
private data-driven policing will end up reinforcing any institutional racism under the guise of math


99% Invisible had a great episode that touched on this last Fall. Well worth 20 minutes of your time: https://99percentinvisible.org/episode/the-age-of-the-algori...


And Cathy O’Neil's book Weapons of Math Destruction, mentioned in the episode, is also well worth reading.

https://www.amazon.co.uk/dp/0141985410



Allowing environments where violent criminals and murderers are allowed to thrive IS institutional racism


And giving officers the ability to claim anyone fits within that tiny subset of the population based on spurious correlations is institutional racism.

Protect the innocent, or sacrifice them for the good of catching some baddies?


So the attacker got the password for a work email (and let's be honest, it was likely a shared account amongst a department not an individual) that was used for the CDN account hosting their serve code, where the attacker appended a malware download link to their script running on however many sites they work with.

And they were able to convince website owners to grant them access to visitors' connections in order to prevent people from blocking ads? And they were also able to convince them to pay money for this service?


I don't get the hate, I think it's a great idea. It's completely opt-in and both sides win.


"Both sides win" when a consumer chooses to spend their money on gambling. They're getting what they pay for, of their own volition.

I consider advertising to be offensive, and think it's appropriate for a society (big or small) to control what forms of ads are allowed via law. I'd like to see limits on what sorts of trade-offs we can make with respect to ads, so that the life experience of a citizen need not be drowning in advertisement.

Riding a taxi in NYC (where ads are built-in to the cabs and cannot be stopped) is a distinctly unpleasant experience compared to elsewhere. We can only have so many forms of transit available to the people of NYC. I would rather we choose to remove the ads and pay for the transportation system via direct-monetary transfer, or taxation, or some combination. shrug


> "Both sides win" when a consumer chooses to spend their money on gambling. They're getting what they pay for, of their own volition.

Yes, they do. With some exceptions, gambling is a harmless activity that people engage in just for the fun, not expecting to win. Or quoting Motörhead: You win some, lose some, it's all the same to me / The pleasure is to play, it makes no difference what you say / I don't share your greed


Hit the button on the bottom right corner of the screen. First thing I do when I get in a taxi.


It doesn't turn off the screen, and it doesn't turn off the ads. It stops the moving video and audio, and replaces it with a mostly-static blue screen with a few ads that jump position on the screen now and then.


Would love to know this as well. I only have a high level understanding of the purpose of CA Certs, but beyond that I'm lost.

Ignorant questions ahoy:

1. Using Chrome, would you have to manually accept the MITM certificate?

2. Could such a certificate be valid across multiple domains?

3. Would it pose any threat to the computer if it was moved from the MITM network to an outside network?

4. What kind of potential problems could occur if I issued a self-signed certificate for my network?


As far as I understand it (please someone correct me if I'm wrong):

1. In this case you would not have to manually accept anything, as the root certificate (the CNNIC cert) is already in your browser/os and the certificate chain for certs created by MCS would be OK (because their cert is signed by CNNIC).

2. As CNNIC issued them an intermediate CA cert, MCS was able to create certificates for any domain they wanted and these certificates would be considered valid by everyone that has CNNIC in the root store. So the MCS cert is not valid across multiple domains, but it allows MCS to create certificates for every domain which kind of has the same consequences.

3. I think it would pose a threat when leaving the MITM network, but not as a consequence of having been in the MITM network. Only the root certificates are stored locally. Websites have to send a complete certificate chain that anchors their certs in one of the root certs. This means that the cert generated by MCS is not stored and therefore not used when leaving the network anymore. The danger is that this intermediate cert allows MCS to generate certs for any domain and use them outside their network, too.

4. A self signed certificate would have to be installed on the machines in the network. Otherwise users would get a certificate warning and would have to add the cert to their rootstores themselves. Other than that I think that this would grant you the same MITM-powers as this intermediate cert did for MCS, with the only restriction that you couldn't create certs for domains not in your control that would be accepted by users outside your network/that don't have your self signed cert installed.
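A lab check of the chain behaviour described in the answer above, added here as an example and not part of any comment in the thread: a client that trusts only a root accepts a leaf for an arbitrary domain once an unconstrained intermediate signs it. It goes one step beyond the thread by also showing the X.509 name constraints extension, which makes the same client reject that leaf. All names (Lab Root, Lab Intermediate, corp.example, www.bank.example) are constructed, and the `openssl` CLI is assumed to be installed.

```sh
# Added lab example: every name below is constructed; nothing here is a real CA.
set -eu
# Builds root -> intermediate -> leaf in a temp dir, then validates the leaf
# the way a client does: trusting only the root, with the intermediate
# supplied as an untrusted chain cert. $1 picks the intermediate's extensions.
build_and_verify() (
  d=$(mktemp -d)
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_open]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_constrained]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:corp.example
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.bank.example
EOF
  {
    # Root CA: self-signed, the only certificate in the client's trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root" \
      -config "$d/pki.cnf" -extensions ca_open \
      -keyout "$d/root.key" -out "$d/root.pem"
    # Intermediate CA, signed by the root with the chosen extension set.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate" \
      -config "$d/pki.cnf" -keyout "$d/int.key" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -extfile "$d/pki.cnf" -extensions "$1" \
      -out "$d/int.pem"
    # Leaf for a name outside corp.example, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.bank.example" \
      -config "$d/pki.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -days 1 -extfile "$d/pki.cnf" -extensions leaf \
      -out "$d/leaf.pem"
  } >/dev/null 2>&1
  if openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
       "$d/leaf.pem" >/dev/null 2>&1; then r=ACCEPTED; else r=REJECTED; fi
  rm -rf "$d"
  echo "$r"
)
echo "unconstrained intermediate:    $(build_and_verify ca_open)"
echo "name-constrained intermediate: $(build_and_verify ca_constrained)"
```

When auditing a trust store or an internal CA, the same `openssl verify -CAfile ... -untrusted ...` call shows whether a given chain would be accepted with only the root trusted.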


Check the certificate store for the browser you are using. Mozilla Firefox has its own. Internet Explorer and Chrome on Windows rely on the Windows certificate store.

http://windows.microsoft.com/en-us/windows-vista/view-or-man...

Details on what certificates come with your installation of Mozilla Firefox: https://www.mozilla.org/en-US/about/governance/policies/secu...

Your organization may add their own certificates as described below: https://www.utexas.edu/its/help/user-certs/817


Because there's a scary proportion of people in here saying things like:

- "how about they just move?"
- "the guy is a construction worker? they're in demand, just go to a construction office and get a job"
- "I don't get it. One person on video lives in nice bedsit (garage) and talks about homeless."


What sort of awesome features? Show me why I should give you my email address.


Access to IP address + browser fingerprint on two sites that you've recently visited. Doesn't seem that implausible with all the recent security breaches.


The problem with display advertising is that too much of the industry is focused on clicks. Anti-fraud companies can come up with ways to try to mitigate click fraud but it won't do much of anything as they can, and will be, gamed by black hats - there's too much money at stake.

I deal with it every day and the best method is to educate the client by explaining why a click is a poor indicator of performance. Work with the client to come up with measurable goals to track click-through/view-through conversions on these goals and ultimately try to measure impact on ROI. It's really not THAT difficult for most campaigns.

The most difficult part is that the client becomes aware of all those wasted dollars on previous campaigns that they thought were high performance because of a high CTR.


> "Work with the client to come up with measurable goals to track click-through/view-through conversions on these goals and ultimately try to measure impact on ROI. It's really not THAT difficult for most campaigns."

Strongly disagree here. It really is THAT difficult for most campaigns. What you are talking about is attribution, and display attribution in particular is still in the dark ages compared to anything click-based. It is IMHO by far and away the toughest problem to tackle in the industry right now. Even more so than fraud, because if you have a clear sense of what is actually driving revenue, the fraud just becomes another factor for bid algorithms to consider.

Coming up with the value of a view-through conversion, etc. is non-trivial. Further, even getting revenue data from view-throughs is not easy for most advertisers that don't have an ad server in place (think everyone using the vanilla AdWords tracking on the GDN). Specifically, Google gives you view-through conversions, but not view-through revenue, even though they clearly have the data.

I agree that too much of the industry is focused on clicks, and publishers are still loving branding clients that go after impressions because they see it as an easy commission that is super simple to automate management for.

That said, I wish any company with a display offering would do more to prove the value of it from an attribution standpoint. Why do I need to have DFA for accessing full exposure-to-conversion path data? Wouldn't that make it much easier for me to sell in the value of display to my org/clients so I would spend even more?

Personally, I'm dying to see what Google does with Adometry, and what FB does with Atlas in terms of proving the value of display from a data-driven dynamic attribution standpoint. Static models are broken and display is a much more difficult beast to tackle.


Aren't most advertising campaigns focused on acquisitions these days?


No, and they are not focused on clicks either. The majority of the adspend* cares about impressions, viewability and lift.

*display adspend


> Aren't most advertising campaigns focused on acquisitions these days?

Nope, much of it is branding. Some are focused on clicks, some are focused on viewability... it's sort of a turning point in the industry...

> No, and they are not focused on clicks either. The majority of the adspend* cares about impressions, viewability and lift. *display adspend

Most or not, it's still a significant amount. The clients you mention may be more concerned with impressions/viewability/lift, but they're still vulnerable to be gamed the same way as someone who cares about clicks. Viewability is already being manipulated by the same bots that generate fraudulent clicks. It's a great metric in theory, but take it with a grain of salt.

If anything, these companies (Moat, IAS, Oxford...) are the ones who should be most concerned about combating bots.


> The clients you mention may be more concerned with impressions/viewability/lift, but they're still vulnerable to be gamed the same way as someone who cares about clicks.

No arguing there. I was just pointing out facts to the previous commenters.

I don't know about the turning point tho...


They will typically set up several generic websites with ads, and set their click farm loose to represent fake traffic while clicking on ads for X% of impressions. You could also be a mercenary and drive traffic to other website operators who want traffic/rev, or even dilute quality/waste spend on competitor ad campaigns.

Since these click farms are typically just infected computers, they can likely set up other tasks to monetize: DDoS, email, BTC mining, etc...


$2 is pretty good for rev share. Much of those impressions are clearing at $20+

