Malicious advertising, or malvertising, as it is commonly known, is the practice of placing malicious code into legitimate ads.
These malvertising campaigns then spread malware or phishing campaigns, often going undetected by platforms and publishers until end-users alert them to the malvertising attack.
Malvertising poses a huge threat to the entire digital advertising landscape.
Not only does it tarnish the user experience, but it can also cause irreparable damage to the publisher's reputation. Further to this, it drives the deployment of ad blockers, reducing the number of impressions served and impairing publishers’ ability to earn a valuable revenue stream.
With malvertising on the increase -recent studies showed 1 in every 100 ads is injected with malicious content- legitimate websites need to stay on top of the threats on both the supply and demand side in order to counter these potentially crippling malvertising attacks.
Table of content:
What is Malvertising and Why is It Bad for Publishers?
Malvertising, a portmanteau of malicious software and advertising, is the use of online, malicious advertisements to spread malware and compromise systems. This is generally enacted by malicious actors, or hackers, injecting malicious code into legitimate online advertising networks. The malicious actors behind this code usually pay legitimate advertising networks to display these infected ads on various websites without the ad network or legitimate websites having any knowledge that these harmful ads are being served to unsuspecting users.
One of the most problematic elements of malvertising is that the infected ad looks just like any other legitimate ad served on a page. Not even the publishers are aware they are serving a malicious ad on their site. Due to the complexity of programmatic advertising, it is nearly impossible to control every ad that wins the auction and is served to the reader. In the past, malvertising attacks have hit large news portals, with renowned publishers serving malicious ads without knowing it – such as New York Times, BBC, or Yahoo. However, there do exist a few ways to mitigate the risk of serving a malicious ad on a publisher’s page, and we’ll talk about them in a bit.
Let’s establish two more things before diving deeper into malvertising. What is the reason people hide malicious codes behind ads, and why is it so bad for publishers if it infects the visitors?
Well, the answer to the first question is easy – money. The code injected behind an ad can cause many actions, including stealing the visitor’s financial data.
That brings us to the second question. If a visitor visits your website and is served an ad that causes them troubles, they are most likely to never revisit your page, leading to the loss of traffic and ad revenue, which is a thing all publishers would like to avoid.
How Does Malvertising Work?
Malvertising occurs when a malicious actor hides malicious code into an otherwise legitimate advertisement. This then directs the user to a malicious website or compromised server. When the user’s system successfully connects to the server, an exploit kit then executes. Exploit kits operate by detecting and then exploiting, any vulnerabilities they find on the user’s system.
What is the Difference Between Malvertising and Adware?
Malvertising is often mistakenly confused with adware, and understandably so. Adware is another major online threat to users; however, it operates differently from malvertising.
The primary difference between malvertising and adware is where the infection resides. While malvertising works to insert malicious code in the ad network, adware installs malicious software onto the user’s computer.
How Malvertising is Injected Into Ads
There are several ways malware can get served on your website. A user can get affected by malware even when they don’t click on the ad at all.
That means there are different ways of how malware is inserted into ads ranging from within a pixel to an injected post-click.
Malware In Ad Calls: When a website displays an ad, a selection of third-party users bid for that ad space via an ad exchange. One or more of these may be compromised by an attacker who can include malicious code in the ad payload.
Post-Click Malware: When a user clicks on an advertisement, they are usually redirected along a chain of URLs, the final of which is the ad landing page. Malware injected post-click occurs when an attacker compromises any of the URLs along this delivery path.
Malware in Ad Creative: Many malvertising attacks occur via malware embedded in a banner or text ad. Ads that used to employ adobe flash were particularly vulnerable in the past, which contributed to flash being discontinued in late 2020.
Malware Within a Video: Video ads are especially tricky, as video players do not protect against malware. There are several ways how a user can get affected by a video. Even without playing it, a reader can get exposed to the malicious code, as it can be inserted in the pre-roll featured image. Or, after a user sees the video, there can again be a URL inserted that takes the reader to a false landing page.
Malware Within a Pixel: A regular pixel on a webpage sends data when a visitor enters the page for tracking purposes; however, if it’s hacked, it can send a malicious code to the user’s device and provoke an undesirable action. In this way, the user does not even have to click on the ad.
Main Types of Malvertising Campaigns
As the world of digital advertising has evolved, so too have the different malvertising strategies employed by cybercriminals.
Here are some of the more common examples of malvertising campaigns.
Stenography, the age-old technique of concealing secret messages and images inside other text and images, has more recently been adopted by cybercriminals to hide malicious code within ad images.
Polyglot images take the implementation of stenography one step further. Not only do they have the code for the malware, but they also include the scripts required to execute and launch the attack. Polyglot images contain not only the initial hidden payload but are able to speak several languages.
With no need for an external script to extract the malware package, polyglots are a sophisticated and dangerous form of malicious advertising.
Tech support scams involve tricking users into thinking there is a technical issue with their device or operating system. These ads typically install a form of malware that hijacks the users
browser, directing them to call a number to fix the ‘problem’.
Tech support scammers on the other end of the line then work to extract money and information from unsuspecting users.
Operating with similar social engineering tactics to tech support scams, scareware attempts to scare users into thinking that their computer has a malware infection or other technical problem.
However, rather than directing users to a call center, scareware attempts to scare users into downloading fake anti-virus software. The irony of scareware is that the ‘anti-virus software’ advertised to fight malware is often malware itself.
Get Rich Quick Schemes and Fake Surveys
The internet is littered with advertisements for get-rich-quick schemes and fake surveys offering big payouts. While these malvertising ads promise big rewards, they are more likely to be injected with a malware infection than the legitimate opportunity to make money. If something looks too good to be true, it probably is.
Fake Software Updates
Fake software updates are a popular malvertising technique that pretends to offer users legitimate software updates and other popular downloads, often for security and performance purposes. However, once clicked, these ads install unwanted software such as spyware, viruses, or other malware. Users can avoid this malvertising by ensuring that they download their software from a first-party vendor such as the app store.
How Users Are Affected By Malvertising
There are two ways a visitor can get affected by the malicious software hidden behind an ad.
1. Without clicking on the malicious ad
The tricky part of malvertising is that users do not even have to click on the malicious ad to run into trouble. Loading a page with the vicious ad is often enough to infect the user’s device. This way of malvertising attack is known as a drive-by download. Just loading the web page hosting the spam ad is enough to trigger the malicious activity, which leads to the infection of the user’s computer.
2. By clicking on the malicious ad
The second way a user can get affected is actually clicking on the ad, while
believing it is a legitimate ad.
After a visitor is exposed to the malicious ad, several actions can follow. Among the most common ones belong installing:
- Ransomware – a type of malware that locks a user out of their device and demands a payment to get it back. Ransomware can also encrypt the user’s files and again require a payment in order to restore them.
- Spyware – allows for full access to the computer, observes the user’s activities and reports it back to the software’s author. In this way, any passwords and financial or sensitive information of the user can be exposed.
- Adware – adware is a widespread type of malware where a user is repeatedly exposed to pop-up ads on their computer. The purpose of such ads is for the user to eventually click one of them and install another software that is usually paid for.
None of these actions are naturally desired by the user and can even happen without the visitor’s knowledge, such as when being affected by spyware.
For that reason, the readers and publishers need to engage in actions that prevent crossing paths with malvertising in the first place.
Users are usually aware of the possibility of malicious ads and often try to protect themselves by installing good antivirus programs or not using Java, Adobe Reader, or Flash codes to lower the likelihood of coming across a harmful code. Sometimes readers install ad blockers, which can then directly lead to lower ad revenue of the publisher.
When a user does not protect themself and ends up being affected by the bad ad, they are most likely to never come back to your page, and they may tell people about their poor experience. The subsequent effects are a publisher’s damaged reputation, loss of traffic, and ad revenues.
When hackers manage to slip infected ads into popular ad networks, no publisher, big or small, is immune to these malvertising attacks.
However, by understanding where and how previous major malvertising attacks were implemented, publishers may be better equipped to protect themselves in the future.
These malvertising campaigns were particularly notable.
In 2011, the free desktop version of Spotify was targeted by malicious ads, as hackers attempted to attack Windows users with the Blackhole exploit kit.
Users didn’t have to click on the ad to be affected. Once the users' systems had connected to an outside IP address, the exploit kit attempted to exploit a range of vulnerabilities, including flaws affecting Adobe Reader and Acrobat.
The end game of this malvertising attack was to get users to download the Windows Recovery fake AV application to their systems.
This malvertising attack was particularly notable, as the malvertising campaign launched inside the app.
Perhaps the most well-documented malvertising attack, in 2016, AdGholas infected thousands of users daily using an advanced combination of techniques, including sophisticated filtering and steganography.
Hitting significant sites such as Yahoo, MSN, and other big-name outlets using an ad for fake software which redirected victims to a malicious landing page that used several Flash exploits to download and install malware.
Hosting an exploit kit from the domain covid19onlineinfo[.]com, cybercriminals recently targeted users of Internet Explorer using a fake advisory notice.
The attack used the Fallout exploit kit to attack users still operating the outdated Internet Explorer browser installing malware that could steal personal data and passwords.
How Publishers Can Protect Themselves from Malware
To protect your webpage and your readers as a publisher, you can cooperate with several companies that offer technology to identify the ads infected with malicious codes.
- Confiant – Confiant offers an ad verification technology that should automatically identify and block all types of malicious creatives in real-time.
- Geoedge – GeoEdge’s technology guards against non-compliance, malware, inappropriate content, data leakage, operational and performance issues.
- Adwizard – Publift has developed a technology that offers many features, including the blockage of bad ads. Our Google Chrome Extension gives users the ability to make informed decisions about ads on a webpage in real-time. A user can view information from the ad server and header bidding performance all in one place, and premium users and Publift members have the added benefit of identifying problematic ad units and blocking them with a single click.
Malvertising is an ongoing issue when a malicious ad containing a bad code is served on a publisher’s page, often without the knowledge of both the publisher and the reader. By loading the page and viewing the ad, it can infect the visitor’s device with different types of malware, causing the loss of data or access to their device.
Malvertising negatively impacts the publisher’s reputation and leads to a subsequent loss of traffic and ad revenue. Publishers should protect their readers and their webpage from malicious ads by installing one of the technologies available on the market. Get in touch with Publift to find out more about Adwizard, which is protecting more than a thousand publishers on the market.