez site and you got hit with a virus, you deserved it. Today visiting CNN can get you infected with a virus.
Today you have to run ad blocks and no scripts to keep from getting infected, while the ad networks are actively working to undermine those same solutions while doing little to stop the malware.
Re: (Score:2)
I used to use noscript (which sort of works like an ad-blocker itself), and it was getting to be too much of a pain, so switched to uBlock Origin (which also blocks known malware domains by default as a bonus). Even though scripting is used to perform the infection, these days, disabling scripting just isn't feasible for many modern websites. It seems like it's scripting in ads that are the most typical delivery vector, and even then, it often depends on known, unpatched exploits (like Flash or Java plugi
Re: (Score:2)
No this isn't on the users. Spotify is serving up the ads to make money. It's their responsibility to not infect their customers with malware by simply visiting the site.
Re: (Score:2)
To keep on using a site the user has to open their computer to infection.
Re: for the 8979814th time... (Score:2)
Today not many sites are trusted.
Re: Jango (Score:2)
Jango Fett? Isn't he dead?
Nothing personal (Score:2)
So we have Forbes? Fuck you and go out of business, the world will celebrate
Imgur? Fuck you and go out of business, the world will celebrate
Spotify? Fuck you and go out of business, the world will celebrate
Until you clean up your act, and quit fucking people's computers up, Fuck off, assholes. You'
Disable Ad Blockers? (Score:1)
Yet another reason why Adblocking and Scriptblocki (Score:4, Insightful)
Yet another reason why adblockers and scriptblockers are essential.
Not just because ads chew up your pay-by-the-byte bandwidth, but because they are actively serving up malware.
Sorry, all you ad-supported sites... find another business model. Your current methods are dying a very painful death.
Enough of the IAB, ad networks and bad websites (Score:5, Insightful)
* Ad networks continue to be a vector for device infections both directly and indirectly
* Ad networks track and profile users across websites without their consent
* Websites use pop-over scripts to interrupt the viewing experience
* Ad scripts and other ads use deceptive means to generate accidental clicks/taps
* Websites redirect users unwittingly to app stores, particularly when said apps have nothing to do with the website content
While I sympathize with website owners trying to monetize their content, they have left users with no choice but to block ads indiscriminately. The mobile browsing experience is particularly out of control now and shows what utter contempt or incompetence websites have regarding their user experience.
The IAB [wikipedia.org] and ad networks [wikipedia.org] are complicit in allowing this situation to persist, yet focus all of their attention on trying to prevent ad blocking through technical and legal means rather than actually enforcing some standards of non-obtrusive advertising that doesn't threaten to direct you to some scummy malware site with a zero-day.
Maybe it will take a few lawsuits, or boycotts, or just an overall drop in revenue for these deluded parties to stop this nonsense once and for all. Maybe it will be something else. Until the economics of serving and designing ads is tied to a positive UX, there will be an endless technological war to protect users from malicious ads.
Re: (Score:2, Interesting)
I've been on the Internet/Web for a long time. When Cantor and Siegel first spammed USENET, it had already been 15 years for me. I had been involved in the early protocol meetings concerning TCP/IP, (I brought donuts...), the Usenet "Great Renaming", and the creation of some of the first rec.(group.group) Newsgroups, some of which weren't meant to be taken seriously... (Dammit, the actual CFV for rec.humor.objectivism was supposed to be a joke in itself, and yet it roused so many humorless Objections...)
"T
Re: (Score:2)
Maybe if they went back to the old static image served from the same place as the rest of the page they could actually increase their profits. These days analytics have driven prices down, compared to the old model where you paid for a billboard or TV spot without really knowing much beyond roughly how much traffic the board/channel was getting at the time. Information is power and by giving too much of it to the ad buyers they were able to drive costs down.
Re: (Score:1)
Remember how that didn't work with premium cable channels? Someone noticed there was a drop in ad revenue (ignoring the increase in subscription revenue) or they just wanted more money so there's ads where you've specifically paid to not have them.
This will keep happening until someone is sued. (Score:4, Insightful)
Microsoft only stepped up its game to stop the fake updates when they wanted to display ads in the OS, which tells you exactly how much these companies really care about it, so long as it's not truly affecting their bottom line or putting them at risk of being sued they won't bother. There's a reason ads have such a bad reputation and it's one that's well deserved.
Besides adblockers, switch your dns to OpenDNS, they block most ad networks so your blocker has less to do.
Something I've wanted (Score:2)
I've always wanted an option in my browser to only display items on a page if they are from *.domain.com of the site I'm looking at. Cross site anything would simply stop working. Then, if a site is hosting its own ads, it would display. No ad blocker required. It would also stop third party cookies, javascript, etc.
Re: (Score:3)
Install uMatrix, done
Re: (Score:2)
Firstly, you'd end up blocking a lot of content on sites that use CDNs to host their content. Secondly, it would be easily subverted by the site setting up a subdomain such as adnetwork.example.com pointing to the desired ad network so their ads could slip by your filter.
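The two objections in the comment above, as an added example (not from the thread and not any browser extension's own code): a same-site rule that looks only at the URL passes a subdomain that is CNAME'd to an ad network, while a rule that follows the CNAME chain can block it and still allow a CDN the user has chosen to trust. The DNS records, the `adnet.test` and `cdn.test` names and the two-label `siteOf` shortcut are constructed assumptions.

```javascript
// Constructed DNS data for illustration; nothing is resolved over the network.
const CNAME_RECORDS = {
  "adnetwork.example.com": "serve.adnet.test",
  "serve.adnet.test": "edge7.adnet.test",
  "static.example.com": "example-com.cdn.test",
};

// Assumption: the "site" is the last two labels of the host name.
// A real filter would use the Public Suffix List (co.uk, github.io, ...).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Follow the CNAME chain to the canonical name, capped to avoid loops.
function canonicalName(host, records, maxHops = 8) {
  let name = host.toLowerCase();
  for (let hop = 0; hop < maxHops && records[name]; hop++) {
    name = records[name].toLowerCase();
  }
  return name;
}

// The rule as proposed in the thread: compare only the host names in the URLs.
function naiveAllow(pageUrl, resourceUrl) {
  return siteOf(new URL(pageUrl).hostname) === siteOf(new URL(resourceUrl).hostname);
}

// CNAME-aware rule: a first-party-looking host must also resolve to the
// page's own site or to a CDN site the user explicitly trusts.
function classify(pageUrl, resourceUrl, records, trustedCdnSites = []) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const host = new URL(resourceUrl).hostname;
  if (siteOf(host) !== pageSite) {
    return trustedCdnSites.includes(siteOf(host)) ? "allow-cdn" : "block-third-party";
  }
  const canonSite = siteOf(canonicalName(host, records));
  if (canonSite === pageSite) return "allow-first-party";
  return trustedCdnSites.includes(canonSite) ? "allow-cdn" : "block-cloaked";
}
```
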
Re: (Score:2)
There is another solution to sites that use CDNs. They could host their own content. If you're at the point where you need a CDN, you have the income to afford it. I ran a (I thought) rather popular site from a dynamic IP in my house. Received over 1 million unique users per day, plus forums, downloads, source code hosting, mail, etc. I also hosted my own ad network on the same system. This was direct advertising that I hosted and vetted myself, on my server. Bandwidth costs are cheap. If I can optim
Re: self defense (Score:2)
Apple tax? You realize that Macs were among the computers infected (per the fucking HEADLINE)
So Spotify, how about you reimburse people? (Score:2)
It didn't last long -- Spotify quickly posted that they'd identified "the source of the problem."
Yeah well, you fucked up people's computers. How about you offer to let the affected people contact you, so you can make sure and reimburse them to get their computers reinstalled?
And these idiots wonder why (Score:4, Interesting)
Seriously, the advertising industry wonders why we hate ads and ad delivery platforms so much.
Because of shit like this.
Re: (Score:3)
Re: (Score:1)
And they can't hear your complaints over the chings of money entering their pocket book.
Over half of website exploit kits... (Score:2)
are delivered via advertising networks. I learned this in a presentation about Angler and Nuclear web exploit kits. On the backside, some, if not all, ad networks sell advert space in a bidding format with multiple delivery granular controls.