Every time I use a browser without adblock I’m shocked to see what websites actually look like by default.
This reminds me of when I was working for a creative agency and we designed a handful of HTML5 banner ads and I built a small page to showcase all the ads but it never worked.
A day later the lightbuld clicked on and I realized my ad-blocker was blocking our own ads.
This shark came pre-jumped when there was nobody with both the incentive and the ability to stop malicious code being transmitted through advertising channels.
Ad networks have negative incentive to stop malware. Their incentive structure runs in the opposite direction entirely: They have to accept ads as quickly and as broadly as possible, and get them out to the world as quickly as possible. That’s their whole business model. Vetting anything is a cost center, and a big one, given how many ads they have to deal with and how easy it is to hide malware in ways which defeat automatic checks. From what I’ve heard (and not heard), however, they don’t even run automated checks.
People who put ads on their pages have incentive but no ability. Once the ad code is in place, that portion of their page is ceded to the advertiser, and their brand’s goodwill along with it.
So it comes down to the people who deal with the malware. And they’re using their power to block ads. And it is shocking, utterly shocking that the people who are affected by something are taking steps to mitigate it.
Kids these days, I tell ya: Give them malware, and they think it’s something they can take steps to prevent! Entitled brats…
To support that, here’s a Quora answer describing their requirements:
So, they have to analyze current data in real time to try to throw out a relevant ad with requests coming in at thousands a second at least. That’ no time to do a security assessment. Additionally, if pre-screening ads into a database, it would take a lot of both computer analysis and human review on a per ad basis. I imagine the rates are too low for that to be economical. Then, I speculate it gets worse with the large number of VC-funded newcomers that don’t care about security able to make better offers than the company accepting overheads to protect ad viewers. Ad viewers that aren’t paying or supporting them in any way but would be a cost center if protecting them.
There are still bugs sometimes in things like parsers for complex formats like videos which are exploitable without making use of the VM, but fewer of them. It’s harder to write exploits without the VM anyway because your most powerful tool for setting up the process internals the way your exploit code wants them is gone.
[Comment from banned user removed]