53 comments

[ 3.3 ms ] story [ 27.5 ms ] thread
Nothing in this article explained how this advertising could actually be dangerous. It "collects the IP address and user agent string." Is there something serious or not?
It seems the author is assuming we normally trust legitimate ad networks with this data, but in this case a scary third party is getting the data.
I don't understand, thats just a notice dialog box, right? Presumably clicking Ok just dismisses it, right?
From what I understood from the reading, this could be an example of XSS (cross-site scripting): we "trust" a site, but there are other connections towards other ones, potentially malicious. So, weather(dot)com could have been compromised and should need to run some checks.
I trust darkweb organized crime more with my IP address, user agent, and battery info that I do Facebook or Google.
yes, but what about phone orientation!
ok, actually that info is also damaging in the wrong (i.e. Google/Facebooks) hands. ;)
I've been boycotting The Weather Channel since they started naming storms.
Summary:

weather.com uses an ad provider who gives them a malicious ad .1% of the time.

When you customer base is 100m+, that's potentially affecting a lot of people. It's very likely most of their users are not very technically literate, so these kinds of attacks are very performant.

"Only 0.1% of our profit comes from pureeing children into profit!" isn't a defense.

Certainly, but that comment basically contains all the information I needed to move on to the next article in the HN firehose.
Takeaway:

Install adblockers to universally block advertising networks--even on sites you would otherwise trust and like to support--and encourage all your friends and loved ones to do the same, especially if they're less technically literate.

He hasn't even shown this is a malicious ad, rather than a misleading, bogus offer.
weather.gov - use it.
I am still amazed weather.com exist. Go to weather.gov and get everything you need without all the ads, tracking and bs of that other site.
Ah, the good old world doesn’t exist outside USA narrative.
I didn’t think The Weather Channel was available outside the US. I’m sure they’ll give you a forecast on weather.com but the company is American based.
The folks behind weather.com are actively trying to kill weather.gov through lobbying and other campaigns. Folks need to be made aware that their tax dollars are already being spent on top-notch science tools by folks with a vested interested in their safety.
They almost got their dream leader of NOAA when Trump appointed the head of AccuWeather, Barry Meyers, to lead NOAA. He withdrew his nomination for health reasons, but believes the government shouldn't provide any type of direct forecasts to the public. Michael Lewis has a good write up of this in his book The Fifth Risk.
Not very useful for the other 7 1/2 billion people who aren't in the USA.
shout out to TropicalTidbits
Great site, but more for severe storm and weather enthusiasts.
The article has no citations to back it the claims. It states "researchers also believe that this malware is being used by an organized crime ring either to prepare for an enormous future attack on targeted users, or to sell collected information on the dark web" with no attribution. Nor is it obvious how battery condition or orientation would be any use to attackers or purchasers.
Seems like it could be reproduced easily by a typical HN reader. “Fetch a site a thousand times and check the served JavaScript for weirdness” isn’t exactly a high bar. Defining weirdness is the secret sauce for sure, though!

Battery condition and orientation are useful for fingerprinting devices, alongside the more commonly-known canvas attacks.

Your battery status may be used to track you online, 98 comments (2016) https://news.ycombinator.com/item?id=12208880

Your battery status and orientation aren't going to be useful for tracking you in a "future attack on targeted users", since by then both would have completely changed.
If the purpose is to identify you as a visitor to the site, then once they have identified you, that goal has been met.

You're assuming that they must, in the future, again identify you: that is not at all necessary for e.g. spear phishing, blackmail, or other attacks.

Combine it with 300 other metrics slurped up by similarly "innocuous" software, and, presto - ad-network!
This whole article is bunk. How do they get this conclusion?

"So anyone who has visited weather.com from a mobile device in the past few months is now vulnerable to future malicious activity down the road."

Weather.com steals forecasting data from NOAA
It's public domain information, there's no theft.
There’s the actual NOAA page for your area which is lightweight and increadibly information dense, IMO it’s what other weather websites can measure themselves against it’s pretty awesome!

Also: curl wttr.in (I guess hackernews night nock that over heh, it seems like it’s been struggling lately.)

Mobile and desktop (it auto-adjusts), visit https://forecast.weather.gov/ for a nice NOAA experience. I've even had a great email experience reporting a data population error, the local-to-me team replied within hours and had it fixed up.
They still use flash for their regional radar animations.
Wunderground (weather underground) used to be an amazing resource before the "Web 2.0" redesign. You could still access it as "classic.wunderground.com" for many years right up until IBM bought them and they finally turned it off in ~2016. There are still screenshots of it floating around. It looks like crap, very 1999 web design but it was organically built and curated for ~15 years and quite functional compared to what they have now. Also significantly faster IIRC.

Commercial online weather sites have really gone downhill since wunderground classic. I have yet to see a comparable info-dense site since.

3 out of 3267 isn’t really a big enough sample to determine the rate of occurrence.

Also, practical advice: use an ad/content blocker.

> Last year, a single malvertising campaign reached 100 million users, and there’s no reason attackers would pay for all that exposure unless some fish were biting.

But there is.

For example, an entity could have sold the malware to a rube. They would do this by using the same "bullet proof" logic: why would they be selling a tool that can hit 100 million users unless some fish will bite?

A meteorologist colleague informed me of https://www.yr.no/ and it has a version in English. It is what I usually use along with weather.gov. Their short and long-term World-Wide ECMWF forecasts are really nice as are the meteorograms. Yeah dump weather.com.

Edit: Ohh and one more: Jeff Masters and his crew at Weather Underground (wunderground.com). For example another nice meteorogram: https://www.wunderground.com/forecast/us/co/boulder/KCOBOULD...

You know Weather Underground is now owned by The Weather Company, the same parent as weather.com, right?
Which are in turn owned by IBM.
Their bulk data API now only serves NOAA data. All the personal weather data contributed for free is not available in bulk.
Oh man, I was using yr.no when I was in Norway, but didn't realize it had global coverage. In particular they have a really neat graph of hyper-local precip probability over the next 90 minutes, which is really handy when hiking in Norway :)
This page quotes this from "Binary Defense":

"if a user stumbles upon a webpage that has a compromised third-party library, the malware runs checks. These checks consist of who the user agent is, the type of device they are operating on, the level of battery it has, and the device’s motion and orientation. After these checks are verified, the malware will connect the infected device to a remoter peer prior to transferring the device’s IP address"

This statement is written to make it seem like like something bad is happening. But read the statement -- it's total BS.

yeah reading that felt weird. Honestly, I'm surprised this got so much attention on here.
> scanning the session for malware using Wireshark’s advanced malware analysis

Is this some feature of Wireshark I've never come across, or does the author not know what they're talking about?

I wondered the same, I made a mental note to check out this supposed feature. But now that you've asked this question and since the author was just peddling unsubstantiated hyperbolic horseshit in the 2nd half of the article, I'm guessing there's no such Wireshark feature.
I can save you the trouble. There is no such feature. Using Wireshark FOR advanced malware analysis is a thing, but it has no special feature built in with that name.

It's almost like the author was given some short hand notes and wrote them up wrong.

We use Wireshark day in, day out at my work place and many of us picked up on that statement.

weather.com was already collecting and marketing an obscene amount of user data as anyway. That's what drove me to stop using it a while back. Wunderground is in the same group.

This is US-specific, but what I use now is the National Weather Service's website. It's actually really excellent. https://www.weather.gov/

AFAIK most sites and news agencies in the U.S. get their data from weather.gov [1] I have never seen any shenanigans on that site.

[1] - https://www.weather.gov/