The Forbes website has repeatedly been used by malicious hackers to serve up malware to unsuspecting readers, so one would think that before demanding that readers disable ad-blocking extensions Forbes would make sure their site was secure.
But you would be mistaken. Engadget reports that, through a compromised ad network, earlier this week Forbes served up a pop-under advert that prompted the reader to install a file. Engagdet cited security researcher Brian Baskin, who this screenshot on Monday:
Baskin goes on to elaborate in follow up tweets that the file he was prompted to install wasn't technically malware, but was instead a version of Java that was known to be vulnerable to hackers.
That executable is not itself dangerous, but that same trick could be used to deliver malware. Furthermore, anyone who installs that version of Java is setting themselves up to be hacked at a later date.
Forbes is not the first web publisher to get hit by a less than scrupulous advertiser; this is in fact so common that it is known as malvertising, and is regularly covered by the computer security blogosphere.
But it is still delightfully ironic that a web publisher who insists that readers must make their computers less secure was also used to infect those computer with malware.
And for what gain?
Forbes reported on Tuesday that their efforts to fight ad-blocking was having a positive effect. When they started tracking the use of ad-blockers, they found that "give or take, 13% of visitors to our site have installed ad blockers, predominantly on the desktop machines".
A limited number of those visitors were blocked from viewing Forbes content, and asked to turn off their ad blockers. Not all ad-block users were prompted, and Forbes also found that their tech had bugs to work out (some users disabled the ad-blocking, and were still denied access).
They say the data has so far has taught them a lot:
- From Dec. 17 to Jan. 3, 2.1 million visitors using ad blockers were asked turn them off in exchange for what Forbes promised would be an ad-light experience.
- 903,000, or 42.4%, of those visitors turned off the blockers and received a thank you message.
- Those visitors generated 15 million ad impressions that would otherwise have been blocked.
I was surprised at that success rate; I have a nag screen on this blog which only convinces around 1% of visitors to disable their ad block. (And that goes double when we remember that the ad-light is not so light.)
And I am fine with that; the users who leave the ad-blocker enabled often need it because ads force their computers to slow to a crawl.
I am much more tolerant than Forbes, who throws this issue in the face of ad-block users:
It was my first day of class as a first-time Skype instructor, so I got right to it: “How many of you pay for content?” I asked a dozen or so University of Iowa journalism students as the fall semester got under way at my alma mater. Two, maybe three, gently raised an arm. Then came my follow-up question: “How many of you use ad blockers?” Nearly everyone put a hand straight up, proudly admitting to installing software that snuffs out display ads from their daily Web browsing experience. “That’s wonderful,” I said. “You don’t want to pay for content and you don’t want to see the ads that fund the content you don’t want to pay for. You might want to consider another profession.”
I'm going to turn this around and throw it right back at Forbes.
If they don't want to guarantee that the ads they serve are malware-free, won't cost me bandwidth, and won't slow down my computer, then Forbes might want to consider another business.
That's not fair, I know, but that was kinda my point.
To be clear, online advertising has a multitude of problems ranging from security issues to a general state of chaos, panic, and disorder. Ad blocking is less a problem than a response to other issues, and it is not fair to put the onus on users when we all know that blaming users won't fix the underlying causes.
image by jorge.cancela