• by Felicia Greiff , Staff Writer, January 11, 2016

Forbes' visitors recently got an unwanted proposition after turning off their ad blockers: pop-under malware.

Engadget reported that readers who visited Forbes' "30 Under 30" list were asked to turn off blockers to see the list. (Pretty typical.) After that, a new tab asked readers to install updated Java software -- a common malware pop-up aiming to steal a user's private information. (See the original screenshot from security researcher Brian Baskin here.)

Last week, Forbes reported that about 13% of its 43 million domestic monthly visitors (as measured by comScore) use ad blockers. The article said between Dec. 17 and Jan. 3, 2 million Forbes visitors using ad blockers got this message: "Thanks for coming to Forbes. Please turn off your ad blocker in order to continue. To thank you for doing so, we’re happy to present you with an ad-light experience."

Part of a project Forbes is doing on serving ads to readers (and blockers), the testing found 900,000 people, or 42.4% of visitors, turned off blockers. Then they received a thank-you note. "We monetized 15 million ad impressions that would otherwise have been blocked," wrote Lewis DVorkin, Forbes Media, chief product officer.

DVorkin noted that glitches are still being worked out, and he mentioned Baskin's tweet about the pop-under malware: "Other public reports of issues are also being monitored, with as of yet no confirmed direct correlation with our ad-blocking tests," he said.

The malware itself isn’t necessarily Forbes’ fault, as Baskin said on his Twitter account. Like many publishers, Forbes likely uses the services of third-party ad networks, which can get hacked, too. And other publishers have accidentally served readers malware.

Still, many are on the fence about accepting the publisher/reader agreement (i.e., readers see ads in exchange for free content), and this move isn't exactly a "rah-rah" moment in favor of that arrangement. If turning off an ad blocker open readers up to legitimate security threats, the cost is greater than sitting through 10 seconds of an unwanted ad.

Baskin tweeted, "Point stands that malware pages can occur in a very small % of ads. Suggestions to remove Ad Blocking can open an attack vector." And later, a hopeful message: "I still like @Forbes and will continue reading their articles. I will also keep AdBlock disabled for their site. But will better monitor."