If Meta earns billions from scammy ads, maybe it’s time to mandate adblockers?


Malvertising has become such a prevalent threat that hackers are now suggesting cyber insurance companies should mandate adblockers. The provocative idea was raised at the 39th Chaos Communication Congress in Germany. However, not everyone agrees.

The rise of malvertising was one of the key trends last year, and it is expected to remain a major threat in the future, as highlighted by the Chaos Computer Club (CCC), Europe's largest association.

Ads for scams and banned goods accounted for $16 billion, or 10% of Meta’s revenues in 2024, and every user on its platforms sees at least a few fraudulent ads every day, comprising a total of 15 billion scam ads a day, Reuters reported last year.

“It's totally clear malvertising is not going to die, can someone prescribe adblockers?” said Constanze Kurz, a computer scientist and spokesperson for the Chaos Computer Club (CCC), during its annual conference.

Ron Fulda, another active CCC member and cybersecurity expert, suggested that if governments can’t mandate this simple measure, perhaps insurers could.

“If governments won't step in, perhaps insurance companies will.”

The provocative suggestion was met with applause from the audience at the conference.

But could an adblocker really be a formal remedy that helps prevent breaches? Cybernews asked a few cybersecurity experts for their thoughts on the proposal, and it appears to be dividing opinions.

Yes: social media giants would fight back

Bryce Austin, CEO of TCE Strategy and a cybersecurity expert, explains that adblockers are generally effective for browser-based social media, but they don’t work for app-based situations.

“Social media sites are pushing hard to move people to their apps because those apps get around what little privacy protections there are in browsers such as Chrome or Firefox,” Austin said.

“Insurance companies have good reason to consider requiring adblockers. Many already require antivirus applications, so the precedent is already established, but social media companies are sure to fight back, as this idea fundamentally challenges their business models.”

Perhaps: focus on outcomes, not tools

Nik Kale, a Principal Engineer and Product Architect at Cisco Systems, with over 17 years of experience in designing and implementing security controls, agrees that adblockers help mitigate some of the risks associated with malvertising.

“However, requiring an organization to use a particular ad blocker is the wrong level of abstraction for cyber insurance. Cyber insurance providers should focus on security controls and risk outcomes rather than recommending specific technology tools to an organization,” the expert explained.

While adblockers help protect against a limited set of threats, they do not protect organizations from others, such as a lack of trust in the advertising supply chain, browser exploitation, and user behaviors outside the browser.

“A better way to achieve the desired security objective of cyber insurance is to implement outcome-based requirements, including demonstrated reductions in the organization's web-based attack surface, the enforcement of hardened browsers, and layered endpoint protection solutions,” Kale suggests.

Prescribing a list of tools risks creating “checklist-compliant organizations with a false sense of security,” which could only add to the systemic risks.

No: try to audit adblocker usage

Brian McGraw, a Global CISO with 20 years of experience, has a strong opinion about adblockers.

“No, making adblockers a required insurance control is mostly security theater,” McGraw said.

“They’re inconsistent, easy to bypass, and often break legitimate business workflows.”

The shortcomings often lead users to completely disable adblockers or find workarounds, which negates the benefits.

McGraw also noted that mandating a single tool shifts the focus to box-checking rather than real risk reduction. Mandating adblockers would also make claims and audits “even more painful.”

The expert suggests that insurers should focus on outcomes and accountability, rather than imposing rigid controls that have minimal impact and only appear favorable on a questionnaire.

“Payouts are already an issue when it comes to cybersecurity insurers, and this type of mandate would only lead to further loopholes towards payout avoidance,” McGraw said.

Why demand an adblocker if you can sue Meta?

David Shipley, CEO and Field CISO at Beauceron Security, agrees that adblockers could be used as a band-aid solution on a bullet wound, but he came up with an even better idea for insurers.

“What they should do is find cases where they've had payouts, and the root cause is malvertising and sue the pants off Meta and Google,” Shipley said.

“Or best yet, Meta, Google, and other online advertisers should be held to the same know your customer requirements.”

According to the expert, there have been precedents of the US government pushing cloud service providers for better KYC, similar to banking, to prevent abuse of American infrastructure.

