Anyone who uses an ad blocker has no doubt seen the “placeholder” images or text that replace where the advertisement would be on popular websites. These placeholders implore us to turn off our ad blockers to give the site vital revenue, to not starve the website owners of cash. Lately, there have been even more aggressive methods to ask us to turn blocking off – pop-up or interstitial notifications to shut the blocker off, or even full-page-blocking notifications that keep you from seeing anything if an ad blocker is on.
I do not, in principle, have an issue with these notifications. I think companies and individuals who support their sites with advertising have the right to ask us to turn off the tech that keeps them from getting paid and paying their bills. However, I must regretfully inform these sites that I will not be turning off my ad blocking software, and here is why:
Ad networks (the third-party companies that serve up the ads found on most websites these days) have become nothing more than the latest vector for delivering malware of many forms. In the past, an attacker had to compromise the site itself through security holes or brute force in order to turn that site into an attack vector for infecting visitors with various nasty software. Ad networks have allowed attackers to do many times the damage with a fraction of the effort.
Here’s how it works: The attacker buys ad space with a network that allows JavaScript or other active-code ad serving. The technology generally allows advertisers to show rich-media ads (which are annoying and should be removed from the internet anyway, but I digress). Rich-media ads have video, audio, and other eye-catching stuff built in, but require that the website displaying them allow the scripts to be run. They also require that the browser allow the scripts to run, which ad blockers disable. For a legitimate advertiser and the website owner, this means better conversion rates (the rate at which viewers click on the ad to see the product/service being sold), so rich-media ads have become insanely popular with advertisers themselves, and supporting them has become a requirement for most ad networks.
An attacker can create an “advertisement” that has scripting which delivers the payload of their choice. This could be malware or spyware that the user must accept and run, other malware and spyware that requires no user interaction (limiting what it can attack, but making it much more likely to execute), or more recently crypto-currency mining scripts that chew up CPU cycles and can theoretically damage a computer through overheating it. Since the ad network has no way to tell that the malicious ad is any different from any other rich-media ad (because networks don’t bother to police their customers), the ad network serves up the bad ad to hundreds of websites and infects thousands of end-users.
In short, network advertising on websites has become the new way for attackers to deliver their malware.
This “malvertising” has become so prevalent that even giant sites like Showtime have been attacked via malware in ads posted on their sites. The ad networks do nearly nothing to stop the problem, and the site owners cannot stop it short of removing the ad networks’ code from their sites.
So, until such time as ad networks begin to properly police the ads they put up on network sites, or until such time as you – the site owner – remove that code and post ads you know to be non-malicious only, I’m not turning off the ad blocker. I’m sorry that this impacts you, truly I am. However, the situation has reached a point where no site that runs network ads is safe unless that code is blocked from ever running.
PS: I do indeed subscribe to websites that offer quality content without ads, either through Patreon or directly with the site itself. I know that this limits how many sites I can possibly support, but for those that offer great content and don’t attempt to infect my system with their lax code policies, I’m more than willing to put my money where my mouth is.