Ads that automatically redirect you from your daily browsing to a flashy sweepstakes have long been an incredibly annoying facet of the internet. But the versions that have evolved on the mobile web are particularly vexing, because they can trap you with a pop-up "notification" and nowhere to go. And a recent surge in these mobile pop-ups, even on reputable sites, has left people more frustrated than ever.
"These popups are not a new tactic, I've seen them around for at least six to nine months minimum. But people have started talking about it, which I think is a very good thing, because it's a problem," says Crane Hassold, a threat intelligence manager at PhishLabs, who previously worked as a digital behavior analyst for the FBI. "Redirecting ads can do different types of things—some of them are just a nuisance, but we’ve also seen redirecting ads in the past that have dropped malware on people’s machines. You’re going to see evolution and adaptation on the threat actor side."
"I do think it's new that the ads are so pervasive and are on first-tier publishers," says Anil Dash, CEO of the software engineering firm Fog Creek. "These things used to be relegated to garbage sites, now it's happening on the New York Times."
After the Twitter account SwiftOnSecurity asked The Atlantic about aggressive ad redirects over the weekend, Washington Bureau Chief Yoni Appelbaum replied that they're working on stopping the malicious ads. That's not to pick on any particular publications, though. This is a problem that affects countless sites, with a fix proving elusive so far.
Publishers are particularly vulnerable, because they often rely on third-party ad networks for revenue. As a result, they can find themselves at the mercy of whatever a given ad network doles out. Even if publishers use only reputable services, those ad networks can themselves get duped.
'I would like to see ad exchanges crack down on this type of aggressive code with a better screening process. But that is unlikely without some sort of financial pressure.'
Will Strafach, Sudo Security Group
In the meantime, you can install mobile ad blockers to help avoid the pop-ups, and browsers have increasingly incorporated protections to limit malicious intrusions. Google announced in November, for instance, that it would add specialized tools in Chrome to specifically work on addressing unwanted redirects.
But most ad-blocking services still rely on generating "blacklists" of malicious sites, and it's difficult to keep up with the rapid transformations attackers use to stay ahead.
"The known bad websites…are currently outpacing the blacklists it seems," says Strafach, who suggests that the best long-term solution is for ad networks to vet content more assertively, and be more responsive to complaints—something that likely won't come without financial pressure.
"I think the conversation has to change—this is an attack on publishers, being enabled by their ad dollars," Dash says, noting that mobile redirects delay user access to content, or put them off loading it altogether.
Many of the platforms, fortunately, are aware of these problems and already explicitly ban this type of ad behavior. For example, the Google ad network prohibits, "pop-ups or interstitials that interfere with the user's ability to see the content requested [and] sites that disable or interfere with the browser's back button." But in practice, malicious redirects still sneak through.
So the next time you see a weird notification or popup that suddenly coaxes you to play blackjack while you're trying to read the news, remember that it's not just your phone or your problem. Mobile redirects are systemic, and need to be addressed at scale. But in the meantime: Don't. Click. Anything.
Pop Goes the Bad Ad
- Pop-ups got you down? Chrome has a fix coming in a forthcoming version.
- While most ad blockers rely on blacklists to ban bad actors, Ghostery recently enlisted AI to help stay ahead of the game.
- If you think those pop-ups are bad, wait until you get a load of all the cryptojacking that's going on right under your nose.