Malicious code in chess.com adverts

fysh99

I've been a member of chess.com since 2009, and much of that time as a paid diamond subscriber. In more recent years I've become less interested in chess, and about a year ago, I stopped playing altogether. I came back to the site about a month ago, and started playing a handful of games as a free member, to see if I wanted to get back into chess again.

I was surprised when my virus checker advised me not to go to the site, so as a long-time member, I ignored the advice. Over the next 2-3 weeks, I would occasionally come back to my computer to find the tab, which hosted chess.com, to be displaying lines of code. Clicking back on the browser brought back the usual interface, so I didn't see it as any major problem.

Then yesterday, I came back to my computer, to find several authentication boxes on the chess.com tab, which would not let me close them. And the browser wouldn't let me move off from the chess.com tab, or let me close the browser. In the end I had to kill Firefox from the task manager. Unfortunately, restarting Firefox brought up all the tabs again, and the malicious code was able to hijack the browser again. After several attempts, I managed to restart the browser without any of the original tabs. Of course, I also did a thorough scan for malicious code on my system...

I have been considering resubscribing, but this has rather put me off. I suspect that if I do resubscribe, I would not have any difficulties, because I would no longer be subjected to the adverts. However, I can't understand why chess.com is happy to let this happen. I searched the Internet and found other complaints, dating back years. On one discussion I read the response that chess.com cannot control the content of their adverts, but surely if their current provider is sending malicious code, then they have the ability to change advert providers?

notmtwain
fysh99 wrote:

I've been a member of chess.com since 2009, and much of that time as a paid diamond subscriber. In more recent years I've become less interested in chess, and about a year ago, I stopped playing altogether. I came back to the site about a month ago, and started playing a handful of games as a free member, to see if I wanted to get back into chess again.

I was surprised when my virus checker advised me not to go to the site, so as a long-time member, I ignored the advice. Over the next 2-3 weeks, I would occasionally come back to my computer to find the tab, which hosted chess.com, to be displaying lines of code. Clicking back on the browser brought back the usual interface, so I didn't see it as any major problem.

Then yesterday, I came back to my computer, to find several authentication boxes on the chess.com tab, which would not let me close them. And the browser wouldn't let me move off from the chess.com tab, or let me close the browser. In the end I had to kill Firefox from the task manager. Unfortunately, restarting Firefox brought up all the tabs again, and the malicious code was able to hijack the browser again. After several attempts, I managed to restart the browser without any of the original tabs. Of course, I also did a thorough scan for malicious code on my system...

I have been considering resubscribing, but this has rather put me off. I suspect that if I do resubscribe, I would not have any difficulties, because I would no longer be subjected to the adverts. However, I can't understand why chess.com is happy to let this happen. I searched the Internet and found other complaints, dating back years. On one discussion I read the response that chess.com cannot control the content of their adverts, but surely if their current provider is sending malicious code, then they have the ability to change advert providers?

If you write an email to support@chess.com and provide more info about the ad - perhaps a screenshot, and the URL of the page which brings it up, I am sure chess.com will work to track down the source.

I know that in the past CEO Erik had asked for people to write in and identify malicious ads.

https://www.chess.com/forum/view/community/reward-earn-diamond-membership-by-finding-and-reporting-bad-ads

https://support.chess.com/customer/portal/articles/1444866-why-am-i-seeing-inappropriate-ads-on-chess-com-

Toire
notmtwain wrote:
fysh99 wrote:

I've been a member of chess.com since 2009, and much of that time as a paid diamond subscriber. In more recent years I've become less interested in chess, and about a year ago, I stopped playing altogether. I came back to the site about a month ago, and started playing a handful of games as a free member, to see if I wanted to get back into chess again.

I was surprised when my virus checker advised me not to go to the site, so as a long-time member, I ignored the advice. Over the next 2-3 weeks, I would occasionally come back to my computer to find the tab, which hosted chess.com, to be displaying lines of code. Clicking back on the browser brought back the usual interface, so I didn't see it as any major problem.

Then yesterday, I came back to my computer, to find several authentication boxes on the chess.com tab, which would not let me close them. And the browser wouldn't let me move off from the chess.com tab, or let me close the browser. In the end I had to kill Firefox from the task manager. Unfortunately, restarting Firefox brought up all the tabs again, and the malicious code was able to hijack the browser again. After several attempts, I managed to restart the browser without any of the original tabs. Of course, I also did a thorough scan for malicious code on my system...

I have been considering resubscribing, but this has rather put me off. I suspect that if I do resubscribe, I would not have any difficulties, because I would no longer be subjected to the adverts. However, I can't understand why chess.com is happy to let this happen. I searched the Internet and found other complaints, dating back years. On one discussion I read the response that chess.com cannot control the content of their adverts, but surely if their current provider is sending malicious code, then they have the ability to change advert providers?

If you write an email to support@chess.com and provide more info about the ad - perhaps a screenshot, and the URL of the page which brings it up, I am sure chess.com will work to track down the source.

I know that in the past CEO Erik had asked for people to write in and identify malicious ads.

https://support.chess.com/customer/portal/articles/1444866-why-am-i-seeing-inappropriate-ads-on-chess-com-

That is tantamount to expecting the Members to do chess.com's job for them; the ads are the sole responsibility of the site and that obligation should not be sub-contracted.

notmtwain
Toire wrote:
notmtwain wrote:
 

That is tantamount to expecting the Members to do chess.com's job for them; the ads are the sole responsibility of the site and that obligation should not be sub-contracted.

All they asked for was help in identifying the problem ads.

EscherehcsE

Chess.com is not willing to give up the revenue from the ad servers, so they live with the problem. (Attacks via ad servers even have a name - malvertising.) Your choice is to either also live with the problem or install ad blockers.

madratter7
I have seen this too.
fysh99

At the time it happened, my first thought was just to try and rescue my system, and make sure no damage had been done. I didn't at all think about grabbing screenshots, or trying to work out where the advert code had come from. From a user's point of view, it is rather alarming. And even now, after running scans (which were all clear), and being 99% sure that it was safely contained, I am still nervous about what might be lurking on my system. It's definitely not the user's job to stop this from happening!

If chess.com can't (or are not prepared to) make it safe to use for free players, then they should stop allowing free access, and maybe give a free trial instead.

Since the incident, I have switched chess.com to Microsoft Edge, as I feel it is more secure, and I have blocked all adverts too.

EscherehcsE
fysh99 wrote:

 

If chess.com can't (or are not prepared to) make it safe to use for free players, then they should stop allowing free access, and maybe give a free trial instead.

 

Doing away with free access would probably also greatly reduce revenue, so...

EscherehcsE
fysh99 wrote:

And even now, after running scans (which were all clear), and being 99% sure that it was safely contained, I am still nervous about what might be lurking on my system.

That last 1% uncertainty is a niggling problem. You could always do a fresh Windows install and reinstall all programs and data, but that's a big job. If you had a recent good image backup, you could always go back to that one.

fysh99
EscherehcsE wrote:
fysh99 wrote:

 

If chess.com can't (or are not prepared to) make it safe to use for free players, then they should stop allowing free access, and maybe give a free trial instead.

 

Doing away with free access would probably also greatly reduce revenue, so...

 

Maybe so, but they need to protect players. Either that, or they should be honest and post a clear warning message that is permanently visible to all free players - something like:

WARNING - Please note that playing on this site for free, without blocking adverts, will subject your system to malware attacks. Use this site at your own risk!

That would at least let everyone know where they stand!

NYCosmos

Just throwing this out there - you do not have to use Windows to use chess.com. Apple products are more resilient to malware, while Ubuntu (Linux OS) has few to none.

cellomaster8
Download the app = no viruses
EscherehcsE
NYCosmos wrote:

Just throwing this out there - you do not have to use Windows to use chess.com. Apple products are more resilient to malware, while Ubuntu (Linux OS) has few to none.

"Apple products are more resilient to malware..."

If you're willing to pay a premium for Apple's hardware, and if you're willing to live in Apple's walled garden...

 

"...while Ubuntu (Linux OS) has few to none."

Ubuntu MATE or Linux Mint are great choices for people switching from Windows to Linux.

Toire
NYCosmos wrote:

Just throwing this out there - you do not have to use Windows to use chess.com. Apple products are more resilient to malware, while Ubuntu (Linux OS) has few to none.

Great idea, we'll all scrap our Windows machines and go out and spend 2 grand on a Mac...then we can safely play chess again.

RonaldJosephCote

If any thread deserved a pic of Spock with a raised eyebrow saying "fascinating" it would be this thread. With all the data breaches in the past 5 yrs, malicious code piggybacking on server ads is nothing new. I'm running Windows 10 with Adblock and MalwareBytes and haven't had any problems.....YET!

NYCosmos
Toire wrote:
NYCosmos wrote:

Just throwing this out there - you do not have to use Windows to use chess.com. Apple products are more resilient to malware, while Ubuntu (Linux OS) has few to none.

Great idea, we'll all scrap our Windows machines and go out and spend 2 grand on a Mac...then we can safely play chess again.

My apologies, I didn't mean to ruffle any feathers. I have had the same Macbook Air since 2008(ish) and have used it for just about everything and never had a problem with malware (but then I am more paranoid than most about computer security).

brenan

Hey all, we definitely appreciate it when you bring issues like this to our attention. We monitor these too, but with such a high volume of ad impressions, there are rare cases when unapproved advertisers slip through the cracks for a short period of time before the system detects them and blocks them. Any website that serves ads deals with these issues. 

We recommend that members use antivirus and malware protection and regularly screen their computers just to be safe. This will help for all websites that serve ads, not just Chess.com. 

Usually our advertising network partners (like Google, Yahoo, etc.) automatically detect inappropriate ads and remove them. But if some bad advertisers persist, your reports help us find them quicker.

Thanks for your patience and understanding. This is something we care about and work on a lot, so we appreciate your help.