Malvertising – The Idle Surfer’s Cybersecurity Threat

Studies show the average user sees up to 10,000 ads daily, meaning people are bombarded with popups and similar ads. Being annoyed with an ad is far from the worst thing that could happen online, as threat actors have caught on to how widespread ads are – and use them to their advantage. So, what’s malvertising?

Malicious advertising (or malvertising for short) is a cyberattack that consists of using ads in harmful ways. Threat actors use compromised ads to spread malware or set up phishing scams. Malvertising is difficult to detect but not as challenging to prevent.

Since detection is the hard part, the best way to fend off malvertising attacks is to prevent them as best as you can. For that reason, learning what malvertising is, what it isn’t, and what its goal is makes a good starting point.

What’s Malvertising?

Malicious advertising, or malvertising, is a relatively new cyberattack in which threat actors inject malicious code into ads.

These ads will trigger hidden scripts to download malware without users knowing or redirect them to fake websites designed to steal money or information from people.

Unfortunately, detecting malvertising is difficult. Most threat actors use fake ads that look real or hijack legitimate ones to infect them with malicious code.

More importantly, these ads usually run through legitimate places until they’re detected and taken down.

Malvertising vs. AdWare

It’s easy to confuse malvertising with adware, but they are not the same thing. Both can be used with malicious intentions, though companies could ethically use adware.

The main difference between malvertising and adware is that the first is a cyberattack disguised as an ad, while the second one is a way to target users with certain ads.

Adware could be used to understand a user’s profile, so companies can better choose what ads to show that person.

Unfortunately, most adware is malicious in nature: it forces you to watch ads you wouldn’t otherwise. Some people consider this type of software to be malware.

What’s the Goal of Malvertising?

Most threat actors employ malvertising attacks to spread malware. Others do so to perform phishing scams. The end result is always the same: doing damage to unsuspecting users.

The common goal of malvertising is to spread malware. Hackers will hide scripts in compromised ads to get people to infect their devices without them knowing. Others prefer to trick users into downloading malware themselves.

Another goal of malvertising is redirecting users to fake websites. Threat actors will do their best to imitate an official site, either to get people to download infected files or to steal their login credentials. Others decide to run fake contests or sham e-commerce stores to steal bank information or credit card numbers.

How Does Malvertising Work?

Malvertising is a three-step process: getting ad space, placing a compromised ad, and performing a cyberattack.

A threat actor could get ad space in one of two ways: hijacking a legitimate user’s space or purchasing it. After that, they’ll place their ad, expecting people to stumble upon it and click it.

When that happens, users will download malware or access a fake website (designed to steal money or information from people). Malvertising attacks vary in nature, so it’s a good idea to recognize the most common examples.

Malvertising Examples

  • Fake Updates. One of the worst (and most ingenious) ways threat actors have of fooling people into downloading their malware is by using ads to broadcast fake updates. Most experts agree you have to update your software unless you want to fall prey to unpatched vulnerabilities: hackers take advantage of that information and trick people into downloading malware disguised as a patch.
  • Hidden Malware. Threat actors can hide malware and scripts within a small number of pixels. Doing so is complicated, but the main gist is this: when you click on an ad (and, sometimes, just by viewing it), your device runs a malicious script that downloads malware onto it.
  • Scareware. Similar to fake updates, scareware will fool you into downloading malware. A scareware popup will try to make you believe your device is riddled with malware – to get you to download malware. These ads will offer you the latest antivirus for free, and you’ll download the opposite if you click on them.
  • Other Scams. Malvertising attacks aren’t used to spread malware alone. Other hackers prefer a more straightforward way of acting. They’ll use malicious advertising to redirect users to fake websites to steal their information or money.
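
On the defender's side, the fake-update and redirect patterns above leave a recognisable trail in web proxy logs: an executable download whose chain of referrers leads back to an ad-serving host. The following is an added example, not code from the original article; the log layout, the hostnames (all under .example) and the AD_HOSTS list are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): time, client, URL, referrer, content type.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 https://news.example/story https://search.example/ text/html
10:00:02 10.0.0.5 https://ads.adnet.example/serve?slot=3 https://news.example/story text/html
10:00:03 10.0.0.5 https://cdn-update.example/landing https://ads.adnet.example/serve?slot=3 text/html
10:00:09 10.0.0.5 https://cdn-update.example/browser_update.exe https://cdn-update.example/landing application/x-msdownload
10:01:00 10.0.0.7 https://vendor.example/download https://search.example/ text/html
10:01:05 10.0.0.7 https://vendor.example/setup.exe https://vendor.example/download application/x-msdownload
"""

AD_HOSTS = {"ads.adnet.example"}  # assumption: locally maintained list of ad-serving hosts
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-apple-diskimage"}


def referrer_chain(url, ref_of, max_hops=10):
    """Walk referrers backwards from url; stop on a gap, a loop, or max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        ref = ref_of.get(chain[-1])
        if not ref or ref == "-" or ref in chain:
            break
        chain.append(ref)
    return chain


def find_ad_driven_downloads(log):
    """Return executable downloads whose referrer chain passes through an ad host."""
    ref_by_client, alerts = {}, []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of guessing at their layout
        _, client, url, ref, ctype = fields
        ref_of = ref_by_client.setdefault(client, {})
        ref_of.setdefault(url, ref)  # keep the first referrer seen for each URL
        if ctype not in EXECUTABLE_TYPES:
            continue
        chain = referrer_chain(url, ref_of)
        ad_hops = [u for u in chain if urlparse(u).hostname in AD_HOSTS]
        if ad_hops:
            alerts.append({"client": client, "download": url, "ad_hop": ad_hops[0]})
    return alerts


if __name__ == "__main__":
    for alert in find_ad_driven_downloads(SAMPLE_LOG):
        print(alert)
```

Only the first client is flagged: the second downloads an installer directly from a vendor page with no ad host in the chain.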

Why Is Malvertising Detection So Difficult?

There are countless ads online. The average user has to watch an unhealthy amount of them every day. It’s difficult to monitor for malicious activity when the sheer number of ads is so large.

That’s not the worst part. It’s almost impossible for website owners to vet every ad before running it.

In fact, most website owners don’t choose ads. Third parties do. That third party will attempt to monitor the ads they run, but it’s impossible to catch one hacker performing malvertising attacks before someone gets infected.

Threat actors slip through the cracks because there are too many ads online. Although detection is difficult, prevention is far from impossible.

How To Avoid Malvertising

  • Install an Antivirus. Threat actors often attempt malvertising attacks to spread malware. Since malvertising is tough to detect, the second best idea is to detect malware that tries to infect your device. You can’t do so alone since there are more than a billion malware programs. An antivirus will do a nice job of detecting malware for you.
  • Update Your Browser. Developers are up to date about the latest cybersecurity trends. It’s the one thing that helps them get an edge over threat actors by patching any vulnerabilities they find. Malvertising is no different: updating your browser could be the difference between being safe from it or not.
  • Use Ad Blockers. We highly recommend installing an ad blocker you can trust. Make sure you do your research before picking one, as some of them are used to spread malware. With that being said, remember website owners run ads to make money, so you may want to whitelist certain websites to help entrepreneurs make money.

Known Cases of Malvertising

  • AdGholas. One of the first notorious cases of malvertising. This attack spread throughout known outlets such as Yahoo and MSN. It redirected users to a website that used several scripts to download malware and infect devices without people knowing. AdGholas was so big it managed to get a fake privacy tool added to the Chrome store.
  • VeryMal. Like AdGholas, VeryMal hit a fair number of people (an estimated five million users). What made this malvertising attack seem rare is that it targeted Mac users. The methodology was similar to AdGholas too: it used hidden scripts to download Trojan malware.
  • COVID-19. Hackers used an unpatched Internet Explorer vulnerability to take advantage of people during the COVID pandemic. Threat actors displayed fake advisory notices online and exploited the outdated browser to install malware and steal login credentials from people.

Takeaways

Malicious advertising (or malvertising for short) is a relatively new way of attacking users. It consists of using ads for harmful purposes, such as scamming people or infecting them with malware. Unfortunately, detection is difficult. Nevertheless, updating your software and running routine antivirus scans are part of a good prevention strategy.

Herman

Herman McCargo is a Cyber Defense Analyst here at U.S. Cybersecurity. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.