For the past few weeks, Forbes.com has been forcing visitors to disable ad blockers
if they want to read its content. Visitors to the site with Adblock or uBlock enabled
are told they must disable it if they wish to see any Forbes content.
Thanks to Forbes’ interstitial ad and quote of the day, Google caching doesn’t
capture data properly, either.
What sets Forbes apart, in this case, is that it didn’t just force visitors to
disable ad blocking — it actively served them malware as soon as they did.
Details were captured by security researcher Brian Baskin,
who screenshotted the process.
Advertising malware has existed for years, but recent reports show that it’s
happening far more often than it used to. A report released by Cyphort earlier
this year claimed that online advertising infection rates had increased 325% from
2014 to 2015 as more malware authors began tapping into the market.
There are multiple ways that malicious advertising can masquerade to ad networks as
legitimate, including:
Enabling the malicious payload only several days after the ad is approved.
Serving the exploits only to every 10th or every 20th user who views the ad.
Using SSL redirectors in the malvertising chain.
Verifying user agents and IP addresses.
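Delayed activation, serving only every Nth viewer, and user-agent or IP checks all defeat a single review at approval time. The following added example, which is not from the article or from any ad network's tooling, shows how repeated re-fetches compared against the approved creative expose each behavior. The log records, profile names and digests are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: digest of each creative recorded at approval time.
APPROVED = {"ad-100": "d1", "ad-200": "d2", "ad-300": "d3"}

# Constructed re-fetch log: (creative, days since approval, client profile,
# digest of what was served). Short strings stand in for real content hashes.
FETCHES = [
    ("ad-100", 0, "datacenter", "d1"), ("ad-100", 5, "residential", "d1"),
    ("ad-200", 0, "datacenter", "d2"), ("ad-200", 2, "residential", "d2"),
    ("ad-200", 5, "datacenter", "x9"), ("ad-200", 5, "residential", "x9"),
    ("ad-300", 0, "datacenter", "d3"), ("ad-300", 0, "datacenter", "d3"),
    ("ad-300", 0, "residential", "d3"), ("ad-300", 0, "residential", "d3"),
    ("ad-300", 0, "residential", "x7"), ("ad-300", 0, "residential", "d3"),
]

def audit(fetches, approved):
    """Map each creative that deviated from its approved digest to findings."""
    by_ad = defaultdict(list)
    for ad, day, profile, digest in fetches:
        by_ad[ad].append((day, profile, digest))
    report = {}
    for ad, rows in by_ad.items():
        bad = [(d, p) for d, p, h in rows if h != approved[ad]]
        if not bad:
            continue  # every fetch matched what was reviewed
        findings = set()
        first_bad = min(d for d, _ in bad)
        # Clean fetches exist before the first deviation: content changed later.
        if first_bad > min(d for d, _, _ in rows):
            findings.add("delayed-activation")
        # Only fetches made once the payload was live are comparable.
        live = [(p, h) for d, p, h in rows if d >= first_bad]
        bad_profiles = {p for _, p in bad}
        # Some client profile never received the deviating content.
        if {p for p, _ in live} - bad_profiles:
            findings.add("profile-gated")
        # A profile that got the deviating content also got the approved one.
        if any(p in bad_profiles and h == approved[ad] for p, h in live):
            findings.add("intermittent")
        report[ad] = sorted(findings)
    return report

if __name__ == "__main__":
    for ad, findings in audit(FETCHES, APPROVED).items():
        print(ad, findings)
```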
The reason this can happen, even on legitimate websites like Forbes
(which is far from the only company impacted by this kind of event), is that users
don’t need to actually click on an ad to be infected. Many websites contract with
third-party ad networks to provide advertising content.
Those ad networks sign agreements with advertising clients, but they don’t actually
serve the ads themselves. The ads are delivered by a server designated by the advertiser.
There are multiple ways that malicious advertising, or “malvertising,” can be slipped
into service without direct approval by either the ad network or the site
serving the content. In 2015, some malicious sites began serving ads over HTTPS,
making it much more difficult to identify their source or deconstruct the attack.
What happened to Forbes isn’t unique; The New York Times, The Huffington Post,
and a number of other high-profile sites have been hit by similar attacks over the years.
What sets Forbes apart, however, is that the site is actively attempting to block people
from using ad-blocking software, even though we have an increasing amount of evidence
that suggests such software can meaningfully protect users.
What happens now?
Readers don’t like ads on websites any more than TV viewers like watching
commercials in programs. Websites, including this one, sometimes struggle to balance
revenue against reading experience and intrusiveness. But one thing we can all agree
on is that serving readers malware is utterly unacceptable.
Unfortunately, it’s simply not clear how to resolve the issue.
Websites that depend on ad revenue (all of them) can’t survive if 60-80% of
readers are using adblock. The nature of the advertising business practically requires
the use of automated approval tools and specialized partners — ad networks approve and
purchase millions of ads, in real time. Very, very few publications could afford to
build completely in-house solutions — and even those that can still face the challenge
of vetting ad security in an environment where bad actors have multiple ways to deceive
them about the actual content of an advertisement.
Forbes may have been the first website to ban ad blockers and then serve its
customers malware, but it’s probably not going to be the last. Long-term solutions
to the problem remain murky. Very few people subscribe to websites,
even when subscriptions are available, and politely asking people to turn off
ad blockers has a response rate of less than 1%.