What is Malvertising?: Examples, Risks, and Prevention

This article explores malvertising, its definition, examples, risks, and prevention strategies. The article also provides practical tips businesses can follow to protect against malvertisements.
By SentinelOne October 15, 2024

In today’s interconnected digital space, cyber threats are not only increasingly complex but are also present everywhere on the internet, posing enormous risks to businesses and organizations. One of these new-generation threats is malvertising (malicious advertising), in which legitimate advertising networks are used to distribute harmful software to users. Such an insidious cyber-attack may lead to system compromise, loss of sensitive data, and massive financial and reputational losses. In 2023, about 6.06 billion malware attacks were detected worldwide, cementing malware’s place in the threat landscape and keeping malvertising among the top concerns. This points to an urgent need to understand malvertising and, consequently, to take measures against it.

In this article, we will discuss the definition of malvertising, its history, and real-life malvertising examples, and understand how businesses can safeguard their assets. The more you know about malvertising, the better prepared you and your company will be to recognize, prevent, and react to such a subtle attack.

What is Malvertising?

Malvertising is a nefarious practice in which cyber attackers embed malicious code into online ads, which then appear on legitimate websites without the owners’ knowledge. Unlike other forms of malware, which may rely upon users visiting malicious sites, malvertising exploits trusted advertising networks to reach an enormous audience. Such advertisements can infect a user’s device either without any interaction at all (a drive-by download) or by luring users to click on them, which triggers the malware download.

Did you know the Magecart attacks on eCommerce platforms increased by almost 103% in H1 2024? The majority of these attacks entail the injection of malicious code into online adverts to capture customers’ payment details, showing a direct connection between malvertising and financial theft. The insidious nature of malvertising is its ability to avoid raising red flags or any visible signs of compromise on users’ systems, making it a stealthy and effective tool for cybercriminals. Furthermore, infiltrating ad networks lets attackers bypass traditional security controls, putting both website visitors and the website itself in harm’s way.

History of Malvertising

Understanding the evolution of malvertising is crucial, as it provides insight into how cyber threats evolve and become more sophisticated. This section will narrate the development of malvertising, from its nascent origins up to the present. We’ll discuss some of the important milestones and shifts in tactics that cybercriminals have gone through, which explain how malvertising has changed in tandem with advancements in technology and security measures.

  1. Early Days (2007-2010): Malvertising first emerged in late 2007, when attackers started embedding malicious code into simple online banner ads. Most of these early malvertisements were unsophisticated, with many relying upon user interaction, such as clicking an ad to initiate the download of malware. The main purpose in those times was to spread malware and adware in their most basic forms.
  2. Increased Sophistication (2010-2015): As cybersecurity defenses improved, so too did the attackers’ methods. The next wave of malware attackers exploited vulnerabilities in web browsers and plugins such as Adobe Flash and Java to conduct drive-by downloads of malware via ad banners without user interaction. The malvertising campaigns became both more targeted and complex in nature, using exploit kits that automated the process of scanning for and then identifying vulnerabilities in users’ systems. This was a period of immense growth in both the scale and severity of malvertising attacks.
  3. Targeting Ad Networks (2015-2019): By targeting respectable ad networks, cyber attackers knew they could spread malvertising to any regular user who visited high-traffic websites. Notably, several renowned platforms unknowingly served their users with malvertisements during this period, a factor that increased the scope and damage of attacks. The growth of malware has been facilitated by the trust users place in well-known websites.
  4. Shift to Ransomware (2019-2020): As ransomware became a lucrative model for cybercrime, the main focus of malvertising campaigns shifted to the delivery of ransomware payloads. Using sophisticated forms of malvertisements, attackers infected systems with ransomware and encrypted data belonging to victims, demanding hefty ransoms for its return. The stakes, in this case, became manifold, along with a greater urgency for rational defense mechanisms.
  5. The Emergence of Ad Fraud (2020-Present): Ransomware attacks through malvertisements have become major threats to individuals and businesses alike. Over the past couple of years there has also been some convergence of techniques between ad fraud and malvertising. On average, 560,000 new pieces of malware are detected every day, contributing to the ever-growing pool of threats that different forms of malvertising draw on. Cybercriminals don’t use advertising platforms only for malware distribution but also as a source of fraudulent ad revenue: while the ads deliver malware, the attackers also monetize by manipulating ad metrics and conducting fraudulent activities such as click fraud.

This evolution has brought up a dual threat in the fight to combat malvertising, requiring security strategies to become more sophisticated and multilayered.

How to Identify Malvertisements?

Identification of malvertisements is the first important step in preparing the counter strategy. In this section, we explain the typical signs and other red flags that are associated with malicious advertising. By learning to identify such malware ads, businesses can become proactive and avoid getting victimized by these cyber threats.

  1. Suspicious Links: The first sign of a malvertisement is a suspicious link. Before clicking an ad, hover your mouse over it to preview the link. Malicious ads often use misspelled URLs or extra characters in the URL to bypass filters and look much like a legitimate website. For instance, instead of “www.google.com,” an ad might link to “www.go0gle.com”. Recognizing such links in advance will save you from landing on a malicious site.
  2. Aggressive Pop-ups: Malvertisements often use very aggressive pop-ups to pressure a user into taking some immediate action. If an advert opens a number of windows that you can’t seem to close, or pop-ups keep appearing, it could be a malvertisement. Legitimate advertisers normally avoid intrusive pop-ups, so the appearance of such pop-ups is a warning you should not ignore.
  3. Suspicious Behavior: Ads that unexpectedly redirect to unknown websites, start unsolicited downloads, or trigger browser warnings raise suspicion. If an ad behaves in a manner not characteristic of normal online advertising, extra caution is needed. Unsolicited downloads deserve particular attention, since malware can be installed on your device without your knowledge.
  4. Low-quality design: Many malicious advertisements are of lower professional design quality than legitimate advertisements. They might have low-resolution images, spelling or grammatical errors, mismatched fonts, and clashing colors. Cybercriminals usually do not invest much time or resources in high-quality design, so recognizing these aesthetic shortcomings helps to identify malvertisements.
  5. Urgent calls-to-action: Most of the malvertisements try to use scare tactics or urgency notes to make users take immediate action. Examples of messages include “Your computer is infected! Click here to fix now!” or “Limited time offer! Download now!” which are clearly targeted at bypassing rational judgment. Legitimate ads would not typically employ high-pressure tactics, so urgency could be one point of suspicion.
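The hover-and-inspect advice in item 1 can also be applied programmatically. The following Python check is an added example (not SentinelOne code): it flags ad destination hostnames that imitate a trusted brand by digit-for-letter substitution (go0gle.com), a small misspelling, an embedded brand name, or a trusted domain buried as a subdomain of another site. TRUSTED_DOMAINS and HOMOGLYPHS are constructed assumptions, not part of the article.

```python
"""Flag ad destination URLs whose hostname imitates a trusted brand domain.

Added example (not SentinelOne code). TRUSTED_DOMAINS and HOMOGLYPHS are
constructed for illustration; a real deployment would load them from policy.
"""
from urllib.parse import urlparse

# Brand domains the organisation wants to protect (constructed list).
TRUSTED_DOMAINS = ["google.com", "paypal.com", "microsoft.com"]

# Digit/symbol-for-letter swaps commonly used to fake a hostname.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def registrable_domain(url: str) -> str:
    """Return the last two hostname labels (a naive eTLD+1, good enough here)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_ad_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the destination of an ad link before anyone clicks it."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    # "google.com.secure-login-verify.net": a trusted name used as a subdomain
    # of an unrelated site; the dots stop "notgoogle.com" matching here.
    for t in trusted:
        if "." + t + "." in "." + host + ".":
            return f"lookalike of {t} (trusted name used as subdomain)"
    normalized = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if normalized == t:                  # go0gle.com -> google.com
            return f"lookalike of {t} (homoglyph)"
        if levenshtein(domain, t) <= 2:      # gogle.com, goggle.com
            return f"lookalike of {t} (edit distance)"
        if t.split(".")[0] in normalized:    # paypa1-login.com
            return f"lookalike of {t} (brand embedded)"
    return "unknown"
```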

What’s the Difference Between Malvertising and Adware?

While adware and malvertising both involve advertisements and both degrade the user experience, they are different kinds of threats that differ in nature and implication. In this section, we compare the two and discuss the main differences in their delivery methods, user awareness, purpose, consequences for devices, and difficulty of removal.

Comparative Analysis

| Feature | Malvertising | Adware |
| --- | --- | --- |
| Delivery method | Through online advertisements | Bundled with free software |
| User awareness | Often unnoticed until it’s too late | Users typically know they installed it |
| Purpose | To spread malware or steal data | To display ads and generate revenue |
| Impact on devices | Can lead to severe system and data compromise | Generally less harmful but annoying |
| Removal difficulty | Can be complex due to stealthy methods | Usually easier to uninstall |

As the table shows, malvertising penetrates systems by embedding malicious code in online advertisements, which are rendered on legitimate websites through various channels. Users may get infected without interacting with the ads at all. The subtlety of this approach means users often remain unaware until much damage, such as data theft or system compromise, has already occurred.

By contrast, adware usually arrives bundled with free software that users knowingly download and install, often clicking through their agreement to the adware component because the installation prompts mislead them. Designed foremost to serve unwanted ads and track users for marketing purposes, adware is generally less destructive than malvertising. Adware is mainly a nuisance, causing sluggish system performance and intrusive ads, and only rarely involves severe system infections.

Malware delivered by malvertising can be harder to remove, as it may employ advanced hiding mechanisms such as rootkits or polymorphic code that changes with every infection to evade detection by traditional antivirus solutions. Adware, on the other hand, is usually much easier to remove, either through standard uninstallation functions or with dedicated adware removal utilities.

How does Malvertising work?

Businesses need to understand how malvertising works before they can defend against it. In this section, we outline the stages of a malvertising attack, from the creation of malicious ads to the point where cybercriminals monetize the attack.

  1. Creation: In stage 1, cybercriminals create malicious adverts that look attractive. They may use logos, branding, and other elements of popular products so that no suspicion is raised. Undisclosed code within the ad can take advantage of weaknesses in web browsers to download malware when the ad is clicked or merely viewed. Such careful design bypasses the preliminary security checks performed by ad networks and websites.
  2. Exploitation: In stage 2, the attackers compromise ad networks, often reputable ones, by posing as legitimate advertisers: they buy ad space and submit their malicious ads for serving across the many websites that participate in the network. In this way, the malvertisements reach a wide audience without the attackers directly compromising the individual sites.
  3. Implementation: In stage 3, as soon as users visit the websites hosting these ads, the malicious code begins to execute. Depending on the attacker’s strategy, the ad will redirect the user to a malicious website, ask the user to download a file, or automatically start a drive-by download that exploits browser vulnerabilities. Sometimes the user does not even have to click on the ad; merely loading the page is enough to initiate the attack.
  4. Exploitation: In stage 4, once the installed malicious app or code has the access it requires on the user’s device, it can conduct any number of activities. These include stealing sensitive information such as login credentials or financial data, installing ransomware to encrypt the user’s files, or adding the device to a botnet for use in larger-scale attacks such as DDoS assaults. The malware may also create backdoors for future access.
  5. Monetization: Finally, in stage 5, the cybercriminals monetize their efforts. This can include selling stolen data on the dark web, demanding ransom payments to decrypt files, mining cryptocurrency on compromised systems, or leveraging the botnet for other profitable attacks. The financial losses from successful malvertising campaigns are sometimes unbearable and may disrupt business operations.

How Do Malvertisements Affect Businesses? (Impact of Malvertisements)

Malvertisements pose significant risks not only to individual users but also to businesses of any size. In this section, we look at the ways in which malvertising impacts an organization. Understanding these impacts underlines the importance of proactive security measures to protect corporate assets and customer trust.

  1. Monetary losses: The financial impact could directly affect organizations in a variety of ways. Critical financial information, such as credit cards or other banking information, may be stolen by cybercriminals and used to conduct fraudulent transactions or theft. Alternatively, an attack using ransomware might leave the organization coerced into paying large amounts for access to their data. Even if no ransom is paid, the costs associated with recovering from an attack, such as IT remediation, data restoration, and system upgrades, can be significant.
  2. Data breaches: Malvertising can lead to the unauthorized revelation of confidential corporate data, such as intellectual property, customer information, and employee records. Breaches could also mean regulatory penalties, legal liabilities, and mandatory disclosure requirements. Such sensitive data exposure will erode competitive advantage and harm relationships with customers and partners.
  3. Reputation damage: Trust is one of the most important assets for an organization. A successful malvertising attack that exposes customer data or disables service can seriously affect a company’s reputation. Customers may lose trust in the ability of an organization to safeguard their information, with serious loss of business and negative publicity. It can take a lot of time and resources to rebuild consumer trust once it has been lost to a security incident.
  4. Operational disruption: Infected systems can cause significant operational downtime. Malware can be used to shut down critical systems, corrupt business data, or bring down a network. This disruption will paralyze business operations, delay projects, and, consequently, lead to missed opportunities. Furthermore, the productivity losses and associated costs can have a substantial impact on the bottom line.
  5. Increased costs of security: In the aftermath of a malvertising attack, organizations often have to make substantial investments in cybersecurity to prevent any more similar incidents from happening. These investments may include security infrastructure upgrades, the establishment of new policies and procedures, and even employee training programs. These investments are necessary but unplanned expenses that strain budgets.

Types of Malvertising Campaigns

There are several methods employed by malvertisers in order to carry out the attacks, and each of them is constructed in a way that abuses different vulnerabilities and user behaviors. Acquiring such knowledge can enable businesses and users to become more vigilant and thus implement specific defenses against various types of cyber threats.

  1. Redirects: One of the simplest forms of malvertising is the ad redirect, which sends users from a legitimate website to a malicious one. When an infected ad is clicked, or sometimes merely viewed, it automatically redirects to a site designed either to download malware onto the computer or to collect personal information. These malicious sites can resemble valid ones, making it hard for users to distinguish between them.
  2. Exploit Kits: An exploit kit is an automated tool that probes for vulnerabilities in a user’s system, such as in web browsers, Flash, and Java. Malvertisements using exploit kits can spread malware without requiring any user interaction beyond visiting a webpage hosting the ad. If any of these vulnerabilities is found, the payload is delivered without the user’s knowledge. This makes exploit kits particularly dangerous, as they can silently infect systems.
  3. Fake Software Updates: Some pop-up notifications claim that the user’s web browser, media player, or antivirus is outdated and must be updated straight away. They often look convincing, as they display the logos of well-known companies. If clicked, the user downloads malware disguised as a system update. Such malware can be difficult to detect and may establish persistence on the system.
  4. Browser Lockers: Browser lockers use malware or malvertisements to hijack the user’s browser by filling it with a full-page pop-up that is not easily closed. The pop-up shows fraudulent messages, such as claims that the computer is infected with a virus or has been used for illegal activity, and demands some form of payment to unlock the browser or avoid legal consequences. These intimidating messages pressure users into paying fees or disclosing personal information. This attack vector leverages fear to victimize an organization’s employees or any individual.
  5. Phishing Ads: Phishing ads gather sensitive information from users, including login passwords, credit card numbers, or personally identifiable information. The ads might show attractive offers or imitate the login pages of popular services. Once clicked, the user is taken to a fraudulent form where they willingly hand their confidential information to the attackers. Phishing advertisements exploit trust and curiosity for data theft.

Malvertising Attack Examples

Real-world malvertising examples underpin the severity and widespread nature of this form of cyber threat. This section provides a closer view of several notable malvertising incidents that have affected millions of users and high-profile organizations. The cases discussed here give insights into the tactics employed by attackers and the importance of adequate security measures.

  1. Attack on Yahoo! with Malvertising (2014): In December 2014, Yahoo! fell victim to a malvertising attack that affected more than 200 million users. The hackers injected malicious code into the legitimate adverts, which then redirected users to several hacked websites hosting the Neutrino exploit kit. These sites then utilized browser vulnerabilities to install malware without any user consent. The incident highlighted vulnerabilities in trusted ad networks and made Yahoo tighten up its security protocols accordingly.
  2. Spotify (2011): In 2011, Spotify was hit by a malvertising campaign. Malicious ads started to appear on users’ default web browsers, taking users to malware-infected sites. The drive-by download attack used a Spotify ad network that was vulnerable, meaning users did not have to click the ad to get infected. Several platforms were targeted, including desktops and mobiles, indicating the risks associated with ad-supported freemium services.
  3. Los Angeles Times (2012): The Los Angeles Times fell victim to a malvertising attack that used one of the most notorious tools of the time, the Blackhole exploit kit, which targets vulnerabilities in outdated software. Users became infected just by visiting the site, through drive-by downloads that required no interaction. The incident came amid a broader wave of malvertising campaigns that leveraged the high traffic and user confidence of major news outlets to spread infections.
  4. Angler Exploit Kit (2015): In 2015, the Angler Exploit Kit distributed ransomware through malvertising on large websites such as Yahoo and MSN. When users clicked the ad, the exploit kit took advantage of browser vulnerabilities to deploy malware. Angler was responsible for large-scale ransomware attacks at its peak, underlining the growing role of malvertising in widespread infections and ransomware attacks.
  5. eBay Malvertising Incident: Researchers found a vulnerability in the “item description” field of eBay stores. The defect allowed attackers to insert malicious JavaScript code using a technique called “JSFuck,” bypassing the XSS filters on the website. Using this, malicious actors set up fake eBay stores with embedded code in them, which tricked users into downloading malware or submitting sensitive information via phishing pages. This vulnerability took place across the web, iOS, and Android platforms of eBay.

How to Avoid and Prevent Malvertising?

Preventing malvertising involves not only technological solutions but also user awareness. The following are practical steps organizations can take to protect themselves from malvertising attacks:

  1. Block advertisements with ad blockers: Ad blockers can block advertisements from displaying on web pages, so there’s no chance of malvertisements being served to your browser. Therefore, these tools will reduce exposure to possible threats by blocking both legitimate and malicious advertisements. While ad blockers may affect the revenue of content creators who depend on advertising revenue, they do protect against malvertising.
  2. Keep Software Up to Date: Keep your operating system, browsers, and plugins updated. Malvertisers often leverage known security weaknesses in outdated software that have already been fixed in patches. Enabling automatic updates ensures those patches are applied promptly.
  3. Educate the employees: One of the extra lines of defense an organization can have against malvertising is employee awareness. Training sessions should teach employees to recognize suspicious ads and the importance of safe browsing. Encourage employees to avoid clicking on unknown ads, downloading unsolicited files offered by ads, and acting on urgent calls to action in ads.
  4. Implement web filtering solutions: Web filtering applications block known malicious sites and prevent malicious scripts from running. Controlling which content can be accessed within your network determines how well you are protected against malvertising and other web-based attacks.
  5. Network Traffic Monitoring: Periodic analysis of network traffic can reveal patterns that might indicate a security breach in action, such as malware infection. Intrusion detection systems and network monitoring tools would notify administrators of suspicious activity, thus enabling quick response to the possible attack by malvertising.
  6. Employ Endpoint Protection Solutions: Advanced endpoint protection solutions such as SentinelOne’s Singularity™ Endpoint can detect and neutralize threats before they cause harm. Singularity™ Endpoint from SentinelOne is designed to provide adaptable and resilient protection, detection, and response, securing every endpoint across infrastructures around the world.
  7. Carry out routine security audits: Periodic security audits can reveal vulnerabilities in your digital infrastructure, including those that might enable malvertising. Audits should include testing defenses against simulated attacks, reviewing security policies, and verifying compliance with industry best practices.
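Items 4 and 5 above (web filtering and network traffic monitoring) can be made concrete. The following Python script is an added example, not SentinelOne’s code: it runs over constructed proxy log lines and flags a client whose request to an ad-network URL returned a redirect that landed on an executable download within seconds, the redirect-to-download chain described under “How does Malvertising work?”. The log format, AD_DOMAINS, the download indicators and the sample lines are assumptions made for the example.

```python
"""Spot ad-driven redirect chains that end in a binary download in proxy logs.

Added example (not SentinelOne code). The log format, AD_DOMAINS and the
sample lines are constructed for illustration.
"""
from datetime import datetime
from urllib.parse import urlparse

# Ad-serving hosts the monitored sites legitimately use (constructed).
AD_DOMAINS = {"cdn.example-ads.net"}
# Responses that deliver an installer or archive rather than page content.
DOWNLOAD_TYPES = {"application/x-msdownload", "application/octet-stream",
                  "application/x-msi", "application/zip"}
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".dmg", ".zip", ".iso", ".scr")

# Constructed proxy log: "<time> <client> <method> <url> <status> <content-type> <referer>".
# Client 10.0.0.5 is bounced from an ad click URL to an installer; 10.0.0.9 is a benign click.
SAMPLE_LOG = """\
2024-10-15T10:00:01Z 10.0.0.5 GET https://news.example.com/ 200 text/html -
2024-10-15T10:00:01Z 10.0.0.5 GET https://cdn.example-ads.net/banner.js 200 application/javascript https://news.example.com/
2024-10-15T10:00:02Z 10.0.0.5 GET https://cdn.example-ads.net/click?id=77 302 text/html https://news.example.com/
2024-10-15T10:00:03Z 10.0.0.5 GET https://flash-update.example-bad.top/install.exe 200 application/x-msdownload https://cdn.example-ads.net/click?id=77
2024-10-15T10:05:00Z 10.0.0.9 GET https://news.example.com/ 200 text/html -
2024-10-15T10:05:00Z 10.0.0.9 GET https://cdn.example-ads.net/banner.js 200 application/javascript https://news.example.com/
2024-10-15T10:05:03Z 10.0.0.9 GET https://cdn.example-ads.net/click?id=12 302 text/html https://news.example.com/
2024-10-15T10:05:03Z 10.0.0.9 GET https://shop.example.com/sale 200 text/html https://cdn.example-ads.net/click?id=12
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-delimited log line into a request record."""
    ts, client, method, url, status, ctype, referer = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status), "ctype": ctype,
            "referer": None if referer == "-" else referer}


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_download(req: dict) -> bool:
    """A binary content type or installer-like path marks a download response."""
    path = urlparse(req["url"]).path.lower()
    return req["ctype"] in DOWNLOAD_TYPES or path.endswith(DOWNLOAD_SUFFIXES)


def detect_ad_download_chains(log_text: str, ad_domains=AD_DOMAINS,
                              window_seconds: int = 10) -> list:
    """Return one alert per download that was reached via an ad-network redirect."""
    by_client: dict = {}
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_client.setdefault(r["client"], []).append(r)
    alerts = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}   # most recent request per URL
        seen_hosts: set = set()
        for r in reqs:
            # Has this client ever talked to the download host before? A never-
            # seen host serving a binary is a stronger signal than a known one.
            first_contact = host(r["url"]) not in seen_hosts
            seen_hosts.add(host(r["url"]))
            if not (is_download(r) and r["referer"]):
                continue
            hop = by_url.get(r["referer"])      # the request that referred us here
            if hop is None or host(hop["url"]) not in ad_domains:
                continue
            if not 300 <= hop["status"] < 400:  # the ad URL itself redirected
                continue
            delta = (r["time"] - hop["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({"client": client, "ad_hop": hop["url"],
                               "download_url": r["url"], "seconds_after_ad": delta,
                               "first_contact": first_contact})
    return alerts


if __name__ == "__main__":
    for alert in detect_ad_download_chains(SAMPLE_LOG):
        print(alert)
```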

How Can SentinelOne Help?

SentinelOne scans your endpoints and networks in real-time with its advanced AI threat detection. It instantly identifies and blocks harmful malvertising attacks before they occur. The platform prevents potential damages to users or systems; instead of focusing solely on signature-based detection, which may often miss new evolving threats, SentinelOne leverages behavioral analysis and other threat detection models. It monitors how code behaves after it’s run. If an ad injects bad scripts into your browser, that behavior is what is identified and acted on based on deviations from normal activity.

If malvertising is detected, SentinelOne can automate the process of quarantining an infected system. It will block processes associated with bad behaviors, and reverse changes made by malware. SentinelOne cancels the possibility of wide-scale damages by stopping malvertising at entry points without any human interference. The platform integrates global threat intelligence to monitor emerging malvertising campaigns and techniques. In this way, its solutions are proactive enough to detect threats early; they implement necessary security patches and updates.

Most malvertising attacks exploit flaws in browsers or ad-serving networks. SentinelOne’s anti-exploit technology identifies and blocks various forms of exploitation of this weakness. It is one more layer of protection against malicious advertisements. You can explore SentinelOne’s core product offerings and book a free live demo here.

Conclusion

Understanding malvertising is essential in present times, where cyber threats are constantly evolving. Malvertising poses a serious threat to organizations as it uses trusted advertising networks to install malware in the user’s system with the objective of stealing sensitive information. We discussed above how dangerous this kind of threat can be and how much harm it can cause to businesses. However, with the discussed prevention best practices and methods, you can stay one step ahead of these malicious actors. Businesses should ensure that proactive measures are in place through proper defense mechanisms, employee education, and periodic evaluations of security.

We understand that every business has different security needs and that’s why one ideal solution can be to rely on endpoint protection tools. Advanced security provided through solutions like SentinelOne’s Singularity™ platform is one of the best options businesses can opt to keep malware or malvertising at bay. Leveraging real-time detection, automated response, and adaptive machine learning, these solutions allow an organization to stay ahead of threats by protecting its valuable assets.

FAQs

1. What is malvertising, and how can I protect myself from it?

Use ad blockers, and enable click-to-play in your web browser so that malicious code in ads cannot execute automatically. Download apps only from trusted sources and keep your software up to date to stay protected.

2. What are some examples of malvertising campaigns?

Some famous examples of malvertising campaigns are Storm-0216, DoubleClick and Zedo, RoughTed, and KS Clean.

3. How do I remove malvertising from my browser?

You can remove malvertising on your web browser by doing the following:

  • Clear browser history and cache: This removes any saved data that could harbor malvertising.
  • Update browser and plugins: Ensure your browser and any ad-blockers or security extensions are up-to-date.
  • Run antivirus or antimalware scans: A full scan will identify and remove any related threats.
  • Disable or remove suspicious browser extensions: Check for unfamiliar or untrusted add-ons.

4. How does malvertising differ from adware?

Malvertising displays legitimate ads that activate malicious content when you click on them. Adware is just software that displays unwanted ads or popups on websites, but it doesn’t contain malware.

5. What should I do if I suspect a malvertising attack on my system?

Report the malvertising attack immediately to the concerned authorities. Disconnect from the internet and run a thorough scan of all your resources. Notify web administrators and the ad network about these malicious ads for further investigation. Use SentinelOne to prevent future malvertising attacks.
