
Adblocker blockers move to a whole new level

GALE WARNING

Hold onto your hats!

This article is about adblocking, always a windswept topic when we discuss it on Naked Security.

Adblockers do pretty much what they say.

They usually run as browser plugins, so they can see what’s coming and going in your browser, try to identify ads, and stop them from being downloaded, rendered or displayed.

You can also block ads at your web gateway, if you have one, but the idea is the same: let through the bulk of the site, but get rid of the ads.

Adblockers can recognise ads in numerous ways, for example:

  • By maintaining a blocklist of URLs used to link to ads.
  • By detecting the JavaScript that is used to fetch ads.
  • By spotting the HTML used for the actual ad content.

If that sounds like how an anti-virus works, or application control software, or a web filter, don’t be surprised.

The principle is generic: write an algorithm which examines data objects and divides them into two distinct sets, X and not-X.
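The three recognition methods listed above can be sketched as one small classifier. This is an added example, not code from the article or from any real adblocker; the hostnames, patterns and sample objects are constructed for illustration.

```javascript
// Added illustration of an "X / not-X" classifier for ads.
// All hostnames, patterns and sample objects below are constructed.
const BLOCKED_HOSTS = new Set(["ads.example", "tracker.example"]);
const AD_SCRIPT_PATTERNS = [/\bloadAd\s*\(/, /\badRequest\b/];
const AD_MARKUP_PATTERN =
  /<(?:div|iframe|ins)\b[^>]*\b(?:class|id)\s*=\s*["'][^"']*\b(?:ad-banner|ad-slot|sponsored)\b/i;

// Method 1: URL blocklist. Match on label boundaries so that
// "cdn.ads.example" is caught but "notads.example" is not; a plain
// endsWith("ads.example") would wrongly match the second.
function hostIsBlocked(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (BLOCKED_HOSTS.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Sort one data object (a fetched resource) into "ad" or "not ad".
function classify(obj) {
  let host;
  try {
    host = new URL(obj.url).hostname;
  } catch {
    return { isAd: false, reason: "unparseable-url" };
  }
  const body = obj.body || "";
  if (hostIsBlocked(host)) return { isAd: true, reason: "url-blocklist" };
  // Method 2: the JavaScript used to fetch ads.
  if (obj.type === "script" && AD_SCRIPT_PATTERNS.some((re) => re.test(body))) {
    return { isAd: true, reason: "ad-fetching-script" };
  }
  // Method 3: the HTML used for the ad content itself.
  if (obj.type === "html" && AD_MARKUP_PATTERN.test(body)) {
    return { isAd: true, reason: "ad-markup" };
  }
  return { isAd: false, reason: "no-match" };
}

// Constructed sample objects.
const SAMPLES = [
  { url: "https://cdn.ads.example/b.js", type: "script", body: "" },
  { url: "https://news.example/app.js", type: "script", body: "loadAd('top');" },
  { url: "https://news.example/", type: "html", body: '<div class="sidebar ad-banner"></div>' },
  { url: "https://news.example/app.js", type: "script", body: "loadArticle(42);" },
];
for (const s of SAMPLES) console.log(s.url, classify(s));
```

Each detector depends on something the ad's sender controls: the hostname, the script text or the markup.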

ADBLOCKERS CONSIDERED HARMFUL

In theory, adblockers ought to be uncontroversial.

Some countries block the sites you are allowed to view (by law, in practice, or both), but we don’t know of any jurisdictions where you aren’t allowed to filter your own traffic by choice, over and above any minimum required by law.

But in practice, adblockers have turned into a contentious issue, because many sites that allow free access rely on ad revenue as their way of recovering what we’ll refer to as “the cost of free.”

As a result, people who use adblockers are seen as leeches, for want of a better word, who enjoy free content while suppressing any chance of the website making money out of ads.

Indeed, anti-adblocking site PageFair, in a joint press release with Adobe in August 2015, claimed that adblocking would cost the business world an astonishing $22,000,000,000 (yes, that’s 22 billion dollars!) in 2015.

But there’s a deeper aspect to this dilemma.

ADS CONSIDERED HARMFUL

Although lots of users block ads simply because they don’t like them (which makes you wonder just how much ad revenue they would generate if they were compelled to see the ads, but that’s a question for another time), we know that many people block ads for security reasons.

That’s because of malvertising, where crooks hack into an ad server’s delivery network, insert malware, and sit back while mainstream sites start attacking their own visitors with poisoned ads.

If your site serves ads chosen from 100 different ad providers, and each ad provider has 100 different ads in its current active database, even one poisoned ad will end up distributed widely, but only occasionally, making it hard to track down and deal with.

Worse still, malvertising often appears in websites that you are inclined to trust: high-profile victims in the past year have included the Daily Mail and Forbes.

Ironically, PageFair, having said in its August press release that “it is tragic that [adblock] users are inadvertently inflicting multi-billion dollar losses on the very websites they most enjoy”, was itself the victim of malvertising at the end of October 2015.

One response from ad networks is to detect that you’re using an adblocker, and then block you in return, treating the ads as a sort of subscription: if you unblock ads on the site, you’re deemed to have paid your admission fee, and you’ll be allowed back in.

Think of this as adblocker blocking.

But now, a Californian adblocker blocker is going one step further, and offering an adblocker bypass.

THE ADBLOCKER BYPASS

According to online marketing site Marketing Land, the process goes something like this.

There’s a bypass loader and a bypass proxy.

The loader tries to fetch an ad conventionally, and checks to see if it turns up in the browser.

If not, the loader figures that it has spotted an adblocker, because something is getting in the way of loading the ad.

So the loader scrambles its own ad-fetching JavaScript code, obfuscates the URL from where the ad will be fetched, and tries again.

This time, instead of connecting to the ad server directly, the new and scrambled ad-fetcher goes via a bypass proxy, resulting in deliberately-disguised JavaScript issuing a deliberately-disguised ad request via a deliberately-disguised site.

Of course, if an adblocker can spot known ad servers using easily-updated technology such as a blocklist, it can detect known proxies via its blocklist too.

The ad proxies are, in effect, just ad servers with a different name.

So the bypass proxy gets obfuscated too, for example by using a domain generation algorithm to switch server names every so often, and by changing, or “fluxing”, DNS entries so that the browser proxies move around on the internet.

The bypass proxy then fetches the desired ad from the ad server, and rewrites its content so that any links to the real ad server that are embedded in the ad are themselves adjusted to go via the proxy.

This rewriting isn’t strictly necessary, because each recursive request to the ad server would go back through the bypass loader, get blocked and thus detected, and then get rewritten to go via the proxy anyway. But rewriting the links inside each ad makes things much faster, because only the first visit to the ad server needs to go through the test-to-see-if-it-will-be-blocked process.

If this sounds like how cybercrooks fight back against security products, with obfuscated JavaScript, disguised URLs, and regularly changing proxy servers and DNS records, don’t be surprised.

The principle is generic: create an algorithm which examines data objects and if they are in set X, rewrites them so that they are in not-X.
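From the filtering side, rotating proxy names are why a name-only blocklist falls behind, and why filters add a second signal such as "third-party host whose name looks machine-generated". The sketch below is an added example, not the vendor's algorithm or any adblocker's real code; the hostnames, blocklist and thresholds are assumptions chosen for illustration.

```javascript
// Added example: all hostnames, the blocklist and the thresholds are constructed.
const BLOCKLIST = new Set(["ads.example"]);

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic (assumed thresholds): a long, high-entropy label that also has
// several digits or very few vowels. Entropy alone misfires on ordinary
// names such as "cdn-provider", whose characters are nearly all distinct.
function looksGenerated(label) {
  if (label.length < 10 || shannonEntropy(label) < 3.0) return false;
  const digits = (label.match(/[0-9]/g) || []).length;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return digits >= 2 || vowels / label.length < 0.2;
}

// Simplification: treat the last two labels as the "site".
// Production code should consult the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Label every request made by a page: first-party, blocklisted,
// suspect-rotating-host (a signal for review, not a verdict) or unlisted.
function triage(pageUrl, requestUrls, blocklist = BLOCKLIST) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return requestUrls.map((u) => {
    const host = new URL(u).hostname;
    const site = siteOf(host);
    let verdict = "unlisted";
    if (site === pageSite) verdict = "first-party";
    else if (blocklist.has(site)) verdict = "blocklisted";
    else if (host.split(".").slice(0, -1).some(looksGenerated)) {
      verdict = "suspect-rotating-host";
    }
    return { host, verdict };
  });
}

// Constructed request log for one page load.
const SAMPLE_REQUESTS = [
  "https://news.example/style.css",
  "https://ads.example/banner.js",
  "https://q7x2kd9vzp4m.example/a",
  "https://fonts.cdn-provider.example/f.woff",
];
console.log(triage("https://news.example/story", SAMPLE_REQUESTS));
```

The third request passes the blocklist untouched and is caught only by the name heuristic, which is why such a heuristic is best used to queue hosts for review rather than to block outright.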

WHAT HAPPENS NEXT?

We’re not sure how well this trick is going to work.

We’re not thinking about the technological aspects here, but the cultural ones.

If I’ve blocked your ads – whether I don’t like them, don’t trust them, or both – then blocking me from your site unless I agree to unblock those ads seems perfectly reasonable.

If we can reach a willing buyer/willing seller compromise, then we will both end up happy; if not, then neither of us will end up with something at the expense of the other.

But forcing ads on me, especially if I’ve blocked your ads because of security concerns and yet you are tricking my browser into displaying them in a way I won’t notice until it’s too late…

…how is that going to win me over?

As a commenter pointed out when we last discussed malvertising:

No, we don’t expect companies to give us everything for free. But neither should companies expect us to sacrifice our safety for their product. It’s a risk evaluation.

Perhaps a better approach would be to set about building an ad network that people were willing to unblock out of choice?

Isn’t that better than giving them an ad network with which they end up playing a cat-and-mouse game of detect-evade-detect-evade?


Images of red stop hand and bullet hole courtesy of Shutterstock.

45 Comments

“Perhaps a better approach would be to set about building an ad network that people were willing to unblock out of choice?” I can just see how much of an attack that ad network (single point of failure) can cause.

This is why I have such a strong disdain for marketing companies/people. Anything for the almighty dollar, regardless of the consequences to the consumer and/or others.

I can appreciate ads. I know that ‘free’ is really never free. But I use ad-blocking because so many ads are downright annoying. THEY ARE TOO LOUD. If an advertiser can’t figure this out, then we shouldn’t have to listen to it. I do not use the interactive ads that offer me ‘shorter’ ad time. I don’t mind the ads. What I do mind is the volume! After all these years, they’ve not figured that out. Then the advertiser gets what he/she deserves: BLOCKED. In the end, if I can’t control that, I’ll soon quit watching anything.

This points out what I have long argued with our marketing group: Marketing and Malware utilize the same process; only the product is different. There needs to be a paradigm shift on the marketing side to attract and engage with consumers.

As a recipient of the ads, we don’t see the products as different; they both interfere with web use. At least your company has you to point out the realities of ad viewing experiences. I hope you get them to find a better method of engaging people other than pissing them off.

I must agree.
As many have said before I really do not mind some ads… but as Mahn says, when these ads interfere with the page we want to view or make the web experience unpleasant, well then we just stop going to the sites and the world economy will collapse as PageFair and Adobe have said.

Last time this came up I commented that advertisers can force me to display ads but they can’t make me look at them or respond to them. Now I realize, the problem isn’t advertisers, it’s ad servers. And they don’t care whether or not I look or shop! They get paid to deliver the ad and they will do whatever they can to make that happen. They don’t even care if the ad is successful. They will never run out of new clients. And they probably consider malvertisements a cost of doing business.

For me, web surfing is a recreation. I turned my adblocker off for FOX news this morning and was shocked at the large in-your-face ads. I could tell a site that I don’t need their content and I’m not coming back until they cut back on, or remove ads but most high ad-content sites offer no feedback option! I imagine researchers and other professionals may have to learn to cope.

Ads are like spam: if people see them often enough, some will eventually click and buy. I will never look at advertisements on the web or on TV but then I’m not the target audience and I don’t think anybody cares.

You left out one MAJOR reason people use ad blockers and similar software – due to all of the tracking code and the sheer volume of code loaded with ads and tracking software. Ad blockers (and tracking blockers) make pages load multiple times faster and help keep your metadata more private.

Yeah, the pages are loading multiple times faster. For a while. Until the site goes bankrupt due to lack of funding. And this happens because people like you think that a unique ID in a tracking cookie is personal information that should be kept in a safe. What (the hell) is the problem with tracking? The ad tracking systems are used just to make advertising more interesting for everybody, in order to show ads related to the interests of each one of you. For example, if you are interested in sports cars, it is very likely that you will see ads related to sports cars; otherwise (without ad tracking systems) you may see ads totally unrelated to your interests. In conclusion, ad tracking systems are a good thing, and they do not have any shady part that hurts your privacy. Remember, no personal data (like phone or email) is used by these systems.

“Until the site will go bankrupt due to lack of funding.”
And? If a business has a model that customers don’t want, why should that business be propped up? Simple fact is that people increasingly don’t want ads. If content providers can’t understand that then perhaps they don’t deserve to be in business.

This whole thing is silly. As long as I can’t trust ads I’ll find a way to block them. With exceptions of course. For instance, one of the few sites I allow ads through on is YouTube; the reason is simple. The channels I enjoy came right out and asked me to. They explained why I should, and what the repercussions would be if everyone blocked the ads. I respect that and added the exception for my ad blocker.

I guess what I’m trying to say is, don’t just go behind my back and think you’re outsmarting me. First try just explaining your point of view and asking me to allow ads if I can.

The problem is this “Tracking Ads” or “Targeted Ads” crap. The only reason we have these AD servers and distribution networks is because of the “Targeted Advertising” campaigns.
If websites were more like the company Spiceworks we wouldn’t be in the situation.
The Spiceworks model of advertising is “We have a target market that uses our site, we will display simple traditional images with a hyperlink to you about things related to this site and our target market (in this case IT Professionals) ”
So you get simple clean ads along the side of your page NOT ALL UP IN YOUR CONTENT.
And they are relevant to me because I am the target market.
They don’t care that I was on walmart.com and searched for milk and now are showing me the cheapest milk prices in town because I’m “interested”.
They say “if you’re here you’re probably in IT. Here are things IT people like” and I go “Damn that is a neat thing ‘click’… ”
Simple effective Advertising is the way to go. This we need a network of a thousand ads so that we can show anyone anything they are “interested” in is stupid and leading to a bunch of problems that could be avoided if every didn’t give such a big shit MONEY.

That targeted stuff is downright scary. I get ads that are perfectly suited to me, and I run noscript, adblockers and more, and don’t allow cookies by default.

But to use some sites, you have to open up to 3rd parties, not the least of which being facebook. Most news videos, slideshows etc are stored on fbcdn, so temporarily opening up to that blows everything your ad blockers, script blockers etc are supposed to do.

I was wondering though, if ads served by ‘subversion’ would be as targeted as ‘normal’ ads, it seems they would have all your pertinent info up front, before checking to see if an ad loaded, right? In other words, blocking ads does nothing whatsoever to protect privacy?

Imagine a world without ads though. Commerce would come to a stop. Ads enable small businesses to expand their reach. The bad players who trick people to install malware absolutely must go. Nonetheless, there’s an adblock blocker for sites like this on WordPress called AdBlockPrevent.com that’ll help keep the balance… currently publishers’ revenue is getting decimated – and that’s not good for small business either.

“I only go to websites I trust” (Security 101)
The trouble is so many of those websites try then to foist on me ads, images, javascript from other domains and apart from it not being clear who they are, I don’t have a clue whether I trust them.
So Adblock Plus and Noscript seem a reasonable way to control what gets on my browser.

This is a point that Chester and I like to make in the Chet Chat podcast…it’s not really enough just to be a “safe surfer” any more by sticking to websites that are useful and mainstream and that you trust.

You have to trust every ad from every advertiser sold through every ad network that your “safe site” uses.

And that’s a big ask, especially when the same site that is telling you that you’re costing the industry billions, so stop being so cheap by blocking ads…

…then gets “malvertised” itself :-(

I use streaming media sites with an ad blocker because the ads (which would only last 30 seconds) pop up to cover and block the content I am watching, which is not paused. So you miss 30 sec to a few min of the media. Not acceptable. If the ads were on the side, or only banner sized with no audio, I might not block them. Now CNN is a gawd awful place, every video has exactly the same ad that hour. So if you watch 5 news stories you have to sit through the same 1-3 min ad 5 times. I don’t use CNN often anymore due to their crappy ad method (and biased reporting).
What everyone says; don’t make ads that piss people off – not only will we not look at them, we will hate the product for being a nuisance.

“not only will we not look at them, we will hate the product for being a nuisance”

Same applies to paper advertising. I have a sticker on my mailbox saying “no advertising” and still sometimes they will throw in their flyers. I have been making a point of taking a quick look at the name on the flyer and try to remember the name – so as when one day I need that kind of service, I’ll know what company NOT to use.

It’s a simple connection. If people like things, then you must be doing something right. If people dislike things, you’re probably doing something wrong.
People run adblockers because they dislike ads. Maybe for security reasons, maybe for bandwidth, maybe because the ads are annoying as all heck. Maybe something else. So if an ad provider is being blocked, the provider is doing something wrong. Therefore the onus is on the ad provider to fix the problem, not on the people using adblockers.
Hint: Whining about it and trying to find ways to evade it do not count as a solution.

Or worse, they continue to show me ads for a product I researched on the web and bought. I don’t need another one. The one I bought will last for years. Stop showing me any ads for the thing I just bought.

People trust the Daily Mail?!

Good Grief, now I’ve heard it all.

Indeed. The words “websites that you are inclined to trust” and “Daily Mail” don’t belong in the same sentence, unless the words “do not include” are between them.

The advertising Industry & the internet support for that industry has created the need for Adblockers by not policing itself & by not setting clear boundaries & guidelines for advertising standards on websites, instead they ride roughshod over consumers with their anything goes approach & the backlash presented by Adblocking software is entirely justified. Advertising Industry needs to do more itself to correct the abuses that they perpetrated upon consumers & web surfers not simply sit back & moan about their lost billions of revenue, clean up your act or continue to lose money, getting into a fight with consumers via circumventing adblockers is retarded.

As a 10 year security professional who made a career change to the online publishing industry for 2 years, I can easily say that users don’t install ad blockers due to security concerns, they install them because ads are annoying. I do agree that ad servers/networks should take more measures to prevent malvertising and detect fraud traffic, it will benefit everyone in the industry – prices go up, publishers make more money, they can put fewer ads on the page. But the average joe knows nothing about security or privacy and just doesn’t want to be bothered by annoying ads everywhere. Adblockers exist only due to the fact that big advertisers (eg – Google, Facebook) pay them so much money to not block their ads (we’re talking in the 10s of millions of dollars yearly). Bottom line – nothing comes for free. If you don’t like the ads, stay off the site. Adblocking will only cause major publishers to charge money or bombard you with native promoted content (look at business insider and buzzfeed, this is where the industry is going).

I use Ghostery and Ad Block. If your website doesn’t work correctly because of that, I’ll go elsewhere. It’s a fairly simple algorithm.

And in several years you will not have anywhere (elsewhere) to go, as most sites will go bankrupt if most people think and act like you. But that is, it seems that critical mass was reached :(

Again. And? How is it my responsibility to prop up a failing business model? How is it my responsibility to be someone’s revenue stream. Content providers’ customers increasingly reject their business model. It’s on the provider, as the business, to adapt to the customer. Not the other way around.

One reason for blocking ads is to reduce bandwidth usage. We live in a rural area served only by satellite. The monthly cost is $130 for 25 gigs at a medium speed that does not allow any streaming. We do our major s/w updates between midnight and six am when bandwidth is free.

Another reason is that I never click on unsolicited ads; only those I initiate via a search.

So you’ve mentioned regular (benign) ads and malicious malvertizing, but there’s also the gray area of loading scores of tracker networks on every pageload. Your own site loads 15 (according to PrivacyBadger). To be fair, the ones on Sophos are mostly powering social features like comments and twitter/fb buttons, but they all slow down page loads. HuffPo loads upwards of 40 remote trackers on every pageload (!!!), most from data analytics companies I’ve never heard of and don’t consent to sharing my data with! Content sites need to acknowledge this shadowy practice and come clean with readers about how they’re being sold to marketers.

Your article missed a SIGNIFICANT point… Too many of the ads foisted upon the public are annoying in multiple forms, too loud visually, many times the audio is too loud and most times the spacing where I want/need to see PAGE content is destroyed, if not ruined, by these ‘ads’. Too often ‘ads’ stomp over the top of the desired content, getting IN my face, deliberately covering the content over, forcing me to see their screaming-at-me content, but having to now waste more time searching for the magical super-tiny hidden button to make it go away; worst is when they have ridiculous timeouts of a few seconds to sometimes 2-3 MINUTES before finally getting a button to make it go away, this time. Were the 99.9999999999999999999999999 % of ads we see responsibly created, minimal in size and placed out of the way, NEVER clamoring for attention and NOT be annoying then I would have no reason to use an ad-blocker. Sadly, advertisers FAIL to be that sensible, much less that respectful.

If there were a universal ad rating system that users could rate ads on their safety and ability to not be so invasive then we would have something. Cause only the best ads that users liked would be displayed and it would force companies to try and fix whatever security issues there are and create ad content that isn’t so “in your face” so to speak.

Websites have lots of options to make money in support of their projects. They can sell things themselves, offer to sponsor a company’s store, or other such sponsorships. Graham Cluley does the latter because he realized most of his site visitors, being security minded, were using blockers by default. The real problem is lazy, greedy websites that don’t want to do the hard work of selling their product to sponsors. Likely many would be turned away because of quality and/or quantity of original material. I’m sorry, but posting someone else’s material with a link to the rest of the Story does not deserve the right to make a living off others’ work. So the fight continues, and the ad people will never truly understand, because I bet anything, they use blockers themselves.

It’s kinda simple. Build us a system that we can trust. This means: no intrusive ads screaming at us or auto playing somewhere (and we can’t find it to mute it). No false, fake, or misleading ads that download something that we don’t want. Modern day web advertisement is much like a mine field, it’s best to stay out. I’m sure most people don’t mind some ads but please use a little common sense about this. It’s not worth the risk to view ads that compromise my security and sanity.

How about “If you are going to try and serve something onto my browser host it on your own servers and take responsibility”?

I personally don’t use an ad blocker. I don’t mind seeing the ads placed on a web page, as long as they are unobtrusive. I can deal with the pop-overs, the pop-unders, the peels, and the muted side videos. The ads that stick in my craw are the sites that play a video when you just want to read an article or the side videos that start with a decibel level of a jet taking off. Yes I know I can shut my speakers off (I expressly put speakers on my desk with a front mounted power switch just for this reason) but why should I have to? In the Jurassic days of the internet it was considered bad form and impolite to have a web site that played loud music or sounds when the page loaded. Why is it OK now? I can see why people are trying to block ads. Maybe, if the ad industry wasn’t so aggressive, this wouldn’t be a problem.

What I want to know is who the heck clicks on ads at all. With an industry standard 0.06% (yes, six thousandths of a percent), I can only imagine that any ads that do get clicked on were purely by accident.
