Pagefair is an ad-blocking circumvention tool that publishers can use to track readers who've taken technological countermeasures to protect their privacy. The company has sold its service to many publishers — including the Economist — by deploying moral arguments about the evils of ad-blocking.
But on Hallowe'en, for about 90 minutes, Pagefair was hacked and served malware to Economist readers who were using ad-blockers on their computers. Though many ad-brokers have been tricked into serving malware before, Pagefair's technology to override users' security measures made it an ideal vector for infecting PCs.
The Economist was just one of an estimated 500 publishers who served malware during the attack. The attackers tricked PCs into installing Nanocore, a legitimate remote-access program used to allow administrators to control computers over the net. Computers compromised by Nanocore were completely open to attackers; all their files and processes available to them (as well as peripheral sensors like cameras and microphones).
Nanocore quickly disabled the user-account associated with the account, but have not said whether the attackers were able to infect the affected PCs with other malware, exfiltrate their password files, etc. The Economist's advisory to its readers is dishonestly bland, apologising for the "inconvenience" of what could result in virtually unlimited losses, should those users lose control of their bank accounts, confidential email with solicitors, corporate secrets, and login credentials to sensitive systems.
The Pagefair breach is neatly illustrative of the user-case for blocking: even if you don't care about advertising per se, you might still want to shield your computer from malvertising attacks and tracking.
While the damage appears to be limited, the attack is a stark reminder of the security implications of advertising on the web. Pagefair was outspoken in the ad-blocking debate, most notably with a report projecting $22 billion in publisher losses from the blockers in 2015. Pagefair's product offers publishers a way to get around ad-blocking through alternate tracking methods and specific deals with blockers like AdBlock Plus. That system allows publishers to serve ads, but exposes users to the same malvertising attacks that would be possible without an ad-blocker.
While the breach is certainly embarrassing for Pagefair, it's not clear that the damage is any worse than equivalent breaches suffered regularly by ad servers on the web. One attack from last September served millions of malware-laced ads through Doubleclick servers. The attacks also seem to be on the rise: one study found malvertising attacks tripled between June 2014 and February 2015.
A prominent ad-blocker-blocker served malware to Economist readers
[Russell Brandom/The Verge]
Pagefair [The Economist]
(via Nelson Minar)
