Malvertising: Hidden Advertising Threats You Need to Know About


You’re on a website riddled with ads that make it almost impossible to use.

Sounds familiar?

This situation likely sounds all too familiar. But what happens if you click on one of these ads? Increasingly, you’re risking your security or the health of your computer.

This kind of malicious advertising—or malvertising—uses ads as carriers to infect your computer with dangerous code. Frighteningly, malvertising is on the rise, taking advantage of whatever trust you put into the ads you see.
In this article we’ll discuss how good advertising works, the standards that are in place, how malvertising is taking advantage of the current ecosystem, and what you need to do about it.

Why Are There So Many Ads on Websites?

The ads and their intrusiveness are frustrating, up to the point where the value of a website’s content no longer justifies the massive dose of ads you have to make your way through. The implied concept is that sites need to be ad-supported in order to deliver content to users free of charge—clearly, running a website requires a fair amount of time and resources. Sometimes a team of developers, designers, and contributors supports the website.

However, it seems that we need to introduce another definition to draw a fine line between “ad-supported” and “ad-driven” websites. The latter describes a site that has more ad placements than unique content pieces to offer its visitors.

Isn’t Internet Advertising Regulated?

Organizations like the Coalition for Better Ads, composed of prominent online marketing and Ad Tech companies, are working to create new standards and promote best practices in online advertising, aimed at improving users’ experience. Their efforts include research surveying 25,000 real consumers from the US and EU to understand consumer perception of more than 104 mobile and desktop advertising formats. According to the Coalition’s Better Ads Standards, pop-up ads are the most annoying ads for desktop users.

Least preferred ad types according to Coalition for Better Ads

Despite being considered a less “ethical” ad format, and even being completely banned by some of the Ad Tech giants like Appnexus, pop-ups and pop-unders are still a very common advertising medium. They are used by ad networks and guarantee stable revenue for website owners. Compounding the problem, pop-ups are relatively cheap, with some advertisers readily purchasing large volumes of pop ads for their products or services, despite the irritation they bring to consumers’ web surfing experience.

But there is more at stake than which advertising format is most or least annoying.

Malvertising—A Truly Disturbing Advertising Development

While the effort to reshape online advertising is noteworthy and more organizations are joining the cause, another wave is on the rise. It takes legitimate advertisers, ad networks, and even top media outlets hostage and puts users at much more risk than just the change of mood brought by a fatiguing sequence of ads as they surf the web.

Malvertising (malicious advertising) is a common name for this different type of threat.

Simply put, malicious advertising is a method of spreading malware, where the ad itself serves as a carrier of malicious code or script. External threat actors, pretending to be advertisers, use legitimate ad networks to display these bad ads through a vast number of websites that serve the network’s advertisements to end users like us. Cyber criminals may also hack ad serving platforms or individual sites to inject code into advertising mediums, like banners, hosted on those web properties.

Is Malvertising a Serious Threat?

In a blog post by Digital Threat Management Platform RiskIQ on the malvertising landscape in 2016, threat researchers noted a 132% rise in malvertising cases compared to 2015. The situation is made worse by the fact that attackers choose global sites like MSN, NY Times and BBC as their attack surface.

Malwarebytes Labs gives an account of such a case from March 2016. During the attack, malicious ads were distributed via legitimate ad networks. Malware authors were distributing a malicious payload (so-called ransomware) that would encrypt the data on infected computers, forcing users to pay to retrieve their files.

Basically, malvertising purveyors are using the latest advancements in ad tech to target potential victims on the websites where an attack is least expected.

Malvertising is becoming a weapon of choice for ransomware authors.

How Does Malvertising Work?

Malvertising can hit users in several ways and, most importantly, it is often unnoticeable, even by experienced users who know a thing or two about safety on the web. Simply put, this is what happens in a malvertising attack:

Sequence of events in malvertising attack
  • The user clicks a malicious ad (banner, pop-up, text link).
  • The user’s computer may be infected instantly, or the user may be redirected to a website where the infection occurs. There may be no visible signs of redirection in the browser.
  • Sometimes, users do not even need to click on the malicious ad itself to get infected—it happens at the moment when a web page containing a compromised ad loads in their browser.
  • A harmful script within the ad is executed, redirecting the user’s browser to an infected page containing an exploit kit. The exploit kit is used to deliver the actual malware to the victim’s computer. It could be anything from a banking trojan to ransomware.

How To Protect Yourself from Malvertising?

Malvertising protection is in the interest of all parties involved in the ad tech industry, since the manner in which malvertising operates puts the industry in a position where the individual effort of separate Ad Tech companies is simply not enough.

On an industry level, ad networks and large sites should consider investing in ad screening and vulnerability detection solutions, along with sharing the much valued data with security researchers, which should improve prevention techniques and attack mitigation. As a result, this will reduce the possible attack surface and increase the cost of malvertising for threat actors.

On a personal level, there are several actions that will reduce your risk from a malvertising attack.
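A small illustration of what ad screening can look for, tied to the no-click redirect in the sequence described earlier. This is an added example, not code from the article or from any ad platform; the rule set and every sample creative are constructed, and pattern checks like these are only a first filter before manual or sandboxed review.

```javascript
// Added example: static pre-flight screening of ad creative markup.
// Rule ids and all sample creatives are constructed for illustration.
const RULES = [
  // Script navigates the top-level page away from the publisher's site.
  { id: "top-navigation",
    re: /\b(?:top|parent)\.location(?:\.href)?\s*=(?!=)|\b(?:top|parent)\.location\.(?:replace|assign)\s*\(/i },
  // Redirect that needs no script at all.
  { id: "meta-refresh", re: /<meta\b[^>]*http-equiv\s*=\s*["']?refresh/i },
  // Invisible frame: content loads although nothing is shown to the user.
  { id: "hidden-iframe",
    re: /<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>\/]|display\s*:\s*none|visibility\s*:\s*hidden)/i },
  // Code assembled at run time, which hides the real behaviour from review.
  { id: "dynamic-code", re: /\beval\s*\(|\bnew\s+Function\s*\(/i },
];

// Return the ids of every rule the creative's markup triggers.
function screenCreative(html) {
  return RULES.filter((rule) => rule.re.test(html)).map((rule) => rule.id);
}

// Hold any creative with findings for manual review instead of serving it.
function triage(creatives) {
  return creatives.map(({ name, html }) => {
    const findings = screenCreative(html);
    return { name, findings, action: findings.length ? "hold" : "serve" };
  });
}

// Constructed sample creatives (not taken from any real campaign).
const SAMPLES = [
  { name: "click-through banner",
    html: '<a href="https://shop.example/sale"><img src="https://cdn.example/b.png" width="300" height="250"></a>' },
  { name: "auto-redirect script",
    html: '<script>top.location.href = "https://landing.example/";</script>' },
  { name: "invisible frame",
    html: '<div><iframe src="https://frames.example/x" width="1" height="1"></iframe></div>' },
];

for (const result of triage(SAMPLES)) {
  console.log(result.action, result.name, result.findings.join(","));
}
```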

Keeping Your Computer and Data Safe from Malvertising

    • Keep your system and software updated. Outdated software is a weak link that may let you down.
    • Educate yourself about safe browsing. Learn to identify suspicious content, links, etc. Make sure you’re in control of your Flash/Java settings, as they’re often exploited by malvertising authors.
    • Use an ad blocker app to avoid ads, including malvertising.
    • Get an antivirus (AV) product and keep it updated.