With help from Google, impersonated Brave.com website pushes malware

eldakka

Ars Tribunus Militum
1,728
Subscriptor
It's pure e̶v̶i̶l̶ greed these domains exist. Why isn't ASCII enough? There is no reason why bravè.com bravê.com or bravė.com should point to something else than brave.com
Well, mainly because the world is a bit more international than ASCII can handle. There's a huge difference for Spanish-speakers between diezaños.com (tenyears.com) and diezanos.com (tenbuttholes.com). I'm sure with other languages there can be even more extreme examples. And that's before we consider non-Latin script users among the world. Accommodating them effectively requires a Unicode derived system which will, in turn, also include Latin diacritics.

There are some tools that can sniff out potentially misleading URLs by using a variety of heuristics (e.g. all Latin except for one Cyrillic/Greek letter, and that one is known to be potentially confused with a Latin one). If a browser gets one of these URLs with mixed scripts or diacritics, it might be a good idea to check if it's rather similar to a top 1000 (or 10k, or 100k, etc) domain, and alert the user of a potential phishing attempt in such case.

Is tenbuttholes.com available? Asking for a friend.
 
Upvote
3 (5 / -2)
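The heuristic described in the post above (a name with mixed scripts or diacritics is compared against a list of popular domains, and the user is alerted on a match), as an added example that is not part of the original thread and not any browser's code. The popular-domain list and the confusables table are small constructed stand-ins, and `checkDomain`, `skeleton` and `scriptsOf` are hypothetical names.

```javascript
// Constructed stand-in for a "top N" domain list (assumption, not real ranking data).
const POPULAR = new Set(["brave.com", "google.com", "paypal.com", "apple.com"]);

// Small constructed subset of cross-script look-alikes, mapped to Latin.
const CONFUSABLES = new Map([
  ["\u0430", "a"], // Cyrillic a
  ["\u0435", "e"], // Cyrillic ie
  ["\u043e", "o"], // Cyrillic o
  ["\u0440", "p"], // Cyrillic er
  ["\u0441", "c"], // Cyrillic es
  ["\u0445", "x"], // Cyrillic ha
  ["\u0443", "y"], // Cyrillic u
  ["\u0456", "i"], // Cyrillic Byelorussian-Ukrainian i
  ["\u03bf", "o"], // Greek omicron
  ["\u03b1", "a"], // Greek alpha
  ["\u03c1", "p"], // Greek rho
]);

// Which scripts do the letters of one label belong to?
function scriptsOf(label) {
  const scripts = new Set();
  for (const ch of label) {
    if (/\p{Script=Latin}/u.test(ch)) scripts.add("Latin");
    else if (/\p{Script=Cyrillic}/u.test(ch)) scripts.add("Cyrillic");
    else if (/\p{Script=Greek}/u.test(ch)) scripts.add("Greek");
    else if (/\p{L}/u.test(ch)) scripts.add("Other");
    // digits, hyphens and dots belong to no particular script and are ignored
  }
  return scripts;
}

// Reduce a domain to what it "looks like" in plain ASCII:
// decompose accents (NFD), drop the combining marks, map known look-alikes.
function skeleton(domain) {
  let out = "";
  for (const ch of domain.toLowerCase().normalize("NFD")) {
    if (/\p{M}/u.test(ch)) continue; // combining accent, dot above, tilde, ...
    out += CONFUSABLES.get(ch) || ch;
  }
  return out;
}

// Input is the Unicode (display) form of the host name, not the xn-- form.
function checkDomain(domain) {
  const name = domain.toLowerCase().normalize("NFC");
  const result = { domain: name, skeleton: name, mixedScript: false,
                   lookalikeOf: null, alert: false };

  // Pure-ASCII names are outside this heuristic.
  if (/^[\x00-\x7f]*$/.test(name)) return result;

  // Trigger 1: any label mixing scripts (e.g. Latin with one Cyrillic letter).
  result.mixedScript = name.split(".").some((l) => scriptsOf(l).size > 1);

  // Trigger 2 and the actual alert condition: the name differs from its
  // skeleton, and the skeleton is a well-known domain.
  result.skeleton = skeleton(name);
  if (result.skeleton !== name && POPULAR.has(result.skeleton)) {
    result.lookalikeOf = result.skeleton;
    result.alert = true;
  }
  return result;
}

// Constructed sample inputs.
const samples = [
  "brav\u0117.com",    // Latin e with dot above, the look-alike from the article
  "diezan\u0303os.com", // n + combining tilde: legitimate Spanish name, given in NFD
  "p\u0430ypal.com",   // Cyrillic a inside an otherwise Latin label
  "brave.com",         // the real thing
];
for (const s of samples) {
  const r = checkDomain(s);
  console.log(`${r.domain} -> skeleton=${r.skeleton} mixed=${r.mixedScript} alert=${r.alert}`);
}
```

A legitimate internationalised name such as diezaños.com passes because its skeleton does not collide with any listed domain, which is the usability point made in the post.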

sockpuppet 127

Smack-Fu Master, in training
94
Why can’t browser companies highlight letters in the address bar with a yëllow cölor if it’s not part of the language set in the computer, and/or a button appears asking the user to confirm the address? This should be default when you download the browser and then something you can opt out of in the settings menu if you choose so.


Edit @ Starouscz

There is absolutely no reason for URLs with letters not in the chosen language of the computer. I want to be able to block it without having the browser company logging all my pages via the safe browsing function, and I want it blocked even if it’s not deemed to be malicious. Sometimes these filters don’t function properly.

It could be displayed in the address bar before the page is loaded while serving up a tab with a prominent warning.

I like the idea of Google doing this in the search results. Why not both?


Edit 2 @ Malor

I have dark mode, so yellow would shine prominently. The color would have to be linked to the chosen browser colors.
 
Upvote
-4 (1 / -5)

Starouscz

Ars Scholae Palatinae
860
Subscriptor
Why can’t browser companies highlight letters in the address bar with a yëllow cölor if it’s not part of the language set in the computer, and/or a button appears asking the user to confirm the address? This should be default when you download the browser and then something you can opt out of in the settings menu if you choose so.

That's useless, since it means you have already clicked the fake link since it is in the address bar, nobody would type it manually. Google doing it in search results, dunno, I think it would only confuse people, better block it via safe browsing if the browser can tell it is malicious
 
Upvote
8 (8 / 0)
For those who are supporting Ads on Websites, I have a couple of questions -

1. Will the website that serves ads take responsibility for the Ads? For example, if a user clicks and installs MacKeeper from the sidebar ad, will the site that served the ad compensate for the trouble?

2. Not everything put in ToS or T&C are legally acceptable and binding. A contract will become void (unenforceable) if it was agreed through misleading or deceptive conduct, duress, unconscionable conduct or undue influence. Since the websites do not have any control or idea of what is served, they can't ask my permission to agree to accepting them.

I have no issue when Websites take responsibility of the Ads shown on their webpages. However, I will continue to use Adblockers for reasons already mentioned by fellow Arsians. I saw some sites asked to turn off the Adblockers and I also respected that request and never bothered to visit it again.
 
Upvote
6 (6 / 0)

malor

Ars Legatus Legionis
16,093
Why can’t browser companies highlight letters in the address bar with a yëllow cölor if it’s not part of the language set in the computer, and/or a button appears asking the user to confirm the address? This should be default when you download the browser and then something you can opt out of in the settings menu if you choose so.


Edit @ Starouscz

There is absolutely no reason for URLs with letters not in the chosen language of the computer. I want to be able to block it without having the browser company logging all my pages via the safe browsing function, and I want it blocked even if it’s not deemed to be malicious. Sometimes these filters don’t function properly.

It could be displayed in the address bar before the page is loaded while serving up a tab with a prominent warning.

I like the idea of Google doing this in the search results. Why not both?

I would find it much harder to notice the bad letters in yellow than in black. I had to highlight the color block to read it at all.
 
Upvote
4 (5 / -1)

vonduck

Ars Scholae Palatinae
1,176
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.

That just means the browser they are using to get to that ad blocking browser doesn't block jack.
Adblocking Google search is practically a must, or at least ignoring all the ads at the top when looking at results. At least it hasn't got to the point where the Google ad itself hits you without going into the site.
 
Upvote
0 (0 / 0)
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/


It's a terrible solution though. Unless you assume that international audiences don't care about usability. Something less subtle, such as a background colour for any accented Latin character (e.g. yellow background) would do a better job of letting you know that it's not dirt on your screen without totally disabling a useful feature.
 
Upvote
9 (9 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit ad blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.
I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).
Malicious ads aren't very common where I live. As I see things the threat exists but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suites have reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yours. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

.

Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.
 
Upvote
-17 (2 / -19)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
You are not entitled to remove the ads...
I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.
I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come into play. Whether you like it or not. :)

You are the initiator of the visit, after all.
Are those sites with TOS that require you to allow ads making sure the users know about them, and that they have accepted them? Are those clauses actually legal? Are sites free to just not serve content to users that block ads? Are there any ethical and moral questions for the sites regarding the safety of their users, or is it just for us very very bad users?
I am not sure I understand the question.

I am not sure about the legality. And I am not sure what the legal status is if you incorporated a "TOS blocker" into your ad blocker. Perhaps a TOS wouldn't apply if you had never seen it and hence never accepted it. IANAL.

Sites are free to attempt to not serve users using blockers, but users are then again free to circumvent such blocking. I don't think anybody doubts that users (end clients technically speaking) would win that cat and mouse game. So few bother.

Sites do have ethical and moral obligations to their users. Absolutely. Why wouldn't they? If Ars discovered substantial problems with their ad partners I am pretty sure they would suspend ads until the issue was resolved. Any reputable site would do that.

But here is the thing: I have never been served malicious ads from any reputable site I frequent, like Ars, The Guardian, or my local news organisations. I am betting that you have not either. The threat is so negligible that browsing the web for things without ads is likely more of a threat than ads themselves. But you haven't stopped using a browser altogether... right? :)
 
Upvote
-17 (3 / -20)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.
I have a Pi-Hole running on my network, and use an ad blocker full time. I don't see ads. Ever. For anything. They are banished from my network.

I don't care if a site is supported by ads, advertising networks have proven themselves to be immoral, evil ass holes, and I will not allow their intrusive and obnoxious crap to be shown in my browser.
You have taken a stance, and that's fine. As long as you realize the consequences of your actions, and perhaps compensate in other ways.

Incidentally I couldn't help noticing you're a long-time Arsian with over 16000 posts, yet you're both blocking ads and not subscribing. To me, that is very telling. It tells me you have little moral ground to stand on. This site obviously provides great value to you, but you're neither viewing ads nor subscribing. Why is that? Why do you feel entitled to get this value while giving nothing in return?
 
Upvote
-10 (8 / -18)

panton41

Ars Legatus Legionis
11,115
Subscriptor
Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit ad blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.
I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).
Malicious ads aren't very common where I live. As I see things the threat exists but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suites have reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yours. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

.

Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.

Ad network uses advanced malware technique to conceal CPU-draining mining ads

Big-name sites hit by rash of malicious ads spreading crypto ransomware

Millions of web surfers are being targeted by a single malvertising group

Millions exposed to malvertising that hid attack code in banner pixels

Here’s why the epidemic of malicious ads grew so much worse last year

Advertising firms struggle to kill malvertisements

Google stops malicious advertising campaign that could have reached millions

It's not quite as evergreen of a story as "Google kills another product" or "Play store malware" but several times a year is pretty typical.

Those links aren't getting into stuff like dubious quality porn sites where malvertising is the norm, not the exception.

You claim you don't work in the ad industry and yet you keep regurgitating ad industry talking points and trying to claim "ethics" and "morals" to force a pathos argument on a technical subject which is best argued with logos.
 
Upvote
25 (26 / -1)

Starouscz

Ars Scholae Palatinae
860
Subscriptor
Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit ad blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.
I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).
Malicious ads aren't very common where I live. As I see things the threat exists but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suites have reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yours. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

.

Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.

Not sure if I have the best numbers, but let's give it a shot. According to Google, 7% of tested websites are malicious, while 1.6% of sites actually host malware. So blocking third party content from websites may protect you up to 80% of the bad stuff. Obviously this is very rough and inaccurate, but I think it is sufficient to illustrate the point

See point 5 and point 6 for the data:

https://dataprot.net/statistics/malware-statistics/
 
Upvote
7 (7 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/


It's a terrible solution though. Unless you assume that international audiences don't care about usability. Something less subtle, such as a background colour for any accented Latin character (e.g. yellow background) would do a better job of letting you know that it's not dirt on your screen without totally disabling a useful feature.
Agree. Use of mixed alphabets should be a red flag. You're either using special characters for a reason, or you're a scammer.

Not sure how easy it is to detect though.

The core of the problem is that the internet was never designed for trust. It was designed for flexibility and resilience. Trust was slapped on top of everything, with duct tape and hair nails. At the beginning this worked because trust had a price in the form of certificates from somewhat reputable authorities. Now it's cheap and takes mere minutes. Trust has been reduced to facilitating encryption between endpoints, but the party offering encryption is no longer a known quantity and your browser doesn't show that.

At some point we will need a new form of trust system. I don't have a solution, but certificates issued by authorities to registered companies could be part of it.
 
Upvote
-6 (4 / -10)
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/


It's a terrible solution though. Unless you assume that international audiences don't care about usability. Something less subtle, such as a background colour for any accented Latin character (e.g. yellow background) would do a better job of letting you know that it's not dirt on your screen without totally disabling a useful feature.
Agree. Use of mixed alphabets should be a red flag. You're either using special characters for a reason, or you're a scammer.

Not sure how easy it is to detect though.

The core of the problem is that the internet was never designed for trust. It was designed for flexibility and resilience. Trust was slapped on top of everything, with duct tape and hair nails. At the beginning this worked because trust had a price in the form of certificates from somewhat reputable authorities. Now it's cheap and takes mere minutes. Trust has been reduced to facilitating encryption between endpoints, but the party offering encryption is no longer a known quantity and your browser doesn't show that.

At some point we will need a new form of trust system. I don't have a solution, but certificates issued by authorities to registered companies could be part of it.


Browser knows my preferred language, and it can be built up from there. If my language is English then highlight any characters that aren't in the English alphabet.

Might just highlight every non-English character anyway (a relatively short allow-list), and flip it for users in other scripts (for them you highlight English alphabet).
 
Upvote
-1 (1 / -2)
... But here is the thing: I have never been served malicious ads from any reputable site I frequent, like Ars, The Guardian, or my local news organisations. I am betting that you have not either. The threat is so negligible that browsing the web for things without ads is likely more of a threat than ads themselves. ...

I have a library of about two thousand of links like these:

https://www.theregister.com/2017/11/20/ ... b_bank_ad/

https://www.theregister.com/2018/07/30/ ... wordpress/

https://meincmagazine.com/information-tec ... -porn-ads/

https://www.bbc.co.uk/news/technology-56886957

https://www.bbc.co.uk/news/technology-56888693

https://www.bbc.co.uk/news/technology-58001205
 
Upvote
10 (11 / -1)

Dietz

Ars Legatus Legionis
16,999
Subscriptor
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.
I have a Pi-Hole running on my network, and use an ad blocker full time. I don't see ads. Ever. For anything. They are banished from my network.

I don't care if a site is supported by ads, advertising networks have proven themselves to be immoral, evil ass holes, and I will not allow their intrusive and obnoxious crap to be shown in my browser.
You have taken a stance, and that's fine. As long as you realize the consequences of your actions, and perhaps compensate in other ways.

Incidentally I couldn't help noticing you're a long-time Arsian with over 16000 posts, yet you're both blocking ads and not subscribing. To me, that is very telling. It tells me you have little moral ground to stand on. This site obviously provides great value to you, but you're neither viewing ads nor subscribing. Why is that? Why do you feel entitled to get this value while giving nothing in return?
I was a subscriber, for 16 years. I suspended annual renewal in late 2015.
 
Upvote
2 (3 / -1)

malor

Ars Legatus Legionis
16,093
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.

This source (csonline) says that 80% of malware attacks come by email. But they also say, later on:

Plenty of nasty malware was in the wild attempting to exploit these vulnerabilities. Kaspersky says that its web antivirus platform identified 24,610,126 "unique malicious objects" in 2019, a 14 percent boost over 2018. All in all, according to Kaspersky, nearly 20 percent of all internet users were the subject of some kind of malware attack. But those attacks weren't necessarily distributed equally, and attackers are showing more savvy and going after potentially richer targets. For instance, according to Malware Bytes, malware attacks on consumers actually dropped 2 percent, but businesses were in hackers' crosshairs, with threats against them spiking 13 percent.

What specific types of malware attacks were en vogue over the past year? Malware Bytes noted a 224 percent rise in infection of a category of malware it calls hack tools — basically, malicious programs that can probe through systems and networks and download further malicious payloads to take advantage of weaknesses.

So twenty percent of the population gets hit each year. I bet that's much lower among people who block ads.

Here's a quick example of an ad network being used as an attack vector:

Hackers Abuse Google Ad Network To Spread Malware That Mines Cryptocurrency

They've actually coined a term for this: Malvertising. Later sources (this one sounds a few years old) make it sound like this type of attack is in decline, but it was super common a few years ago, enough to actually name it.

Wikipedia has a page on malvertising as well.
 
Upvote
8 (8 / 0)

J.King

Ars Praefectus
4,390
Subscriptor
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/


It's a terrible solution though. Unless you assume that international audiences don't care about usability. Something less subtle, such as a background colour for any accented Latin character (e.g. yellow background) would do a better job of letting you know that it's not dirt on your screen without totally disabling a useful feature.
Agree. Use of mixed alphabets should be a red flag. You're either using special characters for a reason, or you're a scammer.

Not sure how easy it is to detect though.

The core of the problem is that the internet was never designed for trust. It was designed for flexibility and resilience. Trust was slapped on top of everything, with duct tape and hair nails. At the beginning this worked because trust had a price in the form of certificates from somewhat reputable authorities. Now it's cheap and takes mere minutes. Trust has been reduced to facilitating encryption between endpoints, but the party offering encryption is no longer a known quantity and your browser doesn't show that.

At some point we will need a new form of trust system. I don't have a solution, but certificates issued by authorities to registered companies could be part of it.


Browser knows my preferred language, and it can be built up from there. If my language is English then highlight any characters that aren't in the English alphabet.

Might just highlight every non-English character anyway (a relatively short allow-list), and flip it for users in other scripts (for them you highlight English alphabet).
That doesn't really help for languages with both accented and unaccented Latin letters, like Castilian (one example given earlier) and Lithuanian (the subject of the article itself). Even if you assume the system locale reflects the preference of the user, lots of people out there are bilingual or trying to learn a language, and as IDNs become more common, warning fatigue will just cause people to ignore it.
 
Upvote
4 (5 / -1)

Maldoror

Ars Scholae Palatinae
940
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings another guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
 
Upvote
10 (10 / 0)
You are not entitled to remove the ads...
I'll stop you right there. Of course I am. I am my computer's owner and operator. I am the only person entitled to say what processing my computer does or does not do. It most certainly does not answer to the arbitrary dictates of a foreign host which—surprise!—may be a scammer.
I am not going to stop you. But a TOS governs your visit to each URL. You may disregard it, it may not apply to you, and you may find excuses to not give a shit. You are free to not visit a site at all.

But when you do, certain legal, ethical and moral questions come in to play. Whether you like it or not. :)

You are the initiator of the visit, after all.

Terms of service on most websites are legally unenforceable because depending on the country, region, state, and/or locality they may be illegal as a whole (“shrink-wrapped”) or contain illegal sections that invalidate some or all of the document.

Furthermore, try suing someone that turned off javascript in their browser (which an adblocker essentially does among other things) and you will watch yourself get laughed out of court.
 
Upvote
10 (10 / 0)
Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit ad blockers or altering the source of the rendered page). But surely they do have a moral and ethical right though. It is their content, so it's their decision how to monetize it.
I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).
Malicious ads aren't very common where I live. As I see things the threat exists but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suite has reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yours. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.

.

Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs. total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.


And why do you think people use Adblockers? Because they can sing? They look pretty? or they serve a good purpose?

You continuously put a Website's ToS as an excuse to accept Ads. The hard fact is those ToS have no legal standing. You can't ask someone to accept something which you do not possess or have no idea what it is. In layman's terms, you can't sell what is not yours.
 
Upvote
9 (9 / 0)

Jeff S

Ars Legatus Legionis
10,925
Subscriptor++
I'm not familiar with the punycode domain names. I notice they all start with xn--, but the linked article on punycode did not explain that.

Am I correct in thinking that xn-- at the beginning of the domain name is a flag to indicate that the domain name should be interpreted as punycode encoded, and not regular ascii?
 
Upvote
3 (3 / 0)

Wolfie0827

Wise, Aged Ars Veteran
140
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

Because it's not just the ads we are blocking but the internet wide tracking most of those ads are doing that we are blocking. Sure the ads are annoying, but the tracking is worse. If this was done in the real world (Non-digital) you would have a bevy of followers walking behind and beside you every time you left your house and writing down everything you did, looked at, and or bought. As well as everyone you interacted with and every conversation recorded.

That is what we are blocking.
 
Upvote
10 (10 / 0)

J.King

Ars Praefectus
4,390
Subscriptor
I'm not familiar with the punycode domain names. I notice they all start with xn--, but the linked article on punycode did not explain that.

Am I correct in thinking that xn-- at the beginning of the domain name is a flag to indicate that the domain name should be interpreted as punycode encoded, and not regular ascii?
The xn-- prefix is not a feature of punycode itself, but rather one of IDN (internationalized domain names). It is indeed used as a flag to denote an IDN (since all registrations in DNS are required to be a subset of ASCII).
 
Upvote
5 (5 / 0)
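The xn-- form described in the post above, together with the mixed-script and similar-to-a-known-domain checks suggested earlier in the thread, as an added example (not code from the thread or from any browser). The protected list and the tiny confusables table are constructed assumptions, and the per-label encoding skips the full IDNA mapping rules.

```python
import unicodedata

# Assumption: domains we want to protect against lookalikes (constructed list).
PROTECTED = {"brave.com"}

# Assumption: a tiny constructed subset of cross-script lookalikes.
# A real check would use the full Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c"}


def to_ascii(domain):
    """Encode each non-ASCII label as 'xn--' + punycode (the form DNS stores)."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain):
    """Decode 'xn--' labels back to the Unicode form a browser may display."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts(domain):
    """Scripts used by the letters, taken from the first word of the Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in domain if ch.isalpha()}


def skeleton(domain):
    """Strip diacritics (NFKD, drop combining marks) and fold known lookalikes."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in decomposed if not unicodedata.combining(ch))


def check(domain, protected=PROTECTED):
    """Report how a domain (Unicode or xn-- form) relates to the protected list."""
    uni = to_unicode(domain)
    skel = skeleton(uni)
    lookalike = skel if (skel in protected and uni not in protected) else None
    return {
        "unicode": uni,
        "ascii": to_ascii(uni),
        "is_idn": not uni.isascii(),
        "mixed_script": len(scripts(uni)) > 1,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: the accented-Latin case from the article, a
    # Latin/Cyrillic mix, a legitimate IDN from the thread, and the real name.
    for sample in ["brav\u0117.com", "br\u0430ve.com", "diezaños.com", "brave.com"]:
        print(check(sample))
```

The accented-Latin sample is single-script, so a mixed-alphabet rule alone misses it; only the comparison against the protected list flags it, while the Spanish IDN passes both checks.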

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumber's premises of your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumber's only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)
 
Upvote
-17 (2 / -19)

panton41

Ars Legatus Legionis
11,115
Subscriptor
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

 
Upvote
15 (17 / -2)

Maldoror

Ars Scholae Palatinae
940
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

The fundamental difference between our respective viewpoints is that you view "visiting a website" as analogous to going somewhere, while I see "visiting a website" as inviting content into my private space. I see no issue with restrictions on what I let into my private space.

Also, "visiting" is really a misnomer; I rarely leave my couch! All the content is really coming to me.

Edit: if you are OK with restrictions on opting out of what to admit in your private space, you essentially give up the notion of a private space altogether.
 
Upvote
5 (5 / 0)

Wolfie0827

Wise, Aged Ars Veteran
140
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

Because we are not just blocking the ads but the internet wide tracking those ads are trying to do. To put this in an easier way to understand why the tracking bothers us just imagine this:

You step out your door and a bevy of people start following you around as you go about your day, writing down/recording everything you do, look at, buy, sell and everyone you talk to and what was said, what you order for or bring with you for breakfast/lunch/dinner/snack. Just everything and anything!

That is what most of us are blocking in addition to the security of not having our systems taken over by malicious software.
 
Upvote
4 (4 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

The fundamental difference between our respective viewpoints is that you view "visiting a website" as analogous to going somewhere, while I see "visiting a website" as inviting content into my private space. I see no issue with restrictions on what I let into my private space.

Also, "visiting" is really a misnomer; I rarely leave my couch! All the content is really coming to me.

I find it telling that SplatMan asked in one post "Is malware in ads really a problem" and after several people (myself included) throw up about 20 different links showing different aspects of the problem and naming individual high-profile cases suddenly there's crickets.

I'm sorry, but when The New York Times is serving malware because of bad ads I'm inclined to think it's a problem. And, again, among sites like porn malvertising is the norm, not the exception.
 
Upvote
6 (7 / -1)
I don't think this question was answered in the article or the comments; could it be answered, please?

For Android users, loading Brave through Google Play Store is, or is not, a problem?

I am assuming the version in the Play Store is unaffected and kosher.

Otherwise, I have a problem. Thank you.

The Google Play Store is not affected here.

Google's "help" is with serving the ad. The article says "when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com". At the time the ad was purchased from Google, I expect it would not have redirected to the malicious domain. Google should be checking for shenanigans, but that's happening perhaps at the time of purchase only. They could improve here, by periodically checking where ads lead after purchase.
 
Upvote
3 (3 / 0)
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)
You visit a plumber's premises, and sign ToS with fine print that allows robots to insert a tracking device into your body (I won't say where), and upload executable code into your brain. Then you have the audacity to block the tracking device from /insertion/, even though that's how the plumber's business model monetizes you, and you technically agreed to this even if you didn't understand the ToS.

Are you a politician?
 
Upvote
1 (3 / -2)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

Explain and contribute positively. Because I honestly feel my analogy is significantly closer to the real world than prior examples here.
 
Upvote
-18 (0 / -18)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)
You visit a plumber's premises, and sign ToS with fine print that allows robots to insert a tracking device into your body (I won't say where), and upload executable code into your brain. Then have the audacity to block the tracking device from /insertion/, even though that's how the plumber's business model monetizes you.

Are you a politician?
I could be. ;-)

So could you. Because you have a really simple choice: don't visit that plumber, with the business practices you don't like.

But you don't do that. You want to have your cake and eat it too. You demand the right to visit, the right to be served, and the right to dictate the commercial terms of your visit.

No other business on the planet accepts that. So why should the now-famous plumber?
 
Upvote
-6 (2 / -8)

Maldoror

Ars Scholae Palatinae
940
Subscriptor++
[...] I honestly feel my analogy is significantly closer to the real world than prior examples here.

That's of course your right. But as I said before, "visiting a website" is really inviting the outside world into your computer. Given that your computer is a private space, the analogy should reflect that. Yours doesn't.
 
Upvote
4 (4 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings anther guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumbers premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumbers only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

The fundamental difference between our respective viewpoints is that you view "visiting a website" as analogous to going somewhere, while I see "visiting a website" as inviting content into my private space. I see no issue with restrictions on what I let into my private space.

Also, "visiting" is really a misnomer; I rarely leave my couch! All the content is really coming to me.

I find it telling that SplatMan asked in one post "Is malware in ads really a problem" and after several people (myself included) throw up about 20 different links showing different aspects of the problem and naming individual high-profile cases suddenly there's crickets.

I'm sorry, but when The New York Times is serving malware because of bad ads I'm inclined to think it's a problem. And, again, among sites like porn malvertising is the norm, not the exception.
I'll get to reading each and every one of them when I am not on my mobile. :) Rest assured I will diligently go through all of it.
 
Upvote
-4 (0 / -4)