
Chrome’s Anti-Abuse Feature Blocks Ads on Dodgy Sites


Along with a slew of security fixes, the latest version of the Chrome web browser comes with new features to block online advertisements on sites that deliberately mislead users.

Chrome 71’s anti-abuse technology provides “further protection from harmful ad experiences on the web,” Google product manager Vivek Sekhar said earlier in November when the company first unveiled the additions to Chrome 71. Harmful experiences in this context refer to situations where users are intentionally misled, or tricked, into doing things online that they otherwise would not have.

For example, a site may have buttons that claim to do one thing, such as playing video or closing a window, but actually perform a different action, such as opening a pop-up window or new tab with an advertisement. There may be transparent objects on the page linking to other sites that the user may not be aware of. Users may be unexpectedly redirected to unrelated sites or encounter fake system error messages designed to get users to perform specific tasks.

“Some of these abusive ad experiences are used by scammers and phishing schemes to steal personal information,” Sekhar said.

Google added ad-blocking protections to Chrome 64 and 68 last year that let the browser block sites known to have these questionable—and unwanted—behaviors from opening up any new tabs or windows. While those features have had some effect, Google said that around half of the sites with harmful experiences were still not being blocked by Chrome. Nearly all the experiences involved malicious advertisements.

Chrome 71's anti-ad features extend the protection further as the browser completely blocks all the ads—even if some of those advertisements were legitimate—from being displayed on sites with “persistent abusive experiences.” This way, the onus is on website publishers to check and see if their websites are displaying potentially malicious pop-ups, and to fix those questionable elements. If a site is flagged for repeatedly misleading users, the owner has 30 days to fix the problems before Chrome blocks the ads.

“Site owners can use the Abusive Experiences Report in their Google Search Console to see if their site contains any of these abusive experiences that need to be corrected or removed,” Sekhar said.

One impact of these ad-blocking features is financial. If Chrome won't let those sites display any advertisements, that impacts the site owner's bottom line as the revenue stream will be cut. So long as the site owner doesn't clean up the problems on the site, revenue from advertisers will be limited. However, lower revenues don’t mean the criminals close up shop; they shift operations to find alternate revenue streams.

“So it’s likely that the bad actors behind abusive adverts will turn to wider use of crypto-mining malware, planted on both shady and legitimate websites, to quietly exploit innocent users’ CPU power and generate cryptocurrency whenever they visit those websites,” Checkpoint said.

It's also worth noting that Chrome 71 won't fix malvertising on the web, as the ad-blocking won't address the problem of malicious ads being distributed by third-party networks. The online advertising ecosystem is complex, with many players—resellers, advertisers, website owners, and ad networks—interacting through a "complex system of intermediaries and exchanges." All the layers make it too difficult for Google and third-party networks to effectively police the ads to ensure malicious ones don't make it through.

“Completely eliminating the problem of malicious advertisements remains highly unlikely any time in the foreseeable future,” Checkpoint said.

Criminals take advantage of the advertising industry's infrastructure to display malvertisements on legitimate sites. For example, Checkpoint researchers recently uncovered a campaign where traffic from 10,000 compromised WordPress sites was redirected to malicious websites which displayed ads pushed by the ad networks.

Those sites are “unaware they are carrying ads that exist simply to distribute malware and other attacks to users that unwittingly click on them,” Checkpoint said.

Another, unrelated, anti-abuse feature in Chrome 71 looks for websites that invite users to enter their phone number into a form to receive a service. Once done, a fee shows up on the user's mobile phone bill as a subscription. In many cases, there is nothing wrong with the subscription signup, but there are also sites that abuse the system and mislead users about the subscription cost, or don't warn the users beforehand at all. Chrome 71 identifies these sites and warns users trying to navigate to those sites.

“Stronger protections ensure users can interact with their intended content on the web, without abusive experiences getting in the way,” Sekhar said.