Malvertising affects users around the globe every day — and its effects are often immediate and visceral. Malvertising is, to the broader public, the face of ad security and quality. More accurately, to those in the industry, malvertising is the face of the enemy of ad security and quality. Malvertising has been around for as long as digital advertising has, and malware has been around as long as it’s been possible to compromise the security of devices, programs, and platforms. The internet has made crime bigger in scope and easier in practice. Within the web’s hidden darknet, criminal enterprise is thriving.
We’re here to explain what malvertising is, how it behaves, and how it can be prevented in today’s world. We’re here to underline the threats to users and to other digital businesses, to describe warning signs of malvertising before they become a serious problem, and to illuminate a path forward, where publishers can monetize their ad inventory and ad platforms can trade freely with their partners without the overhanging threat of malvertisers driving away their audiences and damaging their bottom line.
What is Malvertising?
“Malvertising” simply refers to malicious advertisements. More specifically, the term refers to all the ads that are designed and deployed with explicit malicious intent or launched by bad actors.
There are many different forms of malvertising categorized by the various actions triggered when the malicious ad reaches the user’s screen, the vector of attack, and other factors. But the common element is the use of the ad creative, browser vulnerabilities, or any weak points along the ad supply chain, to negatively affect the end user.
When malvertising reaches its target user’s computer or device, it deploys the ad payload, which is whatever malicious content the ad delivers. In many cases, infected ads contain malicious code, which is a script engineered to execute an action regardless of how the user interacts with the infected ad. In other cases, they may use a “drive-by download” to get users to download malicious computer programs or Flash files (for the now-retired Adobe Flash).
There are several paths malvertisers can pursue to reach their target user on sites via standard display, video, or in-app environments.
How Does Malvertising Work?
- On a landing page
- In the delivery path
- Embedded in the creative
- Within a pixel
- Within a video
Malvertising comes from third parties that use ad calls to gain access to a publisher’s online advertising slots and/or the creative that renders in them.
Often a malvertiser will execute a media buy starting from the DSP, just like any legitimate advertiser. In other cases, the scammer will insert malicious code via inventory reselling, or some other unsecured point in the ad network or the supply chain for online ads.
For the malvertiser, it’s an efficient and scalable method of causing harm. There’s no need to take control of the publisher’s entire website or server, and typically there’s no need for the user to perform any action other than loading a web page. A malvertising campaign can have international reach and can be targeted to particular geographic regions, demographics, or device types.
Scammers often use auto-redirects to inject malicious code. In this attack, malicious code takes over the ad unit, expanding the creative to fill the screen and giving the user no visible option to close the ad. The creative directs or links unsuspecting users to a malicious landing page, the app store, or a phone number for a phishing scam.
Ad scanning tools at points along the supply chain scan ad creative for suspicious URLs, but malvertisers get past these scanners by using cloaking—hiding their real URLs within code that looks legitimate (for example, resembling the URL of a legitimate company) to a scanner or human QA. The cloaked URL slips past these relatively low-tech security measures and reaches the user’s screen undetected.
Malicious ad cloaking
Cloaking is a technique used by malvertisers to disguise both the creative the user sees and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise, appearing harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate.
Yet, when the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the problematic page. The landing page may even appear legitimate to the user—counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company.
This whole process is designed to take advantage of the audience’s trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malicious code or malicious software to the user’s device or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.
Malvertisers evaluate consumer behavior and trends within various countries and create attack blueprints including various creatives and landing pages to suit the targeted users. Like traditional marketers, they test the effectiveness of their campaigns with probing attacks to gauge which campaigns are most effective. Many campaigns utilize sophisticated clickbait techniques to infect users with malicious programs, such as showing ads with content related to local celebrities on ad networks specific to the user’s location. For example, a user in Argentina will see content about an Argentinian celebrity, and a user in India will see an Indian celebrity.
These are some of the common tactics used in malvertising campaigns:
- Malicious Browser Extensions: These ads show useful browser extensions. When the user downloads the extension, in addition to what it is supposed to do, it also installs malware or spyware on the user’s device.
- Fake Antivirus & Cleaners: In this tactic, ads are disguised to look like system messages telling the user that they need to install an anti-virus or cleaning program to keep their device safe. However, when they click on the ad, instead of installing legitimate software, malware is installed.
- Suspicious VPN: These ads show videos, but when the users try to view the video, they are told they need to download a VPN to watch it. When they do so, they also install spyware or malware.
- Tech Support Scams: These scams put pop-ups on the user’s device that cover the entire screen. The pop-ups direct users to fake support agents who instruct users to “solve” the issue by downloading software that is actually malware.
- Fake Software Updates: These ads are disguised to look like system messages telling users that they have a program that needs to be updated. When they click to update, they unintentionally install malware.
Mobile Malvertising Campaigns
The small screen offers unique opportunities for malvertisers. Mobile users are often in a hurry, looking for a quick solution, and have little patience for interruptions. The delicate response on small screens makes erroneous clicks on ads an inevitable phenomenon.
Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms. If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive app downloads, then the platform is essentially incentivized to run more ads from unfamiliar buyers. This makes it easier for bad actors to slip their campaigns through.
Malvertising on landing pages
In many malvertising campaigns, the most harmful elements are not actually carried in the ad itself. Often, the creative will function like a normal ad at first, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. That’s why it isn’t enough to install antivirus software—in order to protect users, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad as well.
Placing malicious code
In some cases, the bad actor will place malicious code in the ad creative either when the ad is called, or post-click.
In this method, when the user opens a website or application, the bad ad will take over the screen. From there, it might direct the user to the app store to download an unwanted app. In other cases, it might show a message saying the user has won a gift card, or been invited to take part in a survey, or been exposed to a system risk that can only be fixed by clicking through.
Malware slithers its way through advertising into users’ devices in a variety of ways – through everything from direct-sold campaigns to indirectly sold ads from exchanges or networks. Secure your site with real-time protection.
Malicious Ad Delivery Methods
There are several paths malvertisers can pursue to reach their target user. Here are some of their options, which can execute on sites via standard display, video or in-app environments:
- The payload is deployed when the ad loads on the page. The creative may appear to be “clean,” because the bad URL is cloaked and is only revealed when the page loads or the user clicks on the ad.
- A bad actor inserts harmful code into the supply path as the ad is being called.
- The user clicks on a malicious ad. A series of URLs is called to bring up the ad’s landing page. Malicious code may be inserted by any third party along that path.
- Just like any tracking pixel, a malicious pixel signals to the malvertiser that the user has interacted with the ad in a specific way — at which point the pixel triggers the payload.
How scammers get past platforms’ (DSP) malvertising detection:
- The campaign is submitted to the DSP and undergoes pre-flight review for ad quality issues and spec compliance.
- Automated tools inspect the creative’s code for potential hazards.
- The cloaked “bad URL” has successfully hidden the identity of the buyer and the nature of the campaign, and the campaign begins to progress along the supply chain.
- The bad ad is designed to reveal its real URL to a human user and to hide it in a non-human environment. Scanners are non-human environments. Ad platforms and other vendors fail to detect the bad code via simple scanning.
- Because the real URL is cloaked, it fails to match against platforms’ and publishers’ lists of prohibited URLs (known bad actors and unwanted advertisers).
- Impression & Payday: The ad reaches the user’s screen, where the payload is deployed directly to the user and their device.
Just as malvertising and malware are frequently conflated, so are malvertising and adware. Again, there’s a difference.
Malvertising Malware Types
Malvertising is a tactic used to get users to install malware, either directly in the digital ads, or by directing the user to a page on a malicious website where they are prompted to download a malicious program.
Malware-infected computers can impact the user experience, appearing frightening or annoying. In other situations, the user might not even notice that anything has happened. But no matter how the user experiences it, ad malware is a criminal enterprise. Examples of malvertising often include using unwanted advertising to install spyware in order to get ahold of the user’s credit card or financial data, either to steal money from them or to sell that data to other criminals.
These are common types of malware used in malvertising campaigns:
- Malicious code takes over the ad unit, expanding the creative to fill the screen, with no option to close the ad. The creative directs or links the user to a malicious landing page, the app store, or a phone number for a phishing scam.
- With or without their consent, or full knowledge of its contents, the user downloads an exploit kit, which executes a malicious action on the user’s device or browser.
- A script written to copy itself and spread to other devices.
- Software, sometimes downloaded willingly by the user, that creates a backdoor for bad actors to enter.
- Software that sends data to the malvertiser about the user, who is not aware it’s on their device.
- The ransomware payload locks the user’s device or account, and prompts them to pay to unlock it. Ransomware as a service is a subscription-based model that enables cybercriminals to use readymade ransomware tools to execute ransomware attacks.
- The ad creative tells the user their device is at risk, and prompts them to download a malicious “solution.” For example, fake Flash updates.
Examples of malvertising campaigns
Beyond the general categories of malvertising, the digital media industry has seen several prominent and recurring malvertising campaigns in recent years. These campaigns have been detected by GeoEdge, whose security researchers quickly came to understand the campaigns’ behaviors and characteristics. Here are some pervasive, distinct malvertising campaigns GeoEdge has studied:
The online advertisements in this type of attack redirect the user to malicious websites that resemble a local or regional law enforcement site. The malicious code then takes over the browser, changing to a full-screen box with no exit option, and displays a message telling the user they owe a fine, and that paying the “fine” will unlock their browser.
GeoEdge identified this bitcoin-related cloaking scam in early 2021. It fingerprints the user’s computer or device and environment, focusing on factors like time zone and IP. It often shows a sensationalistic or clickbait-style message in the creative, which can be served through server-side and client-side channels. When a non-targeted user clicks on the ad, they are taken to a harmless site. When a targeted user clicks, they are taken to a malicious site with a cryptocurrency scam.
When this threat first appears at the DSP level, it does not have its payload and often counterfeits the URLs of popular websites to bypass creative scanners. After several days, platforms are acclimated to the campaign’s presence, and at that point, its ads are deployed with the malicious payload.
Morphixx uses IP data to geotarget users and serve a personalized message in the creative and landing page, which is common practice in contemporary ad targeting, but previously less common in malvertising. The message appears to be from the user’s ISP, using the ISP’s branding and local language. The page prompts the user to complete a survey or sweepstakes, which is the means to extract sensitive information. Sometimes these landing pages will go so far as to include comments from fake users about the survey and the rewards they won.
Malvertising in Landing Pages
In many malvertising campaigns, the most harmful elements are not actually carried in the ad creative itself. Often, the creative will appear on the page to function like a normal ad, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. As such, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad. And unfortunately, an anti-virus just won’t cut it.
How Do Malvertisers Evade Detection?
Cloaking hides both of these pieces — the creative the user sees, and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise — as it passes down the supply chain, the creative will appear to be harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate. When the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the insecure landing page. The landing page may even appear legitimate to the user — counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company. This whole process is designed to take advantage of the audience’s trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malware to the user’s device; or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.
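The cloaking behaviour described above (a benign destination shown to scanners, the real one shown to human users, and a cloaked URL that therefore never matches a blocklist) can be turned into a detection rule. The following Python check is an added example, not GeoEdge’s code: it assumes an instrumented renderer has already loaded the same creative under several environment profiles and reported the final landing URL for each; the profile names, domains and blocklist below are constructed sample data, and the registrable-domain helper is a deliberate simplification.

```python
# Added example (not GeoEdge's code): differential-rendering check for
# cloaked ad creatives. Observation records are constructed sample data
# standing in for what an instrumented renderer would report.
from dataclasses import dataclass
from typing import Dict, Iterable, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    """Landing URL reached when one creative was rendered under one profile."""
    profile: str        # label of the rendering environment (hypothetical names)
    human_like: bool    # False for scanner-style (headless / data-center IP) profiles
    final_url: str      # URL after following every redirect


def registrable_domain(url: str) -> str:
    """Reduce a URL to its registrable domain: 'https://a.b.example.com/x' -> 'example.com'.

    Simplification (assumption): keeps the last two host labels. A production
    check would consult the Public Suffix List so 'foo.co.uk' is handled right.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_creative(declared_url: str,
                    observations: Iterable[Observation],
                    blocklist: Set[str]) -> Dict[str, object]:
    """Compare what scanner profiles saw with what human-like profiles saw.

    cloaked / hidden_domains   : a human-like profile reached a domain that no
                                 scanner-style profile ever reached
    declared_matches_scanner   : the declared click URL agrees with the scanners,
                                 i.e. the creative "looks legitimate" when scanned
    blocklist_hits             : any observed or declared domain on the blocklist
    verdict                    : "block", "review" or "allow"
    """
    obs = list(observations)
    scanner_domains = {registrable_domain(o.final_url) for o in obs if not o.human_like}
    human_domains = {registrable_domain(o.final_url) for o in obs if o.human_like}
    hidden = human_domains - scanner_domains
    all_domains = scanner_domains | human_domains | {registrable_domain(declared_url)}
    hits = sorted(all_domains & blocklist)

    if hits or hidden:
        verdict = "block"          # known-bad domain, or a destination hidden from scanners
    elif len(human_domains) > 1:
        verdict = "review"         # geo/device-dependent destinations deserve a human look
    else:
        verdict = "allow"
    return {
        "cloaked": bool(hidden),
        "hidden_domains": sorted(hidden),
        "declared_matches_scanner": registrable_domain(declared_url) in scanner_domains,
        "blocklist_hits": hits,
        "verdict": verdict,
    }


# Constructed sample: the declared click URL and both scanner profiles see a
# benign page; only a human-like mobile profile in the targeted geo is sent on
# to the scam domain. All domains are placeholders, not real indicators.
SAMPLE_DECLARED = "https://news-portal.example/article/42"
SAMPLE_OBSERVATIONS = [
    Observation("scanner-headless", False, "https://news-portal.example/article/42"),
    Observation("scanner-dc-ip", False, "https://news-portal.example/article/42"),
    Observation("user-US-desktop", True, "https://news-portal.example/article/42"),
    Observation("user-AR-mobile", True, "https://prize-claim.example/btc?ref=ad"),
]
SAMPLE_BLOCKLIST = {"prize-claim.example"}


def sample_verdict() -> Dict[str, object]:
    return assess_creative(SAMPLE_DECLARED, SAMPLE_OBSERVATIONS, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    for key, value in sample_verdict().items():
        print(f"{key}: {value}")
```

Note that the declared URL passes the blocklist on its own; only the disagreement between scanner and human-like profiles exposes the real destination, which is the point the text makes about cloaked URLs failing to match prohibited-URL lists.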
Trends in Malvertising: Fake Ads
Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Whac-A-Mole because whenever they come to understand one campaign, bad actors confuse them by deploying new tactics through new vectors of attack. Publishers and platforms/networks rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor, whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020 and 2021, the industry saw a dramatic increase in attacks that totally evaded ad scanners — because the creative in these campaigns doesn’t use malicious code, but instead uses a creative that plays with the user’s psychology and engagement with page content.
Examples of Fake Ads
The strategy is to entice the audience to click on an ad, where they’re led to an unsafe or untrustworthy landing page. With the COVID pandemic keeping millions of people at home and extremely online, the industry saw a rapid uptick in ads featuring:
Misrepresented Medical Equipment
This includes ads for subpar face masks, COVID tests/treatments that don’t even exist, treatments and equipment that aren’t government-approved for medical use, and products that don’t resemble the images used to advertise them.
Throughout 2020 and 2021 bad actors sold hard-to-find medical equipment at predatory prices, a tactic premium publishers generally don’t want their advertisers to employ.
Tabloid-Style Celebrity Images
These include classic clickbait “celebrities in peril” headlines (“You won’t believe what happened to…”) and ads suggesting falsely that a celebrity has endorsed the product.
In an environment where audiences are online for much of the day and also on edge, waiting for solutions to COVID-related issues, these fake ads are especially effective and dangerous. To combat them, publishers and platforms need to be able to inspect landing page content.
Mobile Malware Threats
The small screen offers particular opportunities for malvertisers. Users on mobile are often in a hurry, looking for a quick solution, so they have little patience for interruptions. Small screens with delicate response make erroneous clicks on ads a nearly inevitable phenomenon. Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms: If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive up downloads of the application, then the platform is essentially incentivized to run more ads from buyers they’re not necessarily familiar with yet. This makes it easier for bad actors to slip their campaigns through.
Auto-redirects affect both mobile and desktop, but especially mobile. GeoEdge research found 72% of all redirects occurred on mobile.
How Auto-Redirects Work
An auto-redirect can send a user directly to the app store for the same reason a user can easily click through from, say, a browser or an email, to content in an app that’s already on their device. (Think of clicking through a link to see particular content in Twitter, LinkedIn, or your health provider’s app containing COVID test results.) The malicious redirect, however, will commonly no longer work after the first time it’s launched, making it challenging for publishers to trace and troubleshoot manually.
Placing Malicious Code
The bad actor will place malicious code in the ad creative either when the ad is called, or post-click.
Not Detecting in Real-Time
Because of when and where the bad code is inserted (that is, while it’s en route to the user), the ad platform/network would not have been able to detect it — at least, not without a proactive solution for detecting and blocking bad ads.
When the user opens a website or application, the bad ad will take over the screen. From there, it might direct the user to the app store to download an unwanted app. Or, it might show a message saying the user has won a gift card, or been invited to take part in a survey, or been exposed to a system risk that can only be fixed by clicking through.
Phishing Scam / Prompt
If the user clicks through, they will be directed to a phishing scam or a prompt (obfuscated or not) to download malware.
The GeoEdge team estimates that malicious activities cost industry stakeholders, including publishers, upwards of $1B million annually, including identification, documentation, and remediation.
The Cost of Malvertising for Publishers & Platforms
Malvertising costs publishers and ad networks valuable time and resources they spend looking for malicious ads and in loss of potential revenue.
Malvertising attacks are detrimental to a publisher’s reputation, so businesses need to act swiftly in order to protect their users from harm and reassure partners. However, the process of tracing the source of a bad ad — including communicating with demand sources and other supply-chain partners — is time-consuming and exacting, and it takes digital professionals away from the projects that help move the business forward.
Furthermore, the more malvertising they experience, the more likely users are to take matters into their own hands and install ad-blocking software, which limits the publisher’s ability to monetize their sessions. “How to install ad blocker?” was one of the most searched phrases in 2021, and ad-blocking software has become a real threat to publishers’ livelihoods. Experts estimate that ad blockers cost publishers between $16 billion and $78 billion per year globally. Aside from the fact that these ad blockers prevent publishers from monetizing users’ sessions, some ad-blocking software makes for a worse user experience. The software may slow down page load, and some ad blockers don’t even block all ads, but allow ads from buyers who have paid the software developer to be whitelisted, with ads that could still contain malvertising.
When users choose to avoid a website because they believe it’s unsafe or the publisher doesn’t value their engagement, there’s a ripple effect on the business’s bottom line because the publisher loses the ability to monetize the lifetime value of that user. Having a reputation for hosting bad ads not only decreases traffic but also harms the publisher’s efforts to solidify relationships with business partners. Diminished traffic and reputation drive down CPMs and open the door to new ad quality issues from malicious or low-quality advertisers for whom higher CPMs would be a barrier to entry.
Anti Malvertising: Techniques for Detecting Malware
Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it from your site and platform, the process can be daunting. Low-tech or standard processes can be heavily manual, error-prone, and reactive rather than proactive. For many web publishers who choose to handle malvertising outbreaks on their own, the first sign they see of their site being affected will be from users, reaching out via email or social media. And frequently, malvertising attacks occur after business hours or on weekends. An attack can set off a mad dash to remove the bad ads from the site and try to trace them back to their demand sources — especially frantic when an attack comes during nights or weekends, as is often the case. To say the least, detecting unwanted advertising is difficult. So how do anti-malvertising researchers detect malicious advertising?
How To Prevent Malvertising?
Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Whac-A-Mole because whenever they identify one campaign, bad actors confuse them by deploying new tactics through new attack vectors. Publishers and platforms/networks rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor, whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020 and 2021, the industry saw a dramatic increase in attacks that totally evaded ad scanners — because the creative in these campaigns doesn’t use malicious code, but instead uses a creative that plays with the user’s psychology and engagement with page content.
Publishers and ad platforms/networks use any combination of common preventative methods to stop malvertising attacks before they reach audiences, including:
- URLs and domains used by undesirable advertisers — including bad actors in the ad ecosystem — should be proactively blocked. However, blocklists only work well at stopping known bad actors, not newly emerging threats. Also, bad actors can evade blocklists by frequently changing the URLs they use.
- Because malvertising campaigns evolve and spread so quickly, real-time protection is the most comprehensive and fail-safe protection. A well-established real-time solution, like GeoEdge’s, will be able to detect patterns in creative code that resemble already-known malvertising code — thereby allowing the publisher or platform to stop and inspect a new potential threat before it’s trending. Automated QA also speeds up in-house workflow, and allows publisher and platform teams to focus on more strategic monetization efforts.
- Manual review may be time-consuming, but it’s still an important part of malware prevention. There is always a place for human insights drawn from an understanding of the full context in which the user will be seeing the ad.
- All legitimate entities along the ad chain should scan creatives for potential hazards — all stakeholders need to contribute to a safe and transparent marketplace. However, scanning is a fairly basic security measure, and it looks at only a sample of all the ads coming through. Even without cloaking — which is designed to evade scanners — bad ads could easily pass.
- Understanding your prospective ad partners’ history of managing malvertising threats (or failing to do so) can help you make the right decisions, with the right level of risk, for your business. Talk with your industry peers about their experiences with your prospective partners as well.
How To Spot Malvertising?
Common indications that you are being targeted for malvertising include a sudden increase in CTR, in-banner video, or negative social media mentions. If you see any of these, there is a good chance that you are being targeted for malvertising.
The CTR in the 2020s is generally low, but clickbait-style “fake ads” favored by malvertisers today have an unusually high CTR. This ostensibly positive development might actually indicate your site is under attack and your users are being duped.
The presence of banner ads with video is not necessarily a sign that you’re currently under attack, but it’s a good indicator that one or more of your demand partners has been compromised, or is dropping the QA ball. Tell your demand partners if you’re seeing in-banner video (IBV), and ask for details about their security measures.
When a user wants to complain to a company, it’s often faster and more convenient for them to do so on Twitter, Facebook, or a customer review site than it is to email the company. A publisher or customer support team must remain vigilant and search for mentions of the company’s name in connection with ad malware or a malvertising attack.
How To Remove Malvertising?
Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it from your site and platform, the process can be daunting. Low-tech or standard processes are often heavily manual, error-prone, and reactive rather than proactive.
For many web publishers who choose to handle malvertising outbreaks on their own, the first sign they see of their site being affected will be from users, reaching out via email or social media. An attack can set off a mad dash to remove the bad ads from the site and try to trace them back to their demand sources, a process that is especially frantic when an attack occurs outside of business hours or weekends, as is often the case.
That’s why detecting unwanted advertising is difficult. So how do anti-malvertising researchers detect a malicious ad? They often use advanced tools like:
- Signature Based
- Reduced Masks
- Known Plaintext Cryptanalysis
- Statistical Analysis
The threat of malvertising to a digital company’s users, partners, and overall business is too great to manage after the fact — and today’s malvertisers are too wily for anything other than real-time blocking to suffice.
Malvertising is truly the tip of the iceberg, and a real ad quality partner addresses less-obvious threats to users, as well as the concerns advertisers have about the environments where their ads appear.
Automation allows your in-house teams to focus on growing your ad-related business, not just maintaining the business you have.
Don’t make the mistake of focusing on one vector of attack, at the expense of the next vector malvertisers might favor.
For brand safety, for good user experience, and to secure users’ trust in a publisher’s website, ad content and page content must be aligned. Among publishers, 91% believe heavy-handed and overly broad blocklists hurt their overall revenue. More control over categorization allows in more of the right ads for the right environment.
When GeoEdge blocks an ad, it inserts a clean ad the publisher has approved in advance, so the user’s session will still be monetized fully.
Look for a reputable partner who has persevered through several waves of malvertising trends, and has shown a positive track record throughout. A trustworthy partner should have deep experience and a commitment to continued research and product development.
A reputable ad quality partner must deliver not just technology, but human response and understanding. Look for customer support that responds rapidly and internalizes the needs and desires of your business.
Anti-Malvertising Ad Protection Software
Malicious advertising is so complicated that it makes sense that ad security and quality is a thriving subset of the digital ad industry. The rapid spread of auto-redirects alone spawned a cottage industry of solutions aimed specifically at stopping redirects. But in choosing an ad quality partner, it’s important to choose a provider who has proven success in combating a wide range of ad security and quality issues, not just the malvertising trend du jour. In vetting a partner to help prevent malvertising and a wide variety of other security and quality threats, ask whether your potential partner has these characteristics.
GeoEdge is unique among cybersecurity and ad quality vendors in that it enacts all of these characteristics, and serves as a committed partner to your business rather than simply a vendor. True ad quality partnership transcends malvertising and malware and addresses the countless subtleties and unseen threats in digital media. Reach out to the GeoEdge team today to learn what we can do together to detect and stop malvertising.
GET STARTED WITH GEOEDGE TODAY
Start increasing your revenue flow and protect your brand reputation!