Malvertising, or malicious advertising, is the term for criminally controlled advertisements within Internet connected programs, usually web browsers (there are exceptions), which intentionally harm people and businesses with all manner of malware, potentially unwanted programs (PUPs), and assorted scams. In other words, malvertising uses what looks like legitimate online advertising to distribute malware and other threats with little to no user interaction required.
Malvertising can appear on any advertisement on any site, even the ones you visit as part of your everyday Internet browsing. Typically, malvertising installs a tiny piece of code, which sends your computer to criminal command and control (C&C) servers. The server scans your computer for its location and what software is installed on it, and then chooses which malware it determines is most effective to send you.
Malvertising takes advantage of the same methods that distribute normal online advertising. Fraudsters submit infected graphic or text ads (both work as long as they use JavaScript) to legitimate advertisement networks, which often can’t distinguish harmful ads from trustworthy ones.
Despite the malicious code, malvertising takes on the appearance of everyday ads like pop-ups (pushing things at you such as fake browser updates, free utilities, antivirus programs, and so on), paid ads, banner ads, and more. Malvertising criminals rely on two main methods to infect your computer.
The first is an advertisement that presents some kind of provocative enticement to get you to click on it. The lure might come in the form of an “alert,” such as a warning that you already suffer from a malware infection. Or it might be an offer for a free program. Such tactics use social engineering to scare or tempt you into clicking on a link. Give into that temptation and you are infected.
Even more nefarious is the second method, known as a drive-by download. In this case, the infected ad uses an invisible web page element to do its work. You don’t even need to click on the ad to trigger the malicious activity. Just loading the web page hosting the ad (or a spam email or malicious pop-up window) redirects you to an exploit landing page, which takes advantage of any vulnerabilities in your browser or holes in your software security to access your machine.
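The two delivery methods above, the clickbait lure and the drive-by download, leave recognisable traces in the ad creative itself: a script that rewrites `top.location` to force a redirect, a zero-size or hidden iframe that pulls in an exploit landing page, obfuscated JavaScript (`eval`, `unescape`, hex blobs), or a reference to a cryptomining library such as Coinhive. The following Python scanner is an added example, not code from Malwarebytes or from this page, showing how an ad network or site operator could pre-screen creatives for those indicators before serving them. The sample creatives, the domain names (`.example`) and the heuristics themselves are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators a defender would flag in an ad creative before it is served.
# These patterns are constructed for this example and are not a complete detection engine.
REDIRECT_RE = re.compile(r"\b(?:top|parent|window)\.location(?:\.href)?\s*=", re.I)
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I)
HEX_BLOB_RE = re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I)
MINER_RE = re.compile(r"coinhive|cryptonight", re.I)  # Coinhive is the miner named on the page


class CreativeScanner(HTMLParser):
    """Walks an ad creative's HTML and records suspicious structures and scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if MINER_RE.search(a.get("src") or ""):
                self.findings.append("cryptominer script reference")
        if tag == "iframe":
            # Drive-by loaders hide the landing page in an invisible or zero-size frame.
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if hidden or tiny:
                self.findings.append("hidden iframe")
        for name, value in attrs:
            # Forced redirects are sometimes wired into inline event handlers (onload=...).
            if name.startswith("on") and value and REDIRECT_RE.search(value):
                self.findings.append("inline handler redirect")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data.
        if not self._in_script:
            return
        if REDIRECT_RE.search(data):
            self.findings.append("forced redirect")
        if OBFUSCATION_RE.search(data) or HEX_BLOB_RE.search(data):
            self.findings.append("obfuscated script")
        if MINER_RE.search(data):
            self.findings.append("cryptominer script reference")


def scan_creative(html):
    """Return a sorted list of distinct indicator names found in one creative."""
    scanner = CreativeScanner()
    scanner.feed(html)
    return sorted(set(scanner.findings))


# Constructed sample creatives (placeholder domains, not real ad content).
BENIGN = '<a href="https://shop.example/sale"><img src="banner.png" width="300" height="250"></a>'
FORCED_REDIRECT = ('<script>setTimeout(function () { top.location.href = '
                   '"https://tech-support.example/alert"; }, 500);</script>')
DRIVE_BY = ('<img src="banner.png">'
            '<iframe src="https://landing.example/gate" width="0" height="0" style="display:none"></iframe>'
            '<script>eval(unescape("%75%72%6c"));</script>')
MINER = '<script src="https://coinhive.example/lib/coinhive.min.js"></script>'

if __name__ == "__main__":
    for name, creative in [("benign", BENIGN), ("forced redirect", FORCED_REDIRECT),
                           ("drive-by", DRIVE_BY), ("miner", MINER)]:
        print(f"{name:16} -> {scan_creative(creative) or 'clean'}")
```

A clean creative returns an empty list; the forced-redirect sample is flagged for rewriting `top.location`, the drive-by sample for both the zero-size hidden iframe and the obfuscated `eval(unescape(...))` loader, and the miner sample for its Coinhive reference. Static screening like this catches only what is visible in the creative at submission time; a creative that fetches its real payload later, after fingerprinting the visitor as the page describes, still needs runtime and network monitoring.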
Perhaps a more pertinent way to put the question of whether malvertising will harm you is: is there really any chance it won’t? The answer is no, because the bad guys behind malvertising have multiple illicit goals they pursue with dogged determination. They want to make money off you by stealing your identification data, your financial data, and your contact data, among other things. Other than outright stealing data, they can encrypt or delete information, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission. It all depends on what kind of programs the malvertising succeeds in downloading. The payloads can include:
According to Wikipedia, the first recorded malvertising attack occurred in late 2007 or early 2008. The threat exploited a vulnerability in Adobe Flash, attacking a number of popular platforms, including MySpace. It was also the last time anyone mentioned MySpace.
In 2009, The New York Times online magazine fell prey to malvertising by publishing an ad that enlisted computers into a larger botnet of malware-infected computers. Readers were served up ads telling them that their systems were infected, which was a ploy to trick them into installing malicious security software on their computers.
In 2010, malvertising exploded across the internet, with industry watchers identifying billions of display ads that were carrying malware across 3,500 sites.
In 2011, Spotify fell victim to an early example of a drive-by download malvertising attack.
In 2012, a massive malvertising attack hit The Los Angeles Times, infecting users via drive-by download. It was seen as part of a general campaign of malvertising to hit large news portals, and this strategy served as a template for future attacks.
The following year, 2013, saw a major malvertising attack on Yahoo.com, which put a significant number of the site’s 6.9 billion monthly visitors at risk. The attack infected users’ machines with the CryptoWall ransomware.
As we reported, 2014 showed a significant increase in malvertising attacks. Google DoubleClick and Zedo ad networks suffered major malvertising campaigns, as did news portals such as Times of Israel and The Jerusalem Post.
In 2015, attacks continued to diversify, using a variety of popular websites to display bad ads, and drop malware onto the computers of unsuspecting users. Targeted websites included dating sites, adult video streaming sites, Google Adwords, and MSN.com.
Today, malvertising detections continue to grow. ZDNet reported on a threat actor known as Zirconium, which perpetrated what was arguably the biggest malvertising campaign in 2017 when the organization bought an estimated one billion ads throughout the year. Zirconium designed its malicious ads with forced redirects that brought users to websites hosting fraudulent schemes or malware. Industry watchers believe that this single campaign was present on 62 percent of ad-monetized websites each week.
Malvertising actors have also gotten creative as of late. Cybercriminals are now taking over abandoned domains, i.e. websites that the previous owner never renewed, to display malicious ads that forcibly redirect users to tech support scam sites. They’re also abusing cryptocurrency miners. In January 2018 Malwarebytes researchers discovered pages with malicious ads containing embedded scripts for Coinhive. While Coinhive has legitimate uses, cybercriminals use the service to turn your computer into a cryptomining machine without your knowledge or permission.
Once online crooks have determined what kind of computer you use, what software, and what country you are in, they have all they need to devise tailored campaigns. A few campaign categories include:
Although Windows has been the main focus of malware attacks for years, a malvertising campaign focused on a browser or plug-in can just as easily infect a Mac, Chromebook, Android phone, iPhone, or any such devices in a business network.
True, cybercriminals mostly target Windows users because the huge Windows user base gives malvertisers the best return on investment. But Macs are just as vulnerable to malvertising attacks.
Regarding mobile devices, malvertising can be even more of a threat, since many people don't take the same precautions or have the same firewalls on their phone that they routinely have on their desktop or laptop. Compounding the risk is the fact that mobile devices are always on and carried from home, to work, on weekend outings, are often used for shopping, and so on. All of which makes them a prime target for malvertising.
For instance, Android users are increasingly plagued by malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples.
Businesses, with their distributed networks full of attractive personal and financial data on all kinds of devices, have recently become even bigger targets for the kinds of malware that malvertising delivers. According to the October 2018 Malwarebytes Labs Cybercrime Tactics and Techniques Report, businesses saw a 55 percent increase in attacks compared to the previous quarter. At the same time, consumer attacks increased by only four percent quarter over quarter.
First, tighten up vulnerabilities on your computer and mobile device. Keep your operating system, your applications, and web browsers (plug-ins included) up to date with the latest security patches. Remove any software (especially Flash or Java) that you don’t use or need, because malvertising searches for ways to exploit weaknesses in such software.
Always practice safe computing and think before you click on anything. And always be skeptical about any suspiciously alarming notices, or scareware, as well as any too-good-to-be-true pop-up offers you receive. Never clicking on suspect ads won’t protect you against drive-by malvertising living on reputable sites, but it will decrease your odds of getting hit by much of what the bad guys throw at you, as most malvertising relies on your click to deliver its malware payload.
Enable click-to-play plugins on your web browser. Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A large percentage of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will offer excellent protection.
You should seriously consider using ad blockers, which can filter out a lot of the malvertising noise, thereby stopping dynamic scripts from loading dangerous content. By blocking all advertisements from displaying on websites, you remove any chance of viewing and clicking on an ad that is potentially harmful. Ad blocking also results in additional benefits, from reducing the number of cookies loaded on your machine, to protecting your privacy by preventing tracking, saving bandwidth, loading pages faster, and prolonging battery life on mobile devices.
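The ad-blocking mechanism described above comes down to a request filter: before the browser fetches a script, frame or image, the URL is checked against a filter list, and anything matching an ad or tracker rule never loads, so a dynamic script on an ad-network domain never gets the chance to run its redirect. The following Python matcher is an added example, not code from Malwarebytes or from any ad-blocking extension, that implements a small subset of the common `||domain^` and path-substring rule syntax together with the third-party check. The filter list, the rule options and the `.example` domains are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed filter list in a subset of the rule syntax browser ad blockers use:
#   ||host^            block any request to host or its subdomains
#   $third-party       apply the rule only when the request host differs from the page host
#   /path-fragment/    block any request whose path contains the fragment
FILTER_LIST = [
    "||ads-delivery.example^",
    "||tracker.example^$third-party",
    "/adserver/",
]


def registrable(host):
    """Crude registrable-domain reduction (last two labels); a real blocker uses the Public Suffix List."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host or ""


def parse_rule(rule):
    """Split one rule into (kind, value, third_party_only)."""
    pattern, _, options = rule.partition("$")
    third_party_only = "third-party" in options.split(",") if options else False
    if pattern.startswith("||"):
        return ("domain", pattern[2:].rstrip("^").lower(), third_party_only)
    return ("substring", pattern, third_party_only)


RULES = [parse_rule(r) for r in FILTER_LIST]


def should_block(request_url, page_url):
    """Decide whether a single sub-resource request from page_url should be blocked."""
    req = urlsplit(request_url)
    page = urlsplit(page_url)
    third_party = registrable(req.hostname) != registrable(page.hostname)
    host = (req.hostname or "").lower()
    for kind, value, third_party_only in RULES:
        if third_party_only and not third_party:
            continue  # first-party use of a tracked domain is allowed by this rule
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return True
        if kind == "substring" and value in req.path:
            return True
    return False


def filter_requests(page_url, request_urls):
    """Return the requests the browser would actually be allowed to load."""
    return [u for u in request_urls if not should_block(u, page_url)]


# Constructed requests a news page might issue while rendering.
PAGE = "https://news.example/story"
REQUESTS = [
    "https://cdn.news.example/img/logo.png",          # first-party asset: allowed
    "https://ads-delivery.example/serve.js",          # ad-network script: blocked
    "https://tracker.example/pixel.gif",              # third-party tracker: blocked
    "https://news.example/adserver/banner.js",        # ad path on the site itself: blocked
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(("BLOCK " if should_block(url, PAGE) else "allow ") + url)
```

Of the four constructed requests only the first-party logo survives; the ad-network script, the tracking pixel and the site's own `/adserver/` path are all refused before any bytes are fetched, which is exactly why an ad blocker also stops the dynamic redirect scripts the page warns about. The `$third-party` option is what lets the same rule leave `tracker.example` alone when the user is visiting that site directly.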
However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. Malwarebytes has weighed in on this subject. There’s also considerable advice about using ad blockers on our blog, detailing some of the completely free methods available to you for a safer internet experience. For example, here’s one of our blogs about ad blockers and anti-tracking browser extensions. And we cover a few of the common ad blocking utilities and how to best configure those tools for maximum effectiveness.
Malwarebytes provides ad-blocking technology in our iPhone app, and offers powerful ad-blocking extensions for your Chrome or Firefox browser. We also include malicious website protection in our premium products and business products.
Of course, the best way to protect yourself and your equipment from falling victim to malvertising (and any malware, for that matter) is to scan your system regularly with a quality cybersecurity program.
Real-time, always-on cybersecurity is the gold standard for preventing not only infection from malvertising on an infected site, but also from all other associated malware threats that may already be lurking on your device. For all platforms and devices, from Windows, Mac, and Chromebook to Android, and iPhone, plus business environments, Malwarebytes is your first line of defense.