Malvertising: Definition, Techniques & Defense
Malvertising is a malware-delivery device that uses common website elements. Some forms of malware require a click, such as tapping on an ad. Others can launch without any user interaction at all.
Malvertising is relatively common. Estimates vary, but about 1 percent of all the ads you see online could hold this nasty element.
Let's walk through what malvertising is and what it entails. Then, we'll dig into methods web browsers and website owners can use to block these attacks before they begin.
What is malvertising?
Malware ads are a form of cyber attack in which hackers use a website you know and trust to execute dangerous code that puts your security at risk.
There are two primary forms of malvertising:
- Pre-click: Malware launches on your computer as the web page loads. You don't need to do anything to start it, and this form of attack is hard to stop.
- Post-click: You tap on an ad or some website element, and malware launches in response.
Some types of malvertising launch ad malware on your computer. These programs display advertising for products you don't want, or they redirect your searches to advertising websites. At the same time, the program mines data about you to send back to the hackers.
Hackers rely on known, trusted websites to launch these attacks. Visitors believe that anything on the site should be safe since they know the hosted company and have visited the site dozens of times.
Most websites use advertising to pay for design, content creation, hosting, licensing, and more. Running a sophisticated site can be incredibly expensive, and ads help to buffer the cost.
But ads tend to move through third-party brokers before hitting the site, and that means most website owners have no idea who is buying ads next to their content. If an attack begins, they may be the last to know about it. And they may feel powerless to stop it.
The most famous malvertising attacks took place in 2015 and 2016. Hackers embedded their threats on prominent sites such as Spotify, the BBC, and The New York Times. The malware infected thousands of people with code that stole their information, launched suspicious websites, and more.
Where can you find malvertising?
A malvertisement must appear within digital content. Hackers need to run code to make their attacks work, and they can't use the technique in printed materials.
In most cases, hackers choose content that is trendy or popular. For example, hackers crafted malvertising in coronavirus content in early 2020, as they knew consumers would be looking for information about the pandemic.
You might also see malware on small, poorly maintained websites, as hackers can place almost any ad there with little oversight.
But almost anything you could see on a website could have a malvertising component. Looking through a few malvertising examples makes the risk clear. You might encounter these problems in:
- Advertising. Popup ads and banner ads are an easy way to spread malvertising across the internet. Some entice people to click to receive a deal. For example, you might find one that encourages you to download antivirus software for a low price.
- Content. A link or button within a piece of content directs you to a landing page. As that piece loads, your computer takes in a tracking pixel that gives the hackers ongoing access.
- Movies. Advertisements or animations launch automatically through programs on your computer like Flash. Each time they do, malvertising takes hold.
- Artwork. A tiny pixel inside a photo loading on a web page could hold malvertising.
This list isn't all-inclusive. You may encounter many more examples of malvertising as you surf the web every day.
Measuring malvertising’s impact
Hackers are always looking for ways to take over your computer and your digital life. By now, many people are accustomed to dealing with threats coming at them from all sides. But malvertising is a bit unique, as it's risky for both users and owners.
As a user, malware could:
- Expose. A hacker could gain access to your passwords, your banking information, and more.
- Cost. Some malvertisers extort money to release their grip on your devices.
- Break. Some computers slow down or stop working altogether due to the added power needed to run the malicious code.
As a website owner, malvertising could result in:
- Ruin. Each download damages your reputation as a credible site.
- Loss. You could lose traffic (and associated fees) if people are afraid of your site.
- Liability. People who lose money due to malvertising could come after you for damages.
It's hard to put a financial figure on these losses. But know that plenty of people remain very worried about how malvertising could impact businesses and people.
Think of the fight as occurring on two fronts. Website owners must do their part to keep these ads off their sites, but consumers must also take action. If these attacks stop working, hackers may stop deploying them.
As a website user, you can:
- Update. Ensure that you always update your programs to help you avoid the latest exploits.
- Protect. Download antivirus software and ad-blocking software to keep hackers from launching attacks.
- Set up. Walk through your browser settings for vulnerabilities. Some suggest turning off video auto-play, for example.
Symptoms of malware could include:
- Poor performance. Your computer may seem slow, or it may stop working altogether.
- Unusual activity. Searches you once ran now lead to completely different pages. You may have programs on your computer that you don't remember.
- Complaints. Your contacts may tell you that you're sending them odd notes.
Anytime you see symptoms like this, you should take action. Run your antivirus software and shut down anything that seems odd. If you're working on a network computer, alert your IT specialist immediately.
As a website owner, you can:
- Evaluate. Do you need to run ads on your website? Are the risks you take worth the potential revenue you could generate?
- Supervise. Ensure that you know about every ad that runs on your site. Look them over personally. Check back frequently, as some actors replace approved ads with malignant versions when they think you're not watching.
- Dictate. Set rules about the ads you will and won't accept. You may not allow scripts, frames, or other tech in anything on your site.
- Check. Use tools like this one from Google to test the safety of your site.
It's your duty as a website administrator to ensure that you offer a safe experience for all of your visitors. If you think you're serving them malvertising, you must take action.
At Okta, we deal with threats like this all the time. We can help you protect your company against a crippling hacking attack. And we can help you recover from attacks after they happen. Find out how we can help.
What Is Malvertising? And How to Protect Against It. (December 2020). CSO.
Malvertising: What You Need to Know to Prevent It. (August 2020). Cybernews.
Malvertising. Center for Internet Security.
Warning as Dangerous Coronavirus Malware Is Sent to Millions: Here's What You Need to Do. (March 2020). Forbes.
Beware of Malicious Ads That Can Harm Computers Without a Click. (May 2014). CNBC.
How to Tell Safe Advertisements from Dangerous Malvertising. (October 2019). Security Intelligence.
Malware. (November 2015). Federal Trade Commission.
Safe Browsing Site Status. Google.