What Is Malvertising and How Do I Stop it?

August 9, 2024

Malvertising Definition

Malvertising or malicious advertising is a technique that cybercriminals use to inject malware into users’ computers when they visit malicious websites or click on an ad online. Malvertising may also direct users to a corrupt website where their data can be stolen, or malware can be downloaded onto their computer.

“Malvertising” simply refers to malicious advertisements. More specifically, the term refers to all the ads that are designed and deployed with explicit malicious intent or launched by bad actors.

There are many different forms of malvertising categorized by the various actions triggered when the malicious ad reaches the user’s screen, the vector of attack, and other factors. But the common element is the use of the ad creative, browser vulnerabilities, or any weak points along the ad supply chain, to negatively affect the end user.

When malvertising reaches its target user’s computer or device, it deploys the ad payload, which is whatever malicious content the ad delivers. In many cases, infected ads contain malicious code, which is a script engineered to execute an action regardless of whether the user interacts with the infected ad. In other cases, they may use a "drive-by download" to get users to download malicious programs or Flash files (Adobe Flash itself is now retired).

There are several paths malvertisers can pursue to reach their target user on sites via standard display, video, or in-app environments.

How Does Malvertising Work?

Malvertising comes from third parties that use ad calls to gain access to a publisher’s online advertising slots and/or the creative that renders in them.

Often a malvertiser will execute a media buy starting from the DSP, just like any legitimate advertiser. In other cases, the scammer will insert malicious code via inventory reselling, or some other unsecured point in the ad network or the supply chain for online ads.

For the malvertiser, it’s an efficient and scalable method of causing harm. There’s no need to take control of the publisher’s entire website or server, and typically there’s no need for the user to perform any action other than loading a web page. A malvertising campaign can have international reach and can be targeted to particular geographic regions, demographics, or device types.

Auto-Redirect

Scammers often use auto-redirects to deliver malicious code. In this technique, malicious code takes over the ad unit, expanding the creative to fill the screen and giving the user no visible option to close the ad. The creative then directs or links unsuspecting users to a malicious landing page, the app store, or a phone number for a phishing scam.

URL malvertising

Ad scanning tools at points along the supply chain scan ad creative for suspicious URLs, but malvertisers get past these scanners by using cloaking: hiding their real URLs within code that looks legitimate (for example, resembling the URL of a legitimate company) to a scanner or to human QA. The cloaked URL slips past these relatively low-tech security measures and reaches the user’s screen undetected.

Malicious ad cloaking

Cloaking is a technique used by malvertisers to disguise both the creative the user sees and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise, appearing harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate.

Yet, when the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the problematic page. The landing page may even appear legitimate to the user—counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company.

This whole process is designed to take advantage of the audience’s trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malicious code or malicious software to the user’s device or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.

Malvertising campaigns

Malvertisers evaluate consumer behavior and trends within various countries and create attack blueprints, including various creatives and landing pages, to suit the targeted users. Like traditional marketers, they test the effectiveness of their campaigns with probing attacks to gauge which campaigns perform best. Many campaigns use sophisticated clickbait to infect users with malicious programs, such as showing ads about local celebrities on ad networks specific to the user’s location. For example, a user in Argentina will see content about an Argentinian celebrity, and a user in India will see an Indian celebrity.

These are some of the common tactics used in malvertising campaigns:

Malicious Browser Extensions:

These ads promote seemingly useful browser extensions. When the user installs the extension, in addition to what it is supposed to do, it also installs malware or spyware on the user’s device.

Fake Antivirus & Cleaners:

In this tactic, ads are disguised to look like system messages telling the user that they need to install an anti-virus or cleaning program to keep their device safe. However, when they click on the ad, instead of installing legitimate software, malware is installed.

Suspicious VPN:

These ads show videos, but when the users try to view the video, they are told they need to download a VPN to watch it. When they do so, they also install spyware or malware.

Tech Support Scams:

These scams put pop-ups on the user’s device that cover the entire screen. The pop-ups direct users to fake support agents who instruct users to “solve” the issue by downloading software that is actually malware.

Fake Software Updates:

These ads are disguised to look like system messages telling users that they have a program that needs to be updated. When they click to update, they unintentionally install malware.

Mobile Malvertising campaigns

The small screen offers unique opportunities for malvertisers. Mobile users are often in a hurry, looking for a quick solution, and have little patience for interruptions. The sensitivity of touch input on small screens makes accidental clicks on ads inevitable.

Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms. If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive app downloads, then the platform is essentially incentivized to run more ads from unfamiliar buyers. This makes it easier for bad actors to slip their campaigns through.

Malvertising on landing pages

In many malvertising campaigns, the most harmful elements are not actually carried in the ad itself. Often, the creative will function like a normal ad at first, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. That’s why it isn’t enough to install antivirus software—in order to protect users, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad as well.

Placing malicious code

In some cases, the bad actor will place malicious code in the ad creative either when the ad is called, or post-click.

Redirecting Pop-Ups

In this method, when the user opens a website or application, the bad ad will take over the screen. From there, it might direct the user to the app store to download an unwanted app. In other cases, it might show a message saying the user has won a gift card, or been invited to take part in a survey, or been exposed to a system risk that can only be fixed by clicking through.

Examples of Malvertising

Many reputable organizations have been involved in malvertising attacks in recent years. In many such cases, the attack stemmed from a compromised ad network, which made it nearly impossible for the organization to identify such risks.

Specific attacks include:

Angler Exploit Kit

This malvertising attack was an example of a drive-by download. It automatically redirected visitors to a malicious website where an exploit kit was able to exploit vulnerabilities in common browser plugins, such as Adobe Flash, Microsoft Silverlight and Oracle Java.

RoughTed

RoughTed arrived on the malvertising scene in 2017. It was unique in that it could get around ad blockers and circumvent many antivirus programs.

To avoid being detected by defense systems, RoughTed continually generated new URLs. Antivirus programs inspect the URLs of potential threats to see whether they match confirmed malware, and they block any download associated with a known dangerous URL. Because RoughTed could change its URL, this kind of protection was ineffective against it.

KS Clean

The KS Clean malvertising attack consisted of adware concealed in an otherwise benign mobile application. It targeted people through ads that could download malware. Once the individual clicked on the ad, the malware would start secretly downloading in the background. The user would have no idea they were under attack. The only sign would be a warning saying they needed to upgrade the app because their phone had a security issue. If the target clicked the OK button, the installation would be completed, and the malware would automatically obtain administrative privileges. Once these privileges were established, the user would start experiencing continuous pop-up ads on their phone. In addition to being an annoyance, these ads could also lead to sites that contained other threats.

How to Avoid Malvertising

Malvertising is extremely difficult to detect and avoid for both consumers and publishers. This is because of the incredible volume of digital ads being created and the rapid rate at which ads are circulated within a digital ad exchange. This means that publishers themselves often cannot directly oversee the ad verification and assessment process.

Generally speaking, it is also very difficult for cybersecurity experts to identify exactly which ad is malicious because the ads on a webpage constantly change. Further, most malvertising attacks require the user to interact with the infected ad. This means that not every website visitor will be affected by a malicious ad, which makes it more difficult to narrow down the offending advert.

While difficult to prevent infection from a malvertisement, users can take steps to reduce their risk:

• Ensure that all software and extensions, including web browsers, are up to date.

• Install antivirus software and ad blockers to reduce the risk of running a malicious advertisement.

• Avoid using Flash and Java or allowing these programs to run automatically when surfing the web.

Publishers have a responsibility to protect their visitors from malvertisements. Steps they can take include:

• Thoroughly evaluate third-party ad networks that will be responsible for selecting, vetting and running ads.

• Scan ad creative intended for display to discover malware or unwanted code.

• Avoid the use of JavaScript or Flash in ads.

• Engage a trusted cybersecurity partner to offer customized recommendations based on the organization’s digital advertising activity.
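As an added example that is not part of the original article, here is a small Python scanner a publisher could run over ad creative before serving it. It surfaces the three indicators the page describes: a landing URL hidden inside a base64 string (the cloaking described under URL malvertising), a script that navigates the top or parent frame (the auto-redirect pattern), and URLs whose registered domain is outside the advertiser’s allowlist but imitates an allowed brand. The sample creative, the domains and the simplified registered-domain heuristic are all constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# atob("...") carrying a base64 payload: a cloaking pattern that hides the real URL from plain URL scanners
B64_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]{16,})["']\s*\)""")
# Navigation of the top or parent frame from inside an ad slot: the auto-redirect pattern
REDIRECT_RE = re.compile(r"\b(?:window\.)?(?:top|parent)\.location\b|\blocation\.replace\(")

def registered_domain(host):
    # Simplified "last two labels" heuristic (assumption); a real scanner would use the public suffix list
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def extract_urls(creative):
    """Return (visible URLs, URLs recovered by decoding base64 atob() arguments)."""
    visible = set(URL_RE.findall(creative))
    hidden = set()
    for blob in B64_RE.findall(creative):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 text; nothing to recover
        hidden.update(URL_RE.findall(decoded))
    return visible, hidden

def scan_creative(creative, allowed_domains):
    """Return a list of findings; an empty list means no indicator fired."""
    findings = []
    visible, hidden = extract_urls(creative)
    if hidden:
        findings.append("cloaked URL(s) decoded from base64: %s" % sorted(hidden))
    if REDIRECT_RE.search(creative):
        findings.append("script navigates the top/parent frame (auto-redirect indicator)")
    for url in sorted(visible | hidden):
        host = urlparse(url).hostname or ""
        if registered_domain(host) in allowed_domains:
            continue
        # An allowed brand name appearing inside a foreign hostname is a lookalike URL
        lookalike = [d for d in allowed_domains if d.split(".")[0] in host.lower()]
        tag = " (lookalike of %s)" % lookalike[0] if lookalike else ""
        findings.append("URL outside advertiser allowlist: %s%s" % (url, tag))
    return findings

# Constructed sample creative: the real landing URL is base64-encoded and the script forces a
# top-frame redirect after a delay, matching the cloaking and auto-redirect sections of the article.
_HIDDEN_URL = "https://example-brand.com.secure-login.net/claim"
SAMPLE_CREATIVE = """
<div class="ad"><a href="https://www.example-brand.com/spring-sale">Shop now</a>
<img src="https://cdn.example-brand.com/creative.png"></div>
<script>
var u = atob("__B64__");
setTimeout(function () { window.top.location = u; }, 1500);
</script>
""".replace("__B64__", base64.b64encode(_HIDDEN_URL.encode()).decode())
```

Running `scan_creative(SAMPLE_CREATIVE, {"example-brand.com"})` returns three findings, while a creative that links only to allowed domains and contains no redirect returns an empty list.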

How To Identify Malvertisements

Malvertisements have a few distinct traits that can make them easy to spot if you know what to look for, including:

• Ads that look sloppy or unprofessional

• Ads with spelling mistakes

• Ads that have unrealistic promises, such as amazing cures

• Ads talking about celebrity scandals

• Any ad that advertises something that is too good to be true

• Ads that do not seem to align with your recent search activity

How To Prevent Malvertising

You can prevent malvertising using several different methods, from installing software to adjusting your settings to simply avoiding advertisements altogether.

1. Install an Ad Blocker

If you install an ad blocker, ads will not pop up on your screen, including malvertisements. This way, when you go to a webpage with malvertisements on it, you will only see the webpage’s content and not the fake ads hackers have worked into the advertising network.

2. Turn On Click-to-play for Your Browsers

Your browser has a click-to-play option, so any content that needs a plugin to play is disabled unless you specifically choose to click on it. With click-to-play enabled, you can be protected from malvertisements that automatically run when plugin content loads on a page.

3. Use All-around Antivirus Software

Antivirus software can be a powerful deterrent against malvertisement because it is designed to prevent particular kinds of malware, including malvertising. The key is to keep your antivirus software updated. If a new type of malvertising gets introduced to the internet, you want to ensure your antivirus can identify it and protect your system.

4. Identify Ads That Seem Illegitimate

If you see an ad that looks as if someone just haphazardly threw it together, it could be malvertising. Malvertisers may not put the time and effort into designing a polished, professional-looking ad in the same way a professional ad company would.

You should also check for spelling errors. Malvertisement designers who hail from other countries may target people in your language but make obvious errors. If you see spelling errors in an advertisement, do not click on it.

Any ad that contains promises that seem unrealistic may be clickbait tempting you to click on a malvertisement. Do not click on ads like this even out of curiosity. You should also keep in mind that if you do click on one, you may not even notice that malware has been downloaded, so even if nothing happens after you click, your computer can still be compromised.

You can also choose to never click on any ads that show up on your computer. In this way, any malvertisements that require a click to be activated will not be able to penetrate your system. If you are interested in a product or service, you can look up the company in the ad and inquire directly through email or via a phone call. This way, you avoid malvertisements and the various types of malicious code they can introduce to your system.

How Malvertisements Affect Web Users

1. Drive-by Download

In some cases, you do not have to click on malvertising for it to impact your device. With a drive-by download, for example, the viewer merely sees an ad on their screen, and because their browser is already loading content from the attacker’s domain, the malware gets downloaded onto their device automatically. In many cases, there is no indication—at least at first—that the device has been infected. Soon, however, the user may notice it is slowing down, running too hot, or quitting applications out of the blue.

Does this fit the standard malvertising meaning? Yes, this aligns with the accepted malvertising definition because even though the user does not have to click on the content, the attacker is still using an advertisement to attack their system.

2. URL Malvertising

Another way malvertising affects users is through URL malvertising. What is URL malvertising? It happens when your browser gets forcibly redirected to a malicious site. What is a malvertising attack in this context? When you get sent to the fake site, you may try to click on something to navigate away from it, and that clicking action installs malware on your device.

What Are the Risks of Malvertising?

Malvertising comes with considerable risks that can threaten your computer, network, or mobile device. Here are the three most common dangers of malvertising.

1. Inoperable Computers and System Networks

Because a malvertising campaign can result in malware being downloaded onto your computer or into your network, one of the primary threats it presents is a complete or partial computer breakdown. Malware of any type, including ransomware, adware, bots, and other malicious software, can be downloaded onto your computer by a malvertisement without you knowing.

Once the malware is on your computer, it can infect your system on its own, rendering it inoperable, or set the stage for a hacker to penetrate your system later on. The attacker can then inject malicious code into your computer that renders it inoperable.

2. Hardware Failure

A harmful file from a malvertisement can attack your computer by overburdening the processors or taking up all its random access memory (RAM). This can cause your computer to overheat and result in the failure of hardware components connected to the motherboard. Also, it’s possible for some hardware components, such as your computer’s camera, to be hacked by malware introduced by a malvertisement.

3. Data Loss and Data Theft

Malware from malvertisements can be programmed to steal your data. They can also leave back doors open for thieves to come in and steal your data or that of your customers and clients at a later date.

Malvertisements can also install spyware onto your system, which can spy on your activity, including how you enter your login credentials on websites. Spyware that records keystrokes in this way is called a keylogger, and if one is running on your system, it can record your login info for everything, from your email to your bank account. It can then send that information to a hacker who can either sell it or try to exploit it themselves.

Malvertising vs. Ad Malware

Although somewhat similar, malvertisements and ad malware are distinct. Malvertising in cybersecurity results from criminals using malicious ads within ad networks. The ads then appear on a web page and impact visitors.

Ad malware is different. This type of malware gets installed on a user’s computer and inundates the machine with unwanted advertisements.

Keep in mind, though, that malvertisements can also be a vehicle for getting malicious adware installed on someone’s computer.
