A number of online publishers have decided to express their displeasure with ad blocking by creating “ad walls” that prevent readers from accessing content without viewing ads. Pioneered by the Bild newspaper in Germany, the trend has been continued by Forbes and Wired in the US, along with CityAM in the UK, with surely many more to join the bandwagon in future weeks. While there are many popular reasons to employ ad blockers, from aesthetic distaste, bloated page load times, excessive data use, to a fear of invasive tracking, a key reason for many is, simply, safety.
Online advertising can be an attack vector for infections by malware. Recent “malvertising” attacks have compromised personal information, installed browser redirecting software, and, worst of all, unleashed ransomware on unsuspecting site visitors. Publishers using automated “programmatic” advertising networks often have very little practical control of what advertising gets served from their sites, either in the content or in the code embedded with the ad. Malicious actors have capitalized on this system by placing malware into ads served by ad networks, thereby greatly increasing the spread of the infecting technology.
But most embarrassingly, malvertising has been discovered on sites that employ ad walls to demand that readers turn off their ad blocking software and allow advertising through browser defenses. Recently, Forbes was called out by a noted security researcher for serving malware, which he found after the site forced him to turn off his ad blocking software to read an article about a colleague. Yesterday another, even more painfully embarrassing example of this phenomenon occured. The New York Times, arguably the most high profile publisher in the US, began recently testing out ad wall technology, nagging their users to whitelist the site and allow advertising to be served. And, as we should have expected, soon thereafter security experts discovered that the legendary Gray Lady, the “paper of record,” of all places, was hosting the very nasty “Angler EK” malware. Other sites infected included the BBC, AOL, NFL.com and many, many more.
It is becoming somewhat comical, if depressing, to witness repeated instances where ad blocker blocking publishers prove insecure and capable of infecting precisely those users who, against their better judgement, trusted these sites, in order to support an advertising-based business model. Of course, this should come as no surprise, as the attempts by publishers to enforce an ad wall, make exactly those sites all the more attractive to malware criminals. The ad wall sites are, after all, forcibly reducing their readers’ protections and then serving them up to the malvertisers on a silver platter, as lambs ready for the slaughter. We should expect malware purveyors to specifically target sites that employ anti-ad block strategies like ad walls. The malvertisers are merely following in the path of the legendary bank robber Willie Sutton, who (may have) answered to the question of why he robbed banks, “because that’s where the money is.” For someone looking to infect users with malware, an ad walled site is the most target rich environment imaginable. And consequently, users will need to be even more vigilant about visiting those sites, and even more cautious about voluntarily lowering their anti-infection shields.
As someone who has experienced ransomware first hand, I can attest to the devastating effects it can have. No article from Forbes, Bild or even the New York Times is worth that risk, in my opinion. But worse, we see from the misguided strategies advertisers and publishers are taking towards ad blocking that they have essentially no regard for their readers’ safety and well-being. Advertisers and publishers have mostly dismissed the security rationale for ad blocking, instead focusing on readers being cheap pirates or ignorant of the essential democratic value of advertising. The IAB, the trade organization of online advertisers has nothing to say on the relationship between ad blocking and malvertising, and “D.E.A.L.” their new approved methods for dealing with ad blocking, makes no mention of the topic of users’ security whatsoever.
Instead, the leadership of the IAB focuses on what he calls the “unethical, immoral, mendacious coven of techie wannabes” that distribute ad blocking software, the actual tools that in reality actually protect users. Randall Rothenberg, the CEO of the IAB seems far more interested in protecting advertisers’ revenue than he is in protecting users from devastating malware. In his honor, we will refer in the future to the inexorable phenomenon of sites with ad walls getting caught distributing malware as the “Rothenberg Inevitability.” While not as catchy as the “Streisand Effect,” I think the sad but inescapable rise in such occurrences make it quite likely to catch on.