Malvertising is the serving of malware through the ads that come along with much Web content. Creating and pushing malicious ads allows criminals to reach readers of many high-profile websites without the muss and fuss of defeating the security features of those same websites. Why hack their pages to deliver the malicious content when you can get an open invitation as an advertiser?
Since much web advertising is still allowed to be delivered as Flash, and since Flash remains what can only be described as a festering snakepit of vulnerabilities, attacking website readers this way is almost too easy. This is one of the main reasons I run an ad blocker. The fact that ad-blocked web pages load in way less than half the time, and that the browser uses less than half the system resources overall that it would otherwise, is pure gravy.
Some sites are pleading with you to turn off your ad blockers. In January, a Forbes Magazine website plea to disable the ad blocker was followed within milliseconds by a steaming pile of malware, delivered straight from those ads. The New York Times and my beloved Onion were also affected within the past year. Today I saw a report that most of the Netherlands’ most popular sites have been hit by similar attacks, potentially infecting millions without ad blockers or other deeper and possibly more intrusive countermeasures.
Until sites that are the clients of these ad networks create some pressure on them to lock down their S*, this will go on. And savvy web users everywhere will continue to use ad blockers.
As for me, my refusal to disable my blocker or whitelist random sites that demand it is absolute. If their pleas are only speed bumps, I click past and read anyway. If they refuse to serve me content without ads, I move on and find what I want somewhere else. There is always somewhere else.
UPDATE, Sep 15: Removed link to AdBlock Plus. See here for why.