Truth in malvertising: How to beat bad ads

Truth in malvertising: How to beat bad ads

Update 6.15.16: An earlier version of this article mentioned a specific adblocking product. Its inclusion was intended to be illustrative only, and not an explicit promotion. We have removed the product’s name because it was leading to some confusion in this regard. Thanks for the great feedback.

Here’s a scary number: 1.3 billion. That’s the monthly traffic of, which was hit by a malvertising campaign earlier this year. Here’s an even scarier number: 70 percent. That’s the estimated amount of malvertising campaigns that deliver ransomware as a payload. What’s 70 percent of millions and millions of pageviews that cycle through the most popular websites each day? Far too much.

All this is to underscore the very real danger of malvertising. One of the basic tenets of cybersecurity is user awareness. If you practice safe browsing habits, you can protect yourself from a number of threats. But malvertising is a different beast. It hits you without your knowledge, often lives on reputable sites, and most of the time, delivers one of the most dangerous forms of malware today. Practice safe Internetting, and you could still be vulnerable.

What is malvertising?

Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. You could be researching business trends on a site like and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the “right” malware for you.

Growing problem

Malvertising purposefully targets legitimate websites with high traffic, instead of trying to trick people into visiting malicious sites. In the less than 10 years since it’s been on the scene, malvertising has impacted major websites with traffic in the hundreds of millions (if not billions), including Yahoo!,,, and AOL.

And the problem’s only getting worse. In 2015, Google disabled more than 780 million bad ads, a nearly 50% increase over 2014. According to RiskIQ, in just the first half of 2015, malvertising increased 260% compared against all of 2014.

How it works

The problem is simple. Malvertising has gone unchecked because of the current lax conditions and low barrier for entry to ad networks. In order to advertise online, businesses merely sign up with a network and then bid in real time to have their ads appear on popular websites. However, not all advertising networks have strict criteria for advertisers. Not only that, but buying advertising space is increasingly being transacted automatically. Ad sellers don’t always know the buyers, and some ad platforms allow newcomers in cheap.

Criminals have done such an efficient job of “plundering the ad ecosystem,” that the FBI, Department of Justice, and Homeland Security have pledged to get involved. Yet even with some gatekeeping in place, cybercrooks can easily pull the wool over the ad networks’ eyes by serving up good ads for a while before switching to ads that contain malicious code.

Having Mission Impossibled the ad networks, bad actors move on to their real targets: you. Their infected ad often uses an iframe, or invisible webpage element, to do its work. You don’t even need to click on the ad to activate it—just visit the webpage hosting the ad. (Hence the term “drive-by download.”) The iframe redirects to an exploit landing page, and malicious code attacks your system from the landing page via exploit. The exploit kit delivers malware—and 70 percent of the time, it’s ransomware.

How to avoid malvertising

Plainly, if you use the Internet, you can’t avoid malvertising. But you can protect against it. Here are a few ways to batten down the hatches and brace yourself against malvertising.

1. Practice safe browsing

It won’t protect you against malvertising living on reputable sites, but it will decrease your odds of getting hit with the veritable wall of crap ready to greet you from the shadier side of the Internet.

2. Tighten up vulnerabilities on your computer.

Malvertising is simply a vehicle for finding security flaws hiding elsewhere in your system. Keep your software patched, update your operating system, run the latest browsers, and remove any software (especially Flash or Java) that you don’t use or need.

3. Download an ad blocker

Ad blockers can filter out a lot of the malvertising noise, stopping dynamic scripts from loading dangerous content. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content.

4. Enable click-to-play plugins on your web browser

Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A good bulk of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will offer excellent protection.

5. Run an effective anti-exploit program

When all else fails, a good anti-exploit program can shield browser, OS, and software vulnerabilities, catching any of the riff-raff that makes it through your defenses.

So unless you’d like to become an Internet recluse, it looks like, for now, there’s not much you can do to avoid malvertising altogether. But with the right protections in place, you can still beat bad ads.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.