RSS
Forbes Site, After Begging You To Turn Off Adblocker, Serves Up A Steaming Pile Of Malware 'Ads'
from the you-have-32-registry-errors dept
We had just discussed a couple of websites, Forbes amongst them, joining the ranks of sites that were attempting to hold their content hostage over people's use of adblockers. The general point of that post was that the reason people use adblockers generally is that sites like Forbes serve up annoying, irritating, horrible ads, such that the question of whether the site's content is worth the hassle of enduring those ads becomes a legitimate one. The moment that question becomes relevant, it should be obvious that the problem is the ad inventory and not the adblocking software.
But of course that isn't the only reason that people use adblockers. The other chief impetus for them is security. Here to show us why that is so is...well...Forbes again. One security researcher discusses his attempt to read a Forbes article, complete with the request to disable his adblocking software, and the resulting malware he encountered as a result. Ironically, the Forbes article in question was its notable "30 Under 30" list, and the researcher wanted to check out the inclusion of a rather well-known security researcher.
On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information. Or, as is popular worldwide with these malware "exploit kits," lock up their hard drives in exchange for Bitcoin ransom.Vindicating might be a better word, I think. Vindication for those who insist that adblockers are not only beneficial, but may well be necessary. Necessary because, as we stated before, too much online advertising is garbage, whether that means the ads just suck, or are downright security threats. Ad networks have been a known vector for this type of malware, which can attempt to infect machines with fake antivirus software or compromise personal information from the infected machines. It's important to understand that this is neither new nor is it some small thing.
One researcher commented on Twitter that the situation was "ironic" -- and while it's certainly another variant of hackenfreude, ironic isn't exactly the word I'd use to describe what happened.
Less than a month ago, a bogus banner ad was found serving malvertising to visitors of video site DailyMotion. After discovering it, security company Malwarebytes contacted the online ad platform the bad ad was coming through, Atomx. The company blamed a "rogue" advertiser on the WWPromoter network. It was estimated the adware broadcast through DailyMotion put 128 million people at risk. To be specific, it was from the notorious malware family called "Angler Exploit Kit." Remember this name, because I'm pretty sure we're going to be getting to know it a whole lot better in 2016.Insisting that users turn off their adblockers in this ecosystem is akin to refusing to allow people to tour the wing of a hospital dedicated to combatting highly infectious disease if they want to wear a bio-hazard suit. It makes no sense. "We can't confirm that our ads are safe, but we insist you not block them." Who actually wants to suggest that this stance makes sense?
Last August, Angler struck MSN.com with -- you guessed it -- another drive-by malvertising campaign. It was the same campaign that had infected Yahoo visitors back in July (an estimated 6.9 billion visits per month, it's considered the biggest malvertising attack so far). October saw Angler targeting Daily Mail visitors through poisoned ads as well (monthly ad impressions 64.4 million). Only last month, Angler's malicious ads hit visitors to Reader's Digest (210K readers; ad impressions 1.7M). That attack sat unattended after being in the press, and was fixed only after a week of public outcry.
What should the websites do? The ad networks clearly don't have a handle on this at all, giving us one more reason to use ad blockers. They're practically the most popular malware delivery systems on Earth, and they're making the websites they do business with into the same poisonous monster. I don't even want to think about what it all means for the security practices of the ad companies handling our tracking data or the sites we visit hosting these pathogens.What should websites do? Well, how about they start treating their ad inventory with at least a percentage of the care with which they treat their content? After all, advertising is content, as it is consumed by the reader/viewer, so why not at least bother to make sure it's palatable? Or maybe start putting in place stricter controls to weed out the malvertising and adware? That too could be helpful.
Guess what's not anywhere on the list of things websites should do, though. If you answered "Insist that customers open themselves up to these security threats by demanding they turn off adblockers," then you win.
Reader Comments (rss)
(Flattened / Threaded)
[ reply to this | link to this | view in thread ]
If only...
Someone must not be reading what's getting published online lately. The grammar and spelling is downright awful. And if it's a news story you can tell the editor is not proofing the story either. It's almost as if they are in a race to publish as much coff-content-coff online as possible. If they won't proof what they publish do you think they even think about the ad source?
[ reply to this | link to this | view in thread ]
A very clear message is being sent
They throw their hands up, not our fault its the ad network.
They ad network throw up their hands, it was a rouge how could we know.
Perhaps maybe if contracts were negotiated with clauses allowing sites to dump networks who served up malware, the networks might try a bit harder to police the content.
Perhaps if sites couldn't claim they had no responsibility & there was a financial penalty for allowing bad ads to continue after they were alerted.
Imagine a clear system to report bad ads so there didn't need to be a week of public outcry to get action. Imagine sites being forced to inform viewers they hosted bad ads & direct them to run checks. People not actively blocking ads right now most likely aren't the most computer savvy people & would need direction to run a scan of their machine.
Everyone says how horrible this is, but nothing changes. Punishing the people most likely to be harmed seems like a stupid play.
The public can only block ads to try and stay safe and then are treated to sites refusing to allow them access unless they stop blocking... when is the last time a site who got screwed running attack ads fired the network serving them up?
No system will ever be perfect, but there is a rapidly shrinking window before ad blocking is much more widespread. Perhaps rather than worrying about how to craft the next supercookie or track where the mouse moves should take a backseat to proactively protecting consumers rather than demanding they remain targets for the "good guys" & the "bad guys" so they can get some click thru revenue.
[ reply to this | link to this | view in thread ]
Hit the back button. Read the page from the search engine cache. That worked fine.
[ reply to this | link to this | view in thread ]
http://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target- forbes-visitors/
And.. they'll hope it again...
[ reply to this | link to this | view in thread ]
No thanks Forbes
[ reply to this | link to this | view in thread ]
Always use protection
[ reply to this | link to this | view in thread ]
Re: Always use protection
If your trying to establish some kind of corollary between the Internet and the worlds oldest profession, please be more specific.
[ reply to this | link to this | view in thread ]
This attitude is going to remain prevalent amongst websites offering up malware until there are penalties at stake for infecting visitors machines, and liabilities for proven damages.
Without an 'incentive' that affects their bottom line, they're not going to care, or feel they have a reason to change.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
re Forbes add block
I am willing to tolerate adds, but I am totally unwilling to run active content from advertisers. In fact, I do not use Bing et al, as it relies on javascript to function.
[ reply to this | link to this | view in thread ]
Re: Re: Always use protection
Well I've never gotten a virus or malware from the world's oldest profession...
[ reply to this | link to this | view in thread ]
There's your problem...
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Re: Re: Always use protection
[ reply to this | link to this | view in thread ]
Long ago
I suggested that Sites do 1 of 2 things...
1. MAKE the ADVERTS themselves..
2. Scan every 3rd party advert they will display..
Something Iv asked for from BROWSERS...
Remember that the data Must be sent to you, to be displayed.
Why cant the Browser, NOTE which sites I got this Data from?? It might slow browsers down abit(insted of just Loading Crap, they have to Label it) but you could TRack this garbage back to the sender..
Also...arnt Site liable for the data they are sending?? and if you can PROVE who sent the crap, sue..?
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Re: Re: Re: Always use protection
[ reply to this | link to this | view in thread ]
Having already run up on this malware trick before, after the painstaking efforts to clean my network of it, I then installed an adblocker and it will now stay on at all times due to a hard learned experience.
It is not up to me to clean up the industry. However I do control my computer and its uses. I will not give up that security because someone else wants to make money. I am not a walking wallet. I further resent the stealing of my internet speed to show these eyesores, the stealing of my data without asking for datamining purposes, and the damn underhandedness of many of the advertisers.
After long experience of dealing with questionable and down right dirty methods, it will be a cold day in hell before I ever turn it off again, even if tomorrow the ad industry claims it's gotten religion and decides to clean itself up. They've earned this response through years of on purpose abuse.
I am still waiting for them to honor 'Do Not Track'. Since they can't do any of the things that improve my surfing experience and refuse to do the most basic I really don't care what they want as my wants are not considered. If my desires are not considered, then what they want ranks the same consideration.
My answer is when I find this out that I have to turn off the adblocker is simply to close the site that wants this as a good bargain worth my time to move on.
[ reply to this | link to this | view in thread ]
Forbes is not very good at news
Forbes news tells me: you are using an ad blocker.
Hey, that's not news. I know that, and it's not even recent info. What kind of news site is Forbes anyway?
[ reply to this | link to this | view in thread ]
Re: Long ago
Those ad pixels should arrive to the ad network in raw form. Then the ad network themselves will encode it into a more efficient form for internet transmission such as PNG, or other form.
Even animated ads could be received as multiple still images and then encoded into efficient form by the ad network.
Even sounds. They could arrive at the ad network in high resolution form. The ad network encodes them into some internet friendly form.
The fact that the ad network is doing the encoding, using trusted tools, means you are not likely to find malware within the ad content sent to the user's browser.
The ad network wants pixels. Sequences of frames. Sound that could be encoded through an analog channel which re-digitizes the sounds.
Malvertisers would very go to a different advertising network.
[ reply to this | link to this | view in thread ]
Pssssst . . . I've got this really cool program you should try!
[ reply to this | link to this | view in thread ]
The Blame Game
None of this will change until sites and networks are held accountable for their complete disregard for the security of their service and their users. Sites should only deal with ads networks that don't allow foreign code of any kind, and sign contracts that hold the networks liable for security issues created by their ads. However, this will only happen when users and regulators start mandating that sites only use secure ad networks.
[ reply to this | link to this | view in thread ]
turn off Adblock
Now that I've done that I don't think I'll bother going back to Forbes. It's not worth the effort.
[ reply to this | link to this | view in thread ]
Re: Re: Long ago
Rather a bit naive there, aren't you? What makes you think they'll use any other than the tools the ad distributors give them?
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Time for websites to be held to similar standards. Deliver malware, stand by for lawsuits. No exemptions for disclaimers in TOS or EULA.
[ reply to this | link to this | view in thread ]
Dear Forbes
[ reply to this | link to this | view in thread ]
Dear forbes...
my guess is that you are now liable for my damages.
funny story..
different computer running different OS, rhymes with SLINUX, no adblocker on, but the site STILL thinks ad blocker was on. Clicked on 'continue' and it thanked me for turning off the adblocker that wasn't there. WTF Forbes? Can't afford to get a decent programmer? Hurting so bad that you have to sell malware?
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Re: Pssssst . . . I've got this really cool program you should try!
[ reply to this | link to this | view in thread ]
Re: Re: Re: Long ago
Trust might be restored. Somewhat.
[ reply to this | link to this | view in thread ]
Re:
Why would they not? It's low-hanging fruit.
[ reply to this | link to this | view in thread ]
Re: re Forbes add block
#!/bin/bash
# usage: $0 url_of_forbes_article
# Writes html document (including article content) to standard output.
# Assumes last component of URI is a suitable title.
title="$(basename "$1" |tr -- - ' ')"
[ ${#@} -eq 1 ] || { echo "$0: usage: $0 url" ; exit 1 ; }
opening="<html><head><title>${title}</title></head><body>\n"
clo sing="</body></html>"
wget -q -O - -- "$1" |
grep -o '"body":"\([^"]\|\(\\["]\)\)*' |
sed "1 s#^\"body\":\"#${opening}# ;
s#[\]\"#\"#g ;
s#[\]r[\]n#\\n</p>\\n<p>#g ;
$ a\
${closing}
; "
# 2nd and 3rd commands in sed routine do, respectively:
# (2) replace backslash-escaped double-quotes with plain double-quotes, and
# (3) replace \r\n sequences with adequately equivalent html markup.
[ reply to this | link to this | view in thread ]
33 Posts, and unless I'm blind...
And, it would be a position that the more enlightened among us (except for me, I will never buy that b.s.) would be less dismissive toward if someone could make a well reasoned case for it in light of the situation that Forbes seemingly finds itself in every few weeks.
I suspect that not only they won't, but can't, make such a case against ad-blockers. Ad-blockers are not unethical. Unethical is - serving up a hot dish of malware/PUP/viruses/etc to your users after making demands that those same users turn off security software.
[ reply to this | link to this | view in thread ]
Firefox + Adblock + Greasemonkey + Anti-Adblock Killer = no more nonsense
My motto, stolen from @pourmecoffee: "I will ruthlessly curate my online experience to selfishly satisfy my own sensibilities and make it fun for me, period."
[ reply to this | link to this | view in thread ]
Adblockers are the new norm.
Specifically, I'm pointing at the click bait sites commonly found on Facebook with a single captioned graphic per page, surrounded by at least a dozen ads that almost take minutes to render.
[ reply to this | link to this | view in thread ]
Re:
Stuffing the content that belongs in p or div elements within the body element instead into meta tags in the head element is such horribly broken HTML design that it makes the commonplace a href="#" onClick=document.load(stupid script to unpack obfuscated URL goes here) and images that are displayed by scripts instead of img tags seem like paragons of correct HTML by comparison.
[ reply to this | link to this | view in thread ]
Re: Re: Long ago
[ reply to this | link to this | view in thread ]
Re: Adblockers are the new norm.
They created the method of their own destruction by inaction & indifference.
[ reply to this | link to this | view in thread ]
Re: If only...
[ reply to this | link to this | view in thread ]
The choice
[ reply to this | link to this | view in thread ]
Forbes
1) If someone has good anti virus (anti malware) software won't this protect them from bad ads?
2) I go to Forbes almost every day and have never had a problem. Although sometimes the articles are slow to load and I suspect this is from ads.
3) In my industry the articles they have are consistently very popular and well written.
4) I don't consider them holding content for hostage. they put content there for free (unlike Wall Street Journal and a few others that require subscriptions) and expect to earn money ( and pay for the content) through ad revenue.
5) By the same token there is nothing wrong with someone making the decision they would rather not go there than be subjected to ads and possible problems from them.
6) They had a pretty good article on the dispute that is not overly biased. "Inside Forbes: From 'Original Sin' To Ad Blockers -- And What The Future Holds"
[ reply to this | link to this | view in thread ]
Re: A very clear message is being sent
[ reply to this | link to this | view in thread ]
Re: Forbes
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Reasonable ads
Ads will be more viewed that way not by passer byes but loyal viewers.
Ads without limits will and do take over your computer without your consent and trying to get around the law using fancy loopholes is just cowardly on their end.
It seems being moral is bad and bad is good. Hey just like the bible said would happen in the final hours before the Trib.
We are in the 'knocking on the door' stage with the hand on the doorknob starting to twist it.
[ reply to this | link to this | view in thread ]
Reasonable ads
[ reply to this | link to this | view in thread ]
Re: The choice
[ reply to this | link to this | view in thread ]
Re:
Very few sites will be left except Joe Doe's rants that won't require ad block turned off.
The web is almost a corporation police state far from the 90s open era.
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re: A very clear message is being sent
Windows 8 and 10 is MS attempt to cater to these type of people shunning people who know how to edit and do serious daily work on PC's.
They want PC's to be closed game machines.
[ reply to this | link to this | view in thread ]
Ie, Today a bomb exploded on flight xyz killing 231 Americans and 13 pure bred German Shepards. Shepards are known for their uncanny ability to sniff out,consume,and shit out ordinance however as the trainer/owner John Joe Scapegoat didn't feed them Purina brand Aryan chow the deaths sadly avoidable occured. Do you want the blood of 231 Americans or worse 13 pure breeds on your hands? Use coupon code sinistermarketing and save 10% of your pets food. With savings like this, it will be seen as terrorism not to.
[ reply to this | link to this | view in thread ]
How to get the code
[ reply to this | link to this | view in thread ]
MALWARE+
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
The internet is gone
The web should I say rather then calling it the internet is all commercial and it's the way globalist want it for a one world economy based on digital money using ones and zeros to control nations.
It's basically going back to the days of kings and peasants they are trying to revive that lifestyle with no sustaining economy to keep things rolling so they BS their way thru instead.
Having a BS economy never works well and entire nations/kingdom fold under disasters that a healthy nation could recover from with just a mild depression or in extreme cases eventually get invaded by outsiders due to not having the resources to defend themselves.
Our economy is a ticking time bomb and they just lengthen the fuse.
[ reply to this | link to this | view in thread ]
Re:
They could care less and feel they can do what they want. If the economy wasn't BS we would be having competitors and choices but people now are *holding on* to their money instead of taking risks.
[ reply to this | link to this | view in thread ]
The internet is gone
[ reply to this | link to this | view in thread ]
Forbes gives me no realistic option but to skip it
[ reply to this | link to this | view in thread ]
Forbes has even screwed their paying subscribers.
No way to get into the archives, no way to read this month's, nothing! After this year's finished, I will no longer renew unless they change their position.
[ reply to this | link to this | view in thread ]
Even if ads were ads and not malware
Getting someone who is not computer savy to use adblock is hard enough without me physically being at their computer and installing it for them. Throwing in various scenarios where they are locked out of a major website because of adblock would be a big blow to the war against commercials and ad spam.
I hope to christ that whenever someone sees this wall, they never return to that POS site and their content views takes a noticeable hit.
[ reply to this | link to this | view in thread ]
past the wall with an attack
[ reply to this | link to this | view in thread ]
document.cookie = 'global_ad_params={BORK!%22ab%22:{%22value%22:%22off%22%2C%22expiration%22:1456810565900}}; expires=2016-01-31T06:00:00:000Z; domain=.forbes.com; path=/';
Click the "Continue to Site" button once, and got the following javascript error in the console: (see the second screenshot)
Click the "Continue to Site" button again, and BAM! ad-blocking-blocking-blocked: (see the third screenshot)
NOTE: This has only been tested in Chrome, and sometimes breaking that cookie breaks the site, and you have to fix the cookie to continue browsing, like so:
document.cookie = 'global_ad_params={%22ab%22:{%22value%22:%22off%22%2C%22expiration%22:1456810565900}}; expires=2016-01-31T06:00:00:000Z; domain=.forbes.com; path=/';
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
The folks at Forbes are cutting their own throats with their decision to restrict their content in this way. I can happily visit other sites and find similar content. I think Forbes needs to realize that they are not the only game in town, and in a competitive marketplace, they need to work to find a larger audience. Keeping content restricted from those who prefer not to see advertising is not the way to do it. If I ever was likely to be in the market for Forbes' product, all this does is alienate me further, since it sends the message that all they're selling is ad space. If they continue this exercise in self-strangulation, I give the company ten years before it goes belly-up.
[ reply to this | link to this | view in thread ]
Class Action Lawsuit
It seems to me, that someone who got an $xxx ransomware, or paid the nerd herd to remove malware from their computers could be the base of a class action lawsuit... That's what it will take to get this crap to change is to actually hold one of these larger media sites responsible.
[ reply to this | link to this | view in thread ]
Re: Class Action Lawsuit
[ reply to this | link to this | view in thread ]
Re: Re: Re: Long ago
[ reply to this | link to this | view in thread ]
The advertisements aren't "3rd party content".
Forbes would certainly like to disclaim all liability for their selected advertising network, but that doesn't make them a 3rd party. They are a "jointly liable party".
The advertisements are structured as part of the Forbes website. Forbes is insisting that they be received as part of viewing the stories. Forbes contracting out the sales of advertisement and failing to review the contents doesn't make them unrelated -- it just means that they abdicated their responsibility. An industry standard of abdicating responsibility doesn't transform the practice into reasonable behavior.
To use a tradition magazine analogy, Forbes sent out a magazine with poisoned ink and child pornography. They don't get to pass all responsibility onto the chemical company and photographer.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
I don't even use an adblocker!
But the thing is.... I don't even have an adblocker!!! What on earth is the deal here??
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
I feel no sympathy for these companies so desperately trying to commercialize and monetize the internet. That isn't what the internet was created for. It is supposed to be a public meeting space, not another cog in your profit machine - so if you don't like it, screw you and your ads.
What further discusts me is when I see what they really want our experience to be like. If you dont know what I mean - think about using the internet on your smartphone, where there aren't any adblockers (well maybe there are now, I'm about to make a check on that because a few months ago I couldn't find any). These site are INSANE, it's like the 1990's before the tech bust all over again. You can't read an article for all the freaking ads. I don't think that is in line with what people want, and I'll be damned if I don't do something so I can browse in peace. If they want to make money, how about a new idea? SELL SOMETHING PEOPLE WANT - and stop with the unscrupulous and mostly dangerous ads, mostly with no accountability and no consideration of safety (and decency, as sometimes the ads are on the x-rated side).
[ reply to this | link to this | view in thread ]
Re: Pssssst . . . I've got this really cool program you should try!
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Don't let the door hit you in the a** on the way out
[ reply to this | link to this | view in thread ]
Re: If only...
[ reply to this | link to this | view in thread ]
Re: Forbes Adblock Warning
[ reply to this | link to this | view in thread ]
The minute I enter a site demanding I turn off an adblocker, I immediately leave, knowing full well sites like that contain absolutely nothing I can't read or find elsewhere - and without the irritating ads and malicious malware/spyware, too.
And since when did the advertising industry decide they have the right to intrude upon our lives and harass us with rubbish? They can go whistle dixie, too - with a snorkel.
[ reply to this | link to this | view in thread ]
bieden leningen tussen bepaalde ernstige en eerlijk
Hallo, ik wend mij tot alle personen in nood voor hun gedeelde Ik geef geld voor de leningen van € 3.000 tot € 950.000 aan iedereen kunnen terugbetalen met rente van 3% per jaar, en een tijd van 1 tot 15 jaar, afhankelijk van het gevraagde bedrag. Ik doe het in de volgende gebieden: - financieel-Ready Ready Ready for Real Estate-Investissement-Ready auto-Consolidatie Schuld Redemption crédit Ready persoonlijk Je zit vast Als je echt in nood, neem dan contact met mij op voor meer informatie. Neem dan contact met mij op via mail: henrid647@gmail.com
[ reply to this | link to this | view in thread ]
Re:
U.S. written, high quality articles literally cost $30 - $500 each, and you think webmasters are doing you a disservice when they front the bill for your FREE entertainment? Cracked pays $150 for their articles. You like Cracked? Well, that's the quality ad revenue can buy you. Go to a bar that operates at $0 income (you'll be in someone's leaky basement). Watch YouTubers who don't have ads activated (it'll be 12 year Olds with a vertical filming iPhone 2). Or go do one of a million other things which requires $ for quality, but do it for free and see the difference. You won't find quality for free because you get what you pay for; or in this case, you dont even have to pay.
[ reply to this | link to this | view in thread ]
Add Your Comment