A few months back I postulated that Adblock Plus and other ad blocking software could act as protection against malware because they kept embedded malware in web pages from ever loading in your browser. Now, Forbes has proven me right.
Forbes has taken an aggressive line against ad blockers. When it detects one running on your system, it denies you access to the content until you turn off the ad blocker. Needless to say, this hasn't gone over very well with some people.
Forbes included a prominent security researcher in an article called "The Forbes 30 Under 30," which drew a number of other security researchers to check out the article. After disabling Adblock Plus, they were immediately served with pop-under malware. Security researcher Brian Baskin was the first to tweet about it and included a screen grab of the pop-under.
This is not the first time something like this has happened. Engadget notes that malvertising was found on the video site DailyMotion last month, putting an estimated 128 million people at risk. That case involved a particularly nasty strain of malware called "Angler Exploit Kit," which also infected MSN and Yahoo.
For his part, Baskin has tweeted that malware pages can occur in a very small percentage of ads and that disabling an ad blocker can open an attack vector, but he intends to keep reading Forbes with his ad blocker off and just monitor it better.
This problem is not with Forbes; it's their ad network's responsibility. Forbes is operating on trust that its ad providers are keeping their networks clean, and they clearly aren't if Forbes, DailyMotion, MSN, Yahoo, plus that bastion of clickbait, the Daily Mail, are all getting hit in a short period of time.
If you do a news search, you'll find a bunch of stories with headlines all saying "Forbes serves up malware" in one way or another, when it's not Forbes's fault; it's their ad network's fault. Publishers are going to have to lean on their ad providers a lot harder so they don't get tagged with responsibility.