Forbes Makes Visitors Turn off Their Ad Blockers, Then Infects Their Computers w/Malware
The Forbes website has repeatedly been used by malicious hackers to serve up malware to unsuspecting readers, so one would think that before demanding that readers disable ad-blocking extensions Forbes would make sure their site was secure.
But you would be mistaken. Engadget reports that, through a compromised ad network, earlier this week Forbes served up a pop-under advert that prompted the reader to install a file. Engadget cited security researcher Brian Baskin, who tweeted this screenshot on Monday:
Baskin goes on to elaborate in follow-up tweets that the file he was prompted to install wasn’t technically malware, but was instead a version of Java that was known to be vulnerable to hackers.
That executable is not itself dangerous, but that same trick could be used to deliver malware. Furthermore, anyone who installs that version of Java is setting themselves up to be hacked at a later date.
Forbes is not the first web publisher to get hit by a less than scrupulous advertiser; this is in fact so common that it is known as malvertising, and is regularly covered by the computer security blogosphere.
But it is still delightfully ironic that a web publisher who insists that readers must make their computers less secure was also used to infect those computers with malware.
And for what gain?
Forbes reported on Tuesday that their efforts to fight ad-blocking were having a positive effect. When they started tracking the use of ad-blockers, they found that "give or take, 13% of visitors to our site have installed ad blockers, predominantly on the desktop machines".
A limited number of those visitors were blocked from viewing Forbes content, and asked to turn off their ad blockers. Not all ad-block users were prompted, and Forbes also found that their tech had bugs to work out (some users disabled the ad-blocking, and were still denied access).
They say the data so far has taught them a lot:
- From Dec. 17 to Jan. 3, 2.1 million visitors using ad blockers were asked to turn them off in exchange for what Forbes promised would be an ad-light experience.
- 903,000, or 42.4%, of those visitors turned off the blockers and received a thank you message.
- Those visitors generated 15 million ad impressions that would otherwise have been blocked.
I was surprised at that success rate; I have a nag screen on this blog which only convinces around 1% of visitors to disable their ad block. (And that goes double when we remember that the ad-light is not so light.)
And I am fine with that; the users who leave the ad-blocker enabled often need it because ads force their computers to slow to a crawl.
I am much more tolerant than Forbes, who throws this issue in the face of ad-block users:
It was my first day of class as a first-time Skype instructor, so I got right to it: “How many of you pay for content?” I asked a dozen or so University of Iowa journalism students as the fall semester got under way at my alma mater. Two, maybe three, gently raised an arm. Then came my follow-up question: “How many of you use ad blockers?” Nearly everyone put a hand straight up, proudly admitting to installing software that snuffs out display ads from their daily Web browsing experience. “That’s wonderful,” I said. “You don’t want to pay for content and you don’t want to see the ads that fund the content you don’t want to pay for. You might want to consider another profession.”
I’m going to turn this around and throw it right back at Forbes.
If they don’t want to guarantee that the ads they serve are malware-free, won’t cost me bandwidth, and won’t slow down my computer, then Forbes might want to consider another business.
That’s not fair, I know, but that was kinda my point.
To be clear, online advertising has a multitude of problems ranging from security issues to a general state of chaos, panic, and disorder. Ad blocking is less a problem than a response to other issues, and it is not fair to put the onus on users when we all know that blaming users won’t fix the underlying causes.
image by jorge.cancela
karen January 10, 2016 at 4:29 pm
This is a timely article. I’d recently read that Forbes had ad malware a few years ago but I didn’t realize it was a current issue. Ugh.
Thanks, Nate, just made a donation for your blog… I appreciate your articles and the hard work you put into it.
Nate Hoffelder January 10, 2016 at 4:29 pm
And thank you, Karen!
Reader January 10, 2016 at 6:12 pm
Which supports my decision several days ago to not turn off AdBlock when I visited the Forbes site.
Medium Punch January 10, 2016 at 9:33 pm
I think your conversion numbers could be due to your niche audience compared to Forbes. A niche audience that is mostly tech-savvy too. But that’s me guessing.
As the techohead for my friends and family, I view ad-blockers as synonymous with antiviral programs. Likely every virus/malware/tracker/whatever/etc. issue I had to resolve for friends, family, or co-workers was due to some form of malvertising.
Curious to see what 2016 brings to the ad-blocking wars.
DavidW January 11, 2016 at 8:02 am
Well said! On that Forbes article ublock picked up 35 ad requests and ghostery blocked 20 trackers. I don’t think it was intentional malice or avarice on the part of the writer. I think that he is just an ignorant fool. He has no idea the price that people pay on their mobile data plan, on loading the site on slow connections or pcs, on infecting PCs with malware. He also has no idea why we do what we do. He assumes that we don’t realize that is how they make their money. But we know, it’s a case of enough is enough.
David North January 15, 2016 at 6:32 pm
Here’s the REALLY simple response to all of these "high quality, professional" web media publishers: "If your content is so great, why can’t you sell it?".
Ad blight: A TeleRead community member speaks out – TeleRead January 30, 2016 at 1:57 am
[…] news is that the ads are less pushy than those at another combatant, Forbes, which has unwittingly served up security threats to visitors who turn off the blockers. Furthermore, just now, I myself was able to call up the Telegraph without any hassles when I […]