How do malvertising attacks occur, and how can you protect against them?

Malvertising, as it sounds, is a portmanteau – that is, a combination of ‘malicious advertising’. Malvertising occurs when hackers manage to inject malicious code into an online ad, and use a genuine online advertising network to spread the ad across the web. Malvertising often uses malicious code called an ‘exploit kit’, which detects vulnerabilities on the user’s browser or a web app, and uses these vulnerabilities to install malware. Once installed, the malware can allow access to the user’s computer, infiltrate a network, steal sensitive data, such as financial data, or even use ransomware to encrypt the user’s files and demand payment.

Malvertising can appear on ads provided by even the biggest, most popular and most reputable advertising networks, leading to infected ads appearing on highly trusted websites and tricking users into believing they are legitimate. Sometimes, malvertising triggers a drive-by attack, which no user interaction is needed to trigger – the user only needs to navigate to the page with the malvertising on it, and the malware is downloaded automatically.

Due to the sophisticated ways in which hackers hide the malicious intentions of their ads, malvertising has appeared on some of the world’s most well-known websites, giving even the most careful user a false sense of security.

As online advertisements are so popular, a very large number of ads are submitted to ad networks, making it hard to detect every ad containing malicious code. In addition, many times the ads being displayed on a particular page are changed very frequently, so two users visiting the same page may not see the same ads, and only one may become the victim of malvertising. This makes it very difficult to track the culprit.

Defend Against Malvertising

Is malvertising the same as adware?

Malvertising and adware are both malicious, and contain ads, but that’s where the similarity ends. Adware is usually installed without a user’s knowledge, or bundled with other software, and runs on the user’s computer. The adware will display ads directly to that particular user. In contrast, malvertising exists on live web pages, and malicious ads are shown to a wide audience. In order to become a victim of malvertising, the user must visit a particular page, or click on the ad.

Who does malvertising affect?

• Website owners: For a trusted website owner, such as a well-known retailer or service provider, if users visit their website and become infected with malware, their reputation will be badly damaged due to security concerns that could drive people away.
• Advertising networks: Advertising networks may lose customers if they are found to have been displaying malicious ads.
• Users: Of course, if a user becomes a victim of a malvertising campaign, this can lead to their device becoming compromised. The hacker could then steal financial data, such as bank or credit card details, and use it to withdraw money or make transactions. The malicious code could also lead to a ransomware situation, whereby the computer is locked, or data is encrypted, and the user is pressured into paying a ransom to release it.

How does malvertising work?

The first step in the malvertising process is that the hackers create an infected ad. Then, they use an ad network to buy advertising spaces on websites. The hackers provide the network with the infected ads, which are then displayed in the spaces they bought. Sometimes there are numerous parties involved, such as different servers for different types of ads, creating an opportunity for cybercriminals to find a way to infiltrate and inject malicious code into existing ads.

Once a user visits a web page with one of these malicious ads, or clicks directly on the ad, one of the following things could happen, depending on the type of malware with which the ad is infected:

1. The malicious ad could redirect the user to a malicious website that is completely different from the one appearing in the ad, sometimes through numerous redirects to successfully avoid detection by the advertising network.
2. The ad could redirect the user to a fake version of the legitimate site that appears in the ad, to carry out a phishing attack and gather valuable user data.
3. Malicious code could run, which begins the automatic download and installation of malware onto the user’s device, whether it’s a desktop, laptop, or mobile.

What does malvertising look like?

There are no hard and fast rules for identifying malicious ads, as they can look just like legitimate online advertising. With that being said, here are some particularly suspicious things to look out for:

• Pop-up ads:  These are notoriously sketchy, especially ones that encourage software downloads to ‘protect your computer’.
• Website ad banners: Sometimes these banners promise rewards or special offers. Think before you click – if it’s too good to be true, it could well be malicious.
• Ads with a fake button: Some ads have a fake close button or OK button, when really clicking on the ad can launch a malware download.
• Any ad provided by a third party on a website: Ssadly, no ad network is completely immune, and therefore, no website ad can be trusted completely.
• Text ads inside content: Sometimes ads are just text, often containing hyperlinks. Clicking on these links could also trigger malicious code to run.

Preventing malvertising attacks

Tips for everyone

• Keep your software up-to-date, especially applications that access the web, including browser extensions. Every application should have the latest security patches to ensure vulnerabilities used by browser exploits are kept to a minimum, decreasing the chance that a malvertising campaign will be able to successfully breach your device.
• Use ad blockers that will prevent ads from displaying, thus stopping malicious code from launching a malware download.
• Use security software such as antivirus and firewalls. Remember to keep them all up-to-date, to protect against the latest threats.

Tips for organizations

Educate users about cyber threats like malvertising, and provide guidance for how to browse the web safely, including not clicking on suspicious links or ads.

Use an advanced security solution to make browsing the web safer for all users. Remote browser isolation (RBI), for example, allows users to browse the web as normal, while running all active code in an isolated container in the cloud, away from the endpoint. Only safe rendering data is sent to the user’s browser, where they interact with it just as they would with the actual website – only without risk. The container is destroyed once the user stops browsing, along with any malicious code, so it can never reach the end user’s computer at all.

Tips for website owners

Work only with reputable online third-party ad vendors, especially ones that are known to take proactive steps and precautions to prevent malvertising.