Nexus Mods site goes public with “bad ad” report

We cover a lot of malvertising disasters on this blog, and I’ve previously looked at how many websites will go to war with a user’s ad blockers, or indeed try to disavow themselves of any harm done through infection (“It wasn’t us, it was the ad provider!”). Today, we have an example of a high traffic website so fed up with the ads they’ve been serving that they’ve spoken out publicly about the issue. This is a reasonably rare occurrence, and worth taking a look at.

The site in question is Nexus Mods, a massively popular videogames modding website [1], [2], whose download service means an estimated bill of around $780,000 to keep it up and running each year. The site uses adverts, but doesn’t block ad blockers; instead, they offer perks to users who remain blocker-free (there’s also a paid service which removes ads).

They’d had so many complaints about adverts in the past that they set up a reporting feature in March, to see how big of a problem it really was. Some of the options included “extreme flashing colours”, “causes browser slowdowns or crashes”, and “AV software reports this ad is malicious”.

Well, the eye-opening results from their new reporting feature are in. Check out the number of reports (bold added by myself):

I had an inkling, but I had no official figures to back it up.

Over 8,500 reports later on 115 specific ad placements (in under 2 months)...I have a very, very good idea. (I) sent regular emails expressing my disgust to my provider. Here’s just a snippet:

We're a part of the problem! We're the reason more and more people are turning to adblockers to secure themselves against this ****. And I think what annoys me most is it's taken me having to waste my coder's time creating an ad reporting even know there was a problem in the first place! It's diabolically bad, and I'm ashamed I'm serving these ads to my users and ashamed I've let it go on for so long.

Ouch. They also go on to say the following (again, with bold added by myself):

We’ll rework our reporting system to work with the new provider’s system and I will continue to monitor the situation closely. If it doesn't work out, we will move again (and again, and again, if necessary) until we find a provider we can truly rely on. Even if it means taking a hit on our ad revenue to ensure the security is correct.

A site stating they’re willing to take a financial hit from ad revenue loss while simultaneously needing a frankly terrifying amount of money to stay online is quite the thing, and unusual in the “There’s been a problem with our adverts” stakes. Hats off to the Nexus. So far, we’ve seen Doubleclick, Adroll, and Rubicon Project in the ad boxes and nothing untoward taking place. It’ll be interesting to see if Nexus gives an update on bad ad reports in the near future.

Some entities would have us believe that the Adpocalypse is coming, and one has to wonder if other site owners could end up following suit in being more upfront about the scale of malicious ad-related problems. Ultimately, it can only benefit both websites and their visitors.

Christopher Boyd


Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.