The Economist used a tool on their site to block collect stats and serve ads to visitors using ad blockers. I will avoid diving into the ad-blocking debate, but I will note that my quick check showed 16 ad trackers and beacons on the page. I don’t mind ads, but I do mind tracking.
It turns out that tool, called PageFair, was compromised by attackers to serve malware to Economist readers. The Economist is one of the few publications I still respect, so this made me more than a little sad.
This one is a good learning case. Ryan Naraine and I discussed it on Twitter. Both of us were critical of The Economist’s hack response, Ryan a bit more than me. I see the seeds of good intent here, but flawed execution. Let’s use this as a learning opportunity.
- Good: They detected the situation (or, more likely, someone else did and told them) and responded within 6 days.
- Good: They put up a dedicated page with information on the attack and what people should do.
- Good: They didn’t say “we care very deeply about the security and privacy of our customers”. I hate that crap.
- Good: The response page pops up when you visit the home page.
- Bad: The response page only pops up when you visit the home page from certain browsers (probably the ones they think are affected), and could be stopped if you use certain blockers. That’s a real problem if people use multiple systems, or if the attackers decide to block the popup.
- Bad: They don’t specify the malware to look for. They mention it was packaged as a fake Adobe update, but that’s it. No specificity, so you cannot know if you cleaned up the right badness.
- Bad: They recommend you change passwords before you clean the malware. VERY BAD. Thanks to @hacks4pancakes and @malwrhunterteam for finding that and letting me know.
- Bad: They recommend Antivirus, without confirm recommended tools would really find and remove this particular malware. That should be explicitly called out.
It looks like an even split, but I’d give this response a C-. Right intention, poor execution. They should have used an in-page banner (not a popup) and a popup to grab attention. They should have identified the malware and advised people to clean it up before changing banking passwords.
There is one issue of contention between myself and Ryan. Ryan said, “No one should ever rely on free anti-malware for any kind of protection”. I often recommend free AV, especially to consumers (usually Microsoft). It’s been many years since I used AV myself. Yes, Ryan works for an AV vendor, but he’s also someone I trust, who actually cares about doing the right thing and providing good advice.
I don’t want to turn this into an AV debate, and Ryan and I both seem to agree that the real questions are:
- Would the AV they recommend have stopped this particular attack?
- Would the AV they recommend clean an infection?
But they don’t provide enough detail, so we cannot know. Even just a line like, “we have tested these products against the malware and confirm it will completely remove the infection” would be enough.
I’m not a fan of blaming the victim, but this is the risk you always face when embedding someone else’s code in your page. Hell, I talked about that when I was at Gartner over 10 years ago. You have a responsibility to your customers. The Economist seems to have tried to make the right moves, but made some pretty critical mistakes. Let’s not lambaste them, but we should certainly use this as a learning opportunity.