Archive | Malware

Adobe Study Finds 198 million adblocking users, growing 47% YOY; Advertising to lose $21bn in 2015

10 Aug


An Adobe/PageFair report says that 16% of the US online population blocked ads in Q2 2015 and that ad block usage grew 48% during the past year. Chrome, with its ease of installing extensions and its growth as the browser of choice, has become the major blocker of ads.

In the mobile space, Firefox and Chrome are responsible for 93% of mobile ad blocking.

400 users who do not block ads were asked what would make them change their mind (I’m shocked that “I didn’t know I could!” wasn’t the top answer):

  • Misuse of personal information was the primary reason to enable ad blocking
  • An increase in the number of ads was more important among millennials
  • 1 in 4 respondents aged 35-49 do not have any desire to ever use ad blocking software.

I use Chrome with Adblock Plus as well as a NoScript extension to limit ads. For those sites that responsibly show ads and act as a resource for me, I try to be a good user and whitelist them. The problem with adblocking isn’t that it exists, it’s that so many websites are reckless and irresponsible with display advertising. Until that changes, the percentage of ads being blocked can’t help but increase.

How do you handle display ads? Is your professional attitude different than your private behaviors? Would love to hear from you.


Crackers Using Your Own SEO Techniques Against You

18 Mar

This “IFrame exploit takes advantage of web site query caching. Web sites often cache the results of search queries that are run locally. These search results are forwarded to search engine providers (think Google or Yahoo), who use the information to generate their own search results. Hackers exploit the system by typing a query immediately followed by the text of an IFrame. This data (including the IFrame) is then passed to various search engines and displayed if a user searches for a relevant keyword. When the user visits an apparently legitimate document, the IFrame activates and attempts to complete whatever instructions it has been given.

The major advantage of an injected attack versus an embedded one is that an injected attack requires no direct access to a web site’s server backend. Instead, it takes advantage of the company’s SEO (Search Engine Optimization) practices and poisons the results that are fed back to web surfers. The first wave of injections targeted ZDNet Asia and The attackers shifted away from these two domains quickly and branched out into other web sites. One key purpose of the attack was to advertise the rogue antivirus product developed by the RBN (Russian Business Network), XP Antivirus.

XP Antivirus is a cute piece of work. On the surface, it seems to be an ordinary anti-virus program, and it makes all the usual claims one would expect regarding its ability to keep a system clean and virus free. Once installed, however, XP Antivirus actually creates a set of registry keys that it will detect and flag as malware installations once a scan is run. The only way to remove these threats from the system, of course, is to buy the XP Antivirus software package. Additional IFrames were eventually added that pointed to downloads for Spyshredderscanner and MediaTubeCodec, both of which attempt to download additional malware into a system.”

—Ars Technica

Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its effects on web browsing: “Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants.”
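To make the fix Google is asking for concrete, here is an added example (mine, not from the Ars Technica piece or any of the sites named above) of the two halves of the problem: a search page that reflects the query string raw versus one that HTML-escapes it, plus a check a site can run over its cached queries before handing them to crawlers. The injected query is a constructed sample with a placeholder domain.

```python
import html

# Constructed sample: an ordinary search term with an <iframe> appended,
# which is exactly the shape of query the post describes being cached and
# re-published. The domain is a placeholder, not a real indicator.
INJECTED_QUERY = 'lawnmower <iframe src="https://attacker.example/"></iframe>'


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw query into the page.

    If this HTML is cached and later served (or fed to a search engine),
    the injected tag survives intact and renders in every visitor's browser.
    """
    return f"<h1>Results for {query}</h1>"


def render_results_hardened(query: str) -> str:
    """Escapes the query before reflecting it.

    html.escape with quote=True turns < > & " ' into entities, so the
    browser shows the attacker's text as text and never creates an element.
    """
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def cached_query_is_suspicious(query: str) -> bool:
    """Detection side: a search term should not contain markup.

    Run this over the query cache (or the 'popular searches' feed offered
    to crawlers) to spot entries that were planted rather than typed.
    """
    lowered = query.lower()
    markers = ("<iframe", "<script", "javascript:", "onerror=", "onload=")
    return any(marker in lowered for marker in markers)


if __name__ == "__main__":
    print(render_results_vulnerable(INJECTED_QUERY))
    print(render_results_hardened(INJECTED_QUERY))
    print("suspicious:", cached_query_is_suspicious(INJECTED_QUERY))
```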

6 Botnets Responsible for 85 Percent of all Spam

5 Mar

From Ars technica:

Security firm Marshal estimates that six botnets account for 85 percent of the total spam sent world-wide. Srizbi is currently in the lead, with 39 percent of the “market,” followed by Rustock at 20 percent, Mega-D at 11 percent, Hacktool.Spammer at seven percent, Pushdo (6 percent), and Storm (two percent).

These numbers track the amount of spam each botnet is producing rather than the total number of systems infected by each botnet.

Spammers to Gmail Captcha: Gotcha!

25 Feb

From The Register:

Spammers have broken captcha at Gmail with a 20% success record. With Gmail an unlikely domain to be blacklisted, spammers have gained a powerful, free and incredibly annoying new weapon with which to spread their penis enhancement and re-fi mortgage offers (one of which I did recently…not from an email, so save the hate mail….I’ll leave you in the dark as to which).

The spammers are believed to be the same ones that broke MSN’s Live captcha a few weeks ago.

Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge-response systems, which are used to prevent accounts from being created until a user correctly identifies letters in an image, are designed to ensure requests are made by a human rather than an automated program. Websense reckons the latest Gmail Captcha hack is the most sophisticated it has seen to date.

More Legitimate Sites Serve Up Malware

23 Jan

From Ars Technica:

“According to security firm WebSense, the number of legitimate web sites that have been hacked and are distributing or enabling various types of malware attacks is greater than the number of malicious sites created specifically for that purpose. The company’s latest report (PDF) discusses this trend, along with the tremendous impact the Storm Worm had on the ‘Net through all of 2007. As WebSense states, there’s a clear advantage to infecting a legitimate site that comes with its own built-in traffic and a user base.

The type of theft varies depending on the site. Personal data and credit card information are the most obvious acquisition targets, but online gaming account theft and click-fraud are apparently common as well. It’s well known that there are forums, discussion groups, and IRC channels devoted to the topics of which web sites are known to be vulnerable. The problem also runs deeper than simply educating administrators about security vulnerabilities in the software that they use—locating the correct host provider for any particular web space can be difficult, and many sites don’t fall off WebSense’s malicious site blacklist quickly, sometimes remaining there for weeks or even months after being notified of a problem. ”

Sears And KMart Installing Spyware on Users Computers

3 Jan

Yet another corporate example of how not to win over the marketplace.

From Ars Technica:

Sears and Kmart are places you might go when you need a new air conditioner filter or a lawnmower; they’re not generally thought of as havens for spyware. But that’s what the two stores have become, at least online, where their web sites were found to be installing software to track users’ every online move—all without their knowledge. Security researchers are now hammering Sears (the owner of both and for the move, despite Sears’ claims that users were notified adequately beforehand.

The story goes like this: late last year, and began asking users if they wanted to participate in a “community” online (presumably a community made up of Sears and Kmart aficionados). In late December, security researcher Benjamin Googins at Computer Associates noticed, however, that the “community” actually installed software from comScore, a market research firm, in order to track the web activities of the sites’ visitors.

Googins stated on his company’s blog that Sears had installed spyware which transmitted everything—”including banking logins, email, and all other forms of Internet usage”—to comScore for analysis. This was all allegedly done with no notice that anything was being installed, and it ran contrary to documentation about the community that said any data collected would stay within Sears’ hands at all times.

But wait, there’s more! In an update to his original post, Googins noted that Sears actually offers a slightly different privacy policy—via the same URL—to compromised computers versus those that have yet to install the software. “If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like ‘monitors all Internet behavior’). If you access the policy using an uncompromised system, you will get the toned-down version (like ‘provide superior service’),” he wrote.

Surprisingly, Sears VP Rob Harles responded to Googins’ original post, stating that the company “goes to great lengths to describe the tracking aspect.” He claims that “clear notice” is provided to users multiple times throughout the sign-up process. The “community” continued on.

Now, spyware researcher Ben Edelman has taken a look at the situation, and he agrees with Googins’ assessment. Edelman heavily scrutinized all documentation that came with signing up for the community and found a few mentions of tracking software buried deep within the tangled legalese (for example, one mention was on page 10 of a 54-page license document). This, he says, goes against regulations by the Federal Trade Commission that require clear, unavoidable disclosure and “express consent” from the user before installing such software.

The two vague disclosures that Edelman found both fail to meet the FTC’s standards, he says, and he argues that Harles couldn’t possibly be more incorrect in his assertions that Sears goes to great lengths—or any lengths at all—to inform users of what’s going on.

The whole incident is reminiscent of another recent privacy blunder by Facebook, where its Beacon application tracked user activity elsewhere on the web and reported it back to the site for the world to see. The difference is that Facebook reacted relatively quickly to the community outrage (that is, the real, actual Facebook community, and not a nebulous term to describe being tracked by a retailer) and made significant changes to how Beacon interacted with the users it was tracking. The situation is still not perfect—the tool still tracks users’ activity even if they choose not to have it displayed—but it puts Facebook light-years ahead of where Sears is right now. As of today, Sears’ online community—complete with very detailed comScore tracking software—is still available online.

Adobe & Omniture Spying On CS3 Users

31 Dec

First Adobe went the paid ad route with Yahoo, now they are snooping on users. Sounds like Adobe is getting a bit too frisky…and Omniture is getting well…if not untrustworthy…suspicious.

From Ars Technica:

It all began with a post at UNEASYsilence titled “Lies, Lies and Adobe Spies” which caught on to the fact that Adobe CS3 apps were calling out to a suspiciously-crafted IP address. As it turns out, the IP in question— (note the capital O instead of a zero)—is not an IP at all, but rather a domain owned by statistics-tracking firm Omniture.

Criticism and conspiracy theories quickly erupted across the web, calling for an answer from Adobe over what looked like a clear invasion of privacy crafted to look like a typical local IP address. The holidays aren’t always the best time to ask a corporation as large as Adobe for an answer on issues like this, but Photoshop Product Manager John Nack came to at least a preliminary rescue. Across a couple of posts at his official Adobe blog, Nack took it upon himself to dig into the matter.

According to Nack’s investigation, Adobe’s CS3 apps call out to Omniture’s services to track a few usage statistics across Adobe products. Specifically, only three things are tracked: the news items presented in some apps’ welcome screens, Adobe-hosted content loaded in Bridge’s implementations of Opera and Flash Player (Bridge is the asset management component of Creative Suite), and Adobe online help systems like forums and the Exchange service, but only upon a user’s request.

As for the suspicious nature of Omniture’s faux-IP URL, Nack is less sure. He also agrees with users’ concerns over the matter and says he’s doing his best to find out more. It is likely, however, that Omniture is not returning Nack’s calls just as it isn’t returning Ars Technica’s, again probably due to holiday vacations. Other theories postulate that the URL crafting is both a technical and social engineering attempt to fool curious users and firewalls that might use some kind of wild card to allow 192.168.* requests. An underhanded tactic to be sure, but one that would allow Omniture to continue collecting usage statistics from many of Adobe’s users.
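The wildcard theory above is worth seeing in code. This is an added example (mine, not from Ars, Adobe or Omniture) using a constructed lookalike hostname in the same style: it reads like a 192.168.x.y address but has a letter O in the last octet and a real domain suffix. A prefix rule such as “allow 192.168.*” passes it; parsing the string as an address does not.

```python
import ipaddress
import re

# Constructed lookalike, not the real hostname from the story: a digit-only
# prefix, a capital O where a zero would be, and a domain suffix tacked on.
LOOKALIKE_HOST = "192.168.112.2O7.example.net"
REAL_PRIVATE = "192.168.112.207"


def naive_allowlist(host: str) -> bool:
    """A string-prefix rule of the '192.168.*' kind found in firewall or
    proxy configs. It compares spelling, not addresses, so a hostname that
    merely starts with those digits is waved through."""
    return host.startswith("192.168.")


def is_ip_literal(host: str) -> bool:
    """True only if the whole string parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def strict_allowlist(host: str) -> bool:
    """Treat a destination as local only when it is a real address literal
    in a private range. Anything with letters or extra labels is a hostname
    that must be resolved and judged by the address it resolves to."""
    if not is_ip_literal(host):
        return False
    return ipaddress.ip_address(host).is_private


def looks_like_ip_spoof(host: str) -> bool:
    """Detection heuristic for egress logs: a hostname (not an address)
    whose labels are mostly digits mixed with digit lookalikes (O/o for 0,
    I/l for 1) is built to read like an IP and deserves a closer look."""
    if is_ip_literal(host):
        return False
    labels = host.split(".")
    digitish = [label for label in labels if re.fullmatch(r"[0-9OoIl]+", label)]
    return len(digitish) >= 3


if __name__ == "__main__":
    for host in (LOOKALIKE_HOST, REAL_PRIVATE):
        print(host, naive_allowlist(host), strict_allowlist(host), looks_like_ip_spoof(host))
```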

Adding fuel to the fire, Omniture’s own explanation of the “” domain (note the lowercase “o” in Omniture’s usage) explains absolutely nothing about the disguising of the domain its clients’ products call. Even worse, Omniture’s opt-out method only covers individual web browsers, not applications. Neither Adobe nor Omniture offer an opt-out method that covers Creative Suite 3 applications, forcing power users concerned over this issue to add the specific Omniture URL to a firewall or other monitoring utility such as ObDev’s Little Snitch. Needless to say, this isn’t exactly as user-friendly as a splash screen check box, or even an application preference.

There’s a lesson to be learned from this latest marketing and privacy snafu, and Adobe and Omniture had better be taking notes. Omniture is clearly at fault—and still owes consumers an explanation—for trying to sneak this URL into clients’ products, and Adobe can’t be short on alternatives for product statistics tracking. One of the oddest things about the whole situation is that the outcry has focused on the crafty URL and not the stats tracking, suggesting that many CS3 users are used to companies watching (anonymously) over their backs. But no one likes wool, even digital wool, being pulled over their eyes or their routers.
