Okay, so I expressed my initial outrage, explained how to use an RSS reader instead of your friends page and pulled all my content from LiveJournal. So I guess you could say I’m pretty freaked out over this whole ads-serving-malware thing. This will (hopefully) be my last post on the issue, and I’m only going to be bothering you one more time because I think I haven’t yet done a good enough job of making it clear exactly how bad this actually was. Because I guess from one angle it kinda doesn’t seem all that bad, or like it affects you.
But it does. Trust me. This sort of thing is my day job.
So what happened, exactly?
Whilst browsing LiveJournal while logged off and using Internet Explorer 7, I clicked a link in an official LiveJournal news post. The link opened, but it also caused several pop-ups to spawn. These pop-ups imitated the appearance of anti-virus warnings (quite well, actually), purporting to be performing “scans” and telling me my computer was “infected”. These “warnings” were actually ads, trying to entice me to download a fake anti-virus application to “protect myself”.
Meanwhile, my PC’s actual anti-virus program (Symantec’s unfortunately-named SEP11) also displayed a message warning me about the fake warnings.
So what you’re saying is that nothing happened, right? You got some dodgy pop-ups and just closed out of them?
I did, true; but as they say on MythBusters, I’m a trained professional. Your mileage on this one may vary, and it’s the variance that bothers me.
What harm is there in installing a so-called “fake” anti-virus application anyway?
Fake anti-virus apps belong to a class of malware known as scareware, as they attempt to scare you into installing them (hey, no-one ever said security researchers were imaginative). According to the sorts of people who keep these sorts of stats, scareware was one of the top-two consumer-level computer security threats of 2009, with that trend predicted to worsen in 2010.
Scareware is big business, mostly because Joe Average Consumer has not yet been trained to be sufficiently suspicious of it.
But this came from an ad, right? Why would people be advertising this “scareware”?
Two reasons: Some scareware gets you to pay for it, and people obviously do. Computer security is difficult even when you know what you’re doing, and it’s almost impossible waters for the non-geek to navigate. How do you tell which security products are reputable if you don’t know your Symantecs from your McAfees?
Surely anything that’s advertising on a reliable site like LiveJournal must be okay… right?
(Thanks, Dorothy.)
Here’s where things get really frightening. Because most scareware — paid for or not — actually also belongs to a class of malware whose primary purpose is getting your computer infected with more malware. All while telling you Everything Is Fine Totally Don’t Worry Trust Me I’m an Antivirus Program Really. And once one piece of malware is on your system, it’s pretty much open-slather time on your PC; it can do everything from downloading and installing new malware without your intervention, to masking its presence nearly completely, to subversively disabling any legitimate antivirus applications you may have.
And about the only option you have to get rid of it? Is a full reformat.
The big threats with malware nowadays are not viruses that cause chaos on your computer (e.g. deleting files, randomly restarting your PC, etc.); that sort of thing is old hat now. Malware nowadays is mainly geared towards quietly co-opting your PC for use in what’s known as a zombie botnet. Basically, these are giant global networks of compromised user PCs that can be rented on the black market to execute a variety of illegal activities ranging from sending spam to cyber-terrorism.
Holy shit.
Yes.
Now maybe you can start to see why I have a problem with LiveJournal advertising this stuff. People have a trust relationship with LiveJournal, and the scareware ads exploit that in order to try and entice you to download and install them. And the consequences can be dire.
But… wait a second. We’ve had this conversation before: It’s not like LiveJournal is deliberately advertising this stuff. People just buy space on its network. It doesn’t individually vet all ads before it runs them, and it pulls stuff sometimes if enough people complain.
LiveJournal has a set of guidelines about what it will and will not advertise (it’s FAQ question #265; I’m not linking for reasons that are hopefully obvious by now), and scareware technically breaches the first one. For what that’s worth (LJ’s “guidelines” have a known history of being revised every time someone points out a breach).
But really, my problem is with the fact that LiveJournal has chosen something that is a fundamentally unsafe delivery method for its advertising. LiveJournal’s ads are served via ad giant DoubleClick (currently owned by Google). The pop-under/-over/whatever style of ad delivery — that is, basically anything that’s not just a banner or link displayed in or on a page — is known as an “interstitial” and must be opted-into by ad-displayers.
Interstitial ads are the target ad-type for malicious content vendors because they can be designed to look like they originate from a user’s operating system rather than the browser.
You just hate ads! LiveJournal has to make money somehow!
We’re not talking about “just ads” here; we’re talking about something that is deliberately trying to trick you into performing an action that is harmful to your computer.
LiveJournal is a business, and it’s a business’ responsibility to make money. But when that business’ money-making strategy has the potential to compromise the confidentiality, integrity and availability of my computer, then I as a customer have the right to take my business elsewhere.
The most objectionable part here is that these ads are being displayed on content produced by LiveJournal’s users. As a LiveJournal user, you have to ask yourself if you’re comfortable with the notion that you’ve indirectly caused the compromise of someone else’s computer because they just happened to be viewing your cat photos/fanfic/emo poetry/whatever when a dodgy ad popped up.
But I have a Paid/Permanent/Early Adopter account! Ads don’t display on my journal.
So do I (Permanent née Early Adopter, actually). Yet I still pulled my content. Why?
Because even ad-free accounts have knock-on effects. Maybe someone likes your journal and signs up for an account, resulting in them being exposed to the harmful ads. Maybe your Paid account expires, and someone is exposed before you can renew it. The fact is, the more content you host on LiveJournal, the more people the site attracts, the more chance there is for someone to be harmed by malicious advertising.
But can’t those people just use AdBlock?
They could, sure. However, the reality is that the sort of people who are most likely to fall victim to scareware exploits are also the ones who are the least likely to know how to protect themselves via technologies like AdBlock (or AdThwart for Chrome). And again, you have to ask yourself: Am I okay with my content being used for this purpose?
Still, that’s sort of missing the point; as a user and a security professional, I feel obliged to let companies like LiveJournal know that it’s unacceptable to endanger users with malicious advertising, no matter how much it pays. And the main way I can do that? Is by removing myself from their service.
This… does sound pretty bad. What should I do?
The first thing is to protect yourself. Invariably, you’re still going to end up using LiveJournal because you’ll always have some friends/communities who’ll refuse to move. That’s fine. Prevention is much better than cure in the murky world of computer security.[i] So get yourself a good, lightweight AV application like Avast! or AVG Free and learn what its alert windows look like. Learn how to avoid risky behaviours online, and invest in an ad-blocker for your browser (AdBlock and AdThwart as linked above, or something like Privoxy if you’re feeling more technically adventurous). Sites that rely on advertising revenue hate this one, of course, but until advertising stops being one of the major vectors for the spread of malware they can just suck it up and deal.
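As an added illustration of what an ad-blocker such as Privoxy actually does with a domain blocklist (this is example code written for this page, not code from the original post, from Privoxy, or from any of the tools named above): the interesting part is not the list itself but how a hostname is matched against it. Privoxy-style action files use a leading-dot convention, where `.doubleclick.net` means the domain and all of its subdomains. A naive substring match gets this wrong in both directions, so the block below shows the tempting-but-wrong matcher next to one that matches only on DNS label boundaries. DoubleClick is the one network named in the post; the `.ad-network.invalid` entry and every sample URL are constructed for the example.

```python
"""Added example (not from the original post): how an ad-blocker style
domain blocklist should match hostnames.

BLOCKLIST entries use the leading-dot convention found in Privoxy action
files: ".example.net" means example.net itself and every subdomain of it.
Only ".doubleclick.net" is a network the post names; the ".invalid" entry
is a constructed, hypothetical one.
"""

from urllib.parse import urlsplit

BLOCKLIST = (
    ".doubleclick.net",      # named in the post
    ".ad-network.invalid",   # constructed entry (hypothetical)
)


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname from a URL, without any trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def naive_is_blocked(url: str) -> bool:
    """The tempting but wrong version: plain substring matching.

    "doubleclick.net" in "notdoubleclick.net" is True, so an unrelated
    host gets blocked, and the same mistake in an allowlist would let an
    attacker pick "trusted.example.evil.invalid" to slip past it.
    """
    host = hostname_of(url)
    return any(entry.lstrip(".") in host for entry in BLOCKLIST)


def is_blocked(url: str) -> bool:
    """Correct version: match only on DNS label boundaries.

    ".doubleclick.net" matches "doubleclick.net" and "ad.doubleclick.net",
    but neither "notdoubleclick.net" nor "doubleclick.net.example.com".
    """
    host = hostname_of(url)
    for entry in BLOCKLIST:
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def filter_requests(urls):
    """Split a batch of requested URLs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_blocked(url) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample requests, not captured from any real page.
    sample = [
        "https://www.livejournal.com/",
        "https://ad.doubleclick.net/adj/some-slot",
        "https://doubleclick.net/",
        "https://notdoubleclick.net/",            # naive matcher wrongly blocks
        "https://doubleclick.net.example.com/",   # naive matcher wrongly blocks
        "https://pop.ad-network.invalid/scan.html",
    ]
    for url in sample:
        verdict = "BLOCK" if is_blocked(url) else "allow"
        naive = "BLOCK" if naive_is_blocked(url) else "allow"
        print(f"{verdict:5} (naive: {naive:5})  {url}")
```

The same label-boundary rule matters for allowlists: a matcher that tests `"livejournal.com" in host` would happily accept a lookalike such as `livejournal.com.evil.invalid`, which is exactly the kind of host a scareware pop-up might be served from.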
The second thing is to protect others and send a message to LiveJournal by removing your content from the site. This is probably a pretty heavy decision for a lot of people to make, but be heartened to know there are a lot of alternatives that don’t use the intrusive interstitial advertising. Dreamwidth gives you all the community and privacy features of LJ, plus more, and has an intuitive system for importing all your content. Twitter is currently the world’s favourite microblogging service. Tumblr is great if you make a lot of media posts. Delicious (or maybe Diigo) is where it’s at for rec lists and link dumps. And, of course, there are any number of more traditional blog services like WordPress (or the roll-your-own version).
The great thing, of course, about all these sites is that they tend to interoperate with each other (that’s Web 2.0, after all). Import your Twitter into Tumblr. Mirror your Diigo links to Delicious. Crosspost your WordPress to Dreamwidth… the combinations are both complex and endless.
Or, not. It’s up to you; the point is, you’re not as tied to LJ as you might think you are. Really. Trust me on this one.
Okay, so say I leave LJ. Then what? Should I ever go back?
Let people — including LiveJournal — know why you’re leaving as a start. LJ being able to function as a platform that can actually cause damage to your computer is a lot different than getting annoyed at them because they de-listed your interest from the popular interests list.
Also, it’s not like I’m advocating you never go back to LJ EVER AGAIN EVER OMG!!! Chances are, you still have friends who post there who you’d like to interact with. That’s fine; now you know exactly the risk you’re taking it’s your choice to take it or not. All I’m really saying is that you should treat the site as potentially harmful, and minimise your exposure to it accordingly.
And, who knows. Maybe one day they’ll ditch the interstitial ads, and all these warnings will become moot.
Edit: 27th January, 2010
Oh-kay. So apparently this post has gone viral across LJ and Dreamwidth over the last 48 hours or so, aided mostly by being picked up by a few widely-read fen. It’s been crossposted about a hundred times that show up in my logs, and I’ve spent the last day carefully reading people’s comments (because I am a dirty referrer-stalker, as most of my regulars know). There are a couple of common threads that’ve popped up, and I figured they could do with some abstracted answers.
I’ve dusted off Dorothy, so let’s get ready for round two…
You’re just trying to scare people and stir up anti-LiveJournal sentiment! If there were really an issue here, you would’ve reported it to LiveJournal directly instead of posting about it on your blog!
The nutshell here is that I feel more obligated to help Joe Average User (by which read “my friends”) by exposing the issue than I do helping out LiveJournal to cover it up by reporting it to them.
As people have pointed out in the comments to this post, interstitial and (apparently) Flash advertising being “poisoned” by malware vendors isn’t a new thing. The networks who sell these ads and the companies who buy them both know it’s a problem. But you guys, the people who are actually affected? If there’s one thing the last day has taught me, it’s that you guys overwhelmingly don’t.
Well, didn’t, I guess.
Okay, so why pick on LiveJournal? Lots of sites have been affected by this problem, and the internet is a scary place. It’s up to users to protect themselves.
Three things:
One: Apparently a lot of people don’t know they’re “supposed” to be “protecting themselves” — let alone what they’re supposed to be protecting themselves from — or even how to go about that. It’s a pretty common mistake for IT-savvy people to assume that all people have the same base level of tech knowledge they do. They really don’t, and it’s not because they’re “stupid” or “naive” or any nasty things like that; it’s because there are so many incredibly complex issues surrounding what goes wrong and why. When you spend all day researching ancient Sumerian funerary customs or trying to teach 11-year-olds to spell, coming home and learning about zero days and threat vectors and the difference between a vulnerability and an exploit isn’t exactly top of your list.
Two: I picked on LiveJournal because it’s a site that specifically serves potentially poisoned advertising on top of content created by users. By you guys, in other words. Also, it was the one that “caught” me — and apparently a lot of other people — out, mainly because of the trust relationship people have with it (or, rather, with their friends there). I wanted to convey the message that it can no longer be treated as a “safe” site for people to visit. That’s all.
Three: Why the hell is it up to users, anyway? Like I mentioned above, ad networks know the risks their “rich content” advertising poses to users, yet they keep selling them and companies like LiveJournal keep buying them. Sure, users should be protecting themselves, but it’s also reasonable to assign culpability to the companies that keep providing the tools for these exploits to occur. After all, Microsoft fulfils an equivalent role in the software space, and everyone loves blaming MS for every little thing that goes wrong. I don’t see why DoubleClick and LiveJournal should get away with equivalent behaviour (actually worse, since nowadays Microsoft is actually quite diligent about security due to the bad rep it’s managed to acquire).
But LiveJournal now knows about the issue, right? And they’re fixing it?
They now know about it, yes. As to whether they’re fixing it…
The people from LiveJournal I’ve spoken to have been helpful but are mostly interested in pulling the one particular malware ad that affected me initially. I’m not a fan of this approach since it doesn’t actually “fix” anything and, worse, gives users a false sense of security.
At the end of the day, LJ’s ad network remains vulnerable and will continue to put users at risk. And I wouldn’t be holding my breath waiting for LJ to change their advertising model.
Well, I never clicked on a banner ad/pop-up or installed any dodgy software. So I’m okay, right?
Not necessarily. More and more malware nowadays is using a technique known as drive-by downloading; basically installing itself on your PC without your direct knowledge or intervention, just because you happened to visit the wrong website (which could be served to you in a pop-up). The infamous IE6 vulnerability that gave us Operation Aurora used a very complicated (but now freely-available) version of this attack. No user download or installation required.
Forget clicking or installing anything; sometimes all you need to do is have a compromised page load in your browser.
So, do you think it was the—
If you finish that sentence with “Russians” I’m going to strangle you.
Sorry.
Edit: 2nd February, 2010
Last one, hopefully. But I just did a Google search for “livejournal malware” (yes, only just now: I am slow) and apparently exactly the same thing has happened before. Back in ’06 it was apparently big enough news to get posted to Slashdot. Oh how times have changed…
[i] The thing most people don’t realise about anti-virus applications is that they really are only good as a kind of alarm system; with all but the oldest of viruses, by the time your AV has picked it up, you’re probably screwed. Most IT geeks I know (and I know many) will automatically reformat a PC — that is, completely wipe the disks and reinstall everything from the operating system up — rather than try to remove malware piece at a time.