If you visited any of about 500 websites on Saturday, and also downloaded what looked like an update to Adobe Flash, you may have inadvertently installed malware that makes your Windows PC into a zombie computer on a hacker’s botnet. Even if you did visit the sites, you’re probably safe if you didn’t take the bait and install the malware masquerading as an Adobe Flash update. If you have a Mac, Chromebook, or Android, iOS or Linux machine, you are also probably safe, as the malware seems to have focused on Windows. Just the same, you should follow the standard drill of updating and running your antivirus/anti-malware software. (You do have AV, right?)
Regardless of how big the attack is, it’s a brilliant illustration of everything that’s going wrong with web publishing, advertising, and online security. As such, it’s a great teachable moment for everyone who’s online.
Fast Company reached out to PageFair to find out which of their clients’ sites were affected by the malware attack, and, although they declined to name specific outlets, they informed us via email that of their 3,000 clients, “fewer than 501 publishers [were] affected,” mostly smaller publishers. They added, “It looks like only a small minority of users on those sites were actually affected,” before stating, “we are working on it.”
This breach turns the standard Internet-security narrative on its head, leaves out the usual suspects, and highlights both the security and revenue crises that are playing havoc with online publishing. To understand what happened, let’s back up and explain what’s going wrong with online advertising and why a company like PageFair exists.
It’s probably no surprise that people don’t look at online ads. They fetch a fraction of the revenue that print ads do; and as newspapers, magazines, and other publishers lose print subscribers, money is getting tight.
On top of that, more people are completely eliminating ads from view by installing ad-blocking software, usually industry leader AdBlock Plus, which has had more than 300 million downloads. An August 2015 report by PageFair itself puts the estimated cost of lost online ad revenue for 2015 at $21.8 billion globally. Things got potentially much worse for online publishers in September when Apple released its latest mobile operating system, iOS 9, which allows ad blockers on iPhones and iPads for the first time (although they have since been removed).
It’s no wonder why people block online ads. The worst of them blink, cover over what you are reading, or play annoying animations to draw your attention to low mortgage rate offers. Running all those ads slows down page loading times and sucks up bandwidth. Even worse, some ads actually install malware on readers’ systems because hackers routinely infiltrate online-advertising networks and replace the legit (if annoying) ads with booby-trapped versions. “The advertising industry is not very good about filtering that stuff out,” says Chase Cunningham, threat intelligence lead at security firm FireHost (now Armor Defense), when we spoke to him earlier this year about some of the biggest online dangers people face.
That explains why companies that make ad-defeating software, of which AdBlock Plus is by far the biggest, are doing such a brisk business. According to the same PageFair report, about 16% of Americans (that’s 45 million people) have installed ad-blocking software. That’s about twice as many as a year earlier. Seventy-seven million Europeans are also blocking ads.
AdBlock Plus’s creator, Eyeo, professes on its home page to not be against all advertising, just the really annoying stuff. By default it allows through ads on a preapproved “whitelist” that conform to its acceptable ad guidelines (no animation, no covering over what people are reading, etc.). Just as Google sets the de facto standards for how to optimize sites for search engines, Eyeo is on its way to setting the global standards for advertising. Just as SEO experts make a living by mastering the intricacies of Google’s methods, PageFair is trying to do business as a middleman between web publishers and Eyeo.
They were able to do this by using what is becoming the oldest trick in the book: a technique called spear phishing. Everyone has probably gotten what’s called a phishing email—a generic note purporting to come from, say, a bank or FedEx, asking you to click a link and do something like update account information. It then sends people to a bogus web form where victims diligently enter all the personal info that identity thieves need.
The hackers then used another classic trick: a bait-and-switch popup that asks people to install one piece of software, in this case an Adobe Flash update, but instead installs malware, in this case, apparently, a Trojan horse used to commandeer computers as slave nodes on what’s called a botnet (which can be used for processing big tasks like distributing spam or launching other cyberattacks). Adobe Flash is a favorite of hackers because it is so common on computers (though it is generally not on mobile devices), and is so prone to having security vulnerabilities. But this time, Adobe is not to blame. The PageFair attackers didn’t take advantage of a vulnerability in Flash. Rather, they took advantage of the fact that people are so used to Flash having vulnerabilities that they might instinctively click to download a patch.
It’s sad when bad things happen to good people—or at least, people who feel compelled to do good due to market forces. Most people are already wary of online marketers and advertisers, reported GfK, itself an online marketer, in a March 2014 survey of 1,000 Americans across five generations. Some of the painful truths include:
- 88% are “somewhat to very concerned” about protection of personal data
- 33% were affected at least once by misuse of their personal data
- 54% say marketers and advertisers need to change their policies on use of personal data
- Among the 23 categories of businesses they were asked about, respondents trusted marketers and advertisers the least (only 25% professed their trust).
For a lot of people, blocking ads just looks like the safest way to go. As the product name AdBlock Plus suggests, Eyeo is very good at this. Now companies trying to play by Eyeo’s rules just got a black eye from hackers.
This article has been updated to reflect the renaming of security firm FireHost.