In this three-part series we look at popular ad formats that can be corrupted with malware. In part one we look at Popunders.
What is a Popunder?
A Popunder is a large-format, full-screen online advertisement. It is displayed by opening a new browser window after the user interacts with a website (e.g. a click), usually via some sort of JavaScript. The new window opens behind the one the user is currently viewing, so it does not interrupt the user experience. When the user closes the page they are viewing, the Popunder remains for the user to see.
Why do cybercriminals target this format?
Because Popunders usually remain unnoticed until the active browser window is closed or minimized, the user may not notice the advertisement or malvertisement for a while. An ad network's compliance team's approval process for Popunders is usually less strict than for other ad formats, because ad networks offering this format tend to be more flexible; for example, this format is not available on Google.
How do they do it?
The cybercriminal will submit a ‘clean’ Popunder to an ad network during the review process. Once it is approved, the cybercriminal can then inject a malicious script into the Popunder. Many cybercriminals will inject the malicious code for only a limited time, so that the change in the Popunder’s content is less likely to be detected.
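The post-approval swap described above is what repeated re-scanning is meant to catch. The following Python sketch is an added example, not AdSecure's crawler or code from this article: it fingerprints the creative as approved and reports every later crawl that references new hosts or runs new inline scripts. The sample HTML, host names and timestamps are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _CreativeParser(HTMLParser):
    """Collects what a creative references or runs: external hosts and inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_script = set(), [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for key in ("src", "href", "action"):
            host = urlparse(attrs.get(key) or "").hostname
            if host:
                self.hosts.add(host.lower())
        self._in_script = tag == "script" and not attrs.get("src")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            # Collapse whitespace so reformatting alone is not reported as a change.
            self.inline.append(hashlib.sha256(" ".join(data.split()).encode()).hexdigest())

def fingerprint(html):
    p = _CreativeParser()
    p.feed(html)
    p.close()
    return frozenset(p.hosts), frozenset(p.inline)

def audit(baseline_html, scans):
    """scans: list of (timestamp, html) from repeated crawls after approval.
    Returns every scan that deviates from the approved creative, so a payload
    served only for a limited time stays on record after it is withdrawn."""
    base_hosts, base_scripts = fingerprint(baseline_html)
    findings = []
    for ts, html in scans:
        hosts, scripts = fingerprint(html)
        new_hosts, new_scripts = sorted(hosts - base_hosts), len(scripts - base_scripts)
        if new_hosts or new_scripts:
            findings.append({"time": ts, "new_hosts": new_hosts, "new_inline_scripts": new_scripts})
    return findings

# Constructed sample data: the creative as approved, then three later crawls.
APPROVED = '<a href="https://shop.example/offer"><img src="https://cdn.example/b.png"></a><script>track("view");</script>'
INJECTED = APPROVED + '<script src="https://payload.invalid/m.js"></script><script>lock()</script>'
SCANS = [("2024-01-01T00:00Z", APPROVED), ("2024-01-01T06:00Z", INJECTED), ("2024-01-01T12:00Z", APPROVED)]
if __name__ == "__main__":
    print(audit(APPROVED, SCANS))
```

Only the middle crawl is reported; the scan interval has to be shorter than the time the altered content is live, or the change is never observed.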
What examples has AdSecure seen of malicious advertising using this format?
Our system has detected the following malicious advertising on Popunders:
- Malicious/Phishing URLs
- Malware downloads (including ransomware)
- Crypto-jacking
- Scareware
- Browser Lockers
AdSecure’s advanced crawler technology can detect changes in a Popunder’s content when it is injected with malware. Contact us to find out how we can protect your users and keep your advertising safe.