Malvertisements are malicious advertisements distributed in the same way as legitimate online advertisements, and they are one of the common methods used to spread malware. Cybercriminals adopt the advertising model by posing as legitimate campaigns. Such malvertisements either attempt to download malware directly onto the visitor’s system or device, or redirect visitors to websites built to spread ransomware, viruses or other malicious programs. The process of creating malvertisements and spreading malware through them is called malvertising. Malvertising is a favoured medium for criminal behaviour because it exploits consumer trust in both the companies running campaigns and the advertising networks.

Ad networks distribute both genuine and fraudulent advertisements. The reputation of a website does not reliably determine whether it will carry malvertisements, although reputable sites remain the least risky places to browse. Recent examples have shown that even the most well-known, legitimate sites can distribute malvertisements unknowingly. In recent years, reputed sites such as Forbes, The New York Times Online, the London Stock Exchange and Spotify have all been affected by malvertising campaigns that infected visitors with malware.

Malvertisements vs Adware

People often confuse malvertisements with adware, since both involve online advertising. Adware is a program running on the victim’s or user’s system, usually bundled with other legitimate software. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.

Key differences between malvertisements and adware are:

1.    Malvertising involves deploying or injecting malicious code on a publisher’s web page. Its targeted audience is not an individual or a selected set of users, whereas adware targets individual users only.

2.    Malvertisements are dangerous only to users who view the infected web page or website, whereas adware, once installed, keeps operating on the user’s computer.

How Malvertisement Distribution Works

Malvertisements are distributed by the same methods as normal online advertisements. Infected graphic files are submitted to a legitimate advertising network in the hope that the network will not be able to distinguish trustworthy ads from harmful ones. Advertisements are designed to attract viewers and encourage them to click. Once approved, these malicious advertisements are served on legitimate sites. In some cases, cybercriminals even re-register expired but previously legitimate domains to pose as a trustworthy domain. Criminals can use redirects to send those who click to a malicious site, and users remain unaware because they expect redirects when clicking on an ad. On the malicious website, code runs in the background and attempts to download malware onto the device. This unintentional download of a virus or malicious code is known as a drive-by download. Malvertisements often use drive-by attacks to download ransomware onto targeted computers. Advanced forms of malvertisements can even install malware on visitors’ devices directly from the legitimate website displaying the ad, without any interaction from the visitor.

Malware Insertion Techniques

Attackers use several delivery mechanisms to insert malicious code into advertisements.

1.    Malware in advertisement calls: When a website shows a page featuring an ad, the ad exchange delivers the advertisement to the user through a variety of third parties. An attacker who compromises one of these third-party servers can attach malicious code to the ad payload.

2.    Post-click malware injection: Users who click on an ad are typically redirected through multiple URLs before reaching the ad landing page. If any URL along this delivery path is compromised by an attacker, it may execute malicious code.

3.    Malware in text or banner advertisements: Malware may be hidden in a banner ad or text ad. For instance, an ad delivered in HTML5 as a combination of images and JavaScript may contain malicious code.

4.    Malware within a pixel of an image: Pixels are embedded with code in an advertisement call. A legitimate pixel sends data to the server for tracking purposes. If an attacker intercepts a pixel’s delivery path, it can send a response containing malicious code to the user’s browser.

5.    Malware within video: Video players do not protect against malware. Examples include Flash-based videos and specific video formats such as VAST. The VAST format contains pixels from third parties, which could carry malicious code. Flash-based videos can inject an iframe into the page that downloads malware even without the user clicking on the video. Flash files might also load a pre-roll banner; attackers can inject malicious code into the pre-roll banner, and it runs even without the user clicking on the video.
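As an added example (not code from the original article), the following Python auditor checks an HTML5 creative for the insertion patterns listed above before it is served: scripts and obfuscation markers (technique 3), tracking pixels calling hosts outside the network's allowlist (technique 4), injected iframes (technique 5), and meta-refresh redirects or inline handlers that fire without a click. The allowlist hosts and the sample creatives are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"cdn.adnetwork.example", "track.adnetwork.example"}  # constructed allowlist


class CreativeAuditor(HTMLParser):
    """Walks an HTML5 creative and records elements matching the techniques above."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _host_ok(self, url):
        return (urlparse(url).hostname or "").lower() in ALLOWED_HOSTS

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":  # technique 3: script carried inside a banner creative
            self._in_script = True
            if a.get("src") and not self._host_ok(a["src"]):
                self.findings.append(f"script from unexpected host: {a['src']}")
        elif tag == "iframe":  # technique 5: injected iframe, no click needed
            self.findings.append(f"iframe in creative: {a.get('src', '(no src)')}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect: {a.get('content', '')}")
        elif tag == "img" and not self._host_ok(a.get("src", "")):
            self.findings.append(f"pixel from unexpected host: {a.get('src', '')}")  # technique 4
        for name, value in a.items():  # inline handlers and javascript: URLs run on view or click
            if name.startswith("on") or value.lstrip().lower().startswith("javascript:"):
                self.findings.append(f"inline handler on <{tag} {name}>")

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):  # obfuscation markers a legitimate creative rarely needs
        if self._in_script and any(m in data for m in ("eval(", "unescape(", "fromCharCode")):
            self.findings.append("obfuscated script body")


def audit_creative(html):
    """Return the findings for one creative; an empty list means nothing was flagged."""
    auditor = CreativeAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample creatives: one clean, one carrying several of the patterns above.
CLEAN = '<a href="https://cdn.adnetwork.example/land"><img src="https://cdn.adnetwork.example/b.png"></a>'
BAD = ('<img src="https://cdn.adnetwork.example/b.png">'
       '<img src="https://evil-pixel.example/p.gif" width=1 height=1>'
       '<script>eval(unescape("%64%6f"))</script>'
       '<iframe src="https://payload.example/x" style="display:none"></iframe>')
```

Running `audit_creative(BAD)` yields three findings (unexpected pixel host, obfuscated script body, injected iframe) while `audit_creative(CLEAN)` yields none; a network-side review pipeline would reject or hold any creative with a non-empty result.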

Malvertisements: With or Without User Interaction

Common malvertisements generally require user interaction for the malware to be downloaded onto, or to infect, the victim’s system. That interaction is typically the victim clicking on a malicious advertisement. The following may happen when users view or interact with malvertisements:

1.    Download or installation of malware on the computer or system viewing the malicious advertisement.

2.    Redirection of the user to a malicious site.

Some advanced malvertisements can harm a user without any interaction. Malvertising might perform the following attacks on users who view the malvertisement without clicking it:

1.    A “drive-by download”: installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible by browser vulnerabilities.

2.    Forced redirect of the browser to a malicious site.

3.    Displaying unwanted advertising, malicious content, or pop-ups beyond the ads legitimately served by the ad network. This is done by executing JavaScript.

Identification of Malvertisements

  • Advertisements that do not look like they were made by a professional graphic designer.
  • Advertisements that have spelling errors.
  • Advertisements that promise miraculous cures or celebrity scandals.
  • Advertisements that do not match your recent/typical search history or browsing behaviour.

Malvertisements Mitigations and Best Practices:

  • Antivirus software can protect against some drive-by downloads or malicious code executed by malvertisements.
  • Ad blockers offer good protection against malvertising, because they block all ads, together with their malicious elements.
  • Using browsers that block ads or offer an ad-free experience by default, such as Brave or Cliqz.
  • Avoiding the use of Flash and Java can protect users from many vulnerabilities that are commonly exploited by malvertisements.
  • Updating browsers and plugins can prevent many malvertising attacks, in particular those that operate before the user clicks the advertisement.
  • Visit only secure and known websites.
  • Resist clicking on ads, even if they appear to be from reputable companies or businesses.
  • Follow news about compromised websites and potential malvertising campaigns to protect yourself from known malvertising threats.

The writer, Ashutosh Nath Rimal, is a cyber security enthusiast pursuing a master’s degree in Cyber Security. He is currently working with CyRAACS as an intern in Technical Services. CyRAACS is a one-stop provider of cybersecurity consulting services with expertise across a spectrum of cyber security services.
