Why ads keep redirecting you to scammy sites and what we’re doing about it

No, your phone hasn’t been hacked and you haven’t won a gift card. Yes, we hate it too.

Scan of a 1946 magazine called Sponsor with the tagline “for buyers of broadcast advertising”. The image shows a man standing behind an ABC microphone. Science, Industry and Business Library: General Collection, The New York Public Library

Just after noon on January 2, I was loading up a Vox Media site on an iPhone simulator to test something when I got a popup that excitedly said:

Congratulations!

Amazon.com User!

You’ve been selected for a chance to get the $1000 Amazon Gift Card, Apple iPhone X 256G or Samsung Galaxy S8!

Please Click OK to claim your reward before it expires!

Despite there being a small “close” button on the popup, nothing I could click would stop me from being redirected to a fake site that looked just like Amazon. On that site was a form available for me to “enter” the contest. I’d just encountered a malicious ad.

Screenshot of an iPhone X showing the malicious popup described in the above paragraphs.
The malicious ad I was served

Was I hacked? Did I have a virus?

Reports of these ads were everywhere on Twitter in early January. They are frustrating and confusing to everyone who encounters them. The ads are intentionally designed to prey on your confusion: to make you think the gift card offer is real so you will put personal information into the form on the site you’re redirected to. You may have immediately feared that your phone has been hacked, or has a virus, or something else equally bad. What, you may have asked, should you do to fix this? Also, you didn’t even get to enjoy the content you were trying to see.

All of these fears make a lot of sense, but none of them are actually what happened to you. Good news, your phone has not been hacked. Rather, you visited a page with advertising and a malicious ad was served to you.

When you visited the page you wanted to view, our ad serving provider (we use Google’s DFP; other companies may use other providers) told servers at various ad companies that it had a few ad slots available on the page. Those servers responded with bids for the slots, the provider chose the winning bid for each slot, and the winner’s ad code (HTML and JavaScript supplied by the advertiser, which nobody at the publisher or the ad server reviews before it runs) was loaded into the page and executed by your browser. All of this happened in a second or two while the page was loading. Unbeknownst to our ad server or the publisher of the article, one of the ads that loaded on the page contained malicious code. Once that ad was loaded, the code triggered the popup I mentioned above and, a few seconds later, redirected you to the scam site; tapping “close” made no difference. There was nothing you could do to stop it. It is not a virus, and nothing on your phone had been hacked to trigger it. An ad hijacked the page you wanted to visit to send you to a different web page.

We hate that this happened.

I work on one of the three teams at Vox Media whose shared goals are to make advertising on our sites user-friendly and non-intrusive. We don’t do popover or interstitial ads that cover content, we don’t allow autoplay video with sound in ads, and we have spent a significant amount of engineering time trying to make sure that the loading of ads does not shift around content (work is ongoing!). It’s a goal at Vox Media that user experience should not be sacrificed to generate revenue. We work really hard to achieve that goal, and when ads like these make it to our sites, we take it extremely seriously.

How do we stop this from happening?

Vox Media’s Ad Operations (AdOps) team works as quickly as possible to stop ads like these from loading on our sites, but we have to find out where they are coming from in order to stop them. This can be difficult. Just because one user sees the malicious ad does not mean everyone will, and that makes it hard to replicate the issue on our own devices. In this instance, I got lucky: I was seeing the redirects on my computer, so it took me much less time than usual to catch the redirect in action.

Within about an hour we had successfully replicated the issue and pinpointed the source. Our AdOps team moved quickly to alert the vendor whose network was being used to serve the ad, and we blocked the source of the issue in Google’s tools. By the end of the day we felt we had successfully blocked the ad and had stopped receiving reports of redirects for the day. Whoever was behind the ad, however, kept finding ways into the system throughout the week on Vox Media sites and many others around the web. Our tools for blocking this require us to identify the source of each malicious ad and block it, which is reactive and not preventative. We started to look for other solutions.

screenshot of a code editor showing a small portion of the three lines of code from the malicious ad
A portion of the ad code

How does the malicious ad work?

After we identified the partner, another engineer and I became curious about what exactly was happening to cause the redirect and annoy every user served the malicious ad. We dug in and were extremely surprised that the frigging thing could not be simpler. When the ad landed on the page there were about three lines of code. That code creates an ordinary link, the same kind you click to go to any page on the web, waits seven seconds, and then fires a click on that link from script. The browser follows a scripted click just as it would a real one, so the page navigates to the scam site. That’s it. Why seven seconds? Most likely to avoid security tools that actively scan sites to try to detect ads like this, although that is just speculation on my part.

What we are doing

Let me be extremely clear: we hate these malicious ads with the fire of a thousand suns and are working actively to keep them off of our sites. We use automated services that regularly scan our sites trying to find malicious ads. We work with ad-selling partners to try to ensure the ads that are sold and served on our sites are high quality. And Vox Media’s AdOps team is constantly monitoring social media, email and Slack for reports of anything that seems questionable (not just malicious).

Despite all this, malicious ads like this pop up every few months. After this recent round, we started investigating what else we can do to prevent these ads from harming your experience on our sites. The ideal solution would be for ads to be delivered to our sites in a safe way that prevents things like this. Google does offer safer delivery options, but they are opt-in for the advertiser, and a scammer simply does not opt in, so nothing currently prevents scammers from sneaking in ads that cause App Store or gift card redirects.

In the absence of Google being a lot more strict with the ads it serves to publishers, we’re investigating ways to force ads to obey these rules on our sites. All ads are served inside iframes (effectively a separate web page inside the current web page), and browsers offer a way to restrict these inner web pages called sandboxing, applied through the iframe’s sandbox attribute. A sandboxed frame that is not granted allow-same-origin is treated as a separate origin, so it cannot read the publisher’s cookies or page content; a frame that is not granted allow-top-navigation cannot navigate the page that embeds it, which is exactly what the redirect needs to do.

We’re testing a way to force all ads to be limited in this way. The test involves intercepting every ad just before it loads and moving it into a sandboxed iframe. The iframe has permission to run the code needed to show the ad and to let you click on it, but it cannot redirect the page and has fewer ways to track you. Early results are encouraging, but there’s still much work to be done with our advertising partners to understand what the full impact will be. Advertisers have been building ads without these restrictions for decades, so we’re trying to make sure that enforcing them on our sites doesn’t break too many things (creatives that expect to reach into the page around them are the likely casualties). If it doesn’t, we’ll ship this change and all ads served on Vox Media will be much more secure for you and everyone else who visits our sites. We’ll keep funding your favorite sites and also we’ll (hopefully) never again make you fear you’ve been hacked.
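The following is an added example, not Vox Media’s code and not the actual ad code from the screenshot above. It puts the two halves of this post side by side: a constructed stand-in for the three-line redirect described under “How does the malicious ad work?” (an ordinary link, a seven-second timer, a scripted click), and a publisher-side wrapper of the kind described in this section that loads any creative into a sandboxed iframe. It assumes the ad server has already handed us the creative as an HTML string; the function names, the scam URL and the fake Document used for running it outside a browser are all hypothetical.

```javascript
// Added example, not Vox Media's code. Names, the URL and the test double are hypothetical.

// (1) Constructed reconstruction of the redirect the post describes: an ordinary
// link, a seven-second timer, then a synthetic click. target="_top" makes the
// click try to navigate the page that embeds the ad rather than the ad's own frame.
const MALICIOUS_CREATIVE = `
<a id="prize" href="https://scam.example/claim" target="_top">Congratulations! Click OK</a>
<script>
  setTimeout(function () { document.getElementById('prize').click(); }, 7000);
</script>`;

// (2) Sandbox tokens for an ad frame. What is left out matters as much as what is in:
//   - no allow-top-navigation: assignments to top.location and target="_top" links
//     fired from script are refused by the browser;
//   - no allow-same-origin: the frame gets an opaque origin, so it cannot read the
//     publisher's cookies or DOM and, because allow-scripts is present, cannot reach
//     out and remove its own sandbox attribute.
const AD_SANDBOX_TOKENS = [
  'allow-scripts',                           // the creative's JavaScript still runs
  'allow-popups',                            // a click-through may open a new tab
  'allow-popups-to-escape-sandbox',          // ...and that tab is not itself sandboxed
  'allow-top-navigation-by-user-activation', // top navigation only on a real gesture
];

// Tokens that would defeat the purpose of the wrapper.
const FORBIDDEN_TOKENS = new Set(['allow-top-navigation', 'allow-same-origin']);

// Build the value of the sandbox attribute, refusing any token that would let the
// creative redirect the page or read the publisher's origin.
function sandboxAttribute(tokens = AD_SANDBOX_TOKENS) {
  for (const t of tokens) {
    if (FORBIDDEN_TOKENS.has(t)) {
      throw new Error(`sandbox token ${t} would let the creative redirect or read the page`);
    }
  }
  return tokens.join(' ');
}

// Wrap a creative (an HTML string as delivered by the ad server) in a sandboxed
// iframe. srcdoc keeps the markup inline; the creative's own image, script and
// impression-pixel requests still work. `doc` is the Document to create it in.
function buildAdFrame(doc, creativeHtml, tokens = AD_SANDBOX_TOKENS) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', sandboxAttribute(tokens)); // must precede srcdoc
  frame.setAttribute('srcdoc', creativeHtml);
  frame.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
  frame.setAttribute('width', '300');
  frame.setAttribute('height', '250');
  return frame;
}

// Minimal stand-in for a Document so the builder can be exercised outside a
// browser; in a page the real Document is passed instead.
function fakeDocument() {
  return {
    createElement(tagName) {
      const attrs = new Map();
      return {
        tagName: tagName.toUpperCase(),
        setAttribute: (k, v) => { attrs.set(k, String(v)); },
        getAttribute: (k) => (attrs.has(k) ? attrs.get(k) : null),
      };
    },
  };
}

// In a browser: mount the hostile creative. After seven seconds the scripted
// click fires inside the frame, the browser refuses the top-level navigation
// because no real user gesture granted it, and the reader stays on the page.
if (typeof document !== 'undefined') {
  document.body.appendChild(buildAdFrame(document, MALICIOUS_CREATIVE));
}
```

The important design choice is allow-top-navigation-by-user-activation rather than allow-top-navigation: a real tap on the ad can still take the reader to the advertiser, but a click fired from a timer carries no user activation and is blocked. The cost is the one this section anticipates: a creative that relies on being same-origin with the page (to resize its slot, measure viewability from inside, or read the publisher’s cookies) stops working once allow-same-origin is withheld, which is why the partner testing has to happen before shipping.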