Hackers used the most insulting part of Forbes’ website to distribute malware

Thought of the day: interstitial ads aren’t just annoying, they’re dangerous

By Casey Newton (@CaseyNewton) on February 10, 2015 02:29 pm
http://www.theverge.com/2015/2/10/8014221/hackers-used-the-most-insulting-part-of-forbes-website-to-distribute

Nobody likes an interstitial advertisement. The landing pages and pop-ups that temporarily block our access to whichever link we’ve clicked on are interruptions at best and counterproductive at worst — there are few better ways to drive visitors away from your site than by asking them to sit through a 20-second entreaty from brands. But while interstitial ads are just about everywhere these days — though not on The Verge! — there’s one interstitial ad more offensive than any other. It’s on Forbes.com, and it’s called the Thought of the Day. And Forbes must be having many thoughts on this day about the Thought of the Day, because it turns out Chinese hackers took over their widget for three days and used it to distribute malware.

Click any link to Forbes and you’ll find yourself not where you hoped to arrive but rather on the disingenuously named “welcome screen,” sitting at the top of which is the Thought of the Day. It squats in a crudely rendered cartoon speech bubble, indifferently placed toward the top left of your screen, on a backdrop of the bleakest gray. Between the Forbes logo and everything contained in the speech bubble, the Thought is a riot of typefaces; it’s as if the designer were being paid by the font. And that’s to say nothing of the Thought itself: a platitude so empty of meaning that it barely constitutes a sentence, much less an idea. (Today’s, from Malcolm Forbes himself: “To measure the man, measure his heart.” Hey Malcolm — measure this.)

The sole purpose of the Thought is to draw attention to the ad that sits next to it. By now, most of us have learned to immediately click the “Continue to Site” link at the top of the page. But for a short time late last year, those who did not found themselves victims of malware.

For years the Thought of the Day has been compromised intellectually. But the Washington Post reports that for three days in December, the Thought of the Day was compromised from a security standpoint as well. Chinese hackers mounted an attack targeting US defense and financial institutions using the Thought widget, the paper reported. The hackers used vulnerabilities in Adobe Flash and Internet Explorer to mount their attack. Visitors from certain companies and organizations who saw the widget were redirected to a second site where malware was surreptitiously installed on their computers, it said.

Forbes told the Post that the incident began November 28th and was fixed by December 1st. Flash and Internet Explorer have both since been patched. Forbes has found “no indication of additional or ongoing compromise nor any evidence of data exfiltration,” the paper said. But alas, there is an ongoing compromise — the editorial compromise of pretending an interstitial ad is an occasion for Thought. Today we learned it is actually an occasion for malware distribution. It’s enough to make you wonder whether Forbes couldn’t find another, better way to monetize its millions of monthly readers.

It’s worth thinking about.
