Forbes makes visitors turn off their ad blockers, then infects their computers with malware
As publishers continue to fight readers who use browsers with ad blockers installed, they also continue to deliver advertising that readers find obnoxious, and sometimes dangerous
The Forbes website has repeatedly been used by malicious hackers to serve up malware to unsuspecting readers, so one would think that, before demanding that readers disable ad-blocking extensions, Forbes would make sure their site was secure.
But you would be mistaken. Engadget reports that, through a compromised ad network, earlier this week Forbes served up a pop-under advert that prompted the reader to install a file. Engadget cited security researcher Brian Baskin, who tweeted this screenshot on Monday:
Baskin goes on to elaborate in follow-up tweets that the file he was prompted to install wasn’t technically malware, but was instead a version of Java that was known to be vulnerable to hackers.
That executable is not itself dangerous, but that same trick could be used to deliver malware. Furthermore, anyone who installs that version of Java is setting themselves up to be hacked at a later date.
Forbes is not the first web publisher to get hit by a less-than-scrupulous advertiser; this is in fact so common that it is known as malvertising, and is regularly covered by the computer security blogosphere.
But it is still delightfully ironic that a web publisher who insists that readers must make their computers less secure was also used to infect those computers with malware.
And for what gain?
Forbes reported on Tuesday that their efforts to fight ad-blocking were having a positive effect. When they started tracking the use of ad-blockers, they found that “give or take, 13% of visitors to our site have installed ad blockers, predominantly on the desktop machines”.
A limited number of those visitors were blocked from viewing Forbes content, and asked to turn off their ad blockers. Not all ad-block users were prompted, and Forbes also found that their tech had bugs to work out (some users disabled the ad-blocking, and were still denied access).
They say the data has so far taught them a lot:
- From Dec. 17 to Jan. 3, 2.1 million visitors using ad blockers were asked to turn them off in exchange for what Forbes promised would be an ad-light experience.
- 903,000, or 42.4%, of those visitors turned off the blockers and received a thank you message.
- Those visitors generated 15 million ad impressions that would otherwise have been blocked.
I was surprised at that success rate; I have a nag screen on this blog which only convinces around 1% of visitors to disable their ad block. (And that goes double when we remember that the ad-light is not so light.)
And I am fine with that; the users who leave the ad-blocker enabled often need it because ads force their computers to slow to a crawl.
I am much more tolerant than Forbes, who throws this issue in the face of ad-block users:
I’m going to turn this around and throw it right back at Forbes.
If they don’t want to guarantee that the ads they serve are malware-free, won’t cost me bandwidth, and won’t slow down my computer, then Forbes might want to consider another business.
That’s not fair, I know, but that was kinda my point.
To be clear, online advertising has a multitude of problems ranging from security issues to a general state of chaos, panic, and disorder. Ad blocking is less a problem than a response to other issues, and it is not fair to put the onus on users when we all know that blaming users won’t fix the underlying causes.
Nate Hoffelder is editor and publisher of the industry website The Digital Reader