Ad blocking is good security practice

Posted by on March 16, 2016.

The combination of malvertising and ransomware is particularly pernicious. The former, we are told, cannot be stopped while the latter cannot be reversed. To be sure, it still requires a successful exploit – but add one unpatched system or one zero-day exploit to the mix and you’re up the proverbial without a whatsit. But ad blocking could help.

Earlier this week Trustwave announced that it had discovered a malvertising campaign that had infiltrated a number of very popular websites and, via the Angler exploit kit, sought to deliver the TeslaCrypt ransomware. It commented:

…it’s important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of Malvertising. The only “crime” here is being popular and having high volumes of traffic going through their sites daily.
Angler Takes Malvertising to New Heights

A day later Malwarebytes reported that it too had seen a ‘large Angler malvertising campaign’ affecting some major sites, including the BBC, MSN, New York Times, AOL and others. It’s not clear whether these are two different views of the same campaign, but the timing, large targets, malvertising and Angler are common to both.

…out of the blue on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while.
Large Angler Malvertising Campaign Hits Top Publishers

Commenting on this news, Fraser Kyne, Principal Systems Engineer at Bromium, announced:

Malvertising is highly effective because cyber criminals can target their attacks to specific demographics, and deliver them with tremendous volume. The online advertising model is such that ad networks simply cannot verify the validity of each and every advertisement it serves…

The implication of Fraser’s comment is that we cannot stop malvertising. To be fair, his solutions are good (“endpoint threat isolation or virtualization based security”), but they are only feasible for companies or very tech-savvy users – they won’t help the average user at home.

However, I part company with both Trustwave and Fraser in one particular area: the infected websites delivering malware are guilty parties, and we can do something to stop it. The underlying cause of the problem is greed – and it’s not the criminal greed of the hackers. It’s the greed of the publishers and advertisers.

The advertisers pay over the odds to ‘target’ their advertisements, and the publishers accept those adverts without undertaking due diligence to ensure their safety.

Two things would stop malvertising. The first is cutting off its life-support. Targeted advertising is based on and stoked by the practice of user-tracking. By tracking what we do, they know what we like; and knowing what we like, they can target their adverts accordingly. If we cannot persuade our governments to make tracking unequivocally illegal, and to enforce that with meaningful sanctions, then we can at least block all delivered adverts.

Ad blocking will work

It is already upsetting the publishers. You will have noticed how many will now block their content if you are blocking their adverts (although I’m not sure that is strictly legal in Europe at least). Notice that rather than accept our ad blocking judgment (that is, we don’t want delivered adverts) they seek to force us to change our behavior.


If enough of us block all delivered adverts, and embedded Flash etcetera, then the advertisers will stop buying our personal data to target their advertisements. If this were to happen, then the life-blood of malvertising (personal data) would be cut and it would wither and die. And contrary to the propaganda of vested interests, it will not mean the death of the free internet. Advertisers would simply be forced into a methodology that we find acceptable – perhaps the static embedded adverts that worked well in print publications for more than 100 years.

The second solution would be a lot quicker. If a publisher delivers malware, that publisher should be liable in law for any criminal damage. The onus of proof should be on the publisher to prove that he did not deliver the malware via malvertising. If he exposes a visitor to malvertising and the visitor is subsequently infected, the publisher should have no defence – and if this leads to the loss of data from the visitor, the amount of damages could be left for a jury to decide.

Don’t hold your breath for the latter solution. Our governments are more concerned about supporting big business than about protecting their citizens. But we can and should use a good ad blocker. If enough of us do so, then targeted advertising based on personal data can be defeated. We’re not saying ‘no’ to advertising, just to targeted advertising.

The bottom line is simple: ad blocking is good for security.

Submitted in: Expert Views, Kevin Townsend's opinions | Tags: