For the past few weeks, Forbes.com has been forcing visitors to disable ad blockers if they want to read its content. Visitors to the site with Adblock or uBlock enabled are told they must disable it if they wish to see any Forbes content. Thanks to Forbes’ interstitial ad and quote of the day, Google caching doesn’t capture data properly, either.

What sets Forbes apart, in this case, is that it didn’t just force visitors to disable ad blocking — it actively served them malware as soon as they did. Details were captured by security researcher Brian Baskin, who screenshotted the process:



Advertising malware has existed for years, but recent reports show that it’s happening far more often than it used to. A report released by Cyphort earlier this year claimed that online advertising infection rates had increased 325% from 2014 to 2015 as more malware authors began tapping into the market. There are multiple ways that malicious advertising can masquerade to ad networks as legitimate, including:

Enabling the malicious payload only several days after the ad is approved

Serving the exploits only to every 10th or every 20th user who views the ad

Using SSL redirectors in the malvertising chain

Verifying user agents and IP addresses

The reason this can happen, even on legitimate websites like Forbes (which is far from the only company impacted by this kind of event), is that users don’t need to actually click on an ad to be infected. Many websites contract with third-party ad networks to provide advertising content. Those ad networks sign agreements with advertising clients, but they don’t actually serve the ads themselves. The ads are delivered by a server designated by the advertiser. There are multiple ways that malicious advertising, or “malvertising,” can be slipped into service without the direct approval of either the ad network or the site serving the content. In 2015, some malicious sites began serving ads over HTTPS, making it much more difficult to identify their source or deconstruct the attack.
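An added example, not from the original article or from any ad network's tooling: each of the evasion techniques listed above leaves a different inconsistency when a reviewer re-fetches an approved creative over time and from more than one client profile, and this sketch flags those inconsistencies. The scan records, field names, flag names and hostnames are constructed for illustration.

```python
from collections import defaultdict

# Constructed scan records, one per fetch of an approved creative:
# (creative_id, days_since_approval, client_profile, response_hash, redirect_hosts)
SCANS = [
    ("ad-A", 0, "scanner", "h1", ("cdn.example",)),
    ("ad-A", 5, "scanner", "h1", ("cdn.example",)),
    ("ad-A", 5, "desktop", "h1", ("cdn.example",)),
    ("ad-B", 0, "scanner", "h2", ("cdn.example",)),
    ("ad-B", 4, "scanner", "h9", ("cdn.example",)),   # differs days after approval
    ("ad-C", 0, "scanner", "h3", ("cdn.example",)),
    ("ad-C", 1, "scanner", "h3", ("cdn.example",)),
    ("ad-C", 1, "desktop", "h7", ("cdn.example",)),   # differs by client profile
    ("ad-D", 0, "scanner", "h4", ("cdn.example",)),
    ("ad-D", 2, "scanner", "h4", ("cdn.example",)),
    ("ad-D", 2, "scanner", "h8", ("cdn.example",)),   # differs on some fetches only
    ("ad-E", 0, "scanner", "h5", ("cdn.example",)),
    ("ad-E", 3, "scanner", "h5", ("cdn.example", "redir.example")),  # new HTTPS hop
]

def review(scans):
    """Return {creative_id: sorted flags} for creatives with inconsistent responses."""
    by_creative = defaultdict(list)
    for rec in scans:
        by_creative[rec[0]].append(rec)
    findings = {}
    for cid, recs in by_creative.items():
        recs.sort(key=lambda r: r[1])
        _, _, base_profile, base_hash, base_hosts = recs[0]  # scan taken at approval
        per_day = defaultdict(lambda: defaultdict(set))      # day -> profile -> hashes
        flags = set()
        for _, day, profile, digest, hosts in recs:
            per_day[day][profile].add(digest)
            if set(hosts) - set(base_hosts):
                flags.add("new-redirect-host")
        for profiles in per_day.values():
            if any(len(h) > 1 for h in profiles.values()):
                flags.add("intermittent")             # same conditions, different answers
            if base_profile in profiles and base_hash not in profiles[base_profile]:
                flags.add("changed-after-approval")   # approved content no longer served
            if len({frozenset(h) for h in profiles.values()}) > 1:
                flags.add("profile-dependent")        # answer depends on who is asking
        if flags:
            findings[cid] = sorted(flags)
    return findings

if __name__ == "__main__":
    print(review(SCANS))
```

A single scan at approval time would have passed every creative in this sample; only repeated fetches across days and client profiles expose the four flagged ones.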

What happened to Forbes isn’t unique; The New York Times, The Huffington Post, and a number of other high-profile sites have been hit by similar attacks over the years. What sets Forbes apart, however, is that the site is actively attempting to block people from using ad-blocking software, even though we have an increasing amount of evidence that suggests such software can meaningfully protect users.

What happens now?

Readers don’t like ads on websites any more than TV viewers like watching commercials in programs. Websites, including this one, sometimes struggle to balance revenue against reading experience and intrusiveness. But one thing we can all agree on is that serving readers malware is utterly unacceptable.

Unfortunately, it’s simply not clear how to resolve the issue. Websites that depend on ad revenue (all of them) can’t survive if 60-80% of readers are using adblock. The nature of the advertising business practically requires the use of automated approval tools and specialized partners: ad networks approve and purchase millions of ads, in real time. Very, very few publications could afford to build completely in-house solutions, and even those that can still face the challenge of vetting ad security in an environment where bad actors have multiple ways to deceive them about the actual content of an advertisement.

Forbes may have been the first website to ban ad blockers and then serve its customers malware, but it’s probably not going to be the last. Long-term solutions to the problem remain murky. Very few people subscribe to websites, even when subscriptions are available, and politely asking people to turn off ad blockers has a response rate of less than 1%.