We
had just discussed a couple of websites, Forbes amongst them,
joining the ranks of sites that were attempting to hold their
content hostage over people's use of adblockers. The general
point of that post was that the reason people use adblockers
generally is that sites like Forbes serve up annoying,
irritating, horrible ads, such that the question of whether the
site's content is worth the hassle of enduring those ads becomes
a legitimate one. The moment that question becomes relevant, it
should be obvious that the problem is the ad inventory and not
the adblocking software.
But of course that isn't the only reason that people use
adblockers. The other chief impetus for them is security. Here
to show us why that is so is...well...Forbes again. One security
researcher discusses his attempt to read a Forbes article,
complete with the request to disable his adblocking software,
and the resulting malware he encountered as a result.
Ironically, the Forbes article in question was its notable "30
Under 30" list, and the researcher wanted to check out the
inclusion of a rather well-known security researcher.
On arrival, like a growing number of websites, Forbes asked
readers to turn off ad blockers in order to view the article.
After doing so, visitors were immediately served with pop-under
malware, primed to infect their computers, and likely silently
steal passwords, personal data and banking information. Or, as
is popular worldwide with these malware "exploit kits," lock up
their hard drives in exchange for Bitcoin ransom.
One researcher commented on Twitter that the situation was
"ironic" -- and while it's certainly another variant of
hackenfreude, ironic isn't exactly the word I'd use to describe
what happened.
Vindicating might be a better word, I think. Vindication for
those who insist that adblockers are not only beneficial, but
may well be necessary. Necessary because, as we stated before,
too much online advertising is garbage, whether that means the
ads just suck, or are downright security threats. Ad networks
have been a known vector for this type of malware, which can
attempt to infect machines with fake antivirus software or
compromise personal information from the infected machines. It's
important to understand that this is neither new nor is it some
small thing.
Less than a month ago, a bogus banner ad was found serving
malvertising to visitors of video site DailyMotion. After
discovering it, security company Malwarebytes contacted the
online ad platform the bad ad was coming through, Atomx. The
company blamed a "rogue" advertiser on the WWPromoter network.
It was estimated the adware broadcast through DailyMotion put
128 million people at risk. To be specific, it was from the
notorious malware family called "Angler Exploit Kit." Remember
this name, because I'm pretty sure we're going to be getting to
know it a whole lot better in 2016.
Last August, Angler struck MSN.com with -- you guessed it --
another drive-by malvertising campaign. It was the same campaign
that had infected Yahoo visitors back in July (an estimated 6.9
billion visits per month, it's considered the biggest
malvertising attack so far). October saw Angler targeting Daily
Mail visitors through poisoned ads as well (monthly ad
impressions 64.4 million). Only last month, Angler's malicious
ads hit visitors to Reader's Digest (210K readers; ad
impressions 1.7M). That attack sat unattended after being in the
press, and was fixed only after a week of public outcry.
Insisting that users turn off their adblockers in this ecosystem
is akin to refusing to allow people to tour the wing of a
hospital dedicated to combatting highly infectious disease if
they want to wear a bio-hazard suit. It makes no sense. "We
can't confirm that our ads are safe, but we insist you not block
them." Who actually wants to suggest that this stance makes
sense?
What should the websites do? The ad networks clearly don't have
a handle on this at all, giving us one more reason to use ad
blockers. They're practically the most popular malware delivery
systems on Earth, and they're making the websites they do
business with into the same poisonous monster. I don't even want
to think about what it all means for the security practices of
the ad companies handling our tracking data or the sites we
visit hosting these pathogens.
What should websites do? Well, how about they start treating
their ad inventory with at least a percentage of the care with
which they treat their content? After all, advertising is
content, as it is consumed by the reader/viewer, so why not at
least bother to make sure it's palatable? Or maybe start putting
in place stricter controls to weed out the malvertising and
adware? That too could be helpful.
Guess what's not anywhere on the list of things websites should
do, though. If you answered "Insist that customers open
themselves up to these security threats by demanding they turn
off adblockers," then you win. |