Botnets typically don't spread in a sophisticated way. Most of the time it's spam emails or dodgy ads with "hey! install this random .exe file and you can have emoticons in Outlook!"
I think Chrome has shown us the advantages of an automatically updated browser. The future in personal computing I think lies squarely in an automatically updated (even managed) sandboxed environment.
This isn't to say that's right for everyone of course.
But how much fraud, extortion, DDoSing, identity theft, invasion of privacy (eg ratting), etc do people need to put up with before they demand a better way?
EDIT: to address two points:
1. Side-loading is orthogonal to the issue of a sandboxed managed environment. I agree users should be able to side-load. Most won't know how and won't care and that's a Good Thing [tm];
2. Sure the central server can get compromised but the thing is botnets rarely spread in a sophisticated fashion. It's all social. The Facebooks, Apples and Googles of the world have far more experience and a far better track record in dealing with these kinds of threats.
- When the future moves to sandboxed environments, (financial) risk will move there too and attacks will target that future in the sandbox, and attacks will develop with technologies allowed within that sandbox. Disallowing anything but port 80/443 appeared to be a secure environment 10yrs ago, and now javascript, cookies, and the web sites incur many more diverse types of attacks than earlier, within what was allowed.
- A managed, self-updated environment, or a walled garden, already gives the authority a bigger power on every activity and that's often a bigger cut (no botnet can dream of 30% of all transactions...) and a more draconian power than sporadic illegal attacks on some business. And this is a bigger risk overall, to diverse businesses, than this poor botnet poses.
While the bulk of the drive-bys come from plugins that don't exist on your classic walled garden (iOS), WebKit is far from invulnerable. iOS (and others) are quite resistant, but so was ASLR at one point - malware rises to the occasion.
Every so often, someone comes along and says that people don't know what is good for them, so it's better that someone decide for them rather than let "them" decide.
Sometimes it happens in politics, and we get dictatorships. Sometimes it happens in the market, and we get illegal monopolies. Sometimes it happens with the police force, and we get a police state. Sometimes it happens in crime, and we get mafias. Sometimes it happens in families, and we get forced marriages. And sometimes it happens with software, and we get walled gardens.
Deciding for people by removing all choices is not "a better way". We just tend to forget what the costs are of losing the ability to choose for ourselves. It's that, or we are just saying that all software around us is of such small importance that being allowed to decide your own fate is not an important thing.
Better that than not being able to install what you want because "the garden protects us!"
But we should never stop demanding that we can install our own certificate roots for signed binaries to verify against, and that users are allowed to make their own decisions about allowing access outside the box (if they think they are capable).
Until the day when the main server serving the automated updates gets compromised and, instead of serving, say, an updated Chrome, it serves a version of Chrome which a) is compromised on behalf of a botnet master and b) never ever accepts any other update automatically.
Because people have been trained never to update their browser themselves anymore they'll think everything is fine.
Because hundreds of millions --if not billions-- of people are running Chrome suddenly you have the biggest botnet ever out there.
I find it very interesting that you fear extortion, exploits, DDoS, identity theft, invasion of privacy and whatnots as an argument for putting something in place which potentially can be way more destructive.
But of course this shall never happen, right? Just as we haven't seen Facebook getting penetrated and just as we've seen any major bank getting hacked, right? And rogue employees also don't exist, right?
Be careful about what you wish in the future...
1.) A million people using $BROWSER, never updating, continually downloading free_ipad.exe
2.) A million people being owned by an intelligent hacker because of a fault of Google, that is relatively quickly patched, and I'm sure someone will figure out something to disable those rogue Chrome installs.
The first scenario is much, much more likely to happen, and while the second could happen, I doubt Google would sit on their hands while it does happen.
I guess the only problem is in the second issue, it's not your fault if you got screwed. It's your mom's, and just your mom's, problem if she downloads free_ipad.exe, but if Google is hacked all of a sudden all your info is compromised and it wasn't your fault.
Considering these two options however, IMO, I'd rather place my faith in Google overlords keeping us all safe.
You don't fix this by switching out automatic updates for manual ones, because users will blindly install an update even if it's a badly-designed 'update dialog' popup on a shady website. You fix it by ensuring users can trust their software, and care enough to do so.
I don’t think she was alone - I’d bet a ridiculous number of $300 netbooks have a $100 Windows OS and $200 MS Office Suite installed on top.
I don't think this distinction affects the grandparent comment's point.
1. Why?
2. How widespread is this in general? How long before most web advertising is bot-fraud as users learn about ad-blockers?
3. Didn't realise my mouse traces were being recorded by advertisers in such detail... I do not like this.
2.) I haven't been able to find meaningful info on this yet.
3.) I work in e-commerce tech. I had NO IDEA how bad it was before I got into this industry. Just had a sales call with a company who is tracking 400 unique data points per second on users. They track mouse clicks, mouse movements, what you highlight, how long on site, navigation pattern, buying behavior from other in-network sites, page position, etc... and then use that data in real time to dynamically generate promos and offers to "encourage buying behavior".
2. The article shows a bunch of these ghost sites so I would suspect that it's common in the world of scamming/ghost sites to drive up their CPM (Cost per Thousand). Hell, if I was running a legit site, I'd outsource the bullshit ghost sites to a Russian company so that my own CPM gets higher. As an example: I bet the value of "Baby Powder" as a search term is probably twice what it should be.
3. Get "Live HTTP Headers" or run your traffic through a proxy and see how many HTTP requests you generate just using a basic ad. I worked in Rich-Media Advertising and the way we tracked was every interaction. Right when I left in 2008-2009 we started tracking more and more. Really depended on what the client bought/paid for. But we'd always track opens, clicks, etc.. the basic stuff. We didn't do heatmaps or X,Y coordinate tracking, but we had the data.
It was impressive to see: we would host our units on Akamai and due to the sheer traffic were unable to do real-time SQL inserts, so we would crunch the HTTP logs in hour increments after the fact to generate the data. So a typical GET string would be ad.domain.tld/?id=adunitMD5&type=Click&x=0&y=0&action=MD5
Of course it wouldn't be that verbose, but the GET string would be quite long with all the data. This was all done through a combo of JS and ActionScript.
It's guaranteed, but it probably won't work: "Thanks for doing business with us -- by the way, where did you hear about us?" "Online, but I forget where."
Advertisers need to be able to associate an advertisement with a result. Otherwise the effectiveness of advertising is a myth.
So as good as CPA sounds, it's not foolproof either. You can just bypass it with either stolen credit card purchases or refunds.
I saw a presentation from a data scientist at bitly. She showed that spammer links have a distinctive traffic shape (constant over time) while real links have a totally different one (initial peak followed by logarithmic drop to zero). Similar patterns exist in advertising campaigns. 6MM/month seems like a lot of breakage that someone is fine cutting that check.
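The two observations above (hour-bucketed crunching of tracking GET strings in the `?id=...&type=Click&x=..&y=..&action=...` shape described earlier in the thread, and the bitly "constant vs. peak-then-decay" traffic shapes from this comment) combine into a small detection pass. This is an added example, not code from spider.io, bitly or any commenter; the log line format (`<hour> <request path>`), the unit ids and the click counts are constructed sample data, and the 0.25 coefficient-of-variation threshold is an assumed cut-off.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlparse

# Constructed line shape: "<hour bucket> <request path>" (assumption, not a real log format)
LOG_LINE = re.compile(r"^(?P<hour>\d+) (?P<path>/\S*)$")

def parse_line(line):
    """Return (hour, ad unit id, event type) or None for a malformed line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    q = parse_qs(urlparse(m.group("path")).query)
    if "id" not in q or "type" not in q:
        return None
    return int(m.group("hour")), q["id"][0], q["type"][0]

def hourly_clicks(lines, hours):
    """Crunch raw request lines into per-ad-unit click counts per hour bucket."""
    counts = defaultdict(lambda: [0] * hours)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip garbage rather than abort the batch
        hour, adunit, etype = parsed
        if etype == "Click" and hour < hours:
            counts[adunit][hour] += 1
    return dict(counts)

def classify_shape(series):
    """Label a click series as flat (bot-like), peak-then-decay (organic) or irregular."""
    if not series or max(series) == 0:
        return "empty"
    cv = pstdev(series) / mean(series)    # spread relative to volume
    if cv < 0.25:                         # assumed threshold for "constant over time"
        return "constant"
    peak_first = series.index(max(series)) == 0
    decaying = all(a >= b for a, b in zip(series, series[1:]))
    return "peak-then-decay" if peak_first and decaying else "irregular"

def build_sample_log():
    """Constructed sample log: unitA looks organic, unitB clicks at a flat rate."""
    lines = []
    for hour, n in enumerate([8, 4, 2, 1, 1, 0]):
        lines += [f"{hour} /?id=unitA&type=Click&x=10&y=20&action=act1"] * n
    for hour, n in enumerate([3, 3, 3, 3, 3, 3]):
        lines += [f"{hour} /?id=unitB&type=Click&x=0&y=0&action=act2"] * n
    lines.append("2 /?id=unitA&type=Open&x=0&y=0&action=act1")  # an open, not a click
    lines.append("garbage line")                                # ignored by the parser
    return lines

def report(lines, hours=6):
    return {unit: classify_shape(s) for unit, s in hourly_clicks(lines, hours).items()}
```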
Do you find something particularly sinister or unethical about click-based ads (more so than any advertising)?
I do freelance dev work for some guys that run ads; it's just another business to me.
But this is analogous to TV advertisers complaining about TiVO and the ability to skip commercials. Can't stop it!
The odd thing is that either these sites are already very big, or there are other ways they are getting 5 billion ad impressions.
A list of these 202 websites would be informative. I guess a number of them could be fake, to throw the scent off?
E.g., there are approx. 1e6 people in Maine and 4e7 people in California. If you assume 1e2 infected hosts in Maine (0-99) and 3e4 in California (>1e4, 1.2e5 in total), you get an infection rate in California of about 7.5 that in Maine.
Given the very coarse graining in the data source, such a factor can either be dismissed as statistical fluctuation or you could try to explain it using, for example, an infection model that favours geographical proximity, such as one based on Facebook friends. Furthermore, it might well be that internet connectivity is better in California than it is in Maine and the bot prefers hosts with high uplink rates. I don’t know :)
Edit: We don’t know what websites were targeted, but maybe they ran ads that would prefer users from the southwest for some reason?
This was estimated to be making $500K a month before being found... and was a work of pure genius.
I'm still not sure I understood the role of the "HGTV" sites and how the fraudster was getting money by showing the HGTV ads (even after reading the comments on the post explaining this). Weren't the ads on those parked domains enough to generate the revenue for the fraudster?
Are you gonna leave it? I must admit, screwing advertisers doesn't feel so wrong, I'm certainly no fan, but you can't ignore that it's not very ethical.
Given that it's not technically your fault, you'd very likely never get blamed, and your actions will likely not change the world in any way, what will you do?
Do they have the bot code? I didn't see anything about where it came from...just an assumed analysis of effect. Just saying, it might not be a bot or malware at all.
The malware that forces your computer to participate in the botnet can be delivered by any avenue imaginable. Drive-by downloads, crapware, embedded into pirated software, etc. Not sure how Chameleon specifically did it.
The team at spider.io has found a great niche and has impressive results - I always enjoy seeing posts like these pop up from them. Keep up the great work!
When I did this, a few of the IPs had a significant number of orders. Interestingly, the IP with the most orders mapped to E! corporate headquarters.
http://www.networksolutions.com/whois/results.jsp?ip=208.78....