Weird Pop-Ups On The Site? It’s Not (Necessarily) Just You

As you may (or may not) know, I also have a points consulting service, whereby we help people redeem their airline miles. I have several colleagues working with me, and they’re some of the most knowledgeable and passionate people I know in this hobby. During my dad’s round the world surprise birthday trip they offered to step in and help with some guest posts. Thanks to the positive feedback, they’re back with more. This post is from my friend Tiffany, whom you’ve heard from before.


In the past few weeks, you might have noticed people commenting about getting served sketchy pop-ups when they access the site, or click on links in the newsletter. You might even be one of those people.

It’s inexcusable. And we’re really sorry. Especially Ben.

The blog is basically his baby, so having people hijack his site and ruin the experience for y’all is just maddening.

So we’d like to interrupt your regularly-scheduled miles and points party to talk about why this is happening, what is being done about it, and what you can do on your end in the meantime.

Full disclosure: I am not an expert at advertising, malware, technology, or the internet at large. So this is going to be a very simplistic explanation, and if you are an expert in one of the above, please (please!) add your knowledge to the comments.

How does internet display advertising work?

The way I understand it, the majority of the ads you see on the internet, including BoardingArea, are powered by gigantic ad exchanges and servers. Think of it like a catalog of potential advertisements in the cloud.

When you load a page that has advertising (so basically the bulk of the internet), the site says “Hey! I need a 350 x 350 ad to display for this user!” and the code from the ad pops into the correct slot.

The problem is that anytime there’s a network of anything, malicious people will try and use it for nefarious purposes. So what’s happening is that in addition to the trillions of billions of good, legitimate advertisers providing ad code to this catalog, there are also some nasty bugs as well. Some of these are so sophisticated they embed themselves like parasites into good ads, and are able to subvert some of the security checks.

Of course, the ad agencies and the people who control the exchanges are really aggressive about trying to keep the bad code out. Their reputation and income depend on it! Unfortunately, the more robust the security measures, the craftier the malware writers have to be, and you basically end up with the internet-equivalent of penicillin-resistant bacteria.

And the current malware ads are incredibly hard to root out, apparently. These aren’t like the email viruses from the days of Juno and NetZero accounts — you don’t necessarily have to click on these ads in order for their malicious code to be passed to your machine.

It’s a real problem.

See, what happens is that you visit a site, and are somehow infected with this yucky code. It doesn’t necessarily have to be an *ahem* disreputable site either — AOL, The Huffington Post, LA Weekly, and other major sites have all been impacted by this problem recently.

What’s worse, you might not even know you’ve been infected!

Part of what makes these attacks so difficult is that they don’t instantly (necessarily) start wreaking havoc on your internet experience. Instead they install a little beacon on your computer, or in your browser.

That is bad enough, but what this beacon seems to do is send out a “signal” to other bad ad codes. So each time you load a site with advertising, rather than the site just saying “Hey! I need a 350 x 350 ad to display for this user!” there’s another ping saying “WOOOT! PARENTS ARE OUT OF TOWN AND JOE BROUGHT A KEG!!!!!”

That’s cute, but how do I actually learn more about this?

Here’s a (really long, and informative, but not all that interesting) interview that explains in more detail:

Okaaaaay, so what can be done here?

Well, I don’t really know.

The main problem is that this isn’t happening to anyone at BoardingArea, and it’s harder to troubleshoot when you aren’t experiencing something directly. They’ve assured us that they’re making a concentrated effort, are working with the ad agencies and servers, etc., but there’s only so much that can be done, apparently. They’re good people, so I’m inclined to believe they’re trying their best, and they understand this is an untenable situation for everyone.

In the meantime, if you are one of the people receiving pop-ups, having your browser hi-jacked, or are otherwise running into issues, you should probably sweep for malware on your machine.

I have a couple of references here, but if anyone has tools they’ve used or better recommendations, please share!

That’s not a comprehensive list, but should get you started, hopefully.

Again, we’re really sorry. 

Of course, knowing that everyone feels badly doesn’t actually solve the problem of you not being able to read the blog in peace.

We don’t want to minimize that at all, and can do nothing but apologize profusely.

Is anyone an expert in this space? Any other tips?

Update: Boarding Area has issued the following statement:

We are aware that a small minority of users have had experience with potential security vulnerabilities when accessing Boarding Area websites and blogs. We have done complete scans of our systems and can verify that our network and our servers are secure and free from any security vulnerabilities. However, we do rely on a third party for some assets on the sites. We are constantly monitoring and reviewing those assets to ensure the quality of the content provided to us and are doing what we can to try to make sure these assets are clean of those security vulnerabilities as well. We’ll keep monitoring both ourselves and others to try to deliver a safe experience for all users.

If you have had an experience with security vulnerabilities on our websites, we apologize. We want our readers to know that we care and are doing what we can to resolve the issue.

Comments

  1. This is a boardingarea.com-wide problem and they are aware. Installing adblock plus fixed it for me, but yes, it was very, very annoying.

  2. Seems to only happen to me when I try to access this blog via a link on FB or Twitter. If I come here directly there’s no problem.

  3. This was happening to me very frequently on my PC, but not my Mac, and it was driving me up the wall insane. After numerous failed attempts to root out the malware with virtually every malware removal kit on the market, I stumbled upon an article that said sometimes bad copies of WinZip can be the source of this. It seemed crazy, but I gave it a shot. Sure enough, after wiping out my installation of WinZip, and pulling down a fresh copy, the problem went away permanently. Back to being a happy reader of BoardingArea.

  4. Last night, on my home laptop, (I access this site mostly during the day on a work laptop) I got this new window that popped up on a separate tab alerting me, vocally, warning me that I had just downloaded a virus! I couldn’t close out of the window so I did the CTRL, ALT, DEL and closed out of the web browser. Launched the site again and same thing. 3rd time it went fine. I knew not to open anything else from that warning screen as I didn’t know what it would do. All seems fine today.

  5. I just want to say that I HATE the video ads on the site! When multiple ones start running at the same time, my computer slows down so much that I have to close the browser. It basically makes your site unreadable. I love the content, but please do something about the out of control video ads!

  6. I was having a terrible time with this on boardingarea. Asked my computer-geek friend and he suggested this: https://www.malwarebytes.org

    I know nothing about ANYTHING and don’t even know if I’ve introduced Nigerian princes directly to my hard drive, but the pop-ups stopped. Use at your own risk, of course.

  7. Happens to my PC at work and my Mac at home. I hate this annoying pop up that just won’t close when I click to close the window…So frustrating.

  8. @Mason Tip is disable Adobe Flash on your browser – or set it so that it asks you to activate if you want to watch something. That helped me a lot. Hope this helps you.

  9. Data points:

    What is described in this post never happens to me when using a desktop/laptop on 5 different devices (mac and pc) with different browsers. I never use twitter or RSS links.

    I do get a similar weird thing when I browse on my iPhone. Sometimes in the middle of scrolling a BA blog, Safari will take me to the App Store and will ask me to buy some weird app. I’m not aware of any iphone viruses, so I imagine this redirection is coming from something on the Boarding Area site. This happens occasionally and it is not unique to OMAAT, but is Boarding Area wide. Anyone else experience this?

  10. “I like that Ben cannot take the time to comment on this issue.”

    I like that you failed to make a mountain out of an obvious molehill, and nobody took the bait. Really, is this issue of such grave magnitude that you need Ben, BEN THE MAN HIMSELF, to address this?

    Anyhoo, back to the topic at hand.

    I echo what neils said, do install Adblock Plus.

    Additionally, consider getting the NoScript extension for Firefox (I’m guessing it’s available for Chrome as well, but I don’t use it with Chrome). It basically prevents anything possibly harmful from loading, and you tell it what to permanently allow, temporarily allow, and permanently block.

    If you’re using Internet Explorer, any version, just stop it. STOP IT. It is designed and coded by the devil himself, and you need to get rid of it.

  11. I work in the digital advertising industry; specifically, I work on ad fraud prevention. What is being described here is the distribution of ‘drive-by’ malware. In the early days of online advertising, the code on a page was fixed for size dimensions, and ad servers simply made decisions on which image (GIF, typically) filled the space. Now, with an ecosystem that more closely represents a commodities exchange, long gone are the days of a basic 420×60 ad banner. As described in the post, today’s ads aren’t simply images, but bundles of code, which serve not only the static image, but also 1×1 invisible pixels alternately called ‘tracking beacons’, ‘tracking tags’, ‘action tags,’ etc. These little pixels allowed the ability to capture information used to create (anonymous) profiles of the computer (actually, browser) user and to track if the ad had the opportunity to be seen.

    Moreover, the marketplace for ads has evolved from a direct relationship model (publishers sell to advertisers, or agencies) to an exchange/programmatic model (right ad for the right price and the right profile at the right time). This all happens in near real time, and pricing is often auction based. One supplier of publisher ad space may ‘make visible’ its inventory to a broker of ads, who in turn supplies to other exchanges and brokers. This creates a daisy chain effect whereby the original source of an ad may be hard to track, forensically (e.g. after the fact) as brokers call to brokers call to other brokers, call to yet another network.

    Finally, with the combination of code being served into an ad slot and the source of an ad being easily obfuscated, fraudsters simply create ads that they want run cheaply, and everywhere. When the code is eventually served (on Ben’s site, for example), it calls for more code which is malicious, and downloads it to the computer. It’s called ‘drive-by’ malware because once the user clicks to another page, that ad is gone, but its malware is left behind. This malware (or adware, or malvertising) is programmed to do a number of actions, which are mostly annoying to the user experience, if visible at all. You may see pop-ups, or even worse (and more common these days), the malware turns your computer into a node of a large, distributed bot-net. Controlled by a ‘bot herder’, your computer is then used (typically while you’re not using the computer, or in the background) to visit sites and mimic human behavior to consume ads and, through various monetization schemes, illicitly claim revenue on ads served.

    That, my friends, is Ad Fraud in a nutshell – it’s a multi-billion dollar business run by organized crime in Eastern Europe, China, Russia, etc. All out of FBI jurisdiction.

    My advice to the boarding area? Pick your monetization partners carefully. Do your research.
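The broker-to-broker daisy chain described in the comment above can be walked backwards once a reader captures what their browser requested during a bad page load. The following is an added example, not code from the post, the commenter or BoardingArea; the `{url, initiator}` record format, every host name and the partner list are constructed assumptions.

```javascript
// Constructed sample: one page load flattened to {url, initiator} records.
// "initiator" is the URL whose code or redirect caused the request (null for
// the page itself). All hosts are made-up placeholders under .example.
const sampleRequests = [
  { url: "https://blog.example/post", initiator: null },
  { url: "https://ads.adserver.example/slot.js", initiator: "https://blog.example/post" },
  { url: "https://rtb.exchange-a.example/bid?slot=1", initiator: "https://ads.adserver.example/slot.js" },
  { url: "https://cdn.broker-b.example/creative.js", initiator: "https://rtb.exchange-a.example/bid?slot=1" },
  { url: "https://px.broker-b.example/1x1.gif", initiator: "https://cdn.broker-b.example/creative.js" },
  { url: "https://load.unknown-c.example/payload.js", initiator: "https://cdn.broker-b.example/creative.js" },
  { url: "https://popup.unknown-d.example/alert.html", initiator: "https://load.unknown-c.example/payload.js" },
];

// Assumed list of domains the publisher knowingly does business with.
const knownPartners = ["blog.example", "adserver.example", "exchange-a.example", "broker-b.example"];

const hostOf = (u) => new URL(u).hostname;

// Walk initiator links from the suspicious request back towards the page.
// Returns records ordered from the page (or the earliest hop still in the
// capture) to the target request.
function traceChain(requests, targetUrl) {
  const byUrl = new Map(requests.map((r) => [r.url, r]));
  const chain = [];
  const seen = new Set(); // guards against cycles in malformed captures
  let cur = byUrl.get(targetUrl);
  while (cur && !seen.has(cur.url)) {
    seen.add(cur.url);
    chain.unshift(cur);
    cur = cur.initiator ? byUrl.get(cur.initiator) : undefined;
  }
  return chain;
}

// True when host is an allowlisted domain or a subdomain of one.
function isKnown(host, allow) {
  return allow.some((d) => host === d || host.endsWith("." + d));
}

// Summarise the chain: the first host outside the partner list, and the
// last known partner before it (the party that handed off to the unknown
// host, so the one the publisher should raise it with).
function attribute(requests, targetUrl, allow) {
  const chain = traceChain(requests, targetUrl);
  const hosts = chain.map((r) => hostOf(r.url));
  const i = hosts.findIndex((h) => !isKnown(h, allow));
  return {
    hosts,
    // false when the capture is missing hops and never reaches the page
    complete: chain.length > 0 && chain[0].initiator === null,
    firstUnknownHost: i === -1 ? null : hosts[i],
    lastKnownPartner: i > 0 ? hosts[i - 1] : null,
  };
}

console.log(attribute(sampleRequests, "https://popup.unknown-d.example/alert.html", knownPartners));
```

A `complete: false` result means the capture started too late or dropped a hop, so the attribution should not be relied on.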

  12. @Eric – thank you so much for your post.

    Can you shed any light at all as to why we experience this “computer hijacking” on OMAAT and not other BA blogs? I think I experienced it also at FWTW, but less than a handful. Why would Ben’s site be targeted so frequently by these folks and not, for example, MJ or MP. Do they target the more highly-visited sites?

    It has gotten worse with these sites that require you to restart because they won’t let you shake them off.

  13. I’ve been experiencing this on all boardingarea blogs. I have flash blocked, so flash isn’t the issue. I don’t like installing adblock plus because ads are what makes money for these blogs. But I have no choice but to block these malicious ads until boardingarea can get things fixed.

  14. If you are experiencing these issues, here’s what you need to do:

    1) Download Malwarebytes and run a FULL scan.

    2) Install a solid antivirus program that scans processes. I personally like Panda Cloud Antivirus Free. Run a FULL scan.

    3) Install a solid Firewall and disable Windows Firewall. I personally like Zonealarm Free.

    4) Download CCleaner from Piriform and run a cleaning of your programs and system. DO NOT scan and edit registry unless you know what you are doing.

    5) Install Google Chrome Browser, discontinue IE and install AdBlocker Plus extension to Chrome.

    6) Make sure Windows, Adobe Flash Player and Java are all 100% up to date to the latest version.

    If you follow these steps you should be clean and good to go. Most importantly, it should keep you in good shape if you keep the security programs up to date along the way.

  15. “…we do rely on a third party for some assets on the sites.”

    So, basically, Boarding Area knows that the problem is caused by their advertisers, and has done nothing about it.

    Now, I realize that Boarding Area views me as a marketable product, and like most websites worries more about traffic than how I am affected: the click bait headlines and the apparently required weekly recaps are an example, but if you know that one of your advertisers is attempting to defraud your readers, I think a more serious response is in order.

    My response was a little faster: I blocked it from the corporate network, and told people to read it at home. I know we’re not a major amount of traffic, but every bit helps. Failing to respond costs you readers.

  16. I only use chrome. I experience redirects when clicking on a blog post from the home page. It’s malware on the site. Seen it before.

  17. It’s happening to me when accessing other BA blogs, not just OMAAT. This is the first I’ve seen anyone acknowledging it. Thanks for the tips.

  18. You mean that I SHOULDN’T call the non standard Microsoft number that keeps popping up and will not close to see how to fix this assault?

  19. @Colleen – I’m assuming that BA represents all the advertising across the blog network? Assuming that is the case, my best guess is that it’s a volume/probability issue. OMAAT is probably the more widely read of the blogs, and thus more ads are served, thereby increasing the odds that malware will be dumped on a user (and with more users getting infected, the more likely someone will take note and comment). Now, if each blog owner has control of all or part of their own ad inventory, then results will vary based on the ad supplier.

  20. @ Eric — That’s incredibly interesting, thank you, and a much better explanation. It’s been a pretty steep learning curve over here, so that’s quite helpful. Your job sounds fascinating!

  21. I know it’s a hard decision but BoardingArea should stop serving ads until this is figured out. The seriousness of the malware reported should really make them change advertising partners. The current system is broken and it will drive away readers who don’t feel safe visiting BoardingArea.

  22. On the mobile version of the site it regularly loads up and automatically opens up the App Store. Very annoying.

  23. Same thing with Rich. Every now and then when I load a post the Play Store would suddenly pop up on my phone. There seems to be some code lurking in the background that “tricks” Chrome into thinking that I clicked a Play Store link for an app.

  24. Following on to @AAExPlat’s good advice, if you are a Firefox/Mozilla based browser user, the NoScript addon is an absolute must.

    “This add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
    NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.”

    Adobe products are the number one vector for security vulnerabilities on end user workstations at my company – out of date FLASH PLAYER being the biggest culprit.

  25. @AAExecPlat and Eric,

    Malwarebytes appears to be only for Windows — any advice for a comparable program for Macs?

    Thanks

  26. @Tiffany – if you’d like to discuss further, Ben has my contact information. He knows me as Seattle Eric. 🙂

  27. One other suggestion: Try using OpenDNS for your router’s DNS servers. (OpenDNS.com) We use OpenDNS at my office, and I have it coded into my home & travel routers. Been all over OMaaT over the past two weeks and haven’t had a single bad ad/bad popup show up on Mac/PC/Android.

    OpenDNS blocks access to known malware/bad domains at the IP level, so even if an ad points to one, OpenDNS prevents the bad content from being sent.

    They even have step-by-step instructions on how to configure most of the common routers if you’re not experienced in it.

    Best part: It’s free.

  28. I encourage readers of lucky’s blog to consider using Adblock Plus. https://adblockplus.org/
    It stops many annoying tracking programs such as on Facebook, eliminates pop ups, and gets rid of the annoying ads on YouTube. It is even engineered in Germany.

  29. Just like user above. I click links on this blog’s home page to read the articles/posts. And the links themselves open a new tab that redirects to Russia, spam, porn, etc.!!! I can’t even click a link to read a post! Only this blog. No other web sites at all. It has made me stop reading it because I don’t want something nasty. Sounds like I might already have it- from here! Pretty awful. Way to destroy a site.

  30. Just this morning on my iPhone I got a full screen ad asking me to sign up to competition when trying to access this site.

    I couldn’t close the ad so clicked close button on advert. 2 mins later got txt on my phone confirming my competition entry and £5 added to phone bill!

    Checked bill and indeed charge added.

    Called mobile operator who claimed nothing they can do I need to follow up with 3rd party! Account has now been blocked from letting charges occur in the future, positive at least.

    Just thought info could be useful if any others experience it. I’ve never seen a mobile advert that gets data without user filling in a form. Shocking and total spam.

  31. This is happening again more often than not when I try to visit this blog now. It is happening on multiple computers running different OSs. There is no excuse. Boarding Area blogs are the only sites I visit that have these redirects.

  32. My Malware Protection software (Malwarebytes) reports that BoardingArea and One Mile at a Time are infected (and infecting others) with the infamous ‘M55.dnsqa.me’ malicious redirect. Please have someone scan and disinfect your site – it is very annoying and potentially dangerous to have this virus on your site.

    Many thanks

    Luke

  33. October 19, 2016: While I was reading about this article on my iPhone, the pop up/malware happened. Change your advertisers.

  34. @ Allison S — That definitely shouldn’t be happening. Did you happen to take a screenshot? I’ll let our tech team know right away, but they can fix things faster if they know the culprit.
