To all of the the websites which have maliciously targeted users of NoScript and/or AdBlock Plus (Ars Tecnica, I'm looking at you), now do you understand why there is a segment of your readership which uses such software?!?
Pfft, I doubt you care. Once you serve an add, the consequences of your actions are safely ensconced in a Not My Problem field...
The business model of many companies is still advertising. You can't blame them for not being too happy they aren't making money off visitors.
I actually had several visitors on my site email me saying they got a virus from my site. I immediately ruled out the Google ads thinking there was no way it could come from there. Still, I felt terrible having having allowed my users be subjected to those ads, and I viewed it as bad business practice too--so it definitely didn't fall into a "not my problem" field
I have had two of my office computers get hit by this in the past year. At first I thought the office assistant was going to sites that she shouldn't have, until I got hit by it while on Autoblog.com which is an AOL site. At that point noscript and adblock got installed. But there are definitely badthings coming from ad networks. They are subtle - it may only try to send the payload every 10 or 20 screen refreshes - but they do send it. It took 10 screen refreshes on Autoblog, for example. This was some months ago, so I don't know if there is still a problem. The payload for me was the real looking Windows box that pops up and tells you that you have 20 viruses and to fix it just send $29.95 to this site and it will all go away.
Everyone has to make their own decision on the ethics of using ABP/NoScript, but I can guarantee you that DoubleClick invests substantial resources in trying to prevent malware ads, and they wouldn't be in the position they are today if they didn't.
Legitimate publishers like Rodale (Runner's World) and Conde Nast (Ars)care a great deal about these issues. These are big, responsible companies that care about their users, and about the sustainability of distributing high quality, advertising-supported content on the web.
Sometimes things go wrong, even when everyone has the best of intentions.
I'm not aware of any JavaScript sandbox widely regarded as flawless. AdBlock is one thing, but I have no qualms about not running arbitrary scripts that aren't even hosted by people I know and trust. If a publisher doesn't bother to use <noscript> or <iframe> to show me an ad anyway, it's their own oversight.
The display ad ecosystem these days is very complicated. Displaying one ad might involve a call to a publisher ad server, an advertiser ad server, an ad exchange, and a third party ad network. There's no way for the ad servers to know what kinds of other things need to be called and with what parameters, so they serve scripts which load scripts that eventually load a creative.
The site is windows-oriented, but it works fine on my Macs and I'd imagine any *nix platforms as well.
EDIT: note that if you use this as-is, google ads will stop working for you, you may want to selectively comment-out any ad sites you actually find useful.
Also note that it may break the functionality of some sites, e.g. paypal, since they route login/logout functionality through mediaplex (which I'm still shocked about).
Malware ads from Google hit quartertothree.com's forums at least twice over the past year and a half (the first time was in Jun 2009). Based on searching around when this happened, lots of forums that only serve Google ads have had the same experience. I'm surprised anyone is surprised Google is serving up bad ads because this has been going on for so long.
They do eventually remove the offending ads when you complain about them, but you'd expect a company of their stature to have better safeguards in place so this doesn't happen in the first place, but don't hold your breath because they seem unable or unwilling to fix this.
Is it funny to anyone else that Wired uses DoubleClick ads in this context? (And a page was blocked from popping up from another network?)
What I do know is that IE/FF/Chrome all have bugs that can be exploited by this malware - I see it regularly. While it may also be Adobe's fault at some junctures, I think with how much of a problem it is the browsers should at least TRY to detect dubious scripts/PDFs. Mozilla/Google can make their browser warn of an infected site but they cannot do a quick on PDF contents before initiating Reader?
23 comments
[ 3.7 ms ] story [ 58.8 ms ] threadPfft, I doubt you care. Once you serve an add, the consequences of your actions are safely ensconced in a Not My Problem field...
I actually had several visitors on my site email me saying they got a virus from my site. I immediately ruled out the Google ads thinking there was no way it could come from there. Still, I felt terrible having having allowed my users be subjected to those ads, and I viewed it as bad business practice too--so it definitely didn't fall into a "not my problem" field
Legitimate publishers like Rodale (Runner's World) and Conde Nast (Ars)care a great deal about these issues. These are big, responsible companies that care about their users, and about the sustainability of distributing high quality, advertising-supported content on the web.
Sometimes things go wrong, even when everyone has the best of intentions.
Catching malware embedded in Flash ad units isn't trivial.
Here's a diagram of what the market looks like right now. http://mediamemo.allthingsd.com/files/2010/09/LUMA-display-a...
http://www.mvps.org/winhelp2002/hosts.txt
The site is windows-oriented, but it works fine on my Macs and I'd imagine any *nix platforms as well.
EDIT: note that if you use this as-is, google ads will stop working for you, you may want to selectively comment-out any ad sites you actually find useful.
They do eventually remove the offending ads when you complain about them, but you'd expect a company of their stature to have better safeguards in place so this doesn't happen in the first place, but don't hold your breath because they seem unable or unwilling to fix this.
What I do know is that IE/FF/Chrome all have bugs that can be exploited by this malware - I see it regularly. While it may also be Adobe's fault at some junctures, I think with how much of a problem it is the browsers should at least TRY to detect dubious scripts/PDFs. Mozilla/Google can make their browser warn of an infected site but they cannot do a quick on PDF contents before initiating Reader?