What is Malvertising?

Malvertising is short for “malicious online advertising”. It causes a dependable website to temporarily wreak havoc when the ads they display are infected. It uses online promotion company networks and web pages to intentionally spread malware to people and businesses.

The contaminated code is hidden well and lives on sites you probably use daily. They look like any regular ad, but the code redirects your personal information to other servers where it can steal data, learn your computer habits and location, and send you a customized infection that will tempt you to make a purchase of a fake product or service.

It is a huge problem, according to a 2013 US Senate report showing online marketing exceeded all other forms of public relations in popularity and use. Agencies like Trust In Ads have become necessary to make people more aware of online attacks and how to prevent them by learning ‘sharing best practices’. Once you’ve become conscious of the malware, the damage has already been done; your personal information has been accessed, you’ve been scammed out of money, or your hard drive is being held for ransom.

How does it happen?

Online advertising contracts provide service through third-party marketing companies. The promotion space is sold over and over to different businesses who bid for better spaces where consumers are more likely to see them. The marketing networks control the sharing and selling with constantly rotating information. They are also self-regulating and don’t take any additional steps to protect the public.

Buyers can configure ads to appear according to the website visitor’s specific browser or operating system, their locations, search keywords and more. This is of tremendous value for criminals to profile their victims while concealing themselves.

Cyber criminals replace authentic ads with malicious material on this self-service platform fairly easily through weak security points in the system. Ads look very normal and go undetected. You don’t have to click on them or perform any action for the malware to work. You go to a site you visit often and your web browser, plug-ins, or PDF reader is already infected through holes in security programs. It places an ad asking you to download something the criminal already knows you might be tempted to buy or inquire about from previously scraping information about your habits.

When you visit a web page or landing page, it appears fine and you start reading. It has some ads that you mostly ignore. Some only require you to open the page while others have dialogue boxes to click or buttons to ‘like’ their information. This is called Clickjacking and Likejacking; using a contaminated text or button to begin a malicious download.

If you are lucky, you notice your anti-virus pops up to warn you and you have a chance to determine the validity of a threat. These often go unnoticed or ignored.

Why this Scam Works so Well

  • Security holes can’t be patched fast enough and there is too much data to control. Hackers find it easy to take advantage.
  • It works as well as hacking the site on which the malicious ads appear without the risk of actually having to break into that brand’s web servers.
  • Ad servers rotate content to many different customers and numerous brands belonging to one company. It’s an opportunity to hack multiple websites at once.
  • Ad content is rotated at random which makes the hacker and the malicious material harder to find and investigate.
  • Ad servers rely on republishing third-party content from many different versions of sources (HTML and CSS files, images, Flash and JavaScript programs) providing the necessary security holes for an attack.

What is the point?

Malware is used to make money. Cyber criminals gain access to private data to trade, the sell fictitious products, steal logins and passwords to redirect to a fake product site, take advantage of data breaches to get private data, generate pay-per-click advertising revenue from clients, and use fake social media ads to collect data from you and your followers. They scrape banking industry data and pirate SMS texts to charge you high usage rates through surveys and contests. They can even encrypt your hard drive and hold the data until you pay a Bitcoin ransom.

How does it affect consumers?

This malicious activity causes consumers to be continually bombarded with unwanted advertising that slows our computers and compromises our safety. We are subject to identity theft, financial distress and the destruction of personal files and computing equipment. These invasions of privacy are emotionally disturbing. You have no concept of when and where your stolen data will resurface. The constant threat and preventative measures can seem exhausting.

Ignoring the risks can lead to an attack both at work and at home.

What Can Consumers Do About It?
Be wary of suspicious, new process names in the list of programs running in your task manager. They often use very similar names to the real ones as a disguise and you will need to look carefully. There may be a user name listed that you don’t recognize as well.

Make sure emails from your friend have actually been sent by them by checking the URL address. Don’t open email attachments unless you know who they are from and be sure to scan them before opening. Some email providers scan automatically for you.

Be careful when downloading any files from the Internet especially executable (.exe or .com on Windows) files that can cause the most harm.

If you have a portable driver, don’t leave it on auto-run. Keep it disabled. Don’t trust portable drives you don’t personally own and scan anything coming from an external source.

Virus Symptoms

Your access to the Task Manager is disabled.

There are noticeable spikes in CPU or GPU power consumption and the computer fans are working hard when there is not a large program currently running.


Run anti-virus scans on a regular basis from an external CD, if possible, so you don’t end up infected before the anti-virus scan completes.

There are programs that block advertising that can help block tracking, malware domains, banners, pop-ups and video ads even on social media sites.

Manually enable each plug-in in your browser when you use it. Most web browsers load Flash and other plug-in content as soon as you open a page. You don’t really need as many plug-ins today. You may be able to get rid of the Java browser plug-in no longer used by many websites. Netflix no longer uses Microsoft’s Silverlight, so you may be able to uninstall that too. Malvertising uses these plug-ins as entry points.

Always run program updates to browsers, flash, Java, and others. They contain recent security patches and are always at risk of attack. Run a free anti-exploit program to protect your browser, Microsoft programs, PDFs, and plug-ins. It monitors for techniques browser exploits use and can run in addition to your anti-virus. Google Chrome, Internet Explorer, and Microsoft Edge browsers use sandboxing technology to prevent these exploits from evading the browser and doing damage to your system.

Use a firewall if connecting to a public network and other network machines.

Backup your hard drive on a regular basis and you will be able to restore it if it is attacked.

Protecting Businesses

Run an anti-virus on your server.

Every time a consumer’s anti-virus pops up to warn them that your ad network tried to infect them, your business reputation is harmed.

Serving ads for your customers’ websites under contract harms your customers’ reputation too.

Deploy security patches more quickly, eliminate unnecessary applications, and educate employees with examples to help keep them from opening malicious attachments or clicking on links out of curiosity. Restrict administrative rights. These measures can avoid nearly 90% of attacks. Despite security, employees are the most important defense to help secure company data.

Well Known Malicious Attacks

  • Yahoo was attacked through the use of malicious Flash ads. According to Malwarebytes, it was determined to be the largest malvertising attack to date.
  • A malicious activity called Zero-Day targeted Firefox when it lacked the protection of sandbox technology that other browsers use. Windows has been the main focus of malware attacks for years, but one focused on a browser or common plug-in will infect Linux, and Mac like this one did.
  • The Angler virus is just one of many destructive malware programs being delivered through malicious advertising. It uses a “drive-by” download, pointing a user’s browser to a malicious website with an exploit kit. It finds vulnerabilities in the user’s site without the need to have the user engage by clicking or downloading to be affected. In May 2015, thousands of web pages infected with Angler were discovered every day including major news sites the Daily Mail and Forbes.

The Forbes “30 Under 30” list featured a well-known security researcher and drew a large number of visitors to read the list. Forbes asked readers to turn off ad blockers in order to view the article because advertisers pay to support the site’s efforts to provide the public with free content for its readers. But visitors were immediately attacked by pop-under malware stealing passwords, personal data and banking information, and locking up hard drives in exchange for Bitcoin ransom.

  • A malvertising campaign in June 2015, targeted servers running Revive Adserver which provided advertising services powering nearly 7500 other ad servers worldwide. Since ad servers feed content into multiple sites for multiple brands, it increased the target for criminals and made a global impression.

Some malware requires the user to click either “Yes” or “Cancel” in a dialogue box. Both choices run the function to remove the legitimate popup, add a placeholder, and submits the form which redirects your computer to another server.

You risk your privacy visiting any health-related web page including Healthcare.gov. According to a Sophos article by Mark Stockley, “An analysis of over 80,000 such web pages shows that nine out of ten visits result in personal health information being leaked to third parties, including online advertisers and data brokers”.

Data Mining, Advertisers and Malvertising Criminals

The advertisers and the criminals pushing the exploit kits have a lot in common. Both manipulate consumers into giving them something. They each monitor and track us and are hard to escape. They deliver viruses and scrape money from every online visitor. They need a targeted delivery system, the widest distribution, and as many oblivious participants as they can manage.

Online advertisements are annoying and distracting and threaten our privacy using cookies to track people as they browse across the web to serve more relevant ads, and online data brokers collect and sell profiles of consumers to the advertisers. Scammers purchase ads on social media sites get people to purchase services like fake technical support.

Unfortunately, the content on websites that people want to access without seeing those annoying and potentially harmful ads costs money and advertising pays for that content.

What Now?

Solving the malvertising problem would require the cooperation of a lot of website operators, ad networks, and consumer and business audiences concerned about protecting personal information and preventing the next data breach.

When you take your device to a website, it connects to dozens of other URLs as web browsers accept connections to deliver ads, video files and other interactions that provide convenience when consumers go online. Malicious advertising attacks rely on a trusted destination as a lure. Be sure to follow preventative measures and learn safe sharing

Have You Been Hacked?

*Cyber breach data provided by Have I Been Pwned

Enter your email or username to see if your information was compromised.

Have You Been Hacked?