The Mac Security Blog

Security & Privacy

How online ads can endanger your security

Posted on by

Ads are everywhere on the internet. From simple banner ads at the tops of web pages to small ads in sidebars, that you see as you scroll down to a page. From animated ads to pop-up videos, both of which distract you when you’re trying to read to grab your attention. And sometimes ads cover an entire page until you either click them, or find the little x to dismiss them.

But ads have also become the scourge of the internet, with what seems like anarchy around how they are served and how much they annoy users. Given the way ad networks function, ads can be very dangerous.

To view or not to view ads?

Many websites are inundated with ads: they not only use a lot of data, but if you have a slow connection they can make web pages load very slowly. And most of them are not interesting; a lot of ads are from clickbait websites that just went to get people to visit them so they can see more ads, which earn money for the sites that host them.

The problem of ads gets a lot worse on large websites. While small sites can pick and choose which ads they want to display, larger sites use ad networks, which are companies that provide ads to a variety of websites according to their subject matter, and tailor them to users through tracking cookies that determine their interests. They may serve millions of different ads each day, all of which are uploaded to their servers without limited verification and provided to websites via simple code that the websites insert in different locations on their pages.

Because of this, publishers – websites, or even apps that serve ads – have little control over ads, and generally don’t even see what types of ads they show their users. A recent story shows how dangerous this is. Hackers managed to take over ad servers running the open-source Revive software, compromising some 60 servers, loading malicious ads onto thousands of websites. This isn’t new; in 2016, a number of major websites, including the New York Times, the BBC, the NFL, and others, were hit by a malvertising attack, after their ad servers were compromised. And even YouTube was hit by cryptomining ads in 2018. YouTube, which is owned by Google, whose DoubleClick ad network unwittingly served the malicious ads.

The ethics of blocking ads

Blocking ads raises a number of ethical questions. Because “free” is the original sin of the internet, ads are essential for many websites; it’s how they pay their contributors, and without ads they wouldn’t survive. In the absence of any viable micro-payment system, where you would pay a small amount of money each time you visit a website, or read an article, the only sites that can survive on subscriptions are those who provide enough consistent content that people are willing to pay for it.

So if you block ads, you’re depriving websites of their income; but you’re also protecting yourself from potential security threats. On the Mac, most of these malicious ads serve images that try to get you to download a Flash Player updater. You probably haven’t used Flash Player in a long time, so you almost certainly don’t need it. Adobe will be killing off Flash Player at the end of 2020, because the technology is archaic, and dangerous. And if you really need to use Flash Player for a website, download Google Chrome, which has a safe version of Flash Player included in the software; and never succumb to any suggestions that you need to update it.

Another technique is to display a dialog telling you that your Mac is not secure, then trying to convince you to buy an app that claims to remove malware from it. This scareware can be dangerous, because the app touted may itself be malware, it may grab files from your Mac or install other software to compromise it.

Other forms of malware can be served via ads. In some cases, the code is ads can trigger drive-by downloads, files that are downloaded without you knowing, and, if there are unpatched zero-day vulnerabilities on the Mac, they could have potentially serious effects. And other ads may contain code that can collect information about you, and upload it to a remote server.

How to protect yourself

There are plenty of ad blockers for Mac and for iOS, and they all give you the option to whitelist – or allow ads – on any website. The best way to use them is to leave them on when you’re using the web, but to whitelist sites you trust, so they get income from ads. I see the relationship between publisher and viewer as one that needs trust; if I see invasive or tacky ads on a website, then the publisher is clearly trying to exploit me.

Strong action from users has helped shape the online ad market over the years. Pop-up and pop-under ads used to be common, until complaints from users and security analysts convinced companies to offer options in web browsers to block such windows from displaying. Web browsers now also let users block auto-play videos, and some have a reader mode, which shows just the content of a web page without the cruft. User tracking has long been common, but Apple has made great strides in preventing granular tracking in its Safari browser.

Ad networks will keep trying to push the envelope with more invasive ads, and will never individually vet ads; there are just too many. As long as this doesn’t change, users need to protect themselves.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →