Ad blockers are in the news right now following the release of iOS 9 which incorporates a simple way for iPhone and iPad users to block adverts as they surf the web using Safari.
Some online media outlets are – quite reasonably – disturbed about the rising popularity of ad blocking, as it could impact their attempts to generate revenue.
Well, if a new report from security firm FireEye is to be believed, Forbes hasn’t done itself and other ad-loving news sites any favours by serving up malicious adverts for a week between September 8 – 15th, redirecting users to webpages hosting the nasty Neutrino and Angler exploit kits.
The attacks attempt to exploit a series of vulnerabilities, including security holes in Adobe Flash.
According to the report, the malicious attacks were only triggered on a handful of Forbes articles – rather than every page – which is a blessing for the site’s many visitors. Of course, if the attacks had occurred on each and every page chances are that someone would have noticed sooner, so it’s horses for courses…
FireEye says that it has worked with Forbes and the third-party advertising networks the site uses to eradicate the malicious ads.
From the sound of things, the malicious ads managed to pollute the stream via the attackers abusing Real-Time Bidding to ensure that their ads were displayed on the high profile site:
“Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding – attackers can selectively target where the malicious content gets displayed.”
“When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.”
I feel sorry for advertising networks who police their ads properly, and those businesses who rely heavily upon online advertising revenue to keep themselves afloat, but such is the risk of malvertising and tracking that I simply wouldn’t surf the web without having an ad blocker installed.
If ads could be trusted not to infect users’ computers, not to track their surfing behaviour across the web, and not to offend their eyesight with cheap, tacky ads and tactics, then a lot more people would feel happy about allowing ads while they surf.
Full details of the attack can be found in FireEye’s blog post.
By the way, this isn’t the first time that Forbes has had a malware problem on its website.