We had just discussed a couple of websites, Forbes amongst them, joining the ranks of sites that were attempting to hold their content hostage over people’s use of adblockers. The general point of that post was that people mostly use adblockers because sites like Forbes serve up annoying, irritating, horrible ads, such that the question of whether the site’s content is worth the hassle of enduring those ads becomes a legitimate one. The moment that question becomes relevant, it should be obvious that the problem is the ad inventory and not the adblocking software.
But of course that isn’t the only reason that people use adblockers. The other chief impetus for them is security. Here to show us why that is so is…well…Forbes again. One security researcher discusses his attempt to read a Forbes article, complete with the request to disable his adblocking software, and the malware he encountered as a result. Ironically, the Forbes article in question was its notable “30 Under 30” list, and the researcher wanted to check out the inclusion of a rather well-known security researcher.
On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information. Or, as is popular worldwide with these malware “exploit kits,” lock up their hard drives in exchange for Bitcoin ransom.
One researcher commented on Twitter that the situation was “ironic” — and while it’s certainly another variant of hackenfreude, ironic isn’t exactly the word I’d use to describe what happened.
Vindicating might be a better word, I think. Vindication for those who insist that adblockers are not only beneficial, but may well be necessary. Necessary because, as we stated before, too much online advertising is garbage, whether that means the ads just suck, or are downright security threats. Ad networks have been a known vector for this type of malware, which can attempt to infect machines with fake antivirus software or compromise personal information from the infected machines. It’s important to understand that this is neither new nor some small thing.
Less than a month ago, a bogus banner ad was found serving malvertising to visitors of video site DailyMotion. After discovering it, security company Malwarebytes contacted the online ad platform the bad ad was coming through, Atomx. The company blamed a “rogue” advertiser on the WWPromoter network. It was estimated the adware broadcast through DailyMotion put 128 million people at risk. To be specific, it was from the notorious malware family called “Angler Exploit Kit.” Remember this name, because I’m pretty sure we’re going to be getting to know it a whole lot better in 2016.
Last August, Angler struck MSN.com with — you guessed it — another drive-by malvertising campaign. It was the same campaign that had infected Yahoo visitors back in July (an estimated 6.9 billion visits per month, it’s considered the biggest malvertising attack so far). October saw Angler targeting Daily Mail visitors through poisoned ads as well (monthly ad impressions 64.4 million). Only last month, Angler’s malicious ads hit visitors to Reader’s Digest (210K readers; ad impressions 1.7M). That attack sat unattended after being in the press, and was fixed only after a week of public outcry.
Insisting that users turn off their adblockers in this ecosystem is akin to refusing to allow people to tour the wing of a hospital dedicated to combatting highly infectious disease if they want to wear a bio-hazard suit. It makes no sense. “We can’t confirm that our ads are safe, but we insist you not block them.” Who actually wants to suggest that this stance makes sense?
What should the websites do? The ad networks clearly don’t have a handle on this at all, giving us one more reason to use ad blockers. They’re practically the most popular malware delivery systems on Earth, and they’re making the websites they do business with into the same poisonous monster. I don’t even want to think about what it all means for the security practices of the ad companies handling our tracking data or the sites we visit hosting these pathogens.
What should websites do? Well, how about they start treating their ad inventory with at least a percentage of the care with which they treat their content? After all, advertising is content, as it is consumed by the reader/viewer, so why not at least bother to make sure it’s palatable? Or maybe start putting in place stricter controls to weed out the malvertising and adware? That too could be helpful.
Guess what’s not anywhere on the list of things websites should do, though. If you answered “Insist that customers open themselves up to these security threats by demanding they turn off adblockers,” then you win.
Jan 11th 2016