Chris Dzombak

Takeaways from Vox’s post on malicious ads

Vox has shared an interesting post about the recent appearance of a malicious ad across Vox Media sites in January. I wanted to share a few excerpts from their post, along with my takeaways.

> When you visited the page you wanted to view, our ad serving provider (we use Google’s DFP, other companies may use other providers) alerted servers at various ad companies that it had a few ad slots available on the page.

> We use automated services that regularly scan our sites trying to find malicious ads. We work with ad-selling partners to try to ensure the ads that are sold and served on our sites are high quality. And Vox Media’s AdOps team is constantly monitoring social media, email and Slack for reports of anything that seems questionable (not just malicious).
>
> Despite all this, malicious ads like this pop up every few months.

Despite their best efforts, even Google can’t stop malicious ads from showing up on its own ad network. And despite Vox’s best efforts, they end up serving malicious code every few months.

(“We’ve been trying for years to stop this, but we still serve you malicious code every few months. Oops!”)

If Google can't solve this, can I expect any ad network to avoid distributing malicious code? If Vox can’t prevent this, can I expect any site not to serve malicious ads?

This has been happening for years. If ad networks haven’t been able to solve this by now, the entire system is completely broken and needs to be scrapped.

> Unbeknownst to our ad server or the publisher of the article, one of the ads that loaded on the page contained malicious code.

Vox and Google run code which clearly hasn’t been vetted, from anyone on the Internet, on my computer. This is maddeningly irresponsible.

I believe that I get to choose what code is allowed to run on my own computer. I therefore use an adblocker, because Vox and Google DFP have proven they don’t deserve to be allowed to run random code on my system.

> Vox Media’s Ad Operations (AdOps) team works as quickly as possible to stop ads like these from loading on our site, but we have to find out where they are coming from in order to stop them. This can be difficult. Just because one user sees the malicious ad does not mean everyone will, and that makes it hard to replicate the issue on our own devices. In this instance, I got lucky and I was seeing the redirects on my computer so it took me much less time than usual to catch the redirect in action.
>
> Within about an hour we had successfully replicated the issue and pinpointed the source.

Even after Vox and Google DFP run someone’s malicious code on your computer, they can’t actually tell where the code is coming from. If they get lucky, it only takes them an hour to figure out why they’re serving malicious code. Usually, it takes much longer.

That’s unbelievably irresponsible. At the very least, it should not take days to figure out why you’re serving your users malicious code.

Again: this has been the case for years. It’s not going to get better as long as the online advertising industry exists in its current form.

In the meantime, you can pry my adblocker out of my cold, dead hands.

