Credit to Author: Adam McNeil| Date: Mon, 09 Jul 2018 15:00:00 +0000
This post may ruffle a few feathers. But we’re not here to offer advice to publishers on how to best generate revenue for their brand. Rather, we’re here to offer the best advice on how to maintain a safe and secure environment.
If you’re not blocking advertisements on your PC and mobile device, you should be! And if you know someone who isn’t blocking ads, then forward this post to them. Because in this two-part series, we’re going to dispel some of the myths surrounding ad blocking, and we’ll cover the reasons you should be blocking ads on your network and devices.
We’ll then follow-up in Part 2 of this series by discussing common tools and configurations to help get the most of your browsing experience.
You’ve heard the talk and seen the messages in online banners. You’re aware of the disputes and the provocation from publishers and advertisers that ad blocking is a morally unconscionable act whose users deserve outright banishment from the web. Maybe you’ve been swayed by the pleas from website owners and have empathy towards the fragile budgetary constraints of your favorite sites. Or maybe you don’t understand the risks associated with online tracking and advertising and think that if you don’t click ads you’ll be fine.
Don’t be fooled. Ad blocking provides a vital security layer that not only severs a potential vector for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information. Not only that, but blocking online ads and trackers has the added benefit of conserving bandwidth and battery life, boosting website response times, and generally improving the overall user experience. So using an ad blocker not only protects your device, but also provides better a better overall user experience. What’s not to love?
It’s all a bunch of hullabaloo!
Advertisers, publishers, and website owners despise talk of blocking the pesky advertisements that appear on their webpages—especially the ads that more aggressively vie for attention (and thus pay the website owners’ bills). We’ve all seen them. We’re talking about the ads that auto-play commercials or news clips as soon as the page is loaded. Bright, flashy popups, and page overlays that have to be clicked before seeing the desired content. Even the sponsored results that appear in search listings. They are everywhere!
Hundreds of billions of ad impressions occur each month, and digital ad revenue for online advertising is estimated to top $237 billion in 2018. With so many impressions to be served, it’s no wonder that website operators are clearing space and making way for advertisers to clutter the website landscape.
And we get that ad impressions are the lifeblood of many website operators and publishers who rely on clicks as the primary mechanism to create revenue. Some may even argue that ‘clicks create jobs’.
But let’s face it. In most cases, ads suck! Advertisers like to push the notion of “acceptable ads,” “non-intrusive advertising,” and “reasonable number of impressions,” but this is rhetoric designed to sway the opinion of an impressionable society—and it’s all a bunch of poppycock if you ask me.
Most people don’t like advertisements. They never have. That’s why VCRs became popular back in the `80’s. The devices allowed users to set up recordings and then skip commercials at their convenience later. It’s why DVRs became mainstream years ago, and why people flock to streaming services like Netflix now. It’s even the reason why people skip the first few minutes of a movie.
Ads diminish the overall user experience by forcing the attention of the consumer elsewhere, and creating a delay or nuisance in the ability to ingest the preferred content. A website’s “sponsored” listings often consume much more of the page landscape than actual content, which causes more time to be spent searching for desired items. This can lead to consumers paying more than would have been paid with a non-sponsored competitor. And then there are the ads that are purposefully obnoxious or play reoccurring sounds in a small box in the corner of the window. These are all just terrible to endure.
If it were a matter of simply not enjoying the content, then this point would be debatable. But, online advertisements pose a threat and provide an infection vector for malicious actors to launch targeted malware attacks. This can turn even the most reputable websites into potential delivery systems for malware authors.
Malware can be delivered inside that ad
Advertisements allow for fun little flashy ads that can play games and ask quizzes, but at the same time this functionality poses great risk to consumers.
Malvertising has the ability to affect even the most careful of users due to the nature of how advertisements are designed to automatically run code when they are loaded. Attackers may (and do) attach craftily hidden exploit code to otherwise innocuous looking ads for well-known products and then submit these ads for publication to known and reputable websites.
While many of the large ad networks perform due diligence and scan for such malicious content prior to publication, there are dozens, if not hundreds of ad networks to which a criminal can submit their malicious code. And not all of those companies possess the same standards as their multi-billion dollar counterparts. Taking into account the speed and nature of the real-time bidding process for online ads (a fascinating process that deserves a post unto its own) it’s not surprising that bad ads can get past even the most well-intentioned ad networks.
Consider for a moment this blog post released by Google earlier this year, which sheds some light on the number of malicious ads that were blocked through the ad ecosystem. In the post, Google stipulates that 3.2 billion ads were removed in 2017 for violating advertising policies. That translates to 100 advertisements for every single second, of every day, for the entire year! Of these ads, 79 million were pushing malware-laden websites. And that’s in addition to the more than 320,000 publishers that were blacklisted, and over 1 million websites and apps that were removed or blocked.
That’s a lot of bad ads!
Setting aside Google’s ability to block malicious content as it appears on their network, some may contend that with so much bad stuff out there, some things are bound to slip through the cracks every once in a while.
And, lest we forget, there are a plethora of other website, news, and advertising companies without the means or desire to police the content. Malicious actors can launch highly-targeted campaigns, which may only be visible to no more than a small handful of people, and which can often fly under the radar of security mechanisms and systems. Who out there wants to be the guinea pig and offer up their computer to the attackers when such lapses occur?
Don’t track me, bro
We’re all familiar with the Cambridge Analytica scandal involving the collection of approximately 87 million Facebook records. The highly-publicized event has led to insolvency proceedings against the company (though Cambridge Analytica may have been recently resurrected under the name Data Propria). People were outraged in part because the company had covertly collected and stored information on large swaths of the population without their consent. But what those same people may not understand is that Cambridge Analytica is not alone in this practice.
There are numerous organizations ranging from small one and two person operations, all the way up to mega-million dollar corporations that are involved in the process of collecting and selling consumer data. Data brokers, data warehouses, and data exchange platforms all provide tools and services to not only collect information, but also sort and organize the information in a manner that allows advertisers to target specific groups of users.
Few of these organizations have the express consent from users to harvest and store their information, and many lack even the most basic of security protocols to protect and maintain the information after it’s collected.
Consider the recent database exposure surrounding data broker, Exactis. The company has recently been accused of having a poorly=secured server, which compromised nearly 340 million individual records containing everything from addresses, telephone numbers, and email addresses, to more than 400 different data points for habits, interests, and hobbies. All sorts of other personal details are tracked, harvested, and stored in these databases; everything from age all the way down to a person’s clothing size and shopping history. Do you smoke, drink, or enjoy gambling? That’s in there, too.
And who exactly is Exactis? The company claims to be a leading compiler and aggregator of business and consumer data. The information collected by the company is used for customer profiling and to assist marketers in identifying descriptive traits and customer segments to help better understand behavior. This information can then be used to direct targeted advertising to specific groups.
The company website claims to possess 3.5 billion records on 218 million individuals and 110 million households. When asked where the information originated, Night Lion Security founder Vinny Troia was quoted as saying, “It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
While we may not know for certain, it’s probably a safe assumption that at least some of those records are obtained through the use of online trackers, and services that run silently in the background, tracking and logging your behavior each time you browse online.
Why do we continue to tolerate this sort of illicit data collection? Don’t be like Steve Huffman, the Reddit CEO who allowed himself to be targeted by a Facebook advertisement for the purpose of an employment solicitation. Instead, use an ad blocker, which not only blocks the targeted trackers that are compromising your personal information and divulging your secrets to the highest bidder, but will also prevent the targeted ad from being shown, thus, reducing your exposure to infection and solicitation.
No, it’s not morally unconscionable to use an ad blocker
Despite the notices, pleas from website owners, and the position from advertisers and publishers that ad-blocking will destroy the internet as we know it, there are no laws against using an ad blocker to prevent objectionable content from appearing on any device that you own or use.
In a long-followed case that transcended all the way to the German Supreme Court, European publisher Axel Springer was defeated in a years-long battle against Adblock Plus publisher Eyeo, after failing to persuade the court that the ad blocker violated competition law and was engaging in legally-dubious business policies. (Their business model allowed for unblocking ads deemed as “acceptable,” as well as those who paid for such distinction.)
The court ruling puts an end to Springer’s quest of having ad blocking deemed illegal. The ruling also vindicates users continued use of blocking software to prevent unwanted or objectionable content from being shown.
Americans are likely to have equally strong, if not stronger, ad blocking protections than our German friends.
When searching through dockets and filings provided by Justia.com, Eyeo, the parent company of AdBlock Plus, shows not a single case which the company has been required to defend due to its practice of blocking advertisements. And really, it’s almost a bit of a stretch to envision an American jury being persuaded by the argument of advertisers having the right to display content, but consumers not possessing the right to block said content when they don’t approve.
Therefore, with no laws preventing the use of an ad blocker, and with the counter argument simply reduced to the corporate mantra of “maximizing profits,” consumers are free to choose the security policy that best fits their needs.
We’ve seen that ads not only diminish the user experience of ingesting content, but that they also pose a substantial risk to consumers.
The potential for malvertising to successfully deploy a nasty payload to your machine, which may compromise your system and jeopardize your financial security, is real. Worse yet, these types of attacks don’t even require user interaction and can execute merely by visiting the page.
And if the threat of financial ruin is of no concern, then the privacy-invading act of data harvesting should be.
The array of data collectors and data brokers out there is mind boggling, and they are all struggling to associate your actions and behaviors to groups and other individuals for no other purpose than to create targeted ads and increase profits. The information collected by these organizations may be poorly secured and is a potential gold mine for any cybercriminal.
And if the moral conviction of blocking the advertisements of your favorite websites has thus-far prevented the adoption of ad-blocking technology, then the knowledge of an ever-growing advertising ecosystem and the lack of laws preventing ad-blocking mechanisms should ease those concerns. Yes, we all want to generate revenue for our brand, but personally I’d rather not help do that at the sake of potential identity theft, or worse, having my PC compromised by a malware attack originating from a rogue advertisement on a popular website.
In Part 2 of this series, we’re going to have a look at some of the common ad-blocking utilities and how to configure those tools to fit the needs of the individual user. We’ll show how to navigate user-friendly settings that are simple enough to use on Grandma’s computer. We’ll also take a deep dive into some more advanced configurations and tools that may require a shift in user mind-set, usage, and understanding before fully realizing the benefits such configurations provide.
We’ll cover blocking ads on both mobile and PC devices, as well as configuring a network solution to block ads throughout your entire environment.
So stay tuned to the Malwarebytes blog, or follow this post and we’ll update it with links once available.
The post Everybody and their mother is blocking ads, so why aren’t you? appeared first on Malwarebytes Labs.