Google Chrome adds new anti-malvertising features

Google announced plans today for three new Chrome security features that will block websites from sneakily redirecting users to new URLs without the user or website owner's consent.

While all three additions are welcome, one of these features has the potential to stop a few malvertising campaigns dead in their tracks, and could potentially disrupt the malware scene in the next few months.

Chrome will block iframe redirects

The first of these three features — and the most important — will land in Chrome 64, scheduled for an official release in late January 2018.

Starting with v64, Chrome will block URL redirection attempts triggered by code loaded inside iframes embedded in a page.

Most website owners don't use iframes when creating their sites; iframes usually end up on a page because they are loaded via ads.

Malicious ads — also known as malvertising — will use JavaScript code loaded inside these iframes to redirect users to malicious sites.

By blocking iframes from redirecting users to new sites, Google will be putting a huge dent in malvertising campaigns starting next year.

"I think this will be a HUGE help," Gary Warner, Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB), told Bleeping Computer in a private conversation.

Warner believes that the malvertising campaigns most affected by this change are the ones that rely on delivering malicious ads through ad networks.

"They [malvertisers] have invested huge amounts in the delivery infrastructure," Warner said. "In some cases, they have even purchased ad companies just to deliver malware. I love that all of that investment is now wasted!"

"Sadly the side effect may be an enormous increase in hacking to deliver the 'local' malware," Warner added, referring to malware hosted on hacked sites, as opposed to malware delivered via malvertising campaigns that redirect users to exploit kits.

But malvertising takes many forms, and this change will not put an end to all forms of malvertising. For example, malvertising campaigns that rely on botnets of hacked sites, where the redirection is included in the hacked site's source code and not via an iframe, will most likely remain unaffected.
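Site owners can also constrain the iframe redirects described above in their own markup, using the standard HTML sandbox attribute, which this article does not cover. The following is an added example, not code from Google or Bleeping Computer: it audits a page's iframes for the ability to navigate the top-level page. The ads.example markup and the function names are constructed for illustration.

```javascript
// Constructed sample markup; ads.example is a placeholder host.
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src='https://ads.example/slot4' SANDBOX="allow-scripts"></iframe>
<iframe src=https://ads.example/slot5 sandbox></iframe>
`;

// Minimal attribute scanner for one <iframe ...> start tag (not a full HTML parser).
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Classify what the markup lets framed script do to the top-level page.
function topNavigationRisk(attrs) {
  // No sandbox attribute: the markup places no limit on top-level navigation.
  if (!attrs.has("sandbox")) return "unrestricted";
  const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes("allow-top-navigation")) return "unrestricted";
  // Navigation is allowed only in response to a user gesture inside the frame.
  if (tokens.includes("allow-top-navigation-by-user-activation")) return "user-activation-only";
  // Sandboxed without either token: the frame cannot navigate the top page.
  return "blocked";
}

// Return one finding per iframe start tag found in the HTML string.
function auditIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = parseAttributes(tag);
    return { src: attrs.get("src") || "(no src)", risk: topNavigationRisk(attrs) };
  });
}

for (const { src, risk } of auditIframes(SAMPLE_HTML)) {
  console.log(`${risk.padEnd(20)} ${src}`);
}
```

Frames reported as "unrestricted" depend entirely on the browser to stop a scripted redirect of the top-level page.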

No more tab-unders

But this is not the only new feature that Google has prepared for Chrome that will give crooks headaches.

The second feature — confirming a Bleeping Computer exclusive from last month — is a new mechanism that will block tab-under behavior.

Tab-under is a relatively new term that describes the act of a web page opening links in new tabs and redirecting the old tab to a new URL.

Tab-unders are used by malvertisers, but also by regular advertisers, mainly because they bypass Chrome's built-in popup blocker and allow advertisers to open multiple tabs pushing unwanted products, services, or sites.

This feature will land in Chrome 65, scheduled for release in early March 2018. For both features, Chrome will block the unwanted (iframe or tab-under) redirection and show a toolbar at the bottom of the page with details regarding the blocked action.

Chrome will also block misleading UI elements that redirect users

The last of the three new features, launched today, is named Abusive Experiences Report and takes the form of a blacklist of sites that use misleading UI elements that redirect users without their consent.

"These [misleading UI elements] include links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows," Google said.

Starting today, website owners who registered their site with Google will receive warnings about these types of misleading UI elements in the new Abusive Experiences Report section of their Google Console account.

Google says that beginning January next year, website owners who do not address these reports will have redirections triggered via these misleading elements blocked via Chrome's built-in popup blocker.

Image credits: Google, Nutflix, Bleeping Computer
