GeoEdge University

What is Malvertising or Malware in Ads?

What is malvertising? Where does malware in the advertising industry hide? How is malware inserted? And how can one detect it?

The Basics

Malware is malicious software that infiltrates a user's computer and takes over its system. The impact on the user can be quite harmful, as in identity theft, or more innocuous and unnoticed by the user, as in ad injection or click fraud. Types of malware include viruses, worms, Trojan horses, adware, spyware, ransomware, and scareware.*

*For a full explanation of each type of malware, see our article entitled, “The Ultimate Guide to Malware & Other Online Security Threats.”

The Facts

Malware appears on publishers’ sites without their knowledge. Because sites sell their inventory through programmatic channels, third-party demand partners, and exchanges, it has become almost impossible to control which ads are served, at least not without outside help. In addition, hackers target specific sites and companies and insert malware through server or infrastructure compromises.

Symantec states in its Internet Security Threat Report that malvertising has reached “new heights.” Cyphort Labs reports a 325% increase in malvertising from 2013 to 2014 and asserts that it is still increasing, affecting tens of millions of people through popular, well-respected domains.

URL inspection

Malware ultimately lives in scripts and executable code, but in advertising it arrives through a URL.

URLs that are embedded in a page, or that arrive in a server response after a user interacts with the page, may lead to a malicious site or prompt the user to download malicious code.

How is malware inserted?

Malware insertion is highly sophisticated, with a wide range of techniques. Many people think that if they don’t click on a suspicious site or download a deceptive file, they won’t get infected. However, users do not have to click at all: in some scenarios malvertising runs pre-click. Examples of pre-click malware include code embedded in the page’s main scripts and drive-by downloads. Malware can also auto-run, as with auto-redirects, where the user is automatically taken to a different site that may be malicious.

Malware can also be introduced during the delivery of an ad: a clean ad with no malware pre- or post-click (in its build and design) can still be infected while it is being called. Malicious code can hide undetected, and the user has no idea what is coming their way.

A publisher can fully trust their direct partners (often the "premium" partners) to do their utmost to serve clean campaigns. However, with programmatic RTB, third-party demand partners, and a hacker environment that shows no signs of slowing down, a publisher can never know when they will be hit with malware.

Where can malware hide?

Malware can hide in a number of spots and can infect a user in various ways – sometimes the user will need to click on an ad or link to activate the infection, and sometimes no links are needed to unleash the malware. 

• In the Delivery Path

There are two delivery pathways to serve an ad:

(1) The first pathway is known as the “ad call,” where the platform or exchange pushes the served ad to the user’s screen (this is the pre-click pathway). These ad calls can pass through many third parties, any of which may insert malicious code, so the user is infected without doing anything.

(2) The second delivery path is post-click. When the user clicks on the ad, a series of URLs is called to reach the final landing page. Malicious code can be inserted by any of the third parties involved in that delivery path.
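The post-click path described above is a chain of redirects, and a verification tool can walk that chain offline and flag each hop that deserves a reviewer's attention. The following is an added example, not GeoEdge's code: the redirect table, the allowlist of known hosts, and the list of risky file extensions are all constructed for illustration and stand in for the live HTTP responses and the publisher's own vetted-partner list.

```python
"""
Walk a post-click redirect chain and flag suspicious hops.

Added example (not GeoEdge's code). SAMPLE_CHAIN is constructed: each entry
maps a URL to the Location header its server would return, standing in for
the live responses a scanner would fetch. None marks the final landing page.
"""
from urllib.parse import urlparse

# Constructed redirect table: url -> next url (None = final landing page)
SAMPLE_CHAIN = {
    "https://ads.exchange-a.example/click?cid=123":
        "https://track.partner-b.example/r?u=abc",
    "https://track.partner-b.example/r?u=abc":
        "http://cdn-upd4te.example/dl/setup.exe",
    "http://cdn-upd4te.example/dl/setup.exe": None,
}

# Hypothetical allowlist of hosts the publisher has vetted
KNOWN_HOSTS = {"ads.exchange-a.example", "track.partner-b.example", "brand.example"}

# File extensions that should never be the target of an ad click
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".msi", ".jar", ".apk", ".dmg")
MAX_HOPS = 10


def walk_chain(start, responses, known_hosts=KNOWN_HOSTS, max_hops=MAX_HOPS):
    """Return (hops, findings) for the redirect chain beginning at `start`.

    hops:     ordered list of URLs visited, first to last.
    findings: list of (hop_index, reason) for anything a reviewer should look at.
    """
    hops, findings, seen = [], [], set()
    url = start
    while url is not None:
        if url in seen:
            findings.append((len(hops), "redirect loop"))
            break
        if len(hops) >= max_hops:
            findings.append((len(hops), "chain exceeds max hops"))
            break
        seen.add(url)
        hops.append(url)
        idx = len(hops) - 1
        parsed = urlparse(url)
        # Scheme: anything but https is worth a look; javascript:/data: is a red flag
        if parsed.scheme not in ("http", "https"):
            findings.append((idx, f"non-http scheme {parsed.scheme!r}"))
        elif parsed.scheme == "http":
            findings.append((idx, "plaintext http hop"))
        # Host not in the vetted partner list
        if parsed.hostname and parsed.hostname not in known_hosts:
            findings.append((idx, f"unknown host {parsed.hostname}"))
        # Click path ending in a download rather than a landing page
        if parsed.path.lower().endswith(DANGEROUS_EXTENSIONS):
            findings.append((idx, "executable download"))
        # A URL missing from the table is treated as the final page
        url = responses.get(url)
    return hops, findings


if __name__ == "__main__":
    hops, findings = walk_chain("https://ads.exchange-a.example/click?cid=123", SAMPLE_CHAIN)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop}")
    for idx, reason in findings:
        print(f"  finding at hop {idx}: {reason}")
```

In a real scanner the `responses` table would be replaced by actual fetches, with the redirect followed from a clean browser profile so that partners cannot cloak on user-agent or cookies; the loop and hop-count guards matter there because a malicious chain may redirect indefinitely.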

• Embedded in the Creative

Malware might be embedded in a content or graphic piece. For example, an HTML5 creative combines images and JavaScript, either of which could contain malicious code. Another example is malware embedded in a Flash .swf file. The user does not have to click on the ad to be infected: the malicious code is activated when the ad loads. Even when the creative contains no malicious code pre-click, malicious code may still be served once the user clicks.

• Within a Pixel 

A tracking pixel can be embedded in a variety of places, including in a banner and on a landing page. Pixels are usually found in ad calls; they are small pieces of code that send data in a query string. Typically, one “shoots a pixel” to mark a particular user interaction. In the case of malware, the pixel transfers data to the “receiver,” which responds by sending malware (for example, a pop-up or pop-under).

• Within a Video 

There is a popular misconception that video ads can't deliver malware. Many believe that the video player protects against malware, but this is not the case. Take a standard format such as a VAST video ad: the ad contains tracking pixels from third parties, and one of those pixels contains malicious code. Once the user allows the video ad to load and play, they become infected. Alternatively, a malicious post-click URL may sit at the end of the video ad. In addition, a Flash file (.swf) itself can inject an iframe into the page, and this iframe downloads the malware onto the user’s computer. The user does not even have to click on the video.
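Both the pixel passage above and this video passage come down to the same check: a VAST document is XML whose Impression and Tracking elements are exactly the third-party pixels the text describes, so a verification step can inventory every URL the player will request, list what each pixel sends in its query string, and flag hosts the publisher has not vetted. The following is an added example, not GeoEdge's code: the VAST document and the list of expected hosts are constructed for illustration, while the element names used (Impression, Tracking, ClickThrough, ClickTracking, MediaFile, VASTAdTagURI) are standard VAST elements.

```python
"""
Inventory every outbound URL in a VAST video ad and flag unexpected hosts.

Added example (not GeoEdge's code). SAMPLE_VAST and EXPECTED_HOSTS are
constructed for illustration; a real check would run on the VAST returned
by the ad server for each campaign.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed VAST 3.0 response: two impression pixels, two tracking pixels,
# one click-through and one media file.
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="demo">
    <InLine>
      <AdSystem>DemoAdServer</AdSystem>
      <AdTitle>Demo spot</AdTitle>
      <Impression><![CDATA[https://imp.adserver.example/i?cb=123]]></Impression>
      <Impression><![CDATA[https://px.third-party.example/p?ev=imp&uid=abc]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <Duration>00:00:15</Duration>
            <TrackingEvents>
              <Tracking event="start"><![CDATA[https://imp.adserver.example/t?ev=start]]></Tracking>
              <Tracking event="complete"><![CDATA[http://stat.unvetted.example/c?ev=complete&uid=abc]]></Tracking>
            </TrackingEvents>
            <VideoClicks>
              <ClickThrough><![CDATA[https://brand.example/landing]]></ClickThrough>
            </VideoClicks>
            <MediaFiles>
              <MediaFile type="video/mp4"><![CDATA[https://cdn.adserver.example/spot.mp4]]></MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>"""

# Hypothetical list of hosts the publisher expects this campaign to contact
EXPECTED_HOSTS = {"imp.adserver.example", "cdn.adserver.example", "brand.example"}

# Standard VAST elements whose text content is a URL the player will request
URL_TAGS = ("Impression", "Tracking", "ClickThrough", "ClickTracking",
            "MediaFile", "VASTAdTagURI")
PIXEL_TAGS = ("Impression", "Tracking")


def extract_urls(vast_xml):
    """Return [(tag, event_or_None, url)] for every URL-bearing element."""
    root = ET.fromstring(vast_xml)
    found = []
    for tag in URL_TAGS:
        for el in root.iter(tag):
            url = (el.text or "").strip()
            if url:
                found.append((tag, el.get("event"), url))
    return found


def pixel_payloads(vast_xml):
    """Map each pixel URL to the query-string data it sends to its receiver."""
    return {url: parse_qs(urlparse(url).query)
            for tag, _event, url in extract_urls(vast_xml) if tag in PIXEL_TAGS}


def audit(vast_xml, expected_hosts):
    """Return (urls, findings); findings are (tag, url, reason) triples."""
    urls = extract_urls(vast_xml)
    findings = []
    for tag, _event, url in urls:
        p = urlparse(url)
        if p.scheme != "https":
            findings.append((tag, url, "not https"))
        if p.hostname not in expected_hosts:
            findings.append((tag, url, f"unexpected host {p.hostname}"))
    return urls, findings


if __name__ == "__main__":
    urls, findings = audit(SAMPLE_VAST, EXPECTED_HOSTS)
    print(f"{len(urls)} outbound URLs")
    for url, data in pixel_payloads(SAMPLE_VAST).items():
        print(f"pixel {url} sends {data}")
    for tag, url, reason in findings:
        print(f"{tag}: {url}: {reason}")
```

The audit only reads the VAST document; it does not fire the pixels. That is deliberate: the page's point is that the pixel's receiver may answer with malware, so the hosts it reports are the ones to review or sandbox before the creative is allowed to run, and any Wrapper (VASTAdTagURI) it lists is a further document that needs the same treatment.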

• On the Landing Page

A malicious URL could appear on the final landing page. The landing page itself and the path to it may be clean, but the page contains elements for the user to click on that carry malicious code. One reason this is so alarming is that the user may consider themselves safe by this point, only to find that they became infected because they clicked on an infected element within the page.

• Within a Polite Banner 

Malicious code could be found in the URL tags of a polite banner. (A polite banner is a pre-roll ad shown for a Flash file that takes a couple of seconds to load.) In other words, the actual Flash ad is clean, but the ‘polite’ ad that keeps the user busy while it loads contains malicious code. Again, the user needs to take no action to become infected.