What is Malvertising? Definition and protection.

The malicious ads are displayed to users with the help of a big advertising network. The adverts can be created and published by scammers and then distributed to the ad network. Once the adverts are sent to the ad network, they are displayed on legitimate websites and are presented to users as standard advertisements. Users click on the ads as they normally would, and malware is installed on their computers.

So, simply put, malvertising is a malicious advertisement. But what is interesting here, is that not only low-end sites and malicious pages are running ads that contain malware - even the big companies, such as Forbes, Yahoo, Spotify, The Atlantic have all been caught running these type of ads at least in the last 5 years

‍

How Does it Work?

The first question which can appear here is “How does it possible - malicious advertisement on legitimate websites?”, and the answer is really simple: the main reason here is that advertising networks in most cases don’t check the ads that they run. For example, if you want to run an ad for your chiropractor’s office, you can just pay for that and submit it, and an ad exchange service will put your advertisement all over the world, on every possible related to its website. There is nothing that can verify your services or that your ad is legitimate. If you want to run a malicious ad, you can just submit it - and that’s it.

In some cases, the ad networks are being hacked, in others - the ad networks are willfully running malicious ads for some purpose. Because of all these reasons, the result can be disastrous - malicious ads on your favorite sites, and you are the target.

The sure signs that the site is affected by the malicious ads is the following:

1. A “drive-by download”, which is usually possible via the browser and its components vulnerabilities, such as PDF readers, online players, and so on. In some cases, this logic can be hidden via the login forms or some other additional steps, so it can be hard to detect for the computer security specialists. In other cases, users by themselves can notice that website triggers their browser to download some executable files.
2. Multiple force redirections to the compromised or malicious websites - in this case, the user can be redirected to another website or page via the malicious ads that trigger redirections. Moreover, there can be a lot of additional mechanisms, such as pop-ups, Iframes, floating players, hidden links and buttons, and other things to trick the user into doing some actions.
3. More sophisticated examples, including actionable windows, pop-ups, and javascript execution which can take control over the browser and user’s actions (even to simulate them, such as click on links, force redirections, navigating, and so on).

And of course, all of these problems are heavily affect the website holders and companies - you probably won’t visit this type of website or page again, so the companies (for example, online stores, web publishers, news sites) lost their audience, traffic, visits, and money. Taking into account that it can be hard to detect and remove such types of ads, it’s not that easy to restore the reputation.

‍

How Is Malware Inserted Into Advertisements?

For a seasoned hacker, it’s not tough to carry out a malvertising attack as they are aware of the multiple ways to insert malicious content in the ads. Have a look at the most preferred ways that hackers adopt to convert an advertisement into malvertising.

• Manipulated ads: Hackers can infect one of the ads that a website is using and use them to dupe the victim.
• Malicious post-clicks: A user has to pass through multiple redirects to reach the landing page of an ad. Skilled hackers can insert malware in any of those redirects and infect the victim’s device or browser.
• Embedded ad malware: Embedding ad malware in the banner ad or text is a very common practice that hackers adopt. Mostly, this action is possible in websites using HTML5. Hackers can easily insert ad malware in the form of images or JavaScript. Also, Flash-format-based ads are prone to this method.
• Injecting malware in a pixel: Pixels are an essential part of ads as they are used to forward data on a server that is later used for user activity tracking. If, by any chance, a hacker succeeds in finding the pixel delivery path, delivering malicious code won’t be tough.
• Corrupted videos: There is no default malware protection in video players. They often used 3rd party pixels with no prior verification. Hackers often infect the mid or end-roll of the video.
• Malvertising with Flash video: Flash-based video players are preferred by hackers to introduce an infected iFrame on the ad page. iFrame downloads malware automatically. It won’t wait for the target to click on it. As soon as the target reaches the page featuring the iFrame, malware will be downloaded.
• ‍Through landing pages of reputed websites: Hackers are aware of the expertise required to inject malicious code as a clickable element on the landing page of a legitimate landing page. It has a higher success rate as users won’t hesitate to click on anything on such verified landing pages. History has witnessed attacks using Twitter and FB websites. As both are reliable websites, the number of victims is generally high.

‍

What Are The Main Types Of Malvertising Campaigns?

Many varieties of this threat exist. Based on the market trend in a specific location, the type of devices in use, and many other factors, this form of duping can have multiple varieties. Here are some of the most famous types.

• Earn a jackpot or win a prize

This is the most common malvertising type. Hackers use people’s greed for easy money to trap them. Hence, they design malicious ads claiming about a lottery, money-earning surveys, lucrative freebies, and so on. These surveys even targeted the iPhone, which claims to have an in-built ad-blocking facility.

• Toll-free customer care support scam

In the past, many Windows PC users have become a victim of this variety. The attack involves having an imposter Microsoft or Apple website that won’t close easily. The website is generally JavaScript-based. As the webpage or website won’t close easily, aimed victims will think that there is some problem with the website.

So, they will call on the toll-free number mentioned on the website in the hope of finding the remedy. The call will be directed to the threat actor, who will try to convince the victim that there is a serious issue with their systems and will offer a sure-shot solution as reliable tech support. Hackers will ask for a huge sum for this tech support, which doesn’t exist.

• Fake software updates  

Updating software versions is the most common practice and is advised to ensure seamless operations of used software. Hackers take the help of this approach to carry out a malvertising attack. Mostly, the attack involves Flash Player updates. The update notifications are so well-designed and are enough to lure the victims.  

Mostly, such update-related ads are released on streaming websites and platforms. Hackers will even claim the unavailability of content and accessibility is only possible after updates or installation. Such updates should be avoided.

• Scareware scams

In this kind, an illusion of serious defaults in the device/software is created. Hackers will display an ad claiming the device is at risk, or there is a serious threat detected. Scareware will be offered as a possible solution. If the victim is convinced and downloads the scareware, the attack is successful.

‍

Examples Of Malvertising

This type of attack is so common that even big guns like Forbes, Twitter, BBC, and Spotify have also become their victims. 

As most of the cases reported the attack roots in the complex ad network, organizations often fail big time to spot them early. And, by the time detection happens, serious damage has already happened.  

Have a look at some of the most famous malvertising examples from the real world:

• KS Clean

Conducted at a large scale, KS Clean was a notorious malvertising campaign that affected global mobile app users. It was embedded in multiple apps and used to come into action as soon as the app was downloaded. 

From that moment, the malware used to send multiple notifications making false claims of having serious security threats and issues. It offered a fake upgrade as a solution.

Once the prey agrees to go for an update, the malware is used to provide admin-like access to the hacker on the victim’s device. From there onwards, bad actors can do anything they wish to.

• RoughTed

It was a powerful malware that managed to bypass the anti-viruses and ad-blockers. It used the CDN of AWS to conduct the attack successfully.

‍

Malvertising vs Adware

Because of certain colliding and overlapping characteristics, malvertising and adware are often considered two faces of the same coin. They both differ from each other.

There is a high chance that adware is already present on your device when you purchase it. For instance, if you have editing software or an app on your device and see ads, the software/application is using adware to track your browser activities so that it can do targeted marketing.

At times, the gathered data is also shared with the 3rd party service providers. Pay-per-click is an ideal example of adware.

It’s not always that adware uses adware. It is often a part of verified and legitimate software/applications. This is not the case with malvertising. It’s all about using forced, ill, and unlawful means to dupe the targets with the help of an ad. The displayed ad is likely to have an intention to download malware on the victim’s device or direct it to another corrupted source.

Adware is mostly a software-based solution and follows the installation process of the concerning app. But, malvertising is mostly a web-based or browser-based tool. There is no installation involved. It can impact the victim from an online webpage or website as well.

Adware remains active and keeps logging the data as long as it’s active on the computer.  

It’s not specific and keeps the activities logged for all the websites and web pages. On the other hand, malvertising has a narrow scope. Only the internet users visiting the infected websites and clicking on the corrupted links of ads will be influenced and fall under the attack.

The intensity of the attack also varies. Adware generally doesn’t have ill intentions. The maximum it can do is log the browsing activities. It doesn’t want to take control of the system and even force users to take certain actions. Malvertising is mostly nefarious.

Depending upon the hacker’s intentions, malvertising can even help a bad actor to take full control of the aimed device.

How do I prevent malvertising?

Fortunately, most modern browsers like Google Chrome, Safari or edge able to prevent some of these dangers - so it’s better to keep your regular browser up-to-date. However, if you are concerned about yourself and the safety of your device, you should install specific browser extensions, such as ad-blockers.

Ad-blockers can block different types of ads (including malicious), trackers, and social analytics which can be used by different third-party companies to collect information about you and your interests. Besides this, some modern antiviruses also protect users from malicious websites and hidden malware.

Also, it may be useful to review your daily websites and resources to understand, if they can be risky or not for any reason. 

Conclusion

Malicious advertisements are more dangerous than one might think. These ads are spread via ad networks that are being used by many reputable and big websites. However, these ad networks are not responsible for the malicious ads that are shown on their website.

These ads are being spread by third-party advertisers that are using the ad networks to display their ads. This allows the advertisers to send their ads to many websites at once, without having to have their website.

Another worrying fact is that even if you close the page where the ad is being displayed, the malicious ad might still be loaded and displayed in the background, which can lead to problems such as information disclose, tracking, or even malware on your computer.