You say advertising, I say block that malware

Forbes asked readers to turn off ad blockers then immediately served them pop-under malware.

The real reason online advertising is doomed and adblockers thrive? Its malware epidemic is unacknowledged, and out of control.

The Forbes 30 Under 30 list came out this week and it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list.

On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information. Or, as is popular worldwide with these malware "exploit kits," lock up their hard drives in exchange for Bitcoin ransom.

One researcher commented on Twitter that the situation was "ironic" -- and while it's certainly another variant of hackenfreude, ironic isn't exactly the word I'd use to describe what happened.

That's because this situation spotlights what happened in 2015 to billions -- yep, billions -- of people who were victims of virus-infected ads which were spread via ad networks like germs from a sneeze across the world's most popular websites.

Less than a month ago, a bogus banner ad was found serving malvertising to visitors of video site DailyMotion. After discovering it, security company Malwarebytes contacted the online ad platform the bad ad was coming through, Atomx. The company blamed a "rogue" advertiser on the WWPromoter network.

It was estimated the adware broadcast through DailyMotion put 128 million people at risk. To be specific, it was from the notorious malware family called "Angler Exploit Kit." Remember this name, because I'm pretty sure we're going to be getting to know it a whole lot better in 2016.

Last August, Angler struck MSN.com with -- you guessed it -- another drive-by malvertising campaign. It was the same campaign that had infected Yahoo visitors back in July (an estimated 6.9 billion visits per month; it's considered the biggest malvertising attack so far).

October saw Angler targeting Daily Mail visitors through poisoned ads as well (monthly ad impressions 64.4 million). Only last month, Angler's malicious ads hit visitors to Reader's Digest (210K readers; ad impressions 1.7M). That attack sat unattended after being in the press, and was fixed only after a week of public outcry.

It's crazy to consider what a perfect marriage this is, between the advertisers and the criminals pushing the exploit kits. They have a lot in common.

Both try to trick us into giving them something we don't want to. We've recently learned that both entities surveil and track us beyond what we're OK with. And both are hard to get rid of. You know, like those gross toenail and skin condition ad-banners found at the bottom of every cheapo blog you've ever seen, forever burned into the "can't unsee" section of your brain.

It actually makes business sense to think about malware attacks like an advertiser. You want to deliver your infection to, and scrape those dollars from, every little reader out there. You need a targeted delivery system, with the widest distribution, and as many clueless middlemen as possible.

It's easy to want to blame Reader's Digest, or Yahoo, or Forbes, or Daily Mail, or any of these sites for screwing viewers by serving them malicious ads and not telling them, or not helping them with the cleanup afterward. And it's a hell of a lot easier when they've compelled us to turn off our ad blockers to simply see what brought us to their site.

But the problem is coming through them, from the ad networks themselves. The same ones, it should be mentioned, who control the Faustian bargains made by bartering and selling our information.

What should the websites do? The ad networks clearly don't have a handle on this at all, giving us one more reason to use ad blockers. They're practically the most popular malware delivery systems on Earth, and they're making the websites they do business with into the same poisonous monster. I don't even want to think about what it all means for the security practices of the ad companies handling our tracking data or the sites we visit hosting these pathogens.

So, to my friend on the Forbes 30 Under 30 list -- a malware researcher, which I'll concede is actually ironic -- I'm sorry I won't be seeing your time in that particular spotlight. What we need is a word for the fact that ad blockers have become our first line of defense against a malware epidemic. Especially during a time when the sites we visit are begging, pleading, demanding and practically tricking us into turning off Adblock Plus.

[Image credit: Getty Images]
