Some online media outlets are – quite reasonably – disturbed about the rising popularity of ad blocking, as it could impact their attempts to generate revenue.
Well, if a new report from security firm FireEye is to be believed, Forbes hasn’t done itself and other ad-loving news sites any favours by serving up malicious adverts for a week between September 8 – 15th, redirecting users to webpages hosting the nasty Neutrino and Angler exploit kits.
The attacks attempt to exploit a series of vulnerabilities, including security holes in Adobe Flash.
According to the report, the malicious attacks were only triggered on a handful of Forbes articles – rather than every page – which is a blessing for the site’s many visitors. Of course, if the attacks had occurred on each and every page chances are that someone would have noticed sooner, so it’s horses for courses…
FireEye says that it has worked with Forbes and the third-party advertising networks the site uses to eradicate the malicious ads.
From the sound of things, the malicious ads managed to pollute the stream via the attackers abusing Real-Time Bidding to ensure that their ads were displayed on the high profile site:
“Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding – attackers can selectively target where the malicious content gets displayed.”
“When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.”
I feel sorry for advertising networks who police their ads properly, and those businesses who rely heavily upon online advertising revenue to keep themselves afloat, but such is the risk of malvertising and tracking that I simply wouldn’t surf the web without having an ad blocker installed.
If ads could be trusted not to infect users’ computers, not to track their surfing behaviour across the web, and not to offend their eyesight with cheap, tacky ads and tactics, then a lot more people would feel happy about allowing ads while they surf.
Full details of the attack can be found in FireEye’s blog post.
By the way, this isn’t the first time that Forbes has had a malware problem on its website.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
They also take up a lot of resources (besides network) – some more than others but resource consumption is a burden nonetheless. I personally don't feel sorry for them when they have things like video (with or without sound), audio, other flashy things (including through flash) and other resource hogs. Then there is security with things like clickjacking, XSS and the many other problems websites are plagued by (sometimes because they were compromised but then they should be more careful in the future – and other times out of carelessness). This is entirely their fault and so if they have a problem with it they should fix what they created rather than whine about it. But I don't see that happening because they would rather play innocent victim.