AdviceChoose Your CityColumnsNewsSan FranciscoTech

The Scourge Of The ‘Congratulations!’ Pop-Up Ad

The Bay's best newsletter for underground events & news

A despicable “Congratulations!” malware ad has been wreaking internet havoc for the last several months, and websites are confused as hell about what is happening. The ad has appeared on visits to the New York Times and Washington Post, The Verge, Vice and virtually every reputable website. A just-released report from ad platform Confiant found that 62% of sites that run ads have been hit with these pop-ups in the last year, and calls it “2017’s Largest Malvertising Operation.”

Even this very website has encountered the goddamned things. “People were so cranky about it,” Broke-Ass Stuart says. “They thought it was my site and my fault, and that I was purposefully having spammy shit in there to make money. To make things worse, I’m pretty sure it came through Google Ads and it’s impossible to get ahold of anyone there. I was pretty furious.”

The Alamo Drafthouse blog Birth.Movies.Death completely suspended online ad operations until they could they could what the fuck kind of virus they had on their site. But they didn’t have a virus on their site.

And if you got that pop-up ad, it doesn’t mean you have a virus on your phone or computer.  (Though you can get one if you click through and follow its instructions.) Instead, this some bot-operated, third-party ad network bullshit where the companies who put the little ads on websites have been duped by completely fake, non-existent ad firms that went so far as to create fake social media pages and fake LinkedIn accounts for their fake CEOs so they could look like legitimate companies and buy ads that execute evil javascript on your device.

These goddamned pop-ups look a little different on desktop computers than on smartphones. Here is a desktop version via


Most websites don’t choose or put up their own ads. They get them delivered “programatically” (that is, robot-style) from advertising platforms like Google AdSense or Amazon Web Services. That means the ads themselves come from a different third-party platform which is neither Google nor Amazon. And big tech companies like Google and Amazon are philosophically opposed to anything involving “double-checking” or “human beings,” so they let these seedy motherfuckers run wild with ads that can hijack your browser.

These particular ads are called forced redirects. They get submitted to Google, Amazon, etc. as legitimate-looking ads,  but there is hidden javascript within the ad that takes over your phone or desktop browser once the ad runs.

“These forced redirects are a technical mechanism that can be leveraged to deliver a variety of malicious attacks, from those targeting businesses (affiliation fraud), to those targeting individual users (phishing scams, malicious downloads, fake updates etc.),” Confiant CTO Jerome Dangu wrote in an explanation to Ars Technica. “At a minimum, these forced redirects often make a website unusable for an everyday user, [and] at worse [visitors] are being directly attacked. People need to understand where the issues are coming from (often the website owner gets blamed, even as they themselves are a victim, too) and what the new risks are for them in an ad-supported Internet.”


We’re going to assume your browsing on Safari (iOS) or Chrome (Google/Android). If you’re browsing on another platform, try Googling “How to stop forced redirects on [name of your platform].”

On Safari (iOS), go into your Settings and then click on Safari. On the Safari list, make sure you check Block Pop-Ups, Prevent Cross-Site Tracking, Block All Cookies, and Ask Websites Not To Track Me. (As seen above). NOTE: You’ll have to enter passwords manually if you do this. You’d think that a $1,000 iPhone would say something about this in the instructions, but a $1,000 iPhone does not come with instructions.

Google claims they’ve just fixed this problem for Chrome and Android with the Jan. 23 release of Chrome 64. (I only upgraded like an hour ago, so I cannot vouch.) To make sure you’re running Chrome 64, go to your Browser’s menu, click Help, then Click About Google Chrome and follow the upgrade instructions.

Considering Google runs the very ad servers on which this is happening, maybe they could maybe budget a little more money on vetting their ad partners, and less money for their employees’ catered meals, desk massages, and exorbitant salaries? Then some real congratulations would be in order.

Like this article? Make sure to sign up for our mailing list so you never miss a goddamn thing!
Previous post

SFCentric History: Some of the Coolest Things Said About San Francisco

Next post

This Week's Need to Know News for the Bay Area & Beyond

Joe Kukura- Millionaire in Training

Joe Kukura- Millionaire in Training

Joe Kukura is a two-bit marketing writer who excels at the homoerotic double-entendre. He is training to run a full marathon completely drunk and high, and his work has appeared in the New York Times and Wall Street Journal on days when their editors made particularly curious decisions.