Hacker News
by robertlagrant 2304 days ago
> With malicious ads being the primary vector for compromising a person's computer, calling these tools virus blockers would not only be more accurate, but it would make it harder for sites to counter their use from a public relations point of view.

I don't understand this. How are malicious ads the primary way to compromise a computer?

4 comments

It depends on the ad. In the before time, long ago, ads were a simple static image or body of text. And in that case, while not impossible, it's rather hard to compromise a computer with a static image or block of text. You'd have to have a fairly specific image crafted to adversarially target a specific bug in the rendering of images to get code execution, and thus compromise a computer.

It is no longer the before time.

In the now time, ads frequently contain not just text or images, but JavaScript as well. And already having code execution by virtue of JavaScript, it is a lot easier to escalate the privileges of that code execution from the limited environment of the browser to installing code on the computer running that browser. Want to deploy your bot? Buy an ad that includes your malicious JavaScript payload. Now, anyone who goes to a site and views your ad will execute your JavaScript for free in addition to your offer to sign them up for credit score monitoring.

Are there any ad networks that allow random advertisers to include custom JavaScript in ads?

It just seems like a huge security hole and is not in the interest of ad networks for multiple reasons.

They might have JS in ads, but isn't that from the ad network's infrastructure?

Every single ad seller's been caught by companies selling these dangerous ads. Google, Yahoo, etc. They usually catch it within 3-5 days. That's too long.

In short, yes. Advertisements are a huge way to get malware onto people’s computers. This is just one random article from a Google search for “malware advertising” but there are tons and it still happens today.

https://arstechnica.com/information-technology/2016/03/big-n...

What is in the interest of the ad networks is income and plausible deniability.

“Sorry we didn’t realise that there was malicious content in that ad, we’ll do better in the future, and we’ll also work on taking less than four days to remove malicious content.”

In the meantime the reason ads are being bought is the ability to deploy customer enrichment experiences (the new name for malware) which will help customers better discover your product (by redirecting their browser, or rewriting links).

Are there ad networks that don't?

I have seen ads trigger site redirects, app download redirects to app stores, etc., and even initiate APK (Android app package) file downloads automatically.

That metric may mean in an indirect sense as well as a direct one - i.e. ads are the most common first step in a pathway that begins with getting a user to take some action that eventually leads them toward doing something that ends in compromise, even if it's several (mis)steps later.

Even if you have a zero-day exploit for a browser, you still need to get that exploit to your victims. Ads are the easiest way to get custom media and JavaScript into as many browsers as possible. Otherwise, you need to tempt users to your malicious site or find an exploit in a widely used site to get your payload to users (since most sites do not allow users to post arbitrary HTML, CSS or JavaScript).

Ad networks are supposed to vet ads to make sure they are safe, but they're bad at it and the system is not set up to make it easy (ads are dynamically generated by whoever's buying them as the page loads).

Because most ads are served by a handful of ad networks (Google Ads, etc.) you have a single entity through which you can get your malicious ad spread across a wide range of websites, increasing its yield. Without the ad networks you'd have to negotiate with every single site one by one to get your ad displayed, and some sites might do more due diligence and refuse to serve your ad because of its maliciousness.