“Hackers Can Now Deliver Viruses via Web Ads” Wall Street Journal Headline Exaggerates the Danger

An article this week by the Wall Street Journal blares out that “Hackers Can Now Deliver Viruses via Web Ads”. It’s not like the WSJ to go the sensationalist route, so we can only assume that the reporter doesn’t usually cover the Internet security beat.

“Web ads are becoming a delivery system of choice for hackers seeking to distribute viruses over the Internet,” says the article.

“In a development that could threaten the explosive growth of online advertising, hackers have started to exploit security holes in the online-advertising chain to slip viruses into ads,” it predicts.

Poppycock. Viruses don’t end up in ads!

Reading the article, at least if you don’t read between the lines, or don’t know much about Internet security, you might be led to believe that if you click on any online advertisement, the very act of clicking the ad will cause a virus to be downloaded to your computer.

Hogwash.

Generally speaking, it just ain’t so. That isn’t to say that it couldn’t happen – but generally speaking it would be vanishingly unlikely for you to click on an advertisement from any of the Yahoo, Google, or MSN advertising networks, for example, and have something bad happen to your computer. That is because they give the website the code to publish the ads. The ads that you see on many websites out there (and this one included, in fact) are generated by code provided by Google (or Yahoo, or MSN, etc.).

For the most part, the only way that the very act of clicking on a link in an ad could cause something to be downloaded to your computer would be if the source code for the ad was provided by some 3rd party, not one of the trusted online advertising vendors.

And that’s exactly what happened to TomsHardware.com, the one and only example of this happening known to date, and the poster child for this misleading piece from the Wall Street Journal. Tom’s Hardware accepted a banner advertisement from a 3rd party, and it turned out that the code for that ad contained a bit which caused the computer of anyone viewing the ad to automatically switch over to another site, and once the computer landed on the other site, it downloaded the virus to the user’s computer.

So even in that single, isolated instance, it took more than just engaging the ad to get the virus.

Simply put, you cannot get a virus from a link. Just like you can’t get an STD from a kiss. In both cases, it takes far more direct contact to get the bug.

Now, this may seem like a blatant attempt to get you to feel comfortable with clicking the ads on our own site. It’s not. But there are millions of sites out there where the ads they display from Google, or Yahoo, etc., are the only source of funding to maintain the site that they have. And for the Wall Street Journal to publish such a slanted, sensationalist (and uninformed) piece, without at least qualifying it a whole lot more (such as to make clear that this just ain’t gonna happen with legitimate ad vendors like Google) is perhaps the most irresponsible piece of fear mongering journalism I’ve ever seen from an otherwise generally upstanding news publication.

The original WSJ article is: Hackers Can Now Deliver Viruses via Web Ads.

3 thoughts on “‘Hackers Can Now Deliver Viruses via Web Ads’ Wall Street Journal Headline Exaggerates the Danger”

  1. Let’s say it’s not the “code” then, but the ad units themselves. Most of the code is just hrefs and object embedding. It’s the ad units, be they flash, java, or other formats which can exploit security vulnerabilities.

    Let’s say that a network accepts an ad from me and lets me serve it. I source that ad from .

    On whatever.com, I have an .htaccess file telling to treat ad.jpg as a script instead of a JPEG. Then I create a PHP script with the filename of ad.jpg which delivers a compromised WMF with a WMF mimetype in the header.

    If the ad network is letting me source the ad from my servers, even if it’s a 1×1 web bug that I demand (and a lot of advertisers do) so I can do my own independent tracking, it allows me the ability to perform some mischief.

    The only trustworthy network is one that delivers the ad units from their servers and audits them to make sure that there’s nothing malicious embedded in the applets or images. But when they’re taking rich media, to be 100% sure of that, they’d have to reverse engineer or decompile rich media applets. The costs for them to rigorously security audit rich media applications would basically end their lower-cost advertising programs.

    It does require a vulnerability in your browser or the helper plug-in that runs the applet. But “code” can extend beyond the HTML and Javascript that the ad network controls.

  2. >>Exactly one year ago, you posted “MySpace Ads Infect Millions with Spyware”. Now you’re stating that Tom’s Hardware is the only place this happened and that it only happens when the code is provided by third parties.<<

    Actually, Greg, in the case of the MySpace ad, it was absolutely *not* a security hole in the 'ad', as the Wall Street Journal article is claiming is the case in their article - in the case of the MySpace ad, it was a security hole in Internet Explorer - the well-known WMF vulnerability - that was taken advantage of six ways to Sunday on a multitude of websites (600 at least) by having the code on the website. The code was *not ad-specific*. It just happens that in that instance, the way that the criminals got the code onto the MySpace website was by including it in a banner ad.

    Yes, the story is about an ad on MySpace that downloaded malware - but it could have just as easily been about any page on MySpace that downloaded malware - the code was not "ad code" per se, unlike what the WSJ is claiming in their article.

    Your other points, about keeping your computer programs patched and up-to-date are, of course, good and vital points!

    By the way, I believe that the vast majority of ads - banner ads too - come from trusted advertising vendors, such as Google, CJ, etc.. Certainly the ads that I see come from such sources. Anybody else see differently?

  3. Exactly one year ago, you posted “MySpace Ads Infect Millions with Spyware”. Now you’re stating that Tom’s Hardware is the only place this happened and that it only happens when the code is provided by third parties.

    In most network ad cases where you have anything other than the plain text ads of Google AdSense, the code is always provided by third parties to the site or the ad network.

    It’s then a question of whether or not the site or the network properly audits the code and ensures its safety and quality. In the MySpace issue, it was improperly audited code.

    So let’s not call the WSJ article patently absurd. There are ways of making “Rich Media” ads exploit known browser vulnerabilities to use the ad view itself (without a click) to install malware on your machine.

    While sites and networks that accept rich media ads need to be on their guard to prevent this, sometimes they mess up.

    The answer is to keep up to date on browser and OS updates so you’re patching those holes as soon as possible and not leaving yourself open to bad ads.
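The mismatch described in the first comment (a URL ending in .jpg answered with a WMF mimetype) and the auditing the third comment asks of sites and networks can be checked mechanically. The following is an added example, not code from the article or its commenters: it compares a creative's URL extension, its Content-Type header and its leading bytes. The allow-list policy, the finding names, the host `adserver.example` and the sample responses are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Leading bytes ("magic numbers") mapped to a short format name.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # placeable WMF header key
    (b"\x01\x00\x09\x00", "wmf"),   # standard WMF header
    (b"FWS", "swf"),
    (b"CWS", "swf"),
]
MIME_FORMAT = {"image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif",
               "image/wmf": "wmf", "image/x-wmf": "wmf",
               "application/x-shockwave-flash": "swf"}
EXT_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
ALLOWED = {"jpeg", "png", "gif"}    # assumed policy: static images only


def sniff(body: bytes):
    """Return the format implied by the body's first bytes, or None."""
    for magic, fmt in MAGIC:
        if body.startswith(magic):
            return fmt
    return None


def audit_creative(url: str, content_type: str, body: bytes) -> list:
    """List the ways URL extension, header and body disagree."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    by_ext = EXT_FORMAT.get(ext)
    declared = MIME_FORMAT.get(content_type.split(";")[0].strip().lower())
    actual = sniff(body)
    findings = []
    if by_ext and declared != by_ext:
        findings.append("header-vs-extension")
    if actual != declared:
        findings.append("body-vs-header")
    if by_ext and actual != by_ext:
        findings.append("body-vs-extension")
    if actual not in ALLOWED:
        findings.append("format-not-allowed")
    return findings


# Constructed sample responses: only the leading bytes matter to the check.
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16
WMF_BODY = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18
```

A creative has to be re-checked each time it is fetched, since a third-party server can change what it returns for the same URL after the ad has been approved.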
