What is Malvertising? Understand How It Works & How to Protect Against It

Malvertising affects users around the globe every day — and its effects are often immediate and visceral. Malvertising is, to the broader public, the face of ad security and quality. More accurately, to those in the industry, malvertising is the face of the enemy of ad security and quality. Malvertising has been around for as long as digital advertising has, and malware has been around as long as it’s been possible to compromise the security of devices, programs, and platforms. The internet has made crime bigger in scope and easier in practice. Within the web’s hidden darknet, criminal enterprise is thriving.

We’re here to explain what malvertising is, how it behaves, and how it can be prevented in today’s world. We’re here to underline the threats to users and to other digital businesses, to describe warning signs of malvertising before they become a serious problem, and to illuminate a path forward, where publishers can monetize their ad inventory and ad platforms can trade freely with their partners without the overhanging threat of malvertisers driving away their audiences and damaging their bottom line.

“Malvertising” simply refers to malicious advertisements. More specifically, the term refers to all the ads that are designed and deployed with explicit malicious intent or launched by bad actors.

There are many different forms of malvertising categorized by the various actions triggered when the malicious ad reaches the user’s screen, the vector of attack, and other factors. But the common element is the use of the ad creative, browser vulnerabilities, or any weak points along the ad supply chain, to negatively affect the end user.

When malvertising reaches its target user’s computer or device, it deploys the ad payload, which is whatever malicious content the ad delivers. In many cases, infected ads contain malicious code, which is a script engineered to execute an action, regardless of the user interaction with the infected ad. In other cases, they may use ״drive by download״ to get users to download malicious computer programs or flash files (like the now-retired Adobe Flash).

There are several paths malvertisers can pursue to reach their target user on sites via standard display, video, or in-app environments.

Malvertising comes from third parties that use ad calls to gain access to a publisher’s online advertising slots and/or the creative that renders in them.

Often a malvertiser will execute a media buy starting from the DSP, just like any legitimate advertiser. In other cases, the scammer will insert malicious code via inventory reselling, or some other unsecured point in the ad network or the supply chain for online ads.

For the malvertiser, it’s an efficient and scalable method of causing harm. There’s no need to take control of the publisher’s entire website or server, and typically there’s no need for the user to perform any action other than loading a web page. A malvertising campaign can have international reach and can be targeted to particular geographic regions, demographics, or device types.

Auto-Redirect

Scammers often use auto-redirects to inject malicious code. In this exploit kit, malicious code takes over the ad unit, expanding the creative to fill the screen and giving the user no visible option to close the ad. The creative directs or links unsuspecting users to a malicious landing page, the app store, or a phone number for a phishing scam.

URL malvertising

Ad scanning tools at points along the supply chain will scan ad creative intended for suspicious URLs, but malvertisers get past the scanners in web browsers by using cloaking—hiding their real URLs within code that looks legitimate (for example, resembling the URL of a legitimate company) to a scanner or human QA. The cloaked URL slips past these relatively low-tech security measures and reaches the user’s screen undetected.

Malicious ad cloaking

Cloaking is a technique used by malvertisers to disguise both the creative the user sees and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise, appearing harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate.

Yet, when the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the problematic page. The landing page may even appear legitimate to the user—counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company.

This whole process is designed to take advantage of the audience’s trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malicious code or malicious software to the user’s device or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.

Malvertising campaigns

Malvertisers evaluate consumer behavior and trends within various countries and create attack blueprints including various creatives and landing pages to suit the targeted users. Like traditional marketers, they test the effectiveness of their campaigns with probing attacks to gauge which campaigns are most effective. Many campaigns utilize sophisticated clickbait techniques to infect users with a malicious programs such as showing ads with content related to local celebrities on ad networks specific to the user’s location. For example, a user in Argentina will see content about an Argentinian celebrity, and a user in India will see an Indian celebrity.

These are some of the common tactics used in malvertising campaigns:

Malicious Browser Extensions: These ads show useful browser extensions. When the user downloads the extension, in addition to what it is supposed to do, it also installs malware or spyware on the user’s device.

Fake Antivirus & Cleaners: In this tactic, ads are disguised to look like system messages telling the user that they need to install an anti-virus or cleaning program to keep their device safe. However, when they click on the ad, instead of installing legitimate software, malware is installed.

Suspicious VPN: These ads show videos, but when the users try to view the video, they are told they need to download a VPN to watch it. When they do so, they also install spyware or malware.

Tech Support Scams: These scams put pop-ups on the users device that cover the entire screen. The pop-ups direct users to fake support agents who instruct users to “solve” the issue by downloading software that is actually malware.

Fake Software Updates: These ads are disguised to look like system messages telling users that they have a program that needs to be updated. When they click to update, they unintentionally install malware.

Mobile Malvertising campaigns

The small screen offers unique opportunities for malvertisers. Mobile users are often in a hurry, looking for a quick solution, and have little patience for interruptions. The delicate response on small screens makes erroneous clicks on ads an inevitable phenomenon.

Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms. If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive app downloads, then the platform is essentially incentivized to run more ads from unfamiliar buyers. This makes it easier for bad actors to slip their campaigns through.

Malvertising on landing pages

In many malvertising campaigns, the most harmful elements are not actually carried in the ad itself. Often, the creative will function like a normal ad at first, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. That’s why it isn’t enough to install antivirus software—in order to protect users, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad as well.

Placing malicious code

In some cases, the bad actor will place malicious code in the ad creative either when the ad is called, or post-click.

Redirecting Pop-Ups

In this method, when the user opens a website or application, the bad ad will take over the screen. From there, it might direct the user to the app store to download an unwanted app. In other cases, it might show a message saying the user has won a gift card, or been invited to take part in a survey, or been exposed to a system risk that can only be fixed by clicking through.

There are several paths malvertisers can pursue to reach their target user. Here are some of their options, which can execute on sites via standard display, video or in-app environments:

Malvertising is a tactic used to get users to install malware, either directly in the digital ads, or by directing the user to a page on a malicious website where they are prompted to download a malicious program.

Malware-infected computers can impact the user experience, appearing frightening or annoying. In other situations, the user might not even notice that anything has happened. But no matter how the user experiences it, ad malware is a criminal enterprise. Examples of malvertising often include using unwanted advertising to install spyware in order to get ahold of the user’s credit card or financial data, either to steal money from them or to sell that data to other criminals.

These are common types of malware used in malvertising campaigns:

Beyond the general categories of malvertising, the digital media industry has seen several prominent and recurring malvertising campaigns in recent years. These campaigns have been detected by GeoEdge, whose security researchers quickly came to understand the campaigns’ behaviors and characteristics. Here are some pervasive, distinct malvertising campaigns GeoEdge has studied:

In many malvertising campaigns, the most harmful elements are not actually carried in the ad creative itself. Often, the creative will appear on the page to function like a normal ad, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. As such, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad. And unfortunately, an anti-virus just won’t cut it.

How Do Malvertisers Evade Detection?

Cloaking hides both of these pieces — the creative the user sees, and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise — as it passes down the supply chain, the creative will appear to be harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate. When the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the unsecure landing page. The landing page may even appear legitimate to the user — counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company. This whole process is designed to take advantage of the audiences trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malware to the user’s device; or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.

Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Wac-a-Mole because whenever they come to understand one campaign, bad actors confuse them by deploying new tactics through new vectors of attack. Publishers and platforms/networks rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor, whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020 and 2021, the industry saw a dramatic increase in attacks that totally evaded ad scanners — because the creative in these campaigns doesn’t use malicious code, but instead uses a creative that plays with the user’s psychology and engagement with page content.

Examples of Fake Ads

The strategy is to entice the audience to click on an ad, where they’re led to an unsafe or untrustworthy landing page. With the COVID pandemic keeping millions of people at home and extremely online, the industry saw a rapid uptick in ads featuring:

The small screen offers particular opportunities for malvertisers. Users on mobile are often in a hurry, looking for a quick solution, so they have little patience for interruptions. Small screens with delicate response make erroneous clicks on ads a nearly inevitable phenomenon. Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms: If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive up downloads of the application, then the platform is essentially incentivized to run more ads from buyers they’re not necessarily familiar with yet. This makes it easier for bad actors to slip their campaigns through.

Auto-redirects affect both mobile and desktop, but especially mobile. GeoEdge research found 72% of all redirects occurred on mobile.

An auto-redirect can send a user directly to the app store for the same reason a user can easily click through from, say, a browser or an email, to content in an app that’s already on their device. (Think of clicking through a link to see particular content in Twitter, LinkedIn, or your health provider’s app containing COVID test results.) The malicious redirect, however, will commonly no longer work after the first time it’s launched, making it challenging for publishers to trace and troubleshoot manually.

The GeoEdge team estimates that malicious activities cost industry stakeholders publishers upwards of $1B million annually, including identification, documentation,and remediation

Malvertising costs publishers and ad networks valuable time and resources they spend looking for malicious ads and in loss of potential revenue.

Malvertising attacks are detrimental to a publisher’s reputation, so businesses need to act swiftly in order to protect their users from harm and reassure partners. However, the process of tracing the source of a bad ad — including communicating with demand sources and other supply-chain partners — is time-consuming and exacting, and it takes digital professionals away from the projects that help move the business forward.

Furthermore, the more malvertising they experience, the more likely users are to take matters into their own hands and install ad-blocking software, which limits the publisher’s ability to monetize their sessions. “How to install ad blocker?” was one of the most searched phrases in 2021 and ad-blocking software has become a real threat to publishers’ livelihoods.  Experts estimate that ad blockers cost publishers between $16 billion to $78 billion per year globally. Aside from the fact that these ad blockers prevent publishers from monetizing users’ sessions, some ad blocking software makes for a worse user experience. The software may slow down page load, and some ad blockers don’t even block all ads, but allow ads from buyers who have paid the software developer to be whitelisted with ads that could still contain malvertising.

When users choose to avoid a website because they believe it’s unsafe or the publisher doesn’t value their engagement, there’s a ripple effect on the business’s bottom line because the publisher loses the ability to monetize the lifetime value of that user. Having a reputation for hosting bad ads not only decreases traffic but also harms the publisher’s efforts to solidify relationships with business partners. Diminished traffic and reputation drive down CPMs and open the door to new ad quality issues from malicious or low-quality advertisers for whom higher CPMs would be a barrier to entry.

Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it from your site and platform, the process can be daunting. Low-tech or standard processes can be heavily manual, error-prone, and reactive rather than proactive. For many web publishers who choose to handle malvertising outbreaks on their own, the first sign they see of their site being affected will be from users, reaching out via email or social media. And frequently, malvertising attacks occur after business hours or on weekends. An attack can set off a mad dash to remove the bad ads from the site and try to trace them back to their demand sources — especially frantic when an attack comes during nights or weekends, as is often the case.To say the least detecting unwanted advertising is difficult. So how do anti-malvertising researchers detect malicious advertising?

Curious how the pros do it?

Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Wac-a-Mole because whenever they identify one campaign, bad actors confuse them by deploying new tactics through new attack vectors. Publishers and platforms/networks rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor, whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020 and 2021, the industry saw a dramatic increase in attacks that totally evaded ad scanners — because the creative in these campaigns doesn’t use malicious code, but instead uses a creative that plays with the user’s psychology and engagement with page content.

Publishers and ad platforms/networks use any combination of common preventative methods to stop malvertising attacks before they reach audiences including:

Common indications that you are being targeted for malvertising if you see a sudden increase in CTR, an in-banner video, or negative social media mentions, there is a good chance that you are being targeted for malvertising.

The CTR in the 2020s is generally low, but clickbait-style “fake ads” favored by malvertisers today have an unusually high CTR. This ostensibly positive development might actually indicate your site is under attack and your users are being duped.

The presence of banner ads with video is not necessarily a sign that you’re currently under attack, but it’s a good indicator that one or more of your demand partners has been compromised, or is dropping the QA ball. Tell your demand partners if you’re seeing IBV, and ask for details about their security measures.

When a user wants to complain to a company, it’s often faster and more convenient for them to do so on Twitter, Facebook, or a customer review site than it is to email the company. A publisher or customer support team must remain vigilant and search for mentions of the company’s name in connection with ad malware or a malvertising attack.

Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it from your site and platform, the process can be daunting. Low-tech or standard processes are often heavily manual, error-prone, and reactive rather than proactive.

For many web publishers who choose to handle malvertising outbreaks on their own, the first sign they see of their site being affected will be from users, reaching out via email or social media. An attack can set off a mad dash to remove the bad ads from the site and try to trace them back to their demand sources, a process that is especially frantic when an attack occurs outside of business hours or weekends, as is often the case.

That’s why detecting unwanted advertising is difficult. So how do anti-malvertising researchers detect a malicious ad? They often use advanced tools like:

• Signature Based
• Checksumming
• Reduced Masks
• Known Plaintext Cryptanalysis
• Statistical Analysis
• Heuristics

Malicious advertising is so complicated that it makes sense ad security and quality is a thriving subset of the digital ad industry. The rapid spread of auto-redirects alone spawned a cottage industry of solutions aimed specifically at stopping redirects. But in choosing an ad quality partner, it’s important to choose a provider who has proven success in combating a wide range of ad security and quality issues, not just the malvertising trend du jour. In vetting a partner to help prevent malvertising and a wide variety of other security and quality threats ask whether your potential partner has these characteristics.

GeoEdge is unique among cybersecurity and ad quality vendors in that it enacts all of these characteristics, and serves as a committed partner to your business rather than simply a vendor. True ad quality partnership transcends malvertising and malware and addresses the countless subtleties and unseen threats in digital media. Reach out to the GeoEdge team today to learn what we can do together to detect and stop malvertising.