Forbes forces readers to turn off ad blockers, promptly serves malware

For the past few weeks, Forbes has been forcing visitors to disable ad blockers if they want to read its content. Visitors to the site with Adblock or uBlock enabled are told they must disable it if they wish to see any Forbes content.

Thanks to Forbes’ interstitial ad and quote of the day, Google caching doesn’t capture data properly, either.

What sets Forbes apart, in this case, is that it didn’t just force visitors to disable ad blocking — it actively served them malware as soon as they did.

Details were captured by security researcher Brian Baskin, who screenshotted the process:



Advertising malware has existed for years, but recent reports show that it’s happening far more often than it used to. A report released by Cyphort earlier this year claimed that online advertising infection rates had increased 325% from 2014 to 2015 as more malware authors began tapping into the market.

There are multiple ways that malicious advertising can masquerade to ad networks as legitimate, including:

Enabling the malicious payload several days after the ad is approved.

Serving the exploits only to every 10th or every 20th user who views the ad.

Using SSL redirectors in the malvertising chain.

Verifying user agents and IP addresses.
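
The techniques listed above all defeat a single scan at approval time. As an added example (not from the original article or from any ad network's tooling), the Python below audits a creative's rescan history for those patterns; the profile labels, digests and sample histories are constructed assumptions, and `fetches_needed` assumes content is served at random and independently to 1 in N views.

```python
import math
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# One rescan of an ad creative: fetch time, scanner profile (assumed labels:
# "scanner" = datacenter IP/automation UA, "consumer" = residential IP/browser
# UA), and a digest of the content that came back.
Obs = namedtuple("Obs", "when profile digest")

def fetches_needed(one_in_n, confidence=0.95):
    """Rescans needed to see content served at random to 1 in N views."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - 1 / one_in_n))

def audit(observations, approved_at):
    """Return review signals for one creative's rescan history."""
    signals = set()
    baseline = {o.digest for o in observations if o.when <= approved_at}
    buckets = defaultdict(Counter)  # (day, profile) -> digests seen
    for o in observations:
        if o.when > approved_at and o.digest not in baseline:
            signals.add("changed_after_approval")  # delayed activation
        buckets[(o.when.date(), o.profile)][o.digest] += 1
    per_day = defaultdict(set)  # day -> distinct digest sets across profiles
    for (day, _profile), seen in buckets.items():
        if len(seen) > 1:
            signals.add("intermittent_content")  # only some views differ
        per_day[day].add(frozenset(seen))
    if any(len(sets) > 1 for sets in per_day.values()):
        signals.add("profile_dependent_content")  # UA/IP gating
    return signals

# Constructed sample histories (digests are placeholders, not real hashes).
APPROVED = datetime(2016, 1, 4, 12, 0)

def obs(day, hour, profile, digest):
    return Obs(datetime(2016, 1, day, hour), profile, digest)

CLEAN = [obs(4, 9, "scanner", "aa"), obs(9, 9, "scanner", "aa"),
         obs(9, 10, "consumer", "aa")]
DELAYED = [obs(4, 9, "scanner", "aa"), obs(9, 9, "scanner", "bb"),
           obs(9, 10, "consumer", "bb")]
GATED = CLEAN + [obs(9, 11, "consumer", "bb")]

if __name__ == "__main__":
    for name, history in (("clean", CLEAN), ("delayed", DELAYED), ("gated", GATED)):
        print(name, sorted(audit(history, APPROVED)))
    print(fetches_needed(10), fetches_needed(20))
```

Legitimate creative rotation can raise the same signals, so they are triggers for manual review rather than verdicts.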

The reason this can happen, even on legitimate websites like Forbes (which is far from the only company impacted by this kind of event), is that users don’t need to actually click on an ad to be infected. Many websites contract with third-party ad networks to provide advertising content.

Those ad networks sign agreements with advertising clients, but they don’t actually serve the ads themselves. The ads are delivered by a server designated by the advertiser.

There are multiple ways that malicious advertising, or “malvertising,” can be slipped into service without the direct approval of either the ad network or the site serving the content. In 2015, some malicious sites began serving ads over HTTPS, making it much more difficult to identify their source or deconstruct the attack.



What happened to Forbes isn’t unique; The New York Times, The Huffington Post, and a number of other high-profile sites have been hit by similar attacks over the years. What sets Forbes apart, however, is that the site is actively attempting to block people from using ad-blocking software, even though we have an increasing amount of evidence that suggests such software can meaningfully protect users.

What happens now?

Readers don’t like ads on websites any more than TV viewers like watching commercials in programs. Websites, including this one, sometimes struggle to balance revenue against reading experience and intrusiveness. But one thing we can all agree on is that serving readers malware is utterly unacceptable.

Unfortunately, it’s simply not clear how to resolve the issue.

Websites that depend on ad revenue (all of them) can’t survive if 60-80% of readers are using adblock. The nature of the advertising business practically requires the use of automated approval tools and specialized partners — ad networks approve and purchase millions of ads, in real time. Very, very few publications could afford to build completely in-house solutions — and even those that can still face the challenge of vetting ad security in an environment where bad actors have multiple ways to deceive them about the actual content of an advertisement.

Forbes may have been the first website to ban ad blockers and then serve its customers malware, but it’s probably not going to be the last. Long-term solutions to the problem remain murky. Very few people subscribe to websites, even when subscriptions are available, and politely asking people to turn off ad blockers has a response rate of less than 1%.