Learn what adware is, the signs of infection, removal tips, and steps to protect your devices from malicious adware. Read Huntress advice now.
Malvertising is a cyberattack method where criminals inject malicious code into legitimate online advertisements to distribute malware or redirect users to dangerous websites.
TL;DR
What is malvertising? Malvertising is a cyberattack method where criminals inject malicious code into legitimate online advertisements to distribute malware or redirect users to dangerous websites.
How malvertising works: Understand the techniques attackers use to inject malicious code into legitimate ads.
Risks involved: The potential dangers that malvertising poses to individuals and businesses.
How to protect yourself: Gain actionable tips to safeguard against malvertising threats while browsing online.
Malvertising represents one of the more insidious threats in cybersecurity because it exploits something we encounter daily: online advertisements. Unlike other cyberattacks that require users to visit suspicious websites or download questionable files, malvertising can strike through ads on completely legitimate, trusted websites.
The term combines "malicious" and "advertising," which perfectly captures how cybercriminals have weaponized the digital advertising ecosystem. What makes this attack particularly dangerous is that it doesn't require any specific action from the victim beyond normal web browsing.
How Malvertising works
Malvertising attacks follow a predictable pattern that exploits the complex digital advertising supply chain. Here's how cybercriminals execute these attacks:
Initial compromise
Attackers begin by targeting third-party advertising networks or servers. These networks serve millions of ads across thousands of websites, making them attractive targets. Once compromised, criminals inject malicious code into legitimate advertisements or ad components like banner images, videos, or interactive elements.
Distribution through legitimate channels
The infected advertisements then flow through normal advertising channels. Ad networks distribute these compromised ads to publisher websites, often without detection. Because the ads appear to come from legitimate sources, they bypass most initial security screenings.
Payloaddelivery
When users encounter these malicious ads, several things can happen:
Click-based attacks require user interaction. Clicking the ad triggers the malicious code, which may install malware, redirect to a dangerous website, redirect to a phishing website, or launch an exploit kit that scans for system vulnerabilities.
Drive-by downloads are more concerning because they don't require any user interaction. Simply loading a webpage with a malicious ad can trigger automatic malware downloads by exploiting browser or plugin vulnerabilities.
Post-infection activities
Once the malware is installed, it operates like any other form of malicious software. It might steal sensitive data, monitor user activity, establish backdoor access, or encrypt files for ransomware demands. The malware can also redirect internet traffic for the purposes of denial of service attacks or serve as a launching point for additional attacks.
Malvertising vs. Adware: Understanding the difference
Many people confuse malvertising with adware, but these are distinctly different threats that require different approaches to prevention and removal.
Malvertising is the attack method itself—the process of using corrupted advertisements to deliver malicious payloads. It's always malicious and often delivered without the user's knowledge or consent.
Adware is a type of software that displays advertisements, often in intrusive ways. While annoying, legitimate adware programs are typically installed with user consent (though often buried in lengthy terms of service agreements). Some adware crosses into malicious territory when it tracks users extensively, displays deceptive ads, steals passwords or session cookies, or proves difficult to remove.
The key distinction lies in consent and purpose. Legitimate adware serves marketing purposes and can be uninstalled through normal channels. Malvertising, however, exists solely to compromise systems and steal data or money.
Real-world Malvertising examples
Understanding how malvertising manifests in actual attacks helps illustrate why this threat is so concerning for cybersecurity professionals.
Angler Exploit Kit Campaign
This sophisticated attack demonstrated the power of drive-by malvertising. The Angler Exploit Kit automatically redirected website visitors to malicious pages without requiring any clicks or downloads. Once redirected, the kit exploited common vulnerabilities in Adobe Flash, Microsoft Silverlight, and Oracle Java to install malware silently.
The attack was particularly effective because it targeted widely used browser plugins that many users hadn't updated. According to the FBI's Internet Crime Complaint Center, exploit kits like Angler were responsible for a significant portion of malware infections during their peak operation.
RoughTed Campaign
The RoughTed malvertising campaign showcased how attackers can evade traditional security measures. This operation circumvented both ad blockers and antivirus solutions through dynamic URL generation and sophisticated traffic routing.
What made RoughTed particularly concerning was its use of legitimate infrastructure. The attackers leveraged Amazon's cloud services and content delivery network to make their malicious ads appear more trustworthy and harder to block. This is now known as domain fronting, where an attacker uses legitimate infrastructure such as AWS and Cloudflare to masquerade their malicious servers and domains.
KS Clean Mobile Malvertising
This campaign specifically targeted mobile users through in-app advertisements. The malicious ads would trigger fake security warnings, claiming the device was infected and needed an urgent "security update." Users who agreed to the update actually installed malware that granted attackers administrative access to their devices.
These examples share common characteristics: they targeted trusted platforms, used social engineering to increase effectiveness, and leveraged legitimate infrastructure to avoid detection.
Protection strategies against Malvertising
Defending against malvertising requires a multi-layered approach that addresses both individual user behavior and organizational security policies.
Individual user protection
Keep software updated: Regular updates to browsers, operating systems, and plugins close security vulnerabilities that malvertising exploits. Enable automatic updates when possible to ensure you receive security patches promptly.
Use Ad Blockers and security extensions: Quality ad blockers can prevent malicious advertisements from loading. Choose reputable options like uBlock Origin or AdBlock Plus, and keep them updated.
Disable unnecessary browser plugins: Adobe Flash and Java plugins are common targets for exploit kits. Disable these plugins unless absolutely necessary, and configure browsers to ask permission before running them. It is also possible to allow-list certain domains and restrict plugins from loading on un-approved websites.
Deploy comprehensive Antivirus solutions: Modern antivirus software can detect and block many malvertising attempts, especially those involving known malware families.
Organizational protection measures
Network-level filtering: Implement DNS filtering and web application firewalls to block access to known malicious domains and ad networks.
Employee education: Regular cybersecurity awareness training should include information about malvertising and safe browsing practices.
Endpoint detection and response: Advanced endpoint protection can identify and contain malvertising attacks even when they bypass traditional security measures.
Regular security assessments: Conduct periodic vulnerability assessments to identify and remediate security gaps that malvertising might exploit.
Why traditional security often fails
Malvertising presents unique challenges that make traditional cybersecurity approaches less effective. The sheer volume of digital advertisements—billions served daily—makes comprehensive screening nearly impossible. Ad networks prioritize speed and revenue, often leaving insufficient time for thorough security reviews.
The legitimate appearance of malvertised content also poses detection challenges. These ads come through established advertising channels and may appear identical to legitimate advertisements until activated. Many security tools struggle to differentiate between legitimate ads and malicious ones without triggering false positives that could disrupt normal business operations.
Additionally, the rapid evolution of malvertising techniques means that signature-based detection methods often lag behind new attack variants. Cybercriminals continuously adapt their methods to evade detection, creating an ongoing arms race between attackers and defenders.
Frequently Asked Questions
Yes, malvertising increasingly targets mobile users through in-app advertisements and mobile web browsing. Mobile devices face unique risks because users often have fewer security protections installed compared to desktop computers.
While ad blockers significantly reduce malvertising risk by preventing many advertisements from loading, they're not 100% effective. Some malvertising can bypass ad blockers, and users may whitelist sites that later serve malicious ads.
Absolutely. Major websites like The New York Times, BBC, and Forbes have all been affected by malvertising campaigns. The attacks typically originate from compromised ad networks rather than the websites themselves.
Malvertising infections can spread rapidly, especially in environments with shared network resources or inadequate endpoint protection. The speed depends on the specific malware deployed and the organization's security posture.
While most advertisements are legitimate, it's safest to avoid clicking on ads for unfamiliar products or services, especially those that seem too good to be true or create urgency. When interested in an advertised product, consider navigating directly to the company's official website instead.
Staying vigilant in the digital advertising landscape
Malvertising represents a fundamental challenge in our heavily relied-upon digital world. As online advertising continues to grow and evolve, so do the opportunities for cybercriminals to exploit this ecosystem. The attacks succeed because they abuse the trust relationships between advertisers, ad networks, publishers, and users.
The most effective defense against malvertising combines technological solutions with informed awareness. Organizations must implement comprehensive security measures while educating users about the risks inherent in digital advertising. Individual users benefit from understanding that even trusted websites can inadvertently serve malicious content through compromised advertising networks.
Moving forward, the cybersecurity community must continue developing advanced detection methods that can identify malvertising without disrupting legitimate advertising. This includes improving collaboration between security vendors, ad networks, and publishers to create more secure advertising ecosystems.
Remember that cybersecurity is an ongoing process, not a one-time implementation. Regular updates, continuous monitoring, and adaptive security strategies provide the best protection against malvertising and other evolving cyber threats.
Related Resources
Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
