Ads that automatically redirect you from your daily browsing to a flashy sweepstakes have long been an incredibly annoying facet of the internet. But the versions that have evolved on the mobile web are particularly vexing, because they can trap you with a pop-up "notification" and nowhere to go. And a recent surge in these mobile pop-ups, even on reputable sites, has left people more frustrated than ever.
These redirects can show up seemingly out of the blue when you're in a mobile browser like Chrome, or even when you're using a service like Facebook or Twitter and navigating to a page through one of their in-app browsers. Suddenly you go from loading a news article to wriggling away from an intrusive ad. What enables these ad redirects to haunt virtually any browser or app at any time, rather than just the sketchy backwaters in which they used to roam? Third-party ad servers that either don't vet ad submissions properly for the JavaScript components that could cause redirects, or get duped by innocent-looking ads that hide their sketchy code.
"These popups are not a new tactic, I've seen them around for at least six to nine months minimum. But people have started talking about it, which I think is a very good thing, because it's a problem," says Crane Hassold, a threat intelligence manager at PhishLabs, who previously worked as a digital behavior analyst for the FBI. "Redirecting ads can do different types of things—some of them are just a nuisance, but we’ve also seen redirecting ads in the past that have dropped malware on people’s machines. You’re going to see evolution and adaptation on the threat actor side."
An ad hijacking your browser like that isn't technically a hack, in the sense that it doesn't exploit a software vulnerability. Instead, it relies on the attacker's ability to submit and run ads that contain redirecting JavaScript. But though they aren't a critical threat to web users yet, redirecting mobile ads could create a jumping off point for attackers. And since you encounter the redirects while browsing on even prominent, legitimate sites, there's nowhere to hide. Sometimes the ads are even designed to block your "Back" button, or keep redirecting when you try to close them, making it difficult to escape without having to restart the browser.
"I do think it's new that the ads are so pervasive and are on first-tier publishers," says Anil Dash, CEO of the software engineering firm Fog Creek. "These things used to be relegated to garbage sites, now it's happening on the New York Times."
After the Twitter account SwiftOnSecurity asked The Atlantic about aggressive ad redirects over the weekend, Washington Bureau Chief Yoni Appelbaum replied that they're working on stopping the malicious ads. That's not to pick on any particular publications, though. This is a problem that affects countless sites, with a fix proving elusive so far.
Publishers are particularly vulnerable, because they often rely on third-party ad networks for revenue. As a result, they can find themselves at the mercy of whatever a given ad network doles out. Even if publishers use only reputable services, those ad networks can themselves get duped.
"Ad purchasers are apparently not well-vetted enough and are given too much leeway with regards to JavaScript code execution," says Will Strafach, an iOS security researcher and the president of Sudo Security Group. "I would like to see ad exchanges crack down on this type of aggressive code with a better screening process."
In the meantime, you can install mobile ad blockers to help avoid the pop-ups, and browsers have increasingly incorporated protections to limit malicious intrusions. Google announced in November, for instance, that it would add specialized tools in Chrome to specifically work on addressing unwanted redirects.
But most ad-blocking services still rely on generating "blacklists" of malicious sites, and it's difficult to keep up with the rapid transformations attackers use to stay ahead.
"The known bad websites...are currently outpacing the blacklists it seems," says Strafach, who suggests that the best long-term solution is for ad networks to vet content more assertively, and be more responsive to complaints—something that likely won't come without financial pressure.
"I think the conversation has to change—this is an attack on publishers, being enabled by their ad dollars," Dash says, noting that mobile redirects delay user access to content, or put them off loading it altogether.
Many of the platforms, fortunately, are aware of these problems and already explicitly ban this type of ad behavior. For example, the Google ad network prohibits, "pop-ups or interstitials that interfere with the user's ability to see the content requested [and] sites that disable or interfere with the browser's back button." But in practice, malicious redirects still sneak through.
So the next time you see a weird notification or popup that suddenly coaxes you to play blackjack while you're trying to read the news, remember that it's not just your phone or your problem. Mobile redirects are systemic, and need to be addressed at scale. But in the meantime: Don't. Click. Anything.
- Pop-ups got you down? Chrome has a fix coming in a forthcoming version.
- While most ad blockers rely on blacklists to ban bad actors, Ghostery recently enlisted AI to help stay ahead of the game.
- If you think those pop-ups are bad, wait until you get a load of all the cryptojacking that's going on right under your nose.
