Malvertising

Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required.

What is the definition of malvertising?

Malvertising, or malicious advertising, is the term for criminally controlled advertisements within Internet-connected programs, usually web browsers (there are exceptions), which intentionally harm people and businesses with all manner of malware, potentially unwanted programs (PUPs), and assorted scams. In other words, malvertising uses what looks like legitimate online advertising to distribute malware and other threats with little to no user interaction required.

Malvertising can appear on any advertisement on any site, even the ones you visit as part of your everyday Internet browsing. Typically, malvertising installs a tiny piece of code, which sends your computer to criminal command and control (C&C) servers. The server scans your computer for its location and what software is installed on it, and then chooses which malware it determines is most effective to send you.


How does malvertising work?

Malvertising takes advantage of the same methods that distribute normal online advertising. Fraudsters submit infected graphic or text ads (both work as long as they use JavaScript) to legitimate advertisement networks, which often can’t distinguish harmful ads from trustworthy ones.

Despite the malicious code, malvertising takes on the appearance of everyday ads like pop-ups (pushing things at you such as fake browser updates, free utilities, antivirus programs, and so on), paid ads, banner ads, and more. Malvertising criminals rely on two main methods to infect your computer.

The first is an advertisement that presents some kind of provocative enticement to get you to click on it. The lure might come in the form of an “alert,” such as a warning that you already suffer from a malware infection. Or it might be an offer for a free program. Such tactics use social engineering to scare or tempt you into clicking on a link. Give in to that temptation and you are infected.

Even more nefarious is the second method, known as a drive-by download. In this case, the infected ad uses an invisible web page element to do its work. You don’t even need to click on the ad to trigger the malicious activity. Just loading the web page hosting the ad (or a spam email or malicious pop-up window) redirects you to an exploit landing page, which takes advantage of any vulnerabilities in your browser or holes in your software security to access your machine.


How can malvertising harm me?

Perhaps a more pertinent way to put that question is: is there really any chance it won’t harm you? The answer is no, because the bad guys behind malvertising have multiple illicit goals they pursue with dogged determination. They want to make money off you by stealing your identification data, your financial data, and your contact data, among other things. Other than outright stealing data, they can encrypt or delete information, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission. It all depends on what kind of programs the malvertising succeeds in downloading. The payloads can include:

  • Malware, which is the umbrella term that describes any malicious program or code that is harmful to systems.
  • Ransomware, the term for a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back. Ransomware has been called the cybercriminal’s weapon of choice because it demands a quick, profitable payment in hard-to-trace cryptocurrency. The code behind ransomware is easy to obtain through online criminal marketplaces and defending against it can be difficult.
  • Spyware is malware that secretly observes the computer user’s activities without permission and reports it to the software’s author.
  • Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. Typically, it uses an underhanded method to either disguise itself as legitimate, or piggyback on another program to trick you into installing it on your PC, tablet, or mobile device.
  • A virus is the original malware that attaches to another program and, when executed—usually inadvertently by the user—replicates itself by modifying other computer programs and infecting them with its own bits of code. Most cybersecurity professionals agree that viruses today are more of a legacy threat than an ongoing risk to Windows or Mac users. That’s because they’ve been around for decades and have not substantially changed.
  • Malicious cryptomining, also sometimes called drive-by mining or cryptojacking, is an increasingly prevalent malware usually installed by a Trojan. It allows someone else to use your computer to mine cryptocurrency like Bitcoin or Monero. So instead of letting you cash in on your own computer’s horsepower, the cryptominers send the collected coins into their own account and not yours. So, essentially, a malicious cryptominer is stealing your resources to make money.


What is the history of malvertising?

According to Wikipedia, the first recorded malvertising attack occurred in late 2007 or early 2008. The threat exploited a vulnerability in Adobe Flash, attacking a number of popular platforms, including MySpace. It was also the last time anyone mentioned MySpace.

In 2009, The New York Times online magazine fell prey to malvertising by publishing an ad that enlisted computers into a larger botnet of malware-infected computers. Readers were served up ads telling them that their systems were infected, which was a ploy to trick them into installing malicious security software on their computers.

In 2010, malvertising exploded across the internet, with industry watchers identifying billions of display ads that were carrying malware across 3,500 sites.

In 2011, Spotify fell victim to an early example of a drive-by download malvertising attack.

In 2012, a massive malvertising attack hit The Los Angeles Times, infecting users via drive-by download. It was seen as part of a general campaign of malvertising to hit large news portals, and this strategy served as a template for future attacks.

The following year, 2013, saw a major malvertising attack on Yahoo.com, which put a significant number of the webpage’s 6.9 billion monthly visitors at risk. The attack infected users’ machines with the CryptoWall ransomware.

As we reported, 2014 showed a significant increase in malvertising attacks. Google DoubleClick and Zedo ad networks suffered major malvertising campaigns, as did news portals such as Times of Israel and The Jerusalem Post.

In 2015, attacks continued to diversify, using a variety of popular websites to display bad ads and drop malware onto the computers of unsuspecting users. Targeted websites included dating sites, adult video streaming sites, Google AdWords, and MSN.com.

Today, malvertising detections continue to grow. ZDNet reported on a threat actor known as Zirconium, which perpetrated what was arguably the biggest malvertising campaign in 2017 when the organization bought an estimated one billion ads throughout the year. Zirconium designed its malicious ads with forced redirects that brought users to websites hosting fraudulent schemes or malware. Industry watchers believe that this single campaign was present on 62 percent of ad-monetized websites each week.

Malvertising actors have also gotten creative as of late. Cybercriminals are now taking over abandoned domains, i.e. websites that the previous owner never renewed, to display malicious ads that force redirect users to tech support scam sites. They’re also abusing cryptocurrency miners. In January 2018 Malwarebytes researchers discovered pages with malicious ads containing embedded scripts for Coinhive. While Coinhive has legitimate uses, cybercriminals use the service to turn your computer into a cryptomining machine without your knowledge or permission.

What are the main kinds of malvertising campaigns?

Once online crooks have determined what kind of computer you use, what software, and what country you are in, they have all they need to devise tailored campaigns. A few campaign categories include:

  • Get-rich-quick schemes and other surveys. These are aggressive efforts by unscrupulous advertising networks that disrupt your browsing with screen hijacks. They might be anything from a lottery offer to work-from-home scams, bogus surveys, and other too-good-to-be-true freebies. In the past, surveys in this category have even targeted iPhone users.
  • Tech support scams. Tech support scammers have long targeted Windows PC users, but they target Mac users too, exploiting their assumed sense of security with a number of social engineering tricks. In either case, fake websites falsely present themselves as Apple or Microsoft, using JavaScript to prevent victims from closing the page naturally. This leads frustrated users to call the toll-free number, listed by the malvertising, for assistance. Scammers, mostly out of India, make a show of scaring their victims in order to sell them hundreds of dollars of worthless “tech support.”
  • Fake Flash Player (and other software) updates. This is one of the most common techniques to foist adware and even malware onto Mac users. Masquerading as updates for the Flash Player, or video codecs, these pages are well designed and pushy. In some cases, the installer will automatically download itself onto your computer. These campaigns work particularly well on adult or video streaming websites, because they can lure users to download the application in order to watch the content they are looking for. You should stay away from such “programs.” But if you choose to download, only do so by going to the product’s official repositories, since these look-alikes on the infected sites are bundled with junk that will slow down your Mac, or worse, install spyware and other malware on it.
  • Scareware. Similar to the tech support scam, scareware first says that your Mac or Windows machine is severely damaged or infected, and then urges you to download a program to fix it. Scareware scams are typically the work of greedy malvertising affiliates trying to drive the most leads they can in order to collect large commissions off various PUPs.
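The drive-by mechanism described under “How does malvertising work?” (an invisible page element that forces a redirect to an exploit landing page) and the tech support scam tactic above (JavaScript that stops the victim from closing the page) leave static traces in the ad creative itself. The following is an added example of a defender-side triage script for ad creatives, written for this article and not code from Malwarebytes or the original page; it assumes the creative is available as an HTML snippet (as an ad network’s review queue or a publisher’s creative scanner would have it). The three sample creatives are constructed for the example and use reserved `.test` domains.

```python
"""Static triage of an ad creative for malvertising indicators.

Added example (not Malwarebytes' code). Flags the indicators the
article describes: hidden iframes, meta-refresh and script-driven
top-level redirects, and beforeunload handlers used to trap the user.
"""
import re
from html.parser import HTMLParser

# --- Constructed sample creatives (hypothetical .test domains) ---------------
BENIGN_CREATIVE = """
<div class="ad"><a href="https://example-advertiser.test/offer">
<img src="https://example-cdn.test/banner.png" width="300" height="250"></a></div>
"""

DRIVEBY_CREATIVE = """
<div class="ad"><img src="https://example-cdn.test/banner.png" width="300" height="250">
<iframe src="https://landing.example-bad.test/gate" width="0" height="0"
 style="display:none;border:0"></iframe></div>
"""

SCAM_CREATIVE = """
<script>
window.onbeforeunload = function () { return "Your PC is infected! Call now"; };
top.location.href = "https://support-alert.example-bad.test/";
</script>
"""

# Coarse heuristics over inline script text. Reads of location (e.g. logging
# the current URL) also match, so treat hits as triage leads, not verdicts.
REDIRECT_RE = re.compile(r"\b(top|parent|window|document)\.location(\.href|\.replace\(|\s*=)")
TRAP_RE = re.compile(r"onbeforeunload|addEventListener\(\s*['\"]beforeunload")


def _is_hidden(attrs):
    """True if an element is sized to zero or styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_sized = attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")
    return zero_sized or "display:none" in style or "visibility:hidden" in style


class _CreativeParser(HTMLParser):
    """Collects markup findings and gathers inline script bodies for later checks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "iframe" and _is_hidden(a):
            self.findings.append("hidden iframe -> " + a.get("src", "?"))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_creative(html):
    """Return a list of human-readable findings; an empty list means no indicator hit."""
    parser = _CreativeParser()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.scripts)
    if REDIRECT_RE.search(script_text):
        parser.findings.append("script sets top-level location (forced redirect)")
    if TRAP_RE.search(script_text):
        parser.findings.append("beforeunload handler (page-close trap)")
    return parser.findings


if __name__ == "__main__":
    for name, creative in [("benign", BENIGN_CREATIVE),
                           ("drive-by", DRIVEBY_CREATIVE),
                           ("scam", SCAM_CREATIVE)]:
        print(name, "->", triage_creative(creative) or "clean")
```

The checks are deliberately static and cheap so they can run on every creative before it is served; they catch the crude forms of the techniques the article describes, while obfuscated or dynamically loaded scripts (the more common case in real campaigns) need sandboxed rendering to observe the resulting redirect. A creative with any finding should go to manual review rather than be blocked outright, because zero-sized frames and `location` reads also occur in legitimate measurement code.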

What kinds of platforms are vulnerable to malvertising?

Although Windows has been the main focus of malware attacks for years, a malvertising campaign focused on a browser or plug-in can just as easily infect a Mac, Chromebook, Android phone, iPhone, or any such devices in a business network.

True, cybercriminals mostly target Windows users because the huge Windows user base gives malvertisers the best return on investment. But Macs are just as vulnerable to malvertising attacks.


Regarding mobile devices, malvertising can be even more of a threat, since many people don't take the same precautions or have the same firewalls on their phone that they routinely have on their desktop or laptop. Compounding the risk is the fact that mobile devices are always on, carried from home to work and on weekend outings, often used for shopping, and so on. All of which makes them a prime target for malvertising.

For instance, Android users are increasingly plagued by malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples.

Businesses, with their distributed networks full of attractive personal and financial data on all kinds of devices, have recently become even bigger targets for the kinds of malware that malvertising delivers. According to the October 2018 Malwarebytes Labs Cybercrime Tactics and Techniques Report, businesses saw a 55 percent increase in attacks compared to the previous quarter. At the same time, consumer attacks increased by only four percent quarter over quarter.

How do I protect against malvertising?

First, tighten up vulnerabilities on your computer and mobile device. Keep your operating system, your applications, and web browsers (plug-ins included) up to date with the latest security patches. Remove any software (especially Flash or Java) that you don’t use or need, because malvertising searches for ways to exploit weaknesses in such software.

Always practice safe computing and think before you click on anything. And always be skeptical about any suspiciously alarming notices, or scareware, as well as any too-good-to-be-true pop-up offers you receive. Never clicking on suspect ads won’t, by itself, protect you against drive-by malvertising living on reputable sites, but it will decrease your odds of getting hit by much of what the bad guys throw at you, since most malvertising relies on your click to deliver its malware payload.

Enable click-to-play plugins on your web browser. Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A large percentage of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will offer excellent protection.

You should seriously consider using ad blockers, which can filter out a lot of the malvertising noise, thereby stopping dynamic scripts from loading dangerous content. By blocking all advertisements from displaying on websites, you remove any chance of viewing and clicking on an ad that is potentially harmful. Ad blocking also results in additional benefits, from reducing the number of cookies loaded on your machine, to protecting your privacy by preventing tracking, saving bandwidth, loading pages faster, and prolonging battery life on mobile devices.

However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. Malwarebytes has weighed in on this subject. There’s also considerable advice about using ad blockers on our blog, detailing some of the completely free methods available to you for a safer internet experience. For example, here’s one of our blogs about ad blockers and anti-tracking browser extensions. And we cover a few of the common ad blocking utilities and how to best configure those tools for maximum effectiveness.

Malwarebytes provides ad-blocking technology in our iPhone app, and offers powerful ad-blocking extensions for your Chrome or Firefox browser. We also include malicious website protection in our premium products and business products.

Of course, the best way to protect yourself and your equipment from falling victim to malvertising (and any malware, for that matter) is to scan your system regularly with a quality cybersecurity program.

Real-time, always-on cybersecurity is the gold standard for preventing not only infection from malvertising on an infected site, but also from all other associated malware threats that may already be lurking on your device. For all platforms and devices, from Windows, Mac, and Chromebook to Android, and iPhone, plus business environments, Malwarebytes is your first line of defense.
