How To Detect, Block & Prevent Malvertising Attacks on Web & In-App Users

How to remove malvertising at scale?

Due to the nature of programmatic advertising and real-time bidding, publishers face an influx of malvertising and of low-quality, irrelevant advertising. Publishers can use a combination of advanced AI capabilities to remove malvertising and create a relevant and engaging user experience.

Malvertising, or malicious advertising, occurs when bad actors deploy malware attacks or infections via online advertising. Programmatic advertising is particularly vulnerable to malvertising attacks since publishers are not directly connected to advertisers, and don’t directly control the online ads that appear on their sites.

In programmatic advertising, ad networks like Google AdExchange collect bids from multiple demand-side platforms (DSPs) that purchase inventory on behalf of their clients. The ad network selects the winning bid and delivers the URL of the auction winner’s ad creative directly to the end user’s browser, allowing advertisers to load code on that user’s device.

Nefarious players have multiple opportunities to exploit legitimate advertising networks and ad servers, leading to growth in malicious advertising. That’s a problem for publishers, as it can cause their audiences to stop engaging with the site or app, write negative reviews, issue complaints on social media, and a host of other brand sustainability issues.

The growing malicious activity has led to widespread skepticism about ad quality. Publishers are increasingly threatened by the potential loss of revenue while advertisers are concerned about reduced visibility and wasted spending.

Yet, it’s incredibly difficult for publishers to address malvertising attacks alone. Since each user is served a different ad and ads come from a huge pool of sources, they are extremely difficult to trace. In fact, it’s nearly impossible for ad ops teams to recreate their users’ negative experiences, detect a malware attack, or trace the source of a malvertising campaign or harmful ads.

Concerns about malicious ads and irrelevant advertising have driven users to adopt ad blockers. The rise in adoption of ad blockers threatens the future of ad-supported media. Publishers and advertising networks need sustainable and scalable solutions to deal with malicious advertisements.

Types of malvertising attacks

There are two broad-based tactics used in a malvertising attack. The first is a code-based method that occurs pre-click and delivers unwanted software to the user’s computer. The other is social engineering, which occurs post-click.

  • Malware Ads (Pre-Click) 

These types of malvertising take advantage of fraudulent code that loads on the user’s mobile device or computer when ads are loaded via programmatic advertising. The fraudster utilizes that code to automatically redirect users to deceptive scams.

For instance, a user may scroll down a page and encounter a pop-up that redirects them to another site that displays a message from their mobile carrier, but leads them into a trap. That’s because the ad call provides the fraudsters with a ton of information about the users, making it easy for criminals to create malicious content that looks legitimate, such as calls to install antivirus software.

  • Malvertising in Landing Pages (Post-Click) 

Post-click attacks include various forms of social engineering to lure users into their traps, such as sensational clickbait stories, fake software updates, or offers for fake products. The goal is to either deliver malware or to obtain sensitive information that can be sold on the dark web.

Another scheme prompts users to pay for items or services that don’t exist, don’t work as promised, or are too good to be true. These promotions can range from anti-aging cream to investing in cryptocurrencies or equities via trading apps that themselves are fraudulent. In these scenarios, users are led to a malvertising website that encourages them to invest their money in what they believe to be some kind of an exchange when in reality it just goes into the pockets of the scammers.

The goal of all social engineering malvertising campaigns is to prompt users to click on a link and download malware, and once they do, any number of negative events can follow.

Fraudsters have been favoring social engineering tactics over code-based ones lately because they deliver better returns. In fact, the returns are so good that nefarious actors are willing to bid high CPMs in the open exchanges for users they believe they can fleece out of their money. This is a significant turn of events, as one strategy publishers have deployed in the past to keep bad actors off of their sites was to keep floor prices in a range that criminals were not willing to pay. That isn’t the case anymore.

  • Malicious Website Clone

Cloned websites are malicious websites designed to look like legitimate websites but are actually used to spread malware. Ads can be used to redirect victims to these fake websites, where users are asked to complete forms like a “connect with us” or fake surveys that include sensitive information, such as their credit card numbers or other PII data. Some even include a tech support scam where users are asked to provide personal information in order to access help in solving a computer problem.

  • Malicious Extensions & Add-ons

More resources are on the cloud than ever before, which means that web browsers are frequently used to access sensitive information. This makes browsers a prime target for criminal activity, often through the use of malicious browser plug-ins and add-ons.

Browser extensions are small blocks of code that run in the browser and allow users to do things like easily capture screenshots or edit pictures. They are often featured in the latest security articles because they are an increasingly popular way for malvertising criminals to install malware or deliver malicious software, even when users think they are using a secure browser.

  • Ransomware Ads

Ransomware is a type of malicious software that encrypts files and systems, blocking access to them and making them unusable. The criminals then demand a ransom payment from the infected organizations or users in exchange for enabling access.

There are many ways to inject malicious code like ransomware, but one way is through an infected ad. In some types of online ads, the ransomware is only downloaded when the user clicks on the ad. In other types of infected ads, a click isn’t required—the ransomware is downloaded as soon as the webpages load from the ad networks.

Ransomware ads are attractive to criminals because they often result in enormous profits. In 2021, the average payout for a ransomware attack, which can be spread via programmatic advertising, was an astounding $1.4 million.

  • Trojan Ads

Trojan horse malware is a file, program, or piece of code that is delivered inside legitimate software but is used for an illegitimate purpose, for example to steal data or insert additional malware into the infected device. A trojan ad is an ad that leads users to trojan malware when they click on it.

  • Spyware Ads

Spyware ads are a type of malvertising that takes information from a user’s computer or operating system without permission, and without the user even being aware of what is happening. Some spyware is created by data mining companies to gather information about users’ browsing habits, while other spyware is created by criminals to capture emails, passwords, and credit card information.

Spyware ads often offer users free software that they can download—things like browser extensions and apps to edit pictures or create screensavers. When the user responds to the infected ad and downloads the software, the spyware begins to run in the background, capturing the user’s information and often impacting the performance of the computer.

  • Ad Malware Phishing

Phishing attacks are designed to get users to share personal information like login data or passwords. For example, it could be banner ads or other types of online advertising that notify users that they’ve won a prize. When users click on the ad, their device is attacked.

How to detect malvertising?

Identifying the various clickbait tactics, or the misleading and deceptive elements in an ad or website requires a lot of sophisticated software and AI working in conjunction, especially when it comes to social engineering schemes.


It’s more difficult to identify the social engineering schemes than it is to identify malicious code. GeoEdge has built a detection engine comprised of many layers, each of which searches for a different element of malvertising attacks. For instance, one layer analyzes the text contained in the ad creative as well as the text on the associated landing page. A machine learning layer analyzes images on the landing pages to ensure that they are not being used as bait or in a switch scheme. Another layer looks for cloaking mechanisms that redirect users, while yet another looks for the tests that scammers run in their search for users (a legitimate campaign will not run these tests, so their presence is a good indication of malvertising).

Another layer looks for similarity of code. Bad actors know we’re looking for them, and will modify their code or domain in order to circumvent detection. However, we can still detect them by looking for patterns in the code that have been missed by antivirus software.
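One way to compare ad scripts by structure rather than by exact bytes, as an added example that is not GeoEdge's code: scripts are reduced to tokens that ignore names, strings and numbers, then compared by the overlap of their 4-token windows. The samples, the kept-name list and the window size are assumptions made for illustration.

```javascript
// Added example. Samples are constructed; domains use the reserved .invalid TLD.
const KEEP = new Set(["var", "let", "const", "if", "else", "function", "return", "new",
  "window", "top", "location", "href", "navigator", "userAgent", "document"]);
// One pass: comments, string literals, identifiers, numbers, single punctuation.
const TOKEN = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|[^\s\w]/g;

// Reduce a script to tokens that ignore comments, names, strings and numbers,
// so renaming variables or rotating the domain leaves the fingerprint unchanged.
function normalize(src) {
  const out = [];
  for (const t of src.match(TOKEN) || []) {
    if (t.startsWith("//") || t.startsWith("/*")) continue;
    if (t[0] === '"' || t[0] === "'") out.push("STR");
    else if (/^\d/.test(t)) out.push("NUM");
    else if (/^[A-Za-z_$]/.test(t)) out.push(KEEP.has(t) ? t : "ID");
    else out.push(t);
  }
  return out;
}

// Set of overlapping k-token windows ("shingles").
function shingles(tokens, k = 4) {
  const set = new Set();
  for (let i = 0; i + k <= tokens.length; i++) set.add(tokens.slice(i, i + k).join(" "));
  return set;
}

// Jaccard similarity of the two shingle sets, from 0 (disjoint) to 1 (identical).
function similarity(a, b, k = 4) {
  const A = shingles(normalize(a), k), B = shingles(normalize(b), k);
  if (A.size === 0 || B.size === 0) return 0;
  let shared = 0;
  for (const s of A) if (B.has(s)) shared++;
  return shared / (A.size + B.size - shared);
}

const KNOWN_BAD = `var u = "https://prize.example.invalid/claim";
if (navigator.userAgent.indexOf("Android") > -1) { window.top.location.href = u; }`;
// Same logic with a renamed variable, a rotated domain and a junk statement added.
const VARIANT = `/* v2 */ var t = 0; var zq9 = "https://gift.example.invalid/win"; // rotated
if (navigator.userAgent.indexOf("iPhone") > -1) { window.top.location.href = zq9; }`;
const BENIGN = `var img = new Image(); img.src = "https://cdn.example.invalid/banner.png";
document.getElementById("slot").appendChild(img);`;

console.log(similarity(KNOWN_BAD, VARIANT).toFixed(2), similarity(KNOWN_BAD, BENIGN).toFixed(2));
```

A byte-level hash or an exact string signature would treat the variant as a new script; the structural score stays high because only the names, literals and one extra statement changed.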

How to block malvertising at scale?

The only way to block malvertising is to intercept the ad that has won the auction in real time, and prevent it from being shown to the user. When ads do not meet the publisher’s brand suitability and ad format standards, or do not represent a legitimate advertiser and campaign, they must be blocked at the pre-impression level.

The many layers of GeoEdge’s detection engine are not siloed. The data and insights from each layer are aggregated and assessed holistically, focusing on preventing malvertising. “For instance, our detection engine will combine a piece of text that is used with a specific image and check to see if it includes a call to a domain that is similar to a scam we’ve identified in the past. If we see such patterns, we will automatically deem the ad fraudulent and prevent it from being served to a user.” Amnon Siev, CEO at GeoEdge

Simultaneously, GeoEdge provides publishers with a piece of code they can integrate with their website that allows us to monitor ads before reaching their users. We can intercept the ad in real-time and ensure it was sent by a legitimate advertiser and meets all brand standards. If we block an ad because it is malicious, we notify the ad exchange that sent it that we are removing malvertising so that it can update its exclusion list.
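The cross-layer decision described above, as an added example that is not GeoEdge's code: a text layer and a lookalike-domain layer each produce a signal, and the creative is blocked only when they agree. The policy values, the creatives and the edit-distance threshold of 2 are assumptions made for illustration.

```javascript
// Added example. Policy data and creatives are constructed for illustration.
const POLICY = {
  scamDomains: ["prize-claim.example.invalid", "secure-update.example.invalid"],
  baitPhrases: ["you have won", "your device is infected", "update required"],
};

// Levenshtein edit distance, keeping only the previous row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Hostnames referenced anywhere in the creative markup.
function calledDomains(markup) {
  const hosts = new Set();
  for (const m of markup.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Run each layer, then decide on the combination rather than on a single signal.
function reviewCreative(markup, policy = POLICY) {
  const text = markup.replace(/<[^>]*>/g, " ").toLowerCase();
  const phrases = policy.baitPhrases.filter((p) => text.includes(p));
  const lookalikes = [];
  for (const host of calledDomains(markup)) {
    for (const known of policy.scamDomains) {
      if (editDistance(host, known) <= 2) lookalikes.push({ host, known });
    }
  }
  const signals = (lookalikes.length > 0 ? 1 : 0) + (phrases.length > 0 ? 1 : 0);
  const verdict = signals === 2 ? "block" : signals === 1 ? "review" : "allow";
  return { verdict, phrases, lookalikes };
}

const BAD_AD = '<a href="https://prize-c1aim.example.invalid/go">' +
  '<img src="https://cdn.example.invalid/gift.png">Congratulations, you have won a gift card!</a>';
const CLEAN_AD = '<a href="https://shop.example.invalid/sale">Spring sale: 20% off running shoes</a>';
const REVIEW_AD = '<a href="https://news.example.invalid/x">Update required for your preferences</a>';

console.log([BAD_AD, CLEAN_AD, REVIEW_AD].map((ad) => reviewCreative(ad).verdict));
```

The single-signal "review" verdict corresponds to the edge cases a human reviewer would decide, while the "block" result carries the matched phrase and domain pair that a report back to the demand partner would need.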

How to prevent malvertising?

A protection tool that extends across the entire ad delivery process and includes optical character recognition, image recognition, and context analysis to analyze campaigns on a real-time basis is critical to preventing malvertising. In addition to blocking ads, the tool should also include automated demand reports about the incident’s origin.

It’s incredibly challenging for publishers to address malvertising alone—malvertising attacks happen too frequently. It’s impossible for ad ops teams to recreate the bad experiences of their users, as each user is served a different ad. What’s more, bad ads can come from any number of sources and be viewed on both computers and a variety of mobile devices, making them impossible to trace.


To fight malvertising effectively, publishers must identify online threats on multiple platforms, including, but not limited to, the following:

  1. Malicious Extensions & Add-ons Ads
  2. Forced Browser Notifications Ads
  3. Fake Antivirus & Cleaners Ads
  4. Fake Software Updates Ads
  5. Fake VPN Ads
  6. Gift Card Scams Ads
  7. Tech Support Scams Ads
  8. Financial Scams Ads
  9. Misleading Product Offers Ads
  10. Brand Infringement Ads


GeoEdge automatically identifies any issue of concern to the publisher on any of these platforms and removes those ads proactively. It targets bad content, content concealing secret messages, embedded scripts, problematic ad formats, ransomware, other malware, and other online threats.

GeoEdge’s machine learning engine identifies both the content of ads and the landing pages they lead to. Our solution can also understand the behavior of the ad unit and analyze whether it violates the publisher’s standards. If it does, GeoEdge utilizes advanced ad blocking to proactively stop the ad from being served to a user.

How to stop & get rid of malvertising

So, how do you protect yourself against malvertising campaigns? Malvertising and fraud are challenging problems, but they’re not impossible to overcome. By following these five steps, you can stop malvertising and ensure both your users and brand reputation are protected from the schemes of bad actors.

  1. Craft a brand suitability framework to articulate what brand suitability means for your brand and audience. Look for a tool that allows you to create and apply granular rules to enforce security, content, and user experience standards.
  2. Adopt an anti-malvertising protection tool that extends across the entire ad delivery process, including both the ad and the campaign’s landing pages. Use a tool that includes optical character recognition, image recognition, and context analysis to analyze campaigns on a real-time basis.
  3. Make sure your toolkit is stocked with a transparency solution to efficiently review the ads that appear on each site and determine if they meet the criteria laid out in your brand suitability strategy. Some ads may be “edge” cases that require you to make a determination if they meet your standards. Real-time solutions will take it from there to enforce your rules going forward.
  4. Take ad quality control down the last mile by automatically informing your demand partners of malicious ads and other online threats on their end. Adopt an anti-malvertising solution that not only automatically blocks malware attacks, malicious code, and malicious ads but mitigates the issue with automated demand reports about the incident’s origin. Streamlining malvertising and malicious ad mitigation not only lightens the load on publishers but contributes to an overall cleaner environment.
  5. Ensure your Ad Ops team is up-to-date on new and evolving ad quality challenges. From financial scams and brand infringement to post-click cloaking attacks, your team should be aware of the latest threats to your audience. Partner with an ad quality vendor and use the latest lexicon to accurately define the bad ads that can wreak havoc on your audience.

GeoEdge does all that and more.