Malvertising: Definition, Techniques & Defence
Malvertising is a malware-delivery device that uses common website elements. Some forms of malware require a click, such as tapping on an ad. Others can launch without any user interaction at all.
Malvertising is relatively common. Estimates vary, but about 1 percent of all the ads you see online could hold this nasty element.
Let's walk through what malvertising is and what it entails. Then, we'll dig into methods web browsers and website owners can use to block these attacks before they begin.
What is malvertising?
Malware ads are a form of cyber attack in which hackers use a website you know and trust to execute dangerous code that puts your security at risk.
There are two primary forms of malvertising:
- Pre-click: Malware launches on your computer as the web page loads. You don't need to do anything to start it, and this form of attack is hard to stop.
- Post-click: You tap on an ad or some website element, and malware launches in response.
Some types of malvertising launch ad malware on your computer. These programs display advertising for products you don't want, or they redirect your searches to advertising websites. At the same time, the program mines data about you to send back to the hackers.
Hackers rely on known, trusted websites to launch these attacks. Visitors believe that anything on the site should be safe since they know the hosted company and have visited the site dozens of times.
Most websites use advertising to pay for design, content creation, hosting, licensing, and more. Running a sophisticated site can be incredibly expensive, and ads help to buffer the cost.
But ads tend to move through third-party brokers before hitting the site, and that means most website owners have no idea who is buying ads next to their content. If an attack begins, they may be the last to know about it. And they may feel powerless to stop it.
The most famous malvertising attacks took place in 2015 and 2016. Hackers embedded their threats on prominent sites such as Spotify, the BBC, and The New York Times. The malware infected thousands of people with code that stole their information, launched suspicious websites, and more.
Where can you find malvertising?
A malvertisement must appear within digital content. Hackers need to run code to make their attacks work, and they can't use the technique in printed materials.
In most cases, hackers choose content that is trendy or popular. For example, hackers crafted malvertising in coronavirus content in early 2020, as they knew consumers would be looking for information about the pandemic.
You might also see malware on small, poorly maintained websites, as hackers can place almost any ad there with little oversight.
But almost anything you could see on a website could have a malvertising component. Looking through a few malvertising examples makes the risk clear. You might encounter these problems in:
- Advertising. Popup ads and banner ads are an easy way to spread malvertising across the internet. Some entice people to click to receive a deal. For example, you might find one that encourages you to download antivirus software for a low price.
- Content. A link or button within a piece of content directs you to a landing page. As that piece loads, your computer takes in a tracking pixel that gives the hackers ongoing access.
- Movies. Advertisements or animations launch automatically through programs on your computer like Flash. Each time they do, malvertising takes hold.
- Artwork. A tiny pixel inside a photo loading on a web page could hold malvertising.
This list isn't all-inclusive. You may encounter many more examples of malvertising as you surf the web every day.
Measuring malvertising’s impact
Hackers are always looking for ways to take over your computer and your digital life. By now, many people are accustomed to dealing with threats coming at them from all sides. But malvertising is a bit unique, as it's risky for both users and owners.
As a user, malware could:
- Expose. A hacker could gain access to your passwords, your banking information, and more.
- Cost. Some malvertisers extort money to release their grip on your devices.
- Break. Some computers slow down or stop working altogether due to the added power needed to run the malicious code.
As a website owner, malvertising could result in:
- Ruin. Each download damages your reputation as a credible site.
- Loss. You could lose traffic (and associated fees) if people are afraid of your site.
- Liability. People who lose money due to malvertising could come after you for damages.
It's hard to put a financial figure on these losses. But know that plenty of people remain very worried about how malvertising could impact businesses and people.
Preventing malvertising
Think of the fight as occurring on two fronts. Website owners must do their part to keep these ads off their sites, but consumers must also take action. If