Everything You Need to Know About Malvertising


Online advertising is a very important source of income for many websites and online companies. With demand for ads increasing over time, online networks have grown expansive and more complex to enable them to reach bigger online audiences. Because of this growth, a new cyber threat, malvertising, has taken form. Malvertising takes advantage of the complex pathways of advertising networks and uses them to infect devices with little to no input from its victims.

What is Malvertising?

Malvertising, short for malicious advertising, is a newer type of malware where criminally controlled ads are pushed to internet-connected programs, such as web browsers. These malicious ads are designed to intentionally harm devices with all types of malware, including potentially unwanted programs (PUPs) and online scams. In short, malvertising piggybacks on what looks like authentic online advertising to spread malware and other threats to various devices. The scary part is that malvertising requires little to no user interaction for the infection to happen.

This online attack enables cybercriminals to target users, even on highly reputable websites, such as Spotify, The New York Times Online, The Atlantic, and The London Stock Exchange. These popular websites have all been exposed to malvertising.

Malvertising can show up in ads on any website, even the ones you visit as part of your everyday internet browsing. Typically, malvertising installs a tiny piece of code, which sends information about your computer to the criminal command and control (C&C) servers. The server scans your computer for its location and what software is installed on it, and then chooses which malware is most effective to send you.

The online advertising environment is a complex network that includes publisher sites, ad servers, ad exchanges, retargeting networks, and content delivery networks (CDNs). Multiple redirections between different servers happen after a user clicks on an ad. Attackers take advantage of this complexity to inject malicious content in places that publishers and ad networks would least expect.
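For a defender, the redirect chain behind a single ad click can be recorded with a proxy or browser capture and reviewed hop by hop. The following is an added example, not part of the original article: the host names, the approved list, and the hop limit are all assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the publisher has contracted with.
APPROVED = {"publisher.example", "ads.adnetwork.example", "shop.example"}
MAX_HOPS = 4  # assumed policy threshold, not an industry standard

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def _approved(host, approved):
    # Exact match, or a subdomain of an approved host.
    return any(host == a or host.endswith("." + a) for a in approved)

def audit_chain(urls, approved=APPROVED, max_hops=MAX_HOPS):
    """Return (hop_index, url, reason) findings for one click's redirect chain."""
    findings = []
    prev_scheme = None
    for i, url in enumerate(urls):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:
            findings.append((i, url, "unparseable URL"))
            continue
        if _is_ip(host):
            findings.append((i, url, "raw IP address instead of a hostname"))
        elif not _approved(host, approved):
            findings.append((i, url, "host not on the approved list"))
        if prev_scheme == "https" and parts.scheme == "http":
            findings.append((i, url, "downgrade from HTTPS to HTTP"))
        prev_scheme = parts.scheme
    if len(urls) - 1 > max_hops:
        findings.append((len(urls) - 1, urls[-1], f"more than {max_hops} redirects"))
    return findings

# Constructed sample chains: one clean, one with unexpected hops.
CLEAN = ["https://publisher.example/article",
         "https://ads.adnetwork.example/click?id=1",
         "https://shop.example/landing"]
SUSPECT = ["https://publisher.example/article",
           "https://ads.adnetwork.example/click?id=2",
           "http://203.0.113.7/r",
           "https://cdn.unknown-tracker.example/go"]

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN), ("suspect", SUSPECT)):
        for hop, url, reason in audit_chain(chain):
            print(f"{name}: hop {hop} {url}: {reason}")
```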

Malvertising vs. Adware

Malvertising is often confused with ad malware or adware, which is another form of malware involving online advertisements.

Adware is a program running on a user’s computer and is usually packaged with other, legitimate software. It can also be installed on the device without the user’s knowledge. Adware shows unwanted advertisements, redirects search queries to advertising websites, and mines information about the user to use for targeted advertisements.

Main differences between malvertising and ad malware include:

  • Malvertising uses malicious code that is deployed on the publisher’s web page. Adware, on the other hand, is used to target only individual users.
  • Malvertising only affects those who are viewing an infected webpage. Adware, however, operates continuously on the user’s device.

Why is Malvertising Dangerous?

The cybercriminals behind malvertising usually have several illegal goals for distributing this malicious software. Their campaigns are designed to make money off users by stealing their personal data, financial information, contact data, and more. Other than stealing sensitive data, malvertising can also encrypt or delete information, modify or hijack critical computer functions, and spy on your online activities without your knowledge or permission.

Malvertising has several ways to attack users who view the malvertisement without clicking it:

  • A drive-by download. This is the installation of adware on the device of the user viewing the ad. This attack is made possible because of browser vulnerabilities.
  • Forced browser redirect to a malicious website.
  • Displaying unsolicited ads, malicious content, or pop-ups, aside from the ads legitimately delivered by the ad network. This is usually accomplished by executing JavaScript.

When users actually click on a malicious ad, the following scenarios can happen:

  • Code is executed to install adware or other types of malware on the user’s computer.
  • The user gets redirected to a malicious website, as suggested by the ad’s content.
  • The user is redirected to a malicious website that looks similar to a real website, except that it is being operated by the attacker—a phishing attack.

Here are some of the common payloads that malvertising usually distributes:

  • Malware – This is the umbrella term that refers to any malicious program or code that harms operating systems.
  • Ransomware – This is a form of malware that locks users out of their device or encrypts the files, then forces the user to pay a ransom to get them back. Ransomware is considered the cybercriminal’s weapon of choice because it asks for a quick, profitable payment using hard-to-trace cryptocurrency.
  • Spyware – This malware secretly monitors the user’s activities without permission and sends the log to the malware’s author.
  • Adware – This is an unwanted software created to shove advertisements up on the user’s screen, most often using a web browser. It uses a sneaky method to either disguise itself as legitimate, or piggyback on another program to trick you into installing it on your PC, tablet, or mobile device.
  • Virus – This is the original malware that is bundled with another program and replicates itself when executed by the user. The virus modifies other computer programs and infects them with bits of its code.
  • Cryptojacking – Malicious cryptomining, also called drive-by mining or cryptojacking, is an insidious malware usually installed by a Trojan. It allows the hacker to use your computer to mine cryptocurrency, such as Bitcoin or Monero.

How Malvertising Works

There are several strategies a malvertiser might use, but the end result is almost always the same: to get the user to download and install malware, or to direct the user to a malicious website. The common strategy of malvertisers is to send their malicious ads to third-party ad vendors. Once the vendor approves the ad and the malvertiser wins the bid, the innocent-looking ad will be delivered through the websites the vendor is working with.

Here are some common delivery methods malvertising uses to inject malicious code into ads:

  • Inserting malware within ad calls – When a website displays a webpage that contains an ad, the ad vendor pushes the ads to the user through many third parties. One of these third-party servers may be vulnerable to attacks and the attacker can add malicious code to the ad payload.
  • Injecting malware post-click – When users click on an ad, they are usually redirected between several URLs, and ultimately, the ad landing page. If attackers compromised any of the URLs along this delivery route, they can easily execute any malicious code.
  • Adding malware in ad creative – Malware can also be embedded within a text or a banner ad. For example, in HTML5, it is possible to show an ad as a combination of images and JavaScript, which could be contaminated with malicious code. Ad networks that serve ads using Flash (.swf) format are especially vulnerable.
  • Inserting malware within a pixel – Pixels are pieces of code embedded within an ad call or a landing page that send data to a server for tracking purposes. An authentic pixel only sends data. But if an attacker intercepts the pixel’s delivery path, they can send a reply which contains malicious code back to the user’s browser.
  • Injecting malware within a video – Video players have zero protection against malware. For instance, a standard video format called VAST includes pixels from third parties, which may contain malicious code. Videos can distribute malware to users by showing a malicious URL at the end of the video.
  • Injecting malware within a Flash video – Videos based on Flash can also inject an iframe into the page, which can download malware even if the user did not click on the video. Flash files might also deliver a pre-roll banner, which is a static image that can be viewed while the video is loading. Attackers can insert malicious code into the pre-roll banner, and it will run even without the user clicking on the video.
  • Adding malware on a landing page – Even on authentic landing pages created by reputable websites, there may be clickable elements that can execute malicious code. This type of malware is especially dangerous because when users click an ad, they land on a real landing page, but get infected by a malicious on-page element.
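Because a VAST response names every pixel, click target, and media file the player will touch, a publisher or ad operations team can inventory those hosts before a video ad is allowed to run. The following is an added example, not part of the original article: the sample VAST document is constructed and simplified, and every host name and the approved list are placeholders.

```python
import xml.etree.ElementTree as ET  # for untrusted feeds, defusedxml is the safer parser
from collections import defaultdict
from urllib.parse import urlsplit

# VAST elements whose text is a URL the player will fetch or open.
URL_ELEMENTS = {"Impression", "Tracking", "ClickThrough", "ClickTracking",
                "MediaFile", "VASTAdTagURI", "Error"}

# Constructed, simplified VAST 3.0 response (required attributes omitted).
SAMPLE_VAST = """<VAST version="3.0"><Ad id="1"><InLine>
  <Impression><![CDATA[https://ads.adnetwork.example/imp?id=1]]></Impression>
  <Impression><![CDATA[http://px.unknown-tracker.example/p.gif]]></Impression>
  <Creatives><Creative><Linear>
    <TrackingEvents>
      <Tracking event="start"><![CDATA[https://ads.adnetwork.example/start]]></Tracking>
    </TrackingEvents>
    <VideoClicks>
      <ClickThrough><![CDATA[https://shop.example/landing]]></ClickThrough>
    </VideoClicks>
    <MediaFiles>
      <MediaFile type="video/mp4"><![CDATA[https://cdn.adnetwork.example/ad.mp4]]></MediaFile>
    </MediaFiles>
  </Linear></Creative></Creatives>
</InLine></Ad></VAST>"""

def host_inventory(xml_text):
    """Map each host referenced by the VAST document to the element names that use it."""
    inventory = defaultdict(set)
    for el in ET.fromstring(xml_text).iter():
        url = (el.text or "").strip()
        if el.tag in URL_ELEMENTS and url:
            host = (urlsplit(url).hostname or "").lower()
            inventory[host or "(unparseable)"].add(el.tag)
    return dict(inventory)

def review_list(xml_text, approved):
    """Return the hosts that are neither approved nor a subdomain of an approved host."""
    def ok(host):
        return any(host == a or host.endswith("." + a) for a in approved)
    return sorted(h for h in host_inventory(xml_text) if not ok(h))

if __name__ == "__main__":
    for host, roles in sorted(host_inventory(SAMPLE_VAST).items()):
        print(host, sorted(roles))
    print("review:", review_list(SAMPLE_VAST, {"adnetwork.example", "shop.example"}))
```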

Different Types of Malvertising Campaigns

Once cybercriminals have determined what kind of device you use, what software you have installed, and what country you reside in, they have all the information needed to devise a personalized campaign. Some campaign categories include:

Get-rich-quick schemes and other malicious surveys

These are bold efforts by unethical advertising networks that disrupt your browsing experience with screen hijacks. They could be anything from a lottery offer, bogus surveys, work-from-home scams, and other too-good-to-be-true offers.

Tech support scams

Tech support scammers have been targeting Windows PC users for a long time, but they also target Mac users, taking advantage of their assumed sense of security through various social engineering tricks. In some cases, fake websites pose as Apple or Microsoft, employing JavaScript to prevent victims from closing the webpage naturally. The frustrated users then call the toll-free number listed by the malvertising for assistance. Scammers then make a show of scaring their victims to sell them expensive, yet worthless, tech support.

Fake software updates

This is one of the most common techniques to deliver adware and other types of malware onto users’ devices. Disguised as updates for the Flash Player or video codecs, these pages are well-designed and annoyingly pushy. In some instances, the installer will even automatically download itself onto the computer. These campaigns are effective on adult or video streaming websites because they can tempt users to download the application to be able to watch the content they are looking for.


Scareware

Just like the tech support scam, scareware first notifies you that your Mac or Windows computer is severely corrupted or infected. Then it urges you to download a specific program to fix it. Scareware scams are usually the work of unscrupulous malvertising affiliates trying to get the most leads they can to collect higher commissions off various PUPs.

What to Do When You Encounter Malvertising

No matter how careful you are, there are times when you just can’t avoid malvertising. Even when you’re visiting a legitimate website or reading popular news portals, it is possible to encounter malvertising and get infected without even clicking anything. Although most modern browsers are equipped with anti-malware features that warn users if the website they are visiting is malicious, there are still a lot of malvertisers that escape the net.

So if you suspect that the website you visited has malvertising, quickly close the browser. Log out of all logged-in accounts. Next, run your anti-malware software in Safe Mode. This should detect whether any malware was downloaded to your device. Remove any detected malware and delete all files associated with it.

Ways to Avoid Malvertising

Malvertising is an attack that is difficult to detect and mitigate. Avoiding malvertising takes awareness and vigilance, but it is not impossible to defend against it. Here’s how:

Invest in a good antivirus program.

The best way to guard against malvertising is to install and run a robust antimalware app on your computer. And once you install the software, make sure to promptly install its updates as well.

These updates are released to protect your device against the latest forms of malware, including malvertising. If you fall behind on the major updates, you could leave your device vulnerable.

Switch on click-to-play for your web browsers.

All web browsers have the option to choose the “click-to-play” feature. By turning this on, all online content that requires plugins to play, such as Java, Flash, Adobe Reader, or QuickTime, will be disabled, unless you manually approve the content to play.

If you want to stay away from malvertising, make sure to enable the “click-to-play” option in your browser’s settings. This should protect you from drive-by download malvertising.

Install an ad blocker

You probably won’t click on an online ad if it didn’t show up on your screen in the first place. That’s the idea behind ad blockers. If you install one (some cost money while others are free), it will clear your web pages of ads and help protect you against malvertising in the process.

Be aware, however, that not all ad blockers are able to stop all ads. Some websites might also have problems running properly if an ad blocker is turned on. Fortunately, you can set up ad blockers to allow online ads from certain sites through whitelisting.

Other general tips for preventing malvertising attacks include:

  • Regularly updating all systems and machines to make sure you have the latest patches and the safest version of your software.
  • Avoiding the use of Flash and Java to protect users from common vulnerabilities that are usually exploited by malvertising.
  • Updating web browsers and plugins to prevent many malvertising attacks, particularly those which operate before the user clicks the ad.