Adware is a touchy topic.
Ask its opponents and they will tell you that adware is akin to malware and should be stopped in its tracks. Ask online advertisers and publishers and they will tell you it’s a mostly innocent way for developers to make a bit of money off of the free services they provide, and that by blocking ads we are effectively silencing freedom on the web.
The truth, though, is that no one likes to be bombarded with ads. Going to an ad-filled website is sort of like going to a disco – flashing lights, pulsating beat, and embarrassing design all around. Heavy ads take a toll on resources and slow down page loading time significantly.
And that’s just the beginning of the problem.
Malvertising is where the problems really start and it’s not all that uncommon. This is when ads get laced with malware by way of injected code. Infected ads can be switched for innocent ones on online advertising networks. Yahoo, TheNewYorkTimes.com and countless other websites have been victims of malvertising exploits.
It’s small wonder that people choose to block ads. Nowadays you can install adblockers that block ads on a granular level, meaning you have a choice in what gets filtered out, or on a macro level, which filters out all ad-related content. Either way, it’s bad news for developers for whom ads were a large part of their online revenue. So now there are anti-adblocking companies working on ad delivery models that in some way conform to the adblockers’ limited criteria to be considered acceptable. Got all that?
And now the irony
PageFair, an anti-adblocker that creates “block-proof” ads (meaning they conform to the standards for acceptable ads set by the adblockers who actually do let certain ads through), was the victim of a hack on, of all days, Halloween. For 83 minutes it exposed some of the websites running its service to malware all dressed up for the occasion as an Adobe Flash update.
According to theRegister.com, “PageFair stated that attackers had successfully executed a spear-phishing attack against ‘a key email account’ from whence a rapid password reset allowed them to hijack the company’s content distribution network account.” Once they had access to the account information, the hackers were able to switch in their own infected code.
The hack, which was deployed on about 20% of websites using the service, apparently only affected Windows users and, due to page caching rules, only those visitors who had not been to the infected sites within 2 hours of when the attack started would have been infected. Even then, the target would have had to download the “Adobe Flash update”.
PageFair estimates that the scope of the damage is not too wide at about 2.3% of people visiting websites using PageFair, but they have taken full responsibility for the breach and said they are committed to making sure this doesn’t happen again. (Note to TalkTalk CEO Dido Harding, you may want to call PageFair CEO Sean Blanchfield to take some notes on bedside manner when it comes to dealing with customers after hacks.)
Hard Lessons Learned
There are more than a few teachable moments here.
Clearly a hack like this doesn’t do wonders for those groups intent on keeping online ads alive. Even when they are safe, they aren’t necessarily so. Anything that isn’t native to the webpage itself can be a vulnerability.
And then there is the fact that PageFair was the victim of a spear phishing campaign. Hackers love to reel their victims in by way of emails asking for information. Don’t assume all phishing emails are as glaringly fake as the ones from His Highness, the King of Zimbabwe asking for your help in transferring large sums of money across oceans. Oftentimes these are perfectly legit-seeming emails coming from legit-seeming sources. You really need to think long and hard before answering emails that come from your IT department or your bank.
A good rule of thumb: if someone asks for information in an email, call them to see if they really sent it. Oh, by the way, don’t use the number provided in the email. If the email is a fake, well, you can figure out that the phone number provided in it is all part of the scam too. Look up the number on the internet or in *gasp* a phone book. Call the sender and make sure it’s legit.
The last thing to note from the fiasco is that users with RCS installed would have been spared from the fake Adobe update. Speaking of how RCS would have protected targets here, we are happy to announce that we are now OPSWAT certified in the anti-malware category. We hope you’re never the target of malware attacks but if you are, with RCS installed you don’t have to sweat it because we got your back, blocking all rotten infiltrators.
It’s true that adblocking may not be nice but it may be the only option in an environment where hackers will use whatever they can to infiltrate pages. Can’t really blame people for wanting to stay safe, can you?