The Syrian Electronic Army invading your news & sites - via the advertising networks

The Syrian Electronic Army should be familiar to you by now, they hacked Forbes last year, as well as Time magazine's twitter account in 2013, and now that they've hacked Skype's twitter and blogs, the Guardian has made a timeline of the SEA hacks. When the SEA targeted Yahoo last year tens of thousands of visitors were infected by malware.

Ok, so what does this have to do with advertising? Everything. The ad networks are the weak link in the publishing chain, reaching into your phone and existing on every website we visit.

The way advertising networks and comment networks are run these days are by third party clients, embedded into the website that you, dear reader, are visiting and trust. You've seen the familiar Gigya, Disqus and Livefyre embeds, you're well familiar with the blue arrow icon indicating a Google ad network. There's countless sharethis, facebook, twitter and po.st buttons on any given site. Remember how banner hijacks happened a lot almost ten years ago, when even Adrants fell victim to such a hijack? Well, this old trick hasn't retired yet as Frederic Jacobs theorises that the New York-based Taboola network was the akilles heel that allowed for the hacking of Reuters, among others.
In How Reuters got compromised by the Syrian Electronic Army (hint it isn't actually Reuters fault) he writes:

By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters. Taboola has 350 million unique users and has partnerships with world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.
****
What this means for system administrators
If you’re using 3rd party analytics or advertising networks, your website’s security relies on the weakest of those since any of them is able to take over your website (and potentially steal your user’s data or trick them into installing malware). Websites like Reuters use more than 30 of these services and thus expose a considerable attack surface.

Adland was extremely reluctant to join the networked ads & button frenzy, specifically for the reasons mentioned above - like we joke: " it's a control freak thing, I won't let you understand" - as our security is weakened when we suddenly have many other ports of entry. As we've told you, dear reader, to beef up your personal security and privacy as much as you possibly can, recommending things like Privacyfix, Disconnect and similar services to keep cookies out and info locked down. It's not a popular opinion in the advertising business where cookies collecting your data and cyber-stalking your online habits is our business, but poor security habits among the population is like having an unvaccinated population. It can hurt us all in the end.

And it's hurting us right now. Confirmed ad network hacks so far are IBM Times, The Independent, CNBC & NBC, Telegraph, LA Times, Boston Globe, and Forbes Also reported hacks: Business Insider and NHL. While news outlets report these attacks as a simple defacements, despite the SEA tweeting the information of Taboola's Paypal account and other deeper breaches, the exposed insecurity in our ad networks should make us sit up and take notice.

Big money is spent on online advertising. But thanks to the convoluted brokering among ad networks, ad media buyers can't prevent your brands from being seen next to porn and piracy, or seen by millions of bots instead of the humans we intended to target. These same ad networks open up publishers sites to defacing, without a Project Sunblock variant to protect them (us!) from being hacked. How can a publisher stay secure, when almost every ad network out there has been used in hacks like these?

With mobile malware on the rise, you as a consumer are at a high risk of being hacked just by visiting The Guardian and The Verge - who are currently being reported as distributing malware. You need to have ad blockers installed everywhere, including on your Android phone and iPhone. I wouldn't let my mom use anything online without installing a thousand ad blockers and two-factor authentication, and this has become the default behaviour of a generation of people who "grew up online". How can we advertise to a target market who is blocking all of our ads? You see how this is a problem? Native ads will not solve this issue, masquerading sponsored content as editorial content is subject to laws and regulations we can't get around by just giving it a new name, and the novelty wears off very fast, diluting the masthead's brand integrity with it. Places like Tumblr and Medium will likely become advertising only deserts, populated only by bots, trolls and PR, once people not paid for their words have moved on to share their thoughts in unbranded spaces instead. This is a war for your attention, and the escalation of defenses in the shape of adblocks will simply bring new tactics to get around them in an ever evolving arms race. People in the advertising industry need to pay attention to security, ten years ago already, before the business of advertising online is ruined all together. I feel like a broken record, because I said the same thing about email marketing in the mid-90s. Does anyone even use email anymore, other than to receive social media bacn and ignore mailinglists we were force-subscribed to when we tried to buy a pillow?

@gcluley are @verge 's ad partners distributing malware? pic.twitter.com/4RFQgd8jFO

— AJSTA (@ajsta) January 14, 2015

src="adland.tv/roject-sunblock-protects-brands-being-seen-porn-piracy/1471006358">Project Sunblock variant to protect them (us!) from being hacked. How can a publisher stay secure, when almost every ad network out there has been used in hacks like these?

With mobile malware on the rise, you as a consumer are at a high risk of being hacked just by visiting The Guardian and The Verge - who are currently being reported as distributing malware. You need to have ad blockers installed everywhere, including on your Android phone and iPhone. I wouldn't let my mom use anything online without installing a thousand ad blockers and two-factor authentication, and this has become the default behaviour of a generation of people who "grew up online". How can we advertise to a target market who is blocking all of our ads? You see how this is a problem? Native ads will not solve this issue, masquerading sponsored content as editorial content is subject to laws and regulations we can't get around by just giving it a new name, and the novelty wears off very fast, diluting the masthead's brand integrity with it. Places like Tumblr and Medium will likely become advertising only deserts, populated only by bots, trolls and PR, once people not paid for their words have moved on to share their thoughts in unbranded spaces instead. This is a war for your attention, and the escalation of defenses in the shape of adblocks will simply bring new tactics to get around them in an ever evolving arms race. People in the advertising industry need to pay attention to security, ten years ago already, before the business of advertising online is ruined all together. I feel like a broken record, because I said the same thing about email marketing in the mid-90s. Does anyone even use email anymore, other than to receive social media bacn and ignore mailinglists we were force-subscribed to when we tried to buy a pillow?

@gcluley are @verge 's ad partners distributing malware? pic.twitter.com/4RFQgd8jFO

— AJSTA (@ajsta) January 14, 2015

src="adland.tv/acking-web-banner-networks-sends-banner-ads-hated-feared">banner hijacks happened a lot almost ten years ago, when even Adrants fell victim to such a hijack? Well, this old trick hasn't retired yet as Frederic Jacobs theorises that the New York-based Taboola network was the akilles heel that allowed for the hacking of Reuters, among others.
In How Reuters got compromised by the Syrian Electronic Army (hint it isn't actually Reuters fault) he writes:

By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters. Taboola has 350 million unique users and has partnerships with world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.
****
What this means for system administrators
If you’re using 3rd party analytics or advertising networks, your website’s security relies on the weakest of those since any of them is able to take over your website (and potentially steal your user’s data or trick them into installing malware). Websites like Reuters use more than 30 of these services and thus expose a considerable attack surface.

Adland was extremely reluctant to join the networked ads & button frenzy, specifically for the reasons mentioned above - like we joke: " it's a control freak thing, I won't let you understand" - as our security is weakened when we suddenly have many other ports of entry. As we've told you, dear reader, to beef up your personal security and privacy as much as you possibly can, recommending things like Privacyfix, Disconnect and similar services to keep cookies out and info locked down. It's not a popular opinion in the advertising business where cookies collecting your data and cyber-stalking your online habits is our business, but poor security habits among the population is like having an unvaccinated population. It can hurt us all in the end.

And it's hurting us right now. Confirmed ad network hacks so far are IBM Times, The Independent, CNBC & NBC, Telegraph, LA Times, Boston Globe, and Forbes Also reported hacks: Business Insider and NHL. While news outlets report these attacks as a simple defacements, despite the SEA tweeting the information of Taboola's Paypal account and other deeper breaches, the exposed insecurity in our ad networks should make us sit up and take notice.

Big money is spent on online advertising. But thanks to the convoluted brokering among ad networks, ad media buyers can't prevent your brands from being seen next to porn and piracy, or seen by millions of bots instead of the humans we intended to target. These same ad networks open up publishers sites to defacing, without a Project Sunblock variant to protect them (us!) from being hacked. How can a publisher stay secure, when almost every ad network out there has been used in hacks like these?

With mobile malware on the rise, you as a consumer are at a high risk of being hacked just by visiting The Guardian and The Verge - who are currently being reported as distributing malware. You need to have ad blockers installed everywhere, including on your Android phone and iPhone. I wouldn't let my mom use anything online without installing a thousand ad blockers and two-factor authentication, and this has become the default behaviour of a generation of people who "grew up online". How can we advertise to a target market who is blocking all of our ads? You see how this is a problem? Native ads will not solve this issue, masquerading sponsored content as editorial content is subject to laws and regulations we can't get around by just giving it a new name, and the novelty wears off very fast, diluting the masthead's brand integrity with it. Places like Tumblr and Medium will likely become advertising only deserts, populated only by bots, trolls and PR, once people not paid for their words have moved on to share their thoughts in unbranded spaces instead. This is a war for your attention, and the escalation of defenses in the shape of adblocks will simply bring new tactics to get around them in an ever evolving arms race. People in the advertising industry need to pay attention to security, ten years ago already, before the business of advertising online is ruined all together. I feel like a broken record, because I said the same thing about email marketing in the mid-90s. Does anyone even use email anymore, other than to receive social media bacn and ignore mailinglists we were force-subscribed to when we tried to buy a pillow?

@gcluley are @verge 's ad partners distributing malware? pic.twitter.com/4RFQgd8jFO

— AJSTA (@ajsta) January 14, 2015

src="adland.tv/roject-sunblock-protects-brands-being-seen-porn-piracy/1471006358">Project Sunblock variant to protect them (us!) from being hacked. How can a publisher stay secure, when almost every ad network out there has been used in hacks like these?

With mobile malware on the rise, you as a consumer are at a high risk of being hacked just by visiting The Guardian and The Verge - who are currently being reported as distributing malware. You need to have ad blockers installed everywhere, including on your Android phone and iPhone. I wouldn't let my mom use anything online without installing a thousand ad blockers and two-factor authentication, and this has become the default behaviour of a generation of people who "grew up online". How can we advertise to a target market who is blocking all of our ads? You see how this is a problem? Native ads will not solve this issue, masquerading sponsored content as editorial content is subject to laws and regulations we can't get around by just giving it a new name, and the novelty wears off very fast, diluting the masthead's brand integrity with it. Places like Tumblr and Medium will likely become advertising only deserts, populated only by bots, trolls and PR, once people not paid for their words have moved on to share their thoughts in unbranded spaces instead. This is a war for your attention, and the escalation of defenses in the shape of adblocks will simply bring new tactics to get around them in an ever evolving arms race. People in the advertising industry need to pay attention to security, ten years ago already, before the business of advertising online is ruined all together. I feel like a broken record, because I said the same thing about email marketing in the mid-90s. Does anyone even use email anymore, other than to receive social media bacn and ignore mailinglists we were force-subscribed to when we tried to buy a pillow?

@gcluley are @verge 's ad partners distributing malware? pic.twitter.com/4RFQgd8jFO

— AJSTA (@ajsta) January 14, 2015