Forbes Asks Readers To Disable Adblock, Serves Up Malvertising

Deathlizard writes with a report at Engadget that when this year's "Forbes 30 Under 30" list came out , "it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information."

Welcome to why I run an adblocker

[Phydeaux314]

Seriously, this is why we run ad blockers, and why I stopped reading Forbes. They need revenue, and I don't trust them to vet their advertisements, so I get my news elsewhere.

Which is sad, because I like a lot of their articles.

Re: Welcome to why I run an adblocker

[ArmoredDragon]

Use anti-adblock killer. Anyways, I think this would be a good thing to start lawsuits over. That is, if Forbes serves you a ransomeware ad, hold them liable for the cost.

If the courts find Forbes not liable, then we need laws to make it happen.

Re:Welcome to why I run an adblocker

[Dutch+Gun]

For many years I used no-script instead of an ad-blocker, which almost amounted to the same thing, as the most obnoxious or dangerous ads rely on scripting. The difference is that the modern web utterly breaks without scripting, and it was just too much of a pain in the ass to try to figure out what to whitelist when sites are often pulling from many dozens of different domains for various javascript pieces, services, or what have you. So, I uninstalled no-script and installed ublock-origin instead, because nowadays, I figure most malware I'd see would be from ads.

We see from this that the ad networks still don't have malware under control, so I won't disable ad-blocking. That's essentially like asking me to disable my firewall or anti-virus to read an article - it will never happen, ever, unless I'm using a browser instead a disposable virtual machine image or something equally safe.

Until we get a mechanism to ensure that advertisers can't run arbitrary scripting, launch Flash or Java, or provide their own arbitrary content, I'll continue to block ads purely for safety reasons. Even static images or multimedia has proven to be dangerous, as the recent stagefright debacle on Android has shown. Honestly, most normal ads don't bother me all that much, and I'm aware they pay for a lot of content. But I'm not going to be lowering my shields to read your article, sorry. There's just too much malware out there today, and a lot of it is REALLY bad. My personal safety comes first.

(Re)?Dear Slashdot

[TeknoHog]

What's a redear?

Re:And with laws like the DMCA you can be sued for

[Mitreya]

you can be sued for telling other how to bypass the ad block block.

I wonder, can Forbes be sued for the damage that they have facilitated?
If users can demonstrate that infection came from them?

My brother

[rsilvergun]

is convinced the ads just got too annoying, but in my experience there's no amount of annoying in ads that makes Joe or Jane average run screaming from them. I'm guessing it's relatives sick of cleaning malware. I run some ads on my site to pay for bandwidth and what have you and I've stuck with plain Google ads even though other folks might pay more because I can't be bothered dealing with serving up malware to my users. Both AVGN & Penny-Arcade have seen their sites taken down by Malvertisements and now even Forbes?

Re:My brother

[SvnLyrBrto]

In my case, it really was the ads just getting too annoying. I never used to block ads when they were just a .gif banner at the top of the site, or a static image in the sidebar. Popups began the annoyance, and I blocked them but not ads in general for a while. I think it was X10 and their pop-under ads that provoked me into using a general ad blocker.

Re:Uh, no

[wierd_w]

It could be argued, that the "No, really, let us show you the ads, because it pays for the content" mechanism is a payment mechanism to view protected content. By circumventing that to get unpaid access to the content, you are engaging in circumvention of a rights management system, and thus fall victim.

That's the thing with DRM-- it can be extremely feeble-- it still counts when considering the DMCA.

It could be argued that reading the article without "paying" for it (with your advert exposure) is piracy, and that to prevent you from doing this, the anti-blocker script was introduced.

Still a load of bullshit-- The need to circumvent protections that are onerous and not in the public good (or that prevent authorized special exception use, such as via a library) is very important but given short shrift as far as the DMCA is concerned.

Hahahahahaha

[cfalcon]

Now stop linking to Forbes, slashdot. Archive.is if you need to. That website has been a steaming pile of shit since they started demanding what you think and see, of course they think nothing of demanding what your computer processes and does. They are tyrants, STOP LINKING FORBES

Stop linking to Forbes

[cfalcon]

I went ahead and went to the Forbes site (which it says I'm "still" using an adblocker, in the same sense that I'm "still" a carbon based life form), and then I went and grabbed one of the scripts that they serve on the main page in lieu of fucking content.

Here's a link: I originally put a TINY amount of it here, but it was SO shitty than even after cutting it down it would just ruin you.
view-source:http://i.forbesimg.com/welcomead/scripts/12662fd2.vendor.js

Just go read that script. It might make you cry.

blah blah blah just megabytes of this shitscript to push through an article that maxes out at a kilobyte. It's fucking ludicrous.

And that's without all the ads (which are meant to own your head, and of course maliciously own your computer, and DO YOU THINK THEY ARE LIABLE FOR SERVING ADS THAT TURN YOUR MACHINE INTO A RUSSIAN SERVER?)

Stop. Linking. Forbes.

It's a pile of shit website. If you must, EACH link should go through archive/is or some other service to neuter the malware and bullshit. Stop enabling these fucks. If you need to serve megabytes of malware and bullshit just to put text on the screen, drink bleach kthx

Fuck Forbes

[jason8]

Fuck Forbes, they supported SCO back in the mid-00s and portrayed Linux users and supporters as a bunch of communists. Forbes gets filtered by my mental adblock way before it gets loaded by my browser.

Re:Fuck off, Forbes

[Darinbob]

The most ridiculous ones are showing up on youtube. I have twice seen non-skippable ads show before videos tha are movie previews. As in, have to watch the ads before you can see the ads.

Re:Uh, no

[tepples]

Then encrypt the article with a key derived from the hash of the ad.

Way out of control. Far worse than people say.

[Futurepower(R)]

My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
https://securebanking.ally.com/#/accounts/summary

The Ally Bank URL contains the words "secure banking"!

Here are the trackers:
Advertising.com
Google DoubleClick Floodlight
Google DoubleClick Spotlight
Google Dynamic Remarketing
MediaMath Advertising
Omniture (Adobe Analytics)
Qualtrics
RUN (https://match.rundsp.com/)

There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

Re:They Made Mozilla Their Bitch For a Reason

[aix+tom]

Funny anecdote:

One site I frequent now and then shows short ads before the clips (with a timer how long the ad takes). So I usually open the tab, look how long it takes, then go on to another tab to do something else in the meantime. Works great. Only ONE time I got back to the page, see the last few seconds of the add, think "this looks interesting, what was that?" Of course they not only restricted fast forward during the ad, they also restricted rewind. So they themselves prevented me from watching the ad. Well. Serves them right. ;-)

Re:Uh, no

[dissy]

It could also be argued, much more concisely in fact, that the advertisers are guilty of violating the Computer Abuse and Fraud Act, one count accessing a computer system without authorization, multiple counts accessing computer networks without authorization, plus the multiple counts of fraud and counterfeiting their malware performs on their behalf.

I'm OK with a DMCA violation that is a $150,000 fine (max penalty) so long as these people get their 60 years in prison (max sentence) as well.

Re:And with laws like the DMCA you can be sued for

[Opportunist]

By that silly law it's even illegal to keep the malware from infecting you.

That law is seriously broken. It's like making it illegal to keep a burglar from entering your house.

Change useragent to Googlebot to read Forbes w/ AB

[cshay]

They are of course reliant on Google page rank so the Googlebot gets special treatment.

Re:Uh, no

[dissy]

Don't you by very nature of the HTTP protocol need to ASK for this content? I know this is splitting hairs but I can't imagine that your reasoning would fly.

That's the entire point.
I asked for an image. Not executable code, not an image with executable code, but an image.
(Note I made no complaint about getting that image I asked for)

Say you ask me to send you money. Are you arguing you have no right to complain about the anthrax in the envelope so long as I actually did include money along with it too?