Understanding the Drive-By Download

Understanding the Drive-By DownloadMost malware infections now originate from the Web and the majority of those come from drive by downloads. Because it works in the background and doesn’t require human intervention, the drive-by download has become one of the most preferred methods for spreading malware.

With this method of infection, the victim need only visit a malicious website in order to get infected. You don’t even have to click anything to initiate the download. But how is this possible? Wouldn’t this mean no one can ever be safe on the Web? Well not really.

A drive-by download usually relies on what are known as exploit kits. These are installed on malicious sites and scan each visitor’s Web browser for vulnerabilities to exploit. Once a browser or browser plugin vulnerability is found, the download, which takes place in the background, commences.

Because exploit kits (which pave the way for drive-by downloads) work by exploiting vulnerabilities, you can counter them by addressing those vulnerabilities. How? By keeping browsers, Java and Adobe Flash installations, and other add-ons up-to-date. Software updates usually include security patches. The problem is, most users simply don’t take time to update. That’s why exploit kits and drive-by downloads are so prevalent.

Given that drive-by downloads are web-based, they can be used to attack any platform that connects to the Internet and has a Web browser. That means, it doesn’t matter if you’re using Windows, Linux or Mac OS X. The Flashback Trojan for example, managed to herd 600,000+ computers into a botnet, attacked Mac OS X.

Similarly, desktops and laptops aren’t the only devices at risk. Smartphones and tablets are at risk as well. Just last month (July 2016), millions of Android devices were infected with malware that allowed attackers to gain root access. Known as Hummingbad, it infected Android-powered mobile devices mainly through web pages that initiated drive-by downloads.

A web page that initiates a drive-by download is typically hosted on either a malicious site or a legitimate site that redirects to a malicious site. In order to redirect visitors, attackers insert malicious code in the legitimate website, i.e. through an insecure form or iframe.

These malicious items are rarely detected. Few organizations keep a close watch on their pages for threats, and even if they do, the attackers attempt to stay hidden using various obfuscation techniques. Obfuscation basically renders malicious code unreadable while preserving the code’s functionality. Most obfuscation techniques are applied to JavaScript (not related to Java). Not surprisingly, JavaScript is the most common type of script that’s processed by web browsers.

Attacks that take advantage of legitimate websites and domains (such as domain shadowing) are particularly hard to counter. Blacklisting and domain reputation solutions are problematic as you could end up blocking a reputable or business critical domain. For many, the trade-off is not worth the risk.

Drive-by download payloads can vary. Ransomware is the most popular of late, but they can also include rootkits, worms, viruses, spyware, trojans, keyloggers, and a host of others. Any of which can wreak havoc on your systems or your network.

So how do you protect your users from drive-by downloads? First and foremost, proper update and patching protocol. Secondly, user training and awareness is key. Lastly, you need a security solution that can block both malicious sites as well as the compromised components of legitimate sites.  Feel free to learn more about how our solution addresses drive-by downloads.






Cyber Threats Exploiting Pokemon Go Popularity

pokemon threat up aheadLike most popular software, Pokemon Go has quickly become a magnet for cyber criminals. Within just a few days of its launch, the hottest mobile app today has already become the target of DDoS and malware attacks.

For those who have been living under a rock, Pokemon Go is an augmented reality game that runs on iOS and Android. Using the phone screen and camera as its main tools, Pokemon Go allows players to search and capture virtual critters – known as Pokemon – in the real world in real time. Once captured, Pokemons can be trained and brought into battle.

The game’s innovative use of augmented reality, which blends elements of a virtual world with the real world, has enthralled millions of users. Sadly, this extremely high level of activity also attracts individuals with malicious intent. There have been reports of players being robbed when they have wandered off to catch Pokemon or engage with other players.

Since Pokemon Go is first and foremost an app, threats are not limited to the brick-and-mortar world. There are cyber threats too. Two threats that have gained considerable attention are a DDoS attack and a malware attack.


DDoS attack on Pokemon Go servers

A DDoS (Distributed Denial-of-Service) attack was targeted at Pokemon Go login servers on the weekend beginning July 16. This prevented users from logging in to play the game. Two hacking groups have already claimed responsibility for the attack(s). The first group calls themselves OurMine, while the second is known as PoodleCorp. The latter was even bold enough to tweet about the event right before it happened:



While some people believe the server crashes were simply due to the overwhelming influx of users, PoodleCorp has already issued a threat that seems to imply a bigger attack on August 1:



That’s just right around the corner, so we’ll see what happens.

The folks at Niantic (Pokemon Go’s developers and publishers) have ample time to set up contingency measures, so if some considerable downtime still takes place on that date, PoodleCorp must be on to something.


Pokemon Go Malware

Cyber crooks are hitting Pokemon Go on both the server and client fronts. Earlier this month (July 2016), Google removed a fake Pokemon Go app known as “Pokemon Go Ultimate” after researchers at ESET flagged the malicious app.

Pokemon Go Ultimate was capable of locking your phone’s screen after starting up. The app wasn’t designed to be ransomware, but because there was no way to unlock the phone. Users were forced to remove their phone’s batteries in order to restart. The problem was, that upon rebooting, the app would continue running; this time in the background. While running, the app would simulate user clicks on porn ads in a manner similar to Hummingbad.


Possible impact on business cyber security

While DDoS attacks on Pokemon Go servers might have little to zero impact on business’ cyber security, the possible impacts of Pokemon Go related malware are worthy of attention. Some employees might become too enthusiastic with the game and start downloading apps or visiting websites that appear related to the game.

If those apps or websites turn out to be malicious, the phones used to download them could end up getting infected. Those phones can then be a threat as soon as they connect to your network.

Learn more about mobile threats and how to prevent them from invading your network. Contact us now.

Android Malware Hummingbad Infects Millions of Devices

hummingbad android malwareMillions of Android devices (about 10 million to be more exact) are infected by Hummingbad, a piece of malware that gains root access, installs malicious apps, and dupes users and ad networks in an elaborate fraud campaign. This is what researchers from Check Point discovered after a 5-month long study. While ad networks are currently the main victims, the level of sophistication of these attacks can potentially threaten a lot of businesses.


Infection and attack

Hummingbad primarily uses a drive-by download attack to infect devices. That means, your device can get infected if you happen to visit one of the attackers’ malicious websites even if you don’t intentionally download anything.

The attack consists of two main components:

  1. One that utilizes a rootkit designed to exploit a wide selection of vulnerabilities in order to ultimately gain access to the system
  2. One that’s called into play if the first component fails. This one displays a fake system update notification in order to deceive the user into granting the malware access to the system.

Even if Hummingbad fails to gain system-level access, it is still able to download several malicious apps. These apps display ad banners and force users to click on them. Because the ads actually belong to legit ad networks like Mobvista, Cheetah, the attackers are able to collect their share of the ad revenues from those clicks. It’s believed that the attackers earn about $300,000 per month from this exercise alone.


How Hummingbad can affect your business

The fact that Hummingbad can gain root access and install other malicious apps makes it a serious threat to enterprises. With most everyone bringing smartphones and/or tablets to work, either unofficially or through a BYOD (Bring Your Own Device) program, it’s likely that there is work-related data on their devices.

With the level of access Hummingbad is capable of acquiring, it’s not a stretch to imagine the malware operators – or even copycats – to eventually introduce features for exfiltrating sensitive information stored in the victim’s device. The stolen data can then be sold to fraudsters and identity thieves.

Attackers may also sell access capabilities similar to the way server login credentials were sold at online marketplace xDedic. Other possibilities include putting together all these compromised devices (we’re talking millions) into botnets or using some of them to carry out targeted attacks on people with sensitive positions (e.g. system admins or C-level executives).

Any of these attacks can cause considerable harm to your organization.

While most of the victims are located in Asia, Android users in the United States haven’t been spared completely, with about 286,800 victims in the US.


Upgrading to the latest version mitigates the risk of infection

According to the study, a combined 90% of all infected devices were running on Jelly Bean (40%) and Kitkat (50%). These are old Android versions that were first released in July 2012 and October 2013, respectively. By comparison, only 1% of those infected were running Marshmallow, the latest version.

This underlines the importance of upgrading to the latest version. Upgrades may include security updates designed to patch known vulnerabilities. Such updates are especially critical in devices running the Android OS, where vulnerabilities abound. Early this month alone (July 2016), Google released its largest ever security update for Android. That single update addressed an astounding 108 vulnerabilities.

For more information about this malware and how to avoid getting infected, contact us now.

Your Server Could be for Sale – For Only $6


What can hackers do to a server once they’ve broken into it? A lot. Some install malware and make it part of a botnet. Others steal valuable data stored within. Still others, like those mentioned in this post, sell login credentials at shady marketplaces in the Dark Web.

Hot Offer

Thousands of servers for sale

Earlier this month, researchers at Kaspersky revealed yet another alarming discovery in the field of cybercrime. Login credentials to over 70,000 hacked servers were being sold at an online marketplace known as xDedic. Like many underground online marketplaces where tech-savvy crooks trade illicit goods, xDedic can only be reached through the Dark Web.

Apparently, hacked servers are very affordable. Prices for hacked servers were found to go as low as 6 USD. Most of the servers were located in Brazil, China, Russia, India, Spain, Italy, France, Australia, Republic of South Africa, and Malaysia.

Launched in 2014, xDedic gained its reputation as a leading source of compromised server login credentials when 3,000 servers were added to its inventory sometime in 2015. Business has boomed since then.


Tools of the trade

xDedic not only provides a platform for buying and selling hacked servers. It also offers both buyers and sellers tools they can use in finding servers that suit their specific objectives as well as carrying out remote administration via RDP.

One example is a tool used by sellers to scan a hacked system and obtain relevant information such as the Windows version, size of RAM, type of CPU, whether ports 25 and 80 are open, type of VM used, antivirus installed, upload/download speeds, and so on. The same profiling tool is used to search for an RDP service on the server and then to patch it if any is found.

The patch modifies the RDP settings to allow multiple user logins, which would enable a buyer to access the server without alarming the server’s legitimate administrator. The buyer could then access the hacked server through xDedic’s own RDP client.


What can buyers do with a hacked server?

A hacked server can open up a lot of opportunities to a buyer, especially one who operates in the cybercrime industry. Because most of these servers have not yet been blacklisted by blacklisting engines and web reputation sites, they’re perfect for a variety of cyber attacks, including ransomware, malvertising, DDoS, phishing, and many others.

Of course, if a server also happens to store or provides access to storage systems that contain sensitive data, a buyer who specializes in identity theft could have a field day.

The Kaspersky researchers observed a marked interest for servers containing accounting, tax reporting and point-of-sale (POS) applications. Apparently, buyers need these applications for carrying out fraudulent operations. By making use of existing software, attackers can avoid arousing attention.


What countermeasures can help?

Servers that end up at xDedic acquire certain characteristics that can help cybersecurity specialists determine whether a server has been hacked. For instance, the profiling tool mentioned earlier, which is installed on a hacked server after the server is compromised (usually through brute-force attacks), communicates with certain Command-and-Control locations.

In addition, it has been found that the hacked servers are also infected with other pieces of software, including a certain Trojan, bitcoin mining software, and a wrapper for a proxy tool, among perhaps others. For more details about xDedic and these malicious tools, refer to the Kaspersky report on the subject.

Of course, prevention is always preferable to treatment. Once you’ve determined that your servers are safe, you should carry out server hardening to prevent future compromises.

Need help in determining whether your servers have been compromised? Contact us now for a free Harbinger network risk assessment.

The Secrets Behind Ransomware’s Surging Notoriety


Ransomware and the interest around it is surging. A quick look over time at Google Trends reveals an astounding visual representation of the growing interest…


The first ever malware that could be classified as ransomware emerged way back in 1989. Known as the AIDS Trojan, that particular piece of malware hid directories and encrypted filenames, in turn causing its victim’s computer to be unusable (just like today’s CryptoLocker, Locky, Teslacrypt, Cryptowall, and CTB-Locker). To regain control of their PCs, victims had to send money to a Post Office box.

As the graph above shows, ransomware has never before achieved the level of notoriety that it enjoys today. So why are we seeing this growth now?

In this post, we take a closer look at the key drivers fuelling this rapid ascent to infamy. But first, let’s briefly discuss what ransomware is.


What is ransomware?

Ransomware is a piece of malware that, as it name implies, involves ransom money. Once it gets installed on your computer, the malware holds digital assets (in most cases, files) captive and prevents you from retrieving or viewing them. Just like your typical kidnap-for-ransom criminal, it then declares an ultimatum – either you pay a ransom or your files go kaput.

This malware will usually block access to files by locking the screen or encrypting the files themselves. To regain access, you need to pay. Ransom payment is typically done through bitcoins or other electronic payment methods like Ukash, Paysafecard, or MoneyPak. Most systems get infected with ransomware when their users inadvertently download trojans through either phishing emails or malicious websites.

Some ransomware can infect entire establishments, which is what happened to a large hospital in Hollywood. The entire network of the Hollywood Presbyterian Medical Center was locked down by ransomware whose controllers demanded payment in exchange for the “freedom” of the locked patient files.

So why is ransomware fast becoming so popular?


Technology has arrivedransomware1

Back in 1989 (specifically as depicted by the AIDS Trojan) the idea of ransomware was clearly ahead of its time. It spread through floppy disks and encrypted files through symmetric encryption. Floppy disks had to be distributed by hand (literally), while symmetric encryption suffered from the necessity of having decryption keys accompany the trojan files themselves.

Today, trojans that carry the ransomware payloads can spread much faster through the Internet and other connected networks. Encryption is also now asymmetric, which allows the attacker to tuck the decryption key away in a safe location.

Last but not the least, payment can now be done without the hassles of having to deposit to a physical location. Electronic methods like bitcoins and Ukash allow ransom payment to be delivered in just a few clicks.

There’s also a psychological aspect to it.


Instant pain = instant gratification

For the victims, the impact of a ransomware infection can be felt instantly. They can no longer use their computer and they can no longer access important files. Those effects are different from a data breach wherein, although the potential legal repercussions and damage to reputation are known, they’re not felt immediately.

What’s more, the solution to the problem is clear and easily achieved. To get out of their predicament, victims simply have to pay. If they can afford it, many of them will pay. This reaction of course plays into the hands of the crooks responsible for these attacks because it makes these operations highly lucrative.


$$$RANSOM$$$ = funding for R&D

So then it becomes a vicious cycle. The more victims pay, the faster these cybercrime syndicates get their ROI. The crooks then have enough to invest into research and development. That’s why ransomware like CryptXXX are getting updated and acquiring additional malicious functions.


Countering ransomware

Ransomware infection can be prevented through a combination of proper education and the right malware detection and prevention solutions. For example, users must be trained how to identify suspicious email attachments as well as who to contact in the event that one is encountered. In conjunction with that, your network must be secured by advanced anti-malware solutions that are capable of detecting malicious activity.

Vulnerabilities in ImageMagick Library



A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features that we often take for granted. While these software suites enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all he servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.


What is ImageMagick?

ImageMagick is a commonly used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200) including png, jpeg, bmp, cgm, ico, and many others. Through this library, applications can, for instance:

  • Convert images from one format to another;
  • Create thumbnails of uploaded images;
  • Reduce the number of colors in an image through color quantization or posterization;
  • Carry out dithering;
  • Resize, rotate, flip, and crop images; or
  • Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.


Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

  • Content management systems like WordPress and Drupal (that means, over half of the blogs out there rely on it for image processing);
  • Social media sites;
  • Forums (e.g. phpBB); and
  • Wikis

Possible exploitsbad-bug

There are currently a handful of known vulnerabilities in ImageMagick. But the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files through a crafted image and CVE-2016-3714, which allows remote attackers to execute arbitrary code in a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, that particular vulnerability, once successfully exploited, would allow attackers to remotely control a compromised web server.  The attackers could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off the network. In other words, they would be able to do practically anything they want to on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?.

Even when the vulnerability was first discovered, security researchers already believed that it had already leaked to other individuals. And because the exploit is rather basic, the number of threat actors were expected to multiply quickly.

The developers at ImageMagick have released multiple patches, now the onus is on admins and security teams to make sure that their systems are up to date.

BillGates – The Botnet That Spares Windows Machines

Gone are the days when Linux machPenguin-ID11834-640x427ines had that reputation of being immune to malware. Today, Linux systems, like their Windows counterparts, can even be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely in part because of its name – BillGates.

Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot’s malware source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.

Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. This particular toolkit supports a variety of attack vectors, including: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.


How BillGates infects and attacks

Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its attackers carry out brute force attacks on Linux SSH services in order to acquire root login credentials. Once they’ve acquired the passwords and gained access, the attackers then execute a bash script that would in turn download and run the malware on the compromised machine.

As soon as the malware is installed, it then performs a handful of functions that include the following:

  • Carry out persistence mechanisms. This is to ensure that it’s able to infect the host for as long as it needs to;
  • Replace system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used for checking the integrity of the system. If, for example, /bin/ps is replaced, you won’t be able to view the actual processes running on your system.
  • Check its own health and integrity. If it discovers that something’s amiss, BillGates re-executes the main program and re-infects the host.
  • Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands from the server, and then executes the commands, which range from launching DDoS attacks to executing shell commands.

Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.

More details can be found in Akamai’s threat advisory


Countering botnets

Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.

Stack Buffer Overflows – Old Exploits Never Die

Buffer overflows remain one of the most highly exploitable vulnerabilities on the Internet. Just last month (Feb 2016), researchers from Red Hat and Google discovered a bug in the GNU C Library a.k.a.  Glibc that made machines running the glibc package vulnerable to stack-based buffer overflow exploits.

The glibc package is found in several Linux distributions, including those running on servers as well as some routers and other network devices, so the potential scope of impact is quite extensive. Fortunately, a bug fix has already been released and hopefully the majority of the affected machines should have been patched by now. Nevertheless, it doesn’t change the fact that buffer overflows continue to be a threat to information security.

Continue reading Stack Buffer Overflows – Old Exploits Never Die

Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were attacked by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who employ exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.

What is domain shadowing?
Domain shadowing basically refers to the cybercriminal exercise of infiltrating multiple domain registrant accounts in order to spew forth several subdomains for malicious purposes.

Cyber criminals are able to acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, these malicious individuals then create a large number of subdomains. These subdomains could then allow the crooks to carry out attacks behind perfectly legitimate domains, which make the attacks both hard to detect and counter.

domain_shadowingIn the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.

This second group of subdomains, now mostly fourth level subdomains (e.g. abcfsaa.letters.somedomain.com), in turn hosted exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. The number of subdomains on this group is much larger than the first and are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.

Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security groups the time to gather enough information and come up with any meaningful analysis about the attack.

Thirdly, domain shadowing is immune to many of the countermeasures being used today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic from certain domains based on their scores, can have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say cisco.com, they can easily slip through.

Some people are suggesting that since the fourth level subdomains used in domain shadowing are usually made up of random alphanumeric characters, these kind of subdomains might be used as a basis to issue red flags. Unfortunately, several cloud based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.

Clearly, any effective way of countering domain shadowing would require a combination of several approaches. First of all, domain registrants’ accounts must secured. Strong authentication, preferably 2FA, must be required in order to access these accounts to prevent them from being compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Google’s Latest Safe Browsing Update: The End of Fake Download Buttons?

You’ve probably browsed pages – some on well-known high traffic sites – that are full of ads with fake download buttons that took you further away from what you were actually searching for, to dark corners of the internet you’d never willingly visit and software you regret downloading. The real intent of these deceptive ads? Malware. Although they’ve been around for quite a while, they are becoming more prevalent. Some don’t even require a click to pass on an infection.

Here are some examples you probably recognize:

error1 error3error2

Good news for those of you who may not recognize these deceptive ads: Google’s Safe Browsing update aims to minimize your exposure to them. Recently, Google announced a new Chrome feature – as part of its Safe Browsing update – that warns users when they are about to visit sites with these call-to-malware ads. This means that any pages that mimic trusted entities (like your device, browser or the actual site) and trick you into disclosing sensitive information like passwords (that you’d typically only disclose to a trusted entity) will now be flagged by Google. Opening such site would give you the following warning:


The update is turned on by default in Chrome. You can switch it on and off by checking or unchecking the “Protect you and your device from dangerous sites” box located under Preferences in Chrome (Preferences → Settings → Advanced → Privacy).

The ultimate question is: will Google’s latest update keep you completely safe from call-to-malware ads? The answer is most definitely “no.” Even when combined with ad blocking software or applications, Google’s Safe Browsing may not be able to completely keep these ads at bay.

For example, earlier this year, Forbes forced visitors to disable ad blocking software before they could read its content. Since Forbes serves a ‘quote of the day’ and an ad before directing visitors to main content, Google does not accurately cache the page’s content/data. The result was that users were immediately served malware after they disabled ad blockers. Other high profile sites like the New York Times have been victim to similar attacks.

It also looks like it will take a while for Google to compile a comprehensive list of flagged sites. If your site has been flagged, you can follow these instructions to fix the issue.

While Google’s latest Safe Browsing update is an important step towards making the internet a safer space for us, we certainly won’t see the end of malware ads just yet.