Slashdot Mirror


Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com)

Deathlizard writes with a report at Engadget that when this year's "Forbes 30 Under 30" list came out, "it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information."

20 of 406 comments

  1. Welcome to why I run an adblocker by Phydeaux314 · · Score: 5, Interesting

    Seriously, this is why we run ad blockers, and why I stopped reading Forbes. They need revenue, and I don't trust them to vet their advertisements, so I get my news elsewhere.

    Which is sad, because I like a lot of their articles.

    --
    Never underestimate the stupidity inherent in all human beings.
    1. Re:Welcome to why I run an adblocker by Dutch+Gun · · Score: 5, Interesting

      For many years I used no-script instead of an ad-blocker, which almost amounted to the same thing, as the most obnoxious or dangerous ads rely on scripting. The difference is that the modern web utterly breaks without scripting, and it was just too much of a pain in the ass to try to figure out what to whitelist when sites are often pulling from many dozens of different domains for various javascript pieces, services, or what have you. So, I uninstalled no-script and installed ublock-origin instead, because nowadays, I figure most malware I'd see would be from ads.

      We see from this that the ad networks still don't have malware under control, so I won't disable ad-blocking. That's essentially like asking me to disable my firewall or anti-virus to read an article - it will never happen, ever, unless I'm using a browser inside a disposable virtual machine image or something equally safe.

      Until we get a mechanism to ensure that advertisers can't run arbitrary scripting, launch Flash or Java, or provide their own arbitrary content, I'll continue to block ads purely for safety reasons. Even static images or multimedia have proven to be dangerous, as the recent Stagefright debacle on Android has shown. Honestly, most normal ads don't bother me all that much, and I'm aware they pay for a lot of content. But I'm not going to be lowering my shields to read your article, sorry. There's just too much malware out there today, and a lot of it is REALLY bad. My personal safety comes first.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. we all get what most of us deserve by Anonymous Coward · · Score: 5, Insightful

    There was a time before advertising infested the internet. Then the first ads started to appear, and many of us warned, "If you support those sites, soon the whole place is going to go to shit. The internet will turn into a clusterfuck of excessive commercialization, fake reviews, astroturfing, and meaningless click-bait content designed to sell eyeballs to advertisers". But did people listen? No, because there were dancing monkeys.

    When javascript-infested sites first started appearing, many of us warned, "Are you people fucking insane? Giving random sites the ability to run imperfectly sandboxed code on your computer is going to be a disaster. It'll result in horrifically annoying behavior like pop-unders, unclosable windows, auto-playing audio, and most likely malware. It'll result in behavioral tracking on a scale you can't imagine. It'll result in wholesale transfer of control away from the owner of each computer, to ad companies. Is that what you fools WANT?"

    But did people listen? No. Like mice hooked on opiates they pushed the lever again and again for the next hit, without considering the long term ramifications, until it's become hard for most people to use the web without javascript, because we let it become so ubiquitous that nothing fucking works without it. We were too stupid to say "no" when the camel's nose first entered the tent. Now, here's the camel!

    The same WILL happen with sites that refuse to serve content if you block ads. A few of us see where that road goes and will say "no thanks", but most of us are far too stupid. The end result will be a web completely unusable if you don't want to let the ad-men control your computer. The end result is TV 2.0, rather than what the internet used to be: a democratic medium where everyone had a voice. It's a wholesale transfer of control from everyone, to a few.

    We all get what most of us deserve. Unfortunately, most of us are drooling mouth-breathers.

  3. Fuck off, Forbes by blind+biker · · Score: 5, Informative

    I've rarely seen a website so encumbered with shit, like Forbes'. Not only should one not stop using ad-blockers when visiting them, one should simply never visit Forbes at all. Add it to the list of blocked sites.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:Fuck off, Forbes by Darinbob · · Score: 5, Interesting

      The most ridiculous ones are showing up on youtube. I have twice seen non-skippable ads show before videos that are movie previews. As in, have to watch the ads before you can see the ads.

  4. Re:Uh, no by wierd_w · · Score: 5, Interesting

    It could be argued, that the "No, really, let us show you the ads, because it pays for the content" mechanism is a payment mechanism to view protected content. By circumventing that to get unpaid access to the content, you are engaging in circumvention of a rights management system, and thus fall victim.

    That's the thing with DRM-- it can be extremely feeble-- it still counts when considering the DMCA.

    It could be argued that reading the article without "paying" for it (with your advert exposure) is piracy, and that to prevent you from doing this, the anti-blocker script was introduced.

    Still a load of bullshit-- The need to circumvent protections that are onerous and not in the public good (or that prevent authorized special exception use, such as via a library) is very important but given short shrift as far as the DMCA is concerned.

  5. Slashdot by jeremyp · · Score: 5, Insightful

    Adblock plus is telling me it's blocked 13 ads on this page and that's with the excellent karma opt-out.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  6. They Made Mozilla Their Bitch For a Reason by Kunedog · · Score: 5, Informative

    Note that browser makers Google, Microsoft, and Apple have continually pushed for DRM to become part of web standards.

    And that they obtained considerable financial influence over the browser maker thought most likely to resist (Mozilla).

    And that Mozilla gave in on DRM and continues to make inexplicable blunders and lose market share.

    After such a relentless campaign to ensure all available browsers contain DRM, I wouldn't be at all surprised to see DRM used to protect ads, particularly in video. Stopping you from reading/recording a video stream necessarily stops you from altering it.

    Damn, am I ever so happy (as always) that the proven tech leader was ousted as Mozilla's CEO in favor of the former head of marketing.

    1. Re:They Made Mozilla Their Bitch For a Reason by aix+tom · · Score: 5, Interesting

      Funny anecdote:

      One site I frequent now and then shows short ads before the clips (with a timer how long the ad takes). So I usually open the tab, look how long it takes, then go on to another tab to do something else in the meantime. Works great. Only ONE time I got back to the page, see the last few seconds of the ad, think "this looks interesting, what was that?" Of course they not only restricted fast forward during the ad, they also restricted rewind. So they themselves prevented me from watching the ad. Well. Serves them right. ;-)

  7. Your content is not worth it. by amberdalan · · Score: 5, Insightful

    Whenever I encounter a page that requires me to turn off adblock: I close the site.

  8. Stop linking to Forbes by cfalcon · · Score: 5, Interesting

    I went ahead and went to the Forbes site (which it says I'm "still" using an adblocker, in the same sense that I'm "still" a carbon based life form), and then I went and grabbed one of the scripts that they serve on the main page in lieu of fucking content.

    Here's a link: I originally put a TINY amount of it here, but it was SO shitty that even after cutting it down it would just ruin you.
    view-source:http://i.forbesimg.com/welcomead/scripts/12662fd2.vendor.js

    Just go read that script. It might make you cry.

    blah blah blah just megabytes of this shitscript to push through an article that maxes out at a kilobyte. It's fucking ludicrous.

    And that's without all the ads (which are meant to own your head, and of course maliciously own your computer, and DO YOU THINK THEY ARE LIABLE FOR SERVING ADS THAT TURN YOUR MACHINE INTO A RUSSIAN SERVER?)

    Stop. Linking. Forbes.

    It's a pile of shit website. If you must, EACH link should go through archive/is or some other service to neuter the malware and bullshit. Stop enabling these fucks. If you need to serve megabytes of malware and bullshit just to put text on the screen, drink bleach kthx

  9. Fuck Forbes by jason8 · · Score: 5, Interesting

    Fuck Forbes, they supported SCO back in the mid-00s and portrayed Linux users and supporters as a bunch of communists. Forbes gets filtered by my mental adblock way before it gets loaded by my browser.

  10. Re:Content from one domain by Anonymous Coward · · Score: 5, Insightful

    If web sites allow advertisers to run scripts from the main domain, then these ad scripts will get access to everything, login cookies and all.

    Web sites allow advertisers to run scripts from the main domain. Advertisers don't want to.
    The reason is that advertisers don't trust the content providers. They need the end user to connect to the advertiser directly to verify that there is a legit access and not just the content provider trying to fake accesses.

    When a content provider asks you to trust them and disable ad-block, remember that there is no trust between the advertiser and the content provider.

  11. Re:Try uBlock by cfalcon · · Score: 5, Insightful

    > People who scream that they should be able to use ad blockers because they don't want to see ads sound like self-entitled jerks.

    I don't give a fuck what name you call me, I'm not watching your fucking ads. Go to hell.

  12. Re:Try uBlock by epyT-R · · Score: 5, Insightful

    No one is obligated to prop up your artificial scarcity dependent business model. Your rights end where others' systems begin. If you don't like it, put your site behind a paywall and find out what it's really worth to most people.

  13. Primed? Likely? by retchdog · · Score: 5, Informative

    Interesting claims. Visitors were "immediately served with pop-under malware", although there is only one citation given, which is a link to a picture (presumably a screenshot) on @bbaskin's private Twitter account, which can only be seen by a "confirmed follower". Uh, okay. Nonetheless, this malware was "primed" to infect their computers and "likely" to do a lot of horrible stuff. Having run out of conjectures (let alone facts) about Forbes by the third paragraph, the rest of the article is padded out by a list of past incidents involving DailyMotion and MSN, followed by some bloviating which even Bennett Haselton might be ashamed of.

    I'm totally sure that this isn't just attention-whoring from a litigious sex columnist who, after publishing The Adventurous Couple's Guide to Strap-On Sex and her second edition of The Ultimate Guide to Cunnilingus, apparently ran out of ideas and re-styled herself a computer security journalist.

    Yes, I know malware is served through advertising, but this article is about a specific claim of Forbes being used as an injection vector with literally nothing backing it up. Also, let me note that there's nothing wrong with being a sex columnist. I just don't think that automatically means you should write about computer security.

    --
    "They were pure niggers." – Noam Chomsky
  14. Way out of control. Far worse than people say. by Futurepower(R) · · Score: 5, Interesting

    My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

    It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
    https://securebanking.ally.com/#/accounts/summary

    The Ally Bank URL contains the words "secure banking"!

    Here are the trackers:
    Advertising.com
    Google DoubleClick Floodlight
    Google DoubleClick Spotlight
    Google Dynamic Remarketing
    MediaMath Advertising
    Omniture (Adobe Analytics)
    Qualtrics
    RUN (https://match.rundsp.com/)

    There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

  15. Re:Uh, no by dissy · · Score: 5, Interesting

    It could also be argued, much more concisely in fact, that the advertisers are guilty of violating the Computer Abuse and Fraud Act, one count accessing a computer system without authorization, multiple counts accessing computer networks without authorization, plus the multiple counts of fraud and counterfeiting their malware performs on their behalf.

    I'm OK with a DMCA violation that is a $150,000 fine (max penalty) so long as these people get their 60 years in prison (max sentence) as well.

  16. Re:And with laws like the DMCA you can be sued for by Anonymous Coward · · Score: 5, Informative

    It's US Criminal Code, Section 2701. This law is closely tied to the European Directive 2001/29/EC. Please review it, not with the understanding of a reasonable person, but with the approach of a lawyer for whom the details of the law are critical, and their client's interests paramount over reason.

  17. Re:Uh, no by dissy · · Score: 5, Interesting

    > Don't you by very nature of the HTTP protocol need to ASK for this content? I know this is splitting hairs but I can't imagine that your reasoning would fly.

    That's the entire point.
    I asked for an image. Not executable code, not an image with executable code, but an image.
    (Note I made no complaint about getting that image I asked for)

    Say you ask me to send you money. Are you arguing you have no right to complain about the anthrax in the envelope so long as I actually did include money along with it too?