Written by Ivan Belcic
Published on February 11, 2021

What is malvertising?

Malvertising (malicious advertising) is the use of online advertising to spread and install malware or redirect your traffic. Cybercriminals inject infected ads into legitimate advertising networks that display ads on websites you trust. Then, when you visit a site, the malicious ad infects your device with malware — even if you don’t click it.

    How does malvertising work?

    The online advertising industry is a complex web of relationships and transactions between publishers — the websites you visit — and a whole hidden world of advertising machinery. This includes ad exchanges where publishers and advertisers buy and sell ad space (known as inventory), advertising networks that supply ads across a wide range of websites, ad servers that store and deliver the online ads, and additional parties. Within this space are many opportunities for a clever hacker to inject malicious content.

    Here’s how a basic malvertising attack works:

    1. A cybercriminal buys ad space on a website or from an ad network.

    2. The cybercriminal supplies an infected ad to be displayed in the space they purchased.

    3. The malvertising attack happens when either:

      1. You click the ad, or...

      2. The website loads the ad and your device is infected automatically. Many infected ads can attack you on their own, without requiring a click.

    In reality, it’s often more complex than that. Due to the fragmented nature of online advertising, your browser needs to contact a variety of ad-related servers when it loads a website. One server delivers the online ads, another might play a video ad, and a third server might trigger a pop-up. The same chain of requests happens when you click an ad.

    Attackers can intercept these traffic requests from your browser and forcibly inject malicious code or divert your traffic somewhere else. This is how forced redirect ads work. During the online journey from your browser to the advertiser, the attacker intercepts your traffic and infects you with malware or sends you to an unwanted destination.

    What’s the difference between malvertising and adware?

    Malvertising is often confused with adware because both involve ads. The primary difference between the two comes down to the source of the attack. Adware is a type of malware that sits on your device and causes you to see ads you otherwise wouldn’t encounter. Conversely, malvertising ads are hosted on legitimate websites — there’s no need for the malvertising attacker to pre-infect your device before you’re shown a malicious ad.

    [Illustration: how malvertising works by embedding malware in online ads]
    Malvertising attacks use legitimate online advertising networks to spread malware.

    Different types of malvertising

    Since the world of online advertising has become so diverse, cyberattackers have developed a range of malvertising strategies in response. Here are some of the more common types of malvertising campaigns.

    • Steganography is the millennia-old technique of concealing secret messages or images inside other text or images. Cybercriminals have adopted steganography to hide malicious code inside images that are shown as ads. Hackers just need to alter a few pixels, leaving the difference indiscernible to the naked eye. The code can directly infect your device or trigger subsequent stages of an attack.

    • Polyglot images take steganography a step further. Not only do they incorporate malicious code, they also contain the scripts needed to execute that code and start the attack. That’s where the name comes from — the images can “speak” multiple languages instead of just hiding one thing at a time. 

    • Tech-support scams try to fool you into thinking there’s something wrong with your computer. Tech-support scam ads will take over your browser with malicious code and then prompt you to call a phone number for help. When you do, you’ll be connected with a scammer who’ll do their best to separate you from your money.

    • Scareware is similar to the tech-support scam in that it wants you to believe that your computer has a problem — in this case, that you’ve been infected with a virus or other malware. You’ll get a pop-up loudly announcing that malware has been detected on your device and urging you to download their “solution.” The software you’ll get from scareware is always useless, and in some cases may even be malware itself.

    • “Get rich quick” schemes and fake surveys are everywhere on the internet. These ads will pop up and take over your screen, then promise big payoffs for filling out a survey, leaving a review, or completing some other trivial task. Any ad with an offer that seems too good to be true likely is.

    • Fake software updates prompt you to download software updates, often for security or performance reasons. When you do, you’ll get bloatware, potentially unwanted programs (PUPs), or possibly even malware instead. Always download software updates directly from the manufacturer’s website.

    The risks of malvertising

    It’s just an ad, so how bad could it be? Depending on the type of malvertising attack, the answer ranges from “a little” to “very.” Through malvertising, cybercriminals can:

    • Steal your personal data. Cybercriminals can use malvertising to install spyware that harvests your personal data and sends it back to the attacker. Malicious ads can also redirect you to fake versions of real websites that trick you into entering your username, password, and other information as part of a pharming attack. Hackers will then sell the stolen data to other cybercriminals looking to commit identity theft or other crimes.

    • Extort money from you. If an infected ad installs ransomware on your computer, you’ll likely face an extortion attempt. Ransomware locks down your files and demands you pay a ransom to decrypt your files. But you never know whether or not you can trust the cybercriminal to follow through on their promise. After all, they are a cybercriminal.

    • Cause chaos. Some cybercriminals just want to watch the world burn. Others may seek to sabotage businesses or other institutions. In that case, computer viruses and other malware will do the trick. All it takes is for one person in the office to unwittingly infect their device, and then all the devices on the same network are vulnerable.

    With real-time protection against malware, fraudulent websites, and more, AVG AntiVirus FREE will protect you against the risks of malvertising. Scan and detect malware before it can infect your computer and steer clear of fraudulent websites with our world-class cybersecurity solution.

    Malvertising examples

    When hackers slip infected ads into the most popular advertising networks, they can spread malware on some of the world’s most trusted and widely read websites. Malvertising attacks have hit MSN, Reuters, The New York Times, YouTube, Spotify, The Onion, and numerous other popular websites and services.

    Here are three recent malvertising campaigns that made especially large waves.

    2020 COVID-19 attack

    Cybercriminals targeted Internet Explorer users with a COVID-19–related malvertising attack through a fake advisory notice. The attack used the Fallout exploit kit to hack people still using the outdated Internet Explorer browser, which Microsoft no longer supports, and install malware that could steal personal data and passwords.

    2019 VeryMal attack

    Lasting only two days, the VeryMal malvertising attack is significant because it hit two ad exchanges that supply ads to many top publishing outlets. The malware specifically targeted Mac users, dispelling the notion that hackers target only PCs. The steganography-based attack redirected users to a spoofed website that installed the Shlayer Trojan malware, disguised as a Flash update.

    2016 AdGholas attack

    The massive AdGholas malvertising attack hit Yahoo, MSN, and other big-name outlets with a fake ad for privacy software. Without requiring any user interaction, the steganographic ad attempted to redirect victims to a malicious landing page that used several Flash exploits to download and install malware. Cybercrime group AdGholas has even succeeded in getting its fake privacy tool added to the Chrome store as an official extension.

    How to prevent malvertising

    Since many malicious ads can attack you as soon as they load in your browser, refusing to click is not enough. To properly protect yourself against malvertising campaigns, follow these cybersecurity guidelines:

    • Get a strong antivirus. A trustworthy antivirus tool will give you real-time protection against malware downloads and installs. Consider it your first line of defense against not just malvertising and malware, but a whole range of other online threats, too. It’ll help remove malware from your phone or computer, whether you got it via malvertising or another way.

    • Use current software. Many malvertising attacks, such as the COVID-19 campaign discussed above, work by exploiting existing software vulnerabilities to infect victims. Software updates often come with security patches that plug up these weaknesses. Updating your software is one of the best ways to ward off these attacks. If you’re still using Internet Explorer, now’s the time to upgrade to a more secure browser. Speaking of which…

    • Use a secure browser. Secure browsers are designed with special features that keep you extra-safe against online threats like malvertising. The free AVG Secure Browser includes a built-in ad-blocker that will prevent ads from loading on your device in the first place. And it protects you in real time against malware, phishing sites, and identity theft.

    • Use an ad blocker. If you block ads from showing up in your browser, malvertising campaigns won’t reach you. Ad blockers are great for a variety of reasons, and this security bonus surely is one of them.

    • Practice smart website safety. Learn the telltale signs of spoofed websites, such as a lack of HTTPS encryption or an incomplete terms and conditions page. Learning how to determine whether or not a website is safe can help you avoid pharming traps.

    • Disable browser plugins. In your browser settings, you can set which plugins can run by default. Since many malicious ads exploit plugins to execute their attacks, disabling plugins can stop them in their tracks. And if you do use plugins, always keep them updated. This was a bigger risk when Adobe Flash was still active, but Adobe has graciously killed the vulnerability-plagued plugin for good.

    Protect against the dangers of malvertising with AVG AntiVirus FREE

    AVG AntiVirus FREE scans and detects any traces of malware in real time, including the sneaky malware used by malvertising attackers. Anytime a malicious ad — or anything or anyone else — tries to infiltrate your device to steal your personal data or install malware, AVG AntiVirus FREE will block the attack before it can harm you. Protect yourself today with the cybersecurity tool trusted by hundreds of millions of people around the world.
