[vklmn]

I don't think that it's google's fault. Google sometimes trade ads on auctions, meaning they issue and HTTP request to partners asking "Hey, you want to show an ad here", and partner respond with price and HTML code, the highest bidder wins and HTTP code is inserted.

HTTP contains JavaScript, and theoretically anything can be executed within the browser (I've seen people mining bitcoins!).

Google can't monitor an execute every HTML snippet, but they doing pretty great job sampling responses and evaluating some of them. Fraudsters are smart, and trying to understand if the code is executed on Google's servers, but overall they are loosing.

It seems like a case where google's system didn't work.

By they way, all google partners are listed here: https://developers.google.com/third-party-ads/adx-vendors. Usually, it's possible to track down who's exactly responsible by looking at dev console

[driverdan]

> I don't think that it's google's fault

Of course it is. It's their ad network.

> Google can't monitor an execute every HTML snippet

Of course they can. There's no excuse for allowing this nonsense on their network.

[coffeefirst]

Well, they do monitor snippets. There's a lot more going on here than meets the eye.

The problem is bad actors are really good at evading detection through obfuscation and dynamically serving different code depending on the IP address so the creative behaves normally if it thinks you're a server Chrome instance and does bad stuff for real people.

To make matters worse bad actors have automated their process, so when they discover they're blocked everywhere, they rotate to a new account, domain, change their obfuscated code to look different, and are back up in a few hours. This leaves everyone else playing whack-a-mole.

And even if Google sees through all of that, the code might never actually touch Google, but come from one of the many marketplaces or resellers being rendered through Google's Ad Server. For any given site, the list of what markets they work with is usually public. This site, https://techsparx.com/ads.txt, is doing business with way too many markets - 680 of which are resellers of other markets' inventory.

This means if you're a bad actor, you can evade anyone capable of seeing through your obfuscation entirely, select for marketplaces that have extremely poor quality control (I see a few), and wind up on this website.

[Malcx]

That sill is Google's fault as far as I'm concerned as an end user.

[ziml77]

If you're looking at it from an end-user perspective then it's the fault of techsparx.com.

[andybak]

If Google can't guarantee no malicious javascript then they should strip all javascript.

If I serve any content to my users, then I'm responsible for any malware it contains.