Pop-up slingers face financial sanctions from Google

UPDATED Google is planning to roll out tougher sanctions against websites featuring deceptive content with the release of Chrome 71, an upcoming edition of its browser software due out next month.

The browsing experience of many has long been bedevilled by sites running various forms of bait and switch trickery in a bid to hoodwink the unwary and make money through dodgy affiliate programs.

Examples include a play button in an embedded video that actually triggers an unwanted download once it is selected, or the close button in a dialog box that actually open an unwanted pop-up window. Much of this malfeasance is associated with phishing scams and the like.

Google already defends surfers against these practices by blocking pop-ups and new window requests from sites employ tactics, such as redirecting pages, associated with abuse.

This has only proved partially effective, prompting Google to take tougher action, as the company explains in a blog post:

More than half of these abusive experiences are not blocked by our current set of protections, and nearly all involve harmful or misleading ads. These ads trick users into clicking on them by pretending to be system warnings or ‘close’ buttons that do not actually close the ad.

Further, some of these abusive ad experiences are used by scammers and phishing schemes to steal personal information.

Starting in December 2018, Chrome 71 will automatically remove ads from sites flagged up as serial abusers, who fail to mollify user-initiated complaints to Google during a 30-day grace period.

While the controls launched last year were largely technical the upcoming changes amount to a financial sanction.

Chris Boyd, a security researcher at Malwarebytes, and long-term fighter of web scams, welcomed Google’s move while arguing it’d be more effective if implemented once infractions are confirmed.

“I like it, but I don’t think they should get 30 days to clean things up,” he said. “There’s no excuse for being unaware these are bad practices after seeing it happen for so many years.”

Maggie Louie, CEO of cybersecurity vendor Devcon, disagreed with this assessment, arguing that website publishers are not necessarily responsible for the deceptive content of ads served through their sites.

"Publishers are not publishing these bad ads," she told The Daily Swig. "They, in face are going to great lengths to stop them! These are pervasive encrypted attacks being deployed through ad networks of all kinds. They are being passed though often injected into perfectly normal looking ads and other encrypted code."

"The ad networks don’t want this either. They are fighting just as hard as the publishers against these unwanted pop-up ads and malicious redirects.

Louie, who heads a firm that specialises in developing tech to combat ad fraud and money laundering through online advertising, concluded that Google may end up punishing publishers for something that isn't within their control.

"To punish publisher is unfair," he said. "It is not within their ability to simply 'remove' these ads. We fight these all day every day for publishers and networks, and as we talked about in the recent article, these are highly sophisticated attacks being deployed by bad actors, not just bad ad quality ads. Publishers are not the ones responsible for these ads entering the ecosystems."

This article has been updated to add comment from Devcon.