What is malvertising?
Malvertising, short for malicious advertising, is a cybersecurity threat where attackers inject malicious code into legitimate online advertising networks and platforms. This technique allows cybercriminals to distribute malware, steal sensitive information, or redirect users to fraudulent websites through seemingly trustworthy advertisements that appear on reputable websites.
The concept of malvertising emerged in the mid-2000s as online advertising became more sophisticated and widespread. As digital advertising evolved into a multi-billion dollar industry, cybercriminals recognized the opportunity to exploit the complex ecosystem of ad networks, publishers, and advertisers to reach massive audiences with malicious content.
Unlike traditional malware distribution methods that require users to visit suspicious websites or download questionable files, malvertising leverages the trust users place in familiar websites and recognizable brands. This makes it particularly effective because users typically don't expect advertisements on legitimate sites to pose security risks.
Malvertising vs. adware
While both involve unwanted advertising content, malvertising and adware operate differently. Adware is software installed on a user's device that displays unwanted advertisements, often bundled with legitimate programs. Malvertising, however, doesn't require any software installation and operates through compromised advertisements on websites the user is already visiting.
How malvertising works
Malvertising attacks follow a sophisticated multi-stage process that exploits the complex advertising ecosystem. The attack begins when cybercriminals create malicious advertisements that appear legitimate to ad networks and automated screening systems. These malicious ads are then submitted to advertising platforms or networks, often using stolen identities or fake business credentials to bypass initial security checks.
Once approved, the malicious advertisements are distributed across the ad network's publisher websites. When users visit these sites, the compromised ads load alongside legitimate content. The malicious code embedded in these ads can execute automatically without any user interaction, a technique known as a drive-by download, or may require minimal user engagement like hovering over the advertisement.
Drive-by downloads represent one of the most dangerous aspects of malvertising. These attacks exploit vulnerabilities in web browsers, plugins, or operating systems to automatically download and execute malware when a user simply views a webpage containing the malicious ad. The user remains completely unaware that their system has been compromised.
Malicious redirects constitute another common delivery method. When users click on what appears to be a legitimate advertisement, they're redirected through a series of intermediate websites before landing on a page designed to steal credentials, install malware, or conduct fraudulent activities. These redirect chains often involve multiple domains to obscure the attack's origin and evade detection.
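As an added defender-side example (not from the original article), the following Python reconstructs click and redirect chains from web-proxy log lines and flags chains that pass through several redirects across many domains or end in an executable download. The log entries, client IPs and `.example` domains are constructed placeholders, not real indicators.

```python
# Added example (not from the article): rebuild redirect chains from proxy log lines and flag malvertising-like ones.
# Log tuples are (client_ip, referer, url, http_status, content_type); entries and .example domains are constructed.
from collections import defaultdict
from urllib.parse import urlparse

PROXY_LOG = [
    ("10.0.0.5", "-", "https://www.news-site.example/article", 200, "text/html"),
    ("10.0.0.5", "https://www.news-site.example/article", "https://ads.adnet.example/serve?id=77", 200, "text/javascript"),
    ("10.0.0.5", "https://ads.adnet.example/serve?id=77", "https://click.adnet.example/c", 302, "text/html"),
    ("10.0.0.5", "https://click.adnet.example/c", "https://r.trk-one.example/go", 302, "text/html"),
    ("10.0.0.5", "https://r.trk-one.example/go", "https://r.trk-two.example/go", 302, "text/html"),
    ("10.0.0.5", "https://r.trk-two.example/go", "https://flash-update.example/FlashUpdate.exe", 200, "application/octet-stream"),
    # Benign chain for comparison: publisher -> ad network -> advertiser landing page.
    ("10.0.0.7", "-", "https://www.news-site.example/sports", 200, "text/html"),
    ("10.0.0.7", "https://www.news-site.example/sports", "https://ads.adnet.example/serve?id=12", 200, "text/javascript"),
    ("10.0.0.7", "https://ads.adnet.example/serve?id=12", "https://www.shop.example/landing", 302, "text/html"),
]
REDIRECTS = {301, 302, 303, 307, 308}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
BINARY_EXT = (".exe", ".msi", ".dmg", ".apk", ".scr")

def reconstruct_chains(log):
    recs = defaultdict(dict)      # client -> url -> (referer, status, content_type)
    referers = defaultdict(set)   # client -> urls that appeared as a referer
    for client, referer, url, status, ctype in log:
        recs[client][url] = (referer, status, ctype)
        referers[client].add(referer)
    chains = []
    for client, urls in recs.items():
        for url in (u for u in urls if u not in referers[client]):   # chain ends only
            chain, cur = [], url
            while cur in urls:        # walk back via referer; stops at "-" (direct visit)
                chain.append(cur)
                cur = urls[cur][0]
            chains.append((client, chain[::-1]))   # root-first order
    return chains, recs

def assess_chain(chain, urls):
    hops = sum(1 for u in chain[:-1] if urls[u][1] in REDIRECTS)
    domains = {".".join(urlparse(u).hostname.split(".")[-2:]) for u in chain}  # crude eTLD+1; use a public-suffix list in production
    final, reasons = chain[-1], []
    if hops >= 3 and len(domains) >= 4:
        reasons.append(f"{hops} redirects across {len(domains)} domains")
    if urls[final][2] in BINARY_TYPES or urlparse(final).path.lower().endswith(BINARY_EXT):
        reasons.append(f"ends in executable download: {final}")
    return reasons

def flagged_chains(log=PROXY_LOG):
    chains, recs = reconstruct_chains(log)
    return [(c, chain, r) for c, chain in chains if (r := assess_chain(chain, recs[c]))]
```

Only the first client's chain is returned: three 302 hops across five registrable domains ending in a binary download, while the publisher-to-advertiser chain is left alone.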
The impact on users and organizations can be severe. Individual users may experience identity theft, financial fraud, or system compromise, while organizations face data breaches, network infiltration, and potential regulatory compliance violations. The widespread nature of malvertising means that a single compromised ad campaign can affect thousands or millions of users across multiple websites simultaneously.
Common types of malvertising
Malvertising attacks manifest in several distinct forms, each designed to exploit different user behaviors and system vulnerabilities.
Malicious banner ads
Malicious banner ads represent the most traditional form of malvertising. These attacks embed malicious code within standard display advertisements that appear on websites. The banner ads often mimic legitimate advertisements from well-known brands, making them difficult for users to distinguish from authentic content. When loaded in a user's browser, these ads can exploit browser vulnerabilities or redirect users to malicious websites.
Fake software updates
Fake software updates have become increasingly sophisticated and convincing. These malvertising campaigns display pop-up notifications claiming that the user's browser, Flash Player, or other software requires immediate updating. When users click to install the supposed update, they actually download malware instead of legitimate software. These attacks are particularly effective because they prey on users' security consciousness and desire to keep their systems updated.
Video ad malware
Video ad malware exploits the popularity of video content and streaming services. Malicious actors create video advertisements that contain embedded malware or redirect users to compromised websites when clicked. These video ads often appear on legitimate streaming platforms or video sharing sites, leveraging users' trust in these platforms to distribute malicious content.
Malicious pop-ups
Malicious pop-ups utilize intrusive advertising formats to capture user attention and increase the likelihood of interaction. These pop-ups may claim to offer prizes, warn of system infections, or present urgent security alerts. Users who interact with these pop-ups may be redirected to phishing sites, prompted to download malware, or tricked into providing sensitive information.
Real-world examples of malvertising attacks
The advertising industry has witnessed numerous high-profile malvertising campaigns that demonstrate the scale and sophistication of these threats. Major advertising networks and popular websites have fallen victim to malvertising attacks that exposed millions of users to malicious content.
Steganography-based attacks on major news sites
One notable example involved a large-scale malvertising campaign that compromised advertisements on major news websites and popular online platforms. The attackers used a technique called "steganography" to hide malicious code within seemingly innocent image advertisements, making detection extremely difficult for both automated systems and human reviewers.
Fake antivirus campaigns
Another significant case involved fake antivirus advertisements that appeared on legitimate websites. These ads claimed to detect infections on users' computers and prompted them to download fake security software. Users who fell for this scheme actually installed malware that could steal personal information, display additional unwanted advertisements, or provide attackers with remote access to compromised systems.
Banking trojan distribution
Banking trojans have also been distributed through malvertising campaigns targeting financial websites and services. These attacks specifically targeted users of online banking platforms by displaying advertisements that, when clicked, installed malware designed to steal banking credentials and financial information.
Mobile malvertising emergence
Mobile malvertising has emerged as attackers adapt their techniques for smartphone and tablet users. These campaigns often involve fake mobile app advertisements that redirect users to malicious app stores or directly install unwanted applications without proper user consent.
Why malvertising is hard to detect
The detection of malvertising presents unique challenges that stem from the complex nature of modern digital advertising ecosystems. Ad networks process millions of advertisements daily, making comprehensive manual review impractical and necessitating reliance on automated systems that attackers have learned to circumvent.
The complexity of ad networks creates multiple potential entry points for malicious content. Modern advertising involves numerous intermediaries including demand-side platforms, supply-side platforms, ad exchanges, and data management platforms. Each layer in this ecosystem represents a potential vulnerability that attackers can exploit to inject malicious content into the advertising supply chain.
Malvertising attacks often exploit the trust relationship between users and established websites. When malicious advertisements appear on reputable news sites, e-commerce platforms, or social media networks, users naturally assume the content is safe because they trust the hosting website. This implicit trust makes users more likely to interact with malicious advertisements than they would be on obviously suspicious websites.
Attackers employ sophisticated evasion techniques to avoid detection by security systems and human reviewers. These may include time-delayed activation where malicious code only executes after a specific period, geo-targeting that only affects users in certain locations, or behavioral analysis that identifies and avoids security researchers or automated analysis systems.
The use of legitimate advertising infrastructure makes malvertising particularly challenging to combat. Unlike traditional malware distribution that relies on obviously malicious websites or email attachments, malvertising leverages the same systems and protocols used by legitimate advertisers, making it difficult to distinguish between safe and dangerous content based solely on delivery methods.
How to prevent malvertising
Best practices for individuals
Individual users can implement several defensive strategies to protect themselves from malvertising attacks:
- Keep software updated - Maintain current versions of operating systems, web browsers, browser plugins, and security software with the latest patches and security updates. Many malvertising attacks exploit known vulnerabilities that have been patched in newer software versions.
- Install ad blocking software - Modern ad blockers not only prevent advertisements from loading but also include filters specifically designed to identify and block malicious advertising content. Choose reputable ad blocking solutions and keep their filter lists updated to ensure protection against the latest threats.
- Configure browser security settings - Disable automatic downloads, enable click-to-play for plugins like Flash and Java, and configure browsers to warn users about potentially dangerous websites. Consider disabling JavaScript for untrusted websites, though this may affect website functionality.
- Practice safe browsing habits - Be skeptical of urgent security warnings, too-good-to-be-true offers, and unexpected software update notifications that appear in advertisements. Obtain legitimate software updates directly from the software vendor's official website rather than through advertisements or pop-up notifications.
Best practices for organizations
Organizations face additional challenges in protecting against malvertising due to the scale of their operations and the need to balance security with business functionality:
- Deploy comprehensive endpoint protection - Implement solutions that include real-time threat detection and behavioral analysis to identify and block malvertising attacks before they can compromise organizational systems.
- Establish network security controls - Deploy web filtering solutions that can identify and block malicious advertisements at the network level. Use DNS filtering to prevent users from accessing known malicious domains used in malvertising campaigns, while network segmentation limits the potential impact of successful attacks.
- Implement employee education programs - Train staff to recognize common malvertising tactics, understand the risks associated with clicking on advertisements, and know how to report suspected malicious content. Regular security awareness training helps maintain vigilance against evolving malvertising techniques.
- Establish incident response procedures - Create specific protocols for malvertising attacks, including identifying affected systems, containing the spread of malware, and implementing recovery procedures to restore normal operations. Having a well-defined response plan reduces the impact of successful attacks and helps organizations recover more quickly.
Protecting yourself in the digital advertising landscape
As cybercriminals continue to exploit the trust users place in legitimate websites and advertising networks, understanding these attacks becomes crucial for both individuals and organizations. The sophisticated nature of malvertising campaigns, from steganography-based attacks to fake software updates, demonstrates that traditional security measures alone are insufficient.
The key to effective malvertising prevention lies in adopting a multi-layered security approach. For individuals, this means maintaining updated software, using ad blockers, and practicing skeptical browsing habits. Organizations must implement comprehensive security controls, educate their workforce, and prepare incident response procedures tailored to malvertising threats.