Forbes Asks Readers To Disable Adblock, Serves Up Malvertising

Deathlizard writes with a report at Engadget that when this year's "Forbes 30 Under 30" list came out , "it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information."

Welcome to why I run an adblocker

[Phydeaux314]

Seriously, this is why we run ad blockers, and why I stopped reading Forbes. They need revenue, and I don't trust them to vet their advertisements, so I get my news elsewhere.

Which is sad, because I like a lot of their articles.

Re: Welcome to why I run an adblocker

[ArmoredDragon]

Use anti-adblock killer. Anyways, I think this would be a good thing to start lawsuits over. That is, if Forbes serves you a ransomeware ad, hold them liable for the cost.

If the courts find Forbes not liable, then we need laws to make it happen.

Re:Welcome to why I run an adblocker

[Dutch+Gun]

For many years I used no-script instead of an ad-blocker, which almost amounted to the same thing, as the most obnoxious or dangerous ads rely on scripting. The difference is that the modern web utterly breaks without scripting, and it was just too much of a pain in the ass to try to figure out what to whitelist when sites are often pulling from many dozens of different domains for various javascript pieces, services, or what have you. So, I uninstalled no-script and installed ublock-origin instead, because nowadays, I figure most malware I'd see would be from ads.

We see from this that the ad networks still don't have malware under control, so I won't disable ad-blocking. That's essentially like asking me to disable my firewall or anti-virus to read an article - it will never happen, ever, unless I'm using a browser instead a disposable virtual machine image or something equally safe.

Until we get a mechanism to ensure that advertisers can't run arbitrary scripting, launch Flash or Java, or provide their own arbitrary content, I'll continue to block ads purely for safety reasons. Even static images or multimedia has proven to be dangerous, as the recent stagefright debacle on Android has shown. Honestly, most normal ads don't bother me all that much, and I'm aware they pay for a lot of content. But I'm not going to be lowering my shields to read your article, sorry. There's just too much malware out there today, and a lot of it is REALLY bad. My personal safety comes first.

Uh, no

[rsilvergun]

I hate the DMCA as much as the next guy but there's no DRM involved in blocking ads. Now, if you told people how to get around a paywall (even a trivial one) then you'd have a point.

Re:Uh, no

[wierd_w]

It could be argued, that the "No, really, let us show you the ads, because it pays for the content" mechanism is a payment mechanism to view protected content. By circumventing that to get unpaid access to the content, you are engaging in circumvention of a rights management system, and thus fall victim.

That's the thing with DRM-- it can be extremely feeble-- it still counts when considering the DMCA.

It could be argued that reading the article without "paying" for it (with your advert exposure) is piracy, and that to prevent you from doing this, the anti-blocker script was introduced.

Still a load of bullshit-- The need to circumvent protections that are onerous and not in the public good (or that prevent authorized special exception use, such as via a library) is very important but given short shrift as far as the DMCA is concerned.

Re:Uh, no

[tepples]

Then encrypt the article with a key derived from the hash of the ad.

Re:Uh, no

[dissy]

It could also be argued, much more concisely in fact, that the advertisers are guilty of violating the Computer Abuse and Fraud Act, one count accessing a computer system without authorization, multiple counts accessing computer networks without authorization, plus the multiple counts of fraud and counterfeiting their malware performs on their behalf.

I'm OK with a DMCA violation that is a $150,000 fine (max penalty) so long as these people get their 60 years in prison (max sentence) as well.

Re:Uh, no

[dissy]

Don't you by very nature of the HTTP protocol need to ASK for this content? I know this is splitting hairs but I can't imagine that your reasoning would fly.

That's the entire point.
I asked for an image. Not executable code, not an image with executable code, but an image.
(Note I made no complaint about getting that image I asked for)

Say you ask me to send you money. Are you arguing you have no right to complain about the anthrax in the envelope so long as I actually did include money along with it too?

Re:Uh, no

[Intron]

The problem is that Forbes doesn't know who the advertisers are. They sell ad space to a company which in turn sells some number of hits to many different advertisers, mostly through automated means. Some malware distributor buys some hits with a stolen credit card number, uploads the malware and neither Forbes nor their ad service has any way to track down the source. IP will turn out to be a Starbucks or Internet cafe.

Re:And with laws like the DMCA you can be sued for

[Mitreya]

you can be sued for telling other how to bypass the ad block block.

I wonder, can Forbes be sued for the damage that they have facilitated?
If users can demonstrate that infection came from them?

Content from one domain

[DogDude]

I'll accept content from the domain that's in my address bar, and that's it. If somebody wants to show me ads, it's going to have to be from their own domain.

Re:Content from one domain

If web sites allow advertisers to run scripts from the main domain, then these ad scripts will get access to everything, login cookies and all.

Web sites allow advertisers to run scripts from the main domain. Advertisers doesn't want to.
The reason is that advertisers doesn't trust the content providers. They need the end user to connect to the advertiser directly to verify that there is a legit access and not just the content provider trying to fake accesses.

When a content provider asks you to trust them and disable ad-block, remember that there is no trust between the advertiser and the content provider.

we all get what most of us deserve

There was a time before advertising infested the internet. Then the first ads started to appear, and many of us warned, "If you support those sites, soon the whole place is going to go to shit. The internet will turn into a clusterfuck of excessive commercialization, fake reviews, astroturfing, and meaningless click-bait content designed to sell eyeballs to advertisers". But did people listen? No, because there were dancing monkeys.

When javascript-infested sites first started appearing, many of us warned, "Are you people fucking insane? Giving random sites the ability to run imperfectly sandboxed code on your computer is going to be a disaster. It'll result in horrifically annoying behavior like pop-unders, unclosable windows, auto-playing audio, and most likely malware. It'll result in behavioral tracking on a scale you can't imagine. It'll result in wholesale transfer of control away from the owner of each computer, to ad companies. Is that what you fools WANT?"

But did people listen? No. Like mice hooked on opiates they pushed the lever and and again for the next hit, without considering the long term ramifications, until it's become hard for most people to use the web without javascript, because we let it become so ubiquitous that nothing fucking works without it. We were too stupid to say "no" when the camel's nose first entered the tent. Now, here's the camel!

The same WILL happen with sites that refuse to serve content if you block ads. A few of us see where that road goes and will say "no thanks", but most of us are far too stupid. The end result will be a web completely unusable if you don't want to let the ad-men control your computer. The end result is TV 2.0, rather than what the internet used to be: a democratic medium where everyone had a voice. It's a wholesale transfer of control from everyone, to a few.

We all get what most of us deserve. Unfortunately, most of us are drooling mouth-breathers.

Re:we all get what most of us deserve

[umafuckit]

You present it as though there were a choice. As internet access spread beyond a small number of geeks (and people started to buy stuff via the internet) then adverts began to appear in earnest and what you describe is more less inevitable. Telling people (at least the non-tech "general public") not to use sites that have advertising is akin to telling them not use the web at all. When a platform becomes as widely used and powerful as the web then it inevitably becomes of interest to the rich and powerful who wish to control it. This is what is happening to the web and it will continue to happen. That's not "our" fault, it's just how things are.

I think the internet will remain a medium for making your voice heard--anyone can start a website, for instance--but we will increasingly give up control to use it. This has been happening continuously. e.g. who bothers to make a website to put up family photos and so forth for their relatives? Nobody really. It's all on the Facebook private sub-internet.

Fuck off, Forbes

[blind+biker]

I've rarely seen a website so encumbered with shit, like Forbes'. Not only should one not stop using ad-blockers when visiting them, one should simply never visit Forbes at all. Add it to the list of blocked sites.

Re:Fuck off, Forbes

[Darinbob]

The most ridiculous ones are showing up on youtube. I have twice seen non-skippable ads show before videos tha are movie previews. As in, have to watch the ads before you can see the ads.

Re:And that's why...

[Deadstick]

because it's a big and trusted name

And trying hard to rectify that...

Slashdot

[jeremyp]

Adblock plus is telling me it's blocked 13 ads on this page and that's with the excellent karma opt-out.

They Made Mozilla Their Bitch For a Reason

[Kunedog]

Note that browser makers Google, Microsoft, and Apple have continually pushed for DRM to become part of web standards.

And that they obtained considerable financial influence over the browser maker thought most likely to resist (Mozilla).

And that Mozilla gave in on DRM and continues to make inexpicable blunders and lose market share.

After such a relentless campaign to ensure all available browsers contain DRM, I wouldn't be at all surprised to see DRM used to protect ads, particularly in video. Stopping you from reading/recording a video stream necessarily stops you from altering it.

Damn, am I ever so happy (as always) that the proven tech leader was ousted as Mozilla's CEO in favor of the former head of marketing.

Re:They Made Mozilla Their Bitch For a Reason

[aix+tom]

Funny anecdote:

One site I frequent now and then shows short ads before the clips (with a timer how long the ad takes). So I usually open the tab, look how long it takes, then go on to another tab to do something else in the meantime. Works great. Only ONE time I got back to the page, see the last few seconds of the add, think "this looks interesting, what was that?" Of course they not only restricted fast forward during the ad, they also restricted rewind. So they themselves prevented me from watching the ad. Well. Serves them right. ;-)

Re:They Made Mozilla Their Bitch For a Reason

[mridoni]

The faggots, of course, think it was all about "homophobia".

I wonder how they got that idea.

Your content is not worth it.

[amberdalan]

Whenever I encounter a page that requires me to turn off adblock: I close the site.

Stop linking to Forbes

[cfalcon]

I went ahead and went to the Forbes site (which it says I'm "still" using an adblocker, in the same sense that I'm "still" a carbon based life form), and then I went and grabbed one of the scripts that they serve on the main page in lieu of fucking content.

Here's a link: I originally put a TINY amount of it here, but it was SO shitty than even after cutting it down it would just ruin you.
view-source:http://i.forbesimg.com/welcomead/scripts/12662fd2.vendor.js

Just go read that script. It might make you cry.

blah blah blah just megabytes of this shitscript to push through an article that maxes out at a kilobyte. It's fucking ludicrous.

And that's without all the ads (which are meant to own your head, and of course maliciously own your computer, and DO YOU THINK THEY ARE LIABLE FOR SERVING ADS THAT TURN YOUR MACHINE INTO A RUSSIAN SERVER?)

Stop. Linking. Forbes.

It's a pile of shit website. If you must, EACH link should go through archive/is or some other service to neuter the malware and bullshit. Stop enabling these fucks. If you need to serve megabytes of malware and bullshit just to put text on the screen, drink bleach kthx

Fuck Forbes

[jason8]

Fuck Forbes, they supported SCO back in the mid-00s and portrayed Linux users and supporters as a bunch of communists. Forbes gets filtered by my mental adblock way before it gets loaded by my browser.

Re:Try uBlock

[cfalcon]

> People who scream that they should be able to use ad blockers because they don't want to see ads sound like self-entitled jerks.

I don't give a fuck what name you call me, I'm not watching your fucking ads. Go to hell.

Re:Try uBlock

[epyT-R]

No one is obligated to prop up your artificial scarcity dependent business model. Your rights end where others' systems begin. If you don't like it, put your site behind a paywall and find out what it's really worth to most people.

Primed? Likely?

[retchdog]

Interesting claims. Visitors were "immediately served with pop-under malware", although there is only one citation given, which is a link to a picture (presumably a screenshot) on @bbaskin's private Twitter account, which can only be seen by a "confirmed follower". Uh, okay. Nonetheless, this malware was "primed" to infect their computers and "likely" to do a lot of horrible stuff. Having run out of conjectures (let alone facts) about Forbes by the third paragraph, the rest of the article is padded out by a list of past incidents involving DailyMotion and MSN, followed by some bloviating which even Bennett Haselton might be ashamed of.

I'm totally sure that this isn't just attention-whoring from a litigious sex columnist who, after publishing The Adventurous Couple's Guide to Strap-On Sex and her second edition of The Ultimate Guide to Cunnilingus, apparently ran out of ideas and re-styled herself a computer security journalist.

Yes, I know malware is served through advertising, but this article is about a specific claim of Forbes being used as an injection vector with literally nothing backing it up. Also, let me note that there's nothing wrong with being a sex columnist. I just don't think that automatically means you should write about computer security.

Re:What isn't broken?

[cfalcon]

> Then what means of deploying an application across platforms isn't fundamentally broken?

The part where you deploy an application. That part is broken.

Did you follow the link to your spreadsheet? Or was it to a news article? There's an application you have for "display a news article". It's a browser running HTML with no scripting enabled. That displays text just fine- it's the only fucking purpose.

The reason scripts are FUNDAMENTALLY broken is that they are code. The fact that they are code that is treated by browsers as if they are just part of the browsing experience is ludicrous. If you want to use like Google Docs, that's a pretty good time to need code, so if you click through some script-enable dialogs, or honestly even a UAC in Windows for that, that could be reasonable. If the majority of browsers in the world just download and execute code, you are asking for exactly the security shitstorm we constantly and ceaselessly see. Running javascript is AS RISKY as running raw opcodes, because at any given day since Javascript's release, there's been multiple exploits to turn the javascript straight into those opcodes. The fact that the world is full of fools who think you need a webapp to display a news story is hideous.

Re:My brother

[SvnLyrBrto]

In my case, it really was the ads just getting too annoying. I never used to block ads when they were just a .gif banner at the top of the site, or a static image in the sidebar. Popups began the annoyance, and I blocked them but not ads in general for a while. I think it was X10 and their pop-under ads that provoked me into using a general ad blocker.

Way out of control. Far worse than people say.

[Futurepower(R)]

My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
https://securebanking.ally.com/#/accounts/summary

The Ally Bank URL contains the words "secure banking"!

Here are the trackers:
Advertising.com
Google DoubleClick Floodlight
Google DoubleClick Spotlight
Google Dynamic Remarketing
MediaMath Advertising
Omniture (Adobe Analytics)
Qualtrics
RUN (https://match.rundsp.com/)

There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

Re:And with laws like the DMCA you can be sued for

It's US Criminal Code, Section 2701. This law is closely tied to the European Directive 2001/29/EC. Please review it, not with the understanding of a reasonable person, but with the approach of a lawyer for whom the details of the law is critical, and their client's interests paramount over reason.

Re:And with laws like the DMCA you can be sued for

[Altanar]

Here's law verbatim

(a)Offense.—Except as provided in subsection (c) of this section whoever—

• (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
• (2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

In other words, if something is preventing you from accessing content, bypassing it is a violation. Blocking ads itself isn't a violation, but blocking something that hides content unless you turn off ad blocking is.

Re:And with laws like the DMCA you can be sued for

[Opportunist]

By that silly law it's even illegal to keep the malware from infecting you.

That law is seriously broken. It's like making it illegal to keep a burglar from entering your house.