• All Articles

What is Malvertising? And how to stop it

By Giles

October 25, 2022

image

Contents:

 

What is Malvertising?


Many platforms in the ad tech industry have an idea about the most dangerous forms of Malvertising, but many don’t realize the extent of how many variations of malicious ads that cybercriminals have at their disposal. In this blog post we explain everything you need to know about this damaging activity that can ruin the reputations of ad serving platforms and the publisher websites the malicious ads are distributed on.

So, what is malvertising? Malvertising is a malicious form of advertising. It uses digital advertising to spread any number of techniques to cause harm to internet users by trying to steal their sensitive personal data, cause harm to end users devices that they use to browse the internet with by injecting them with malicious code and viruses, showing end users inappropriate ad creatives and landing pages, and non compliant ads that are not aligned with industry regulators including the Interactive Advertising Bureau (IAB), Google Chrome and the Coalition For Better Ads.

How is Malvertising distributed?


Cybercriminals, also known as Malvertisers, use the same advertising strategies as legitimate ad companies. However, they are constantly launching malicious ad campaigns via ad exchanges, ad networks and publisher websites. They use a large range of creative techniques and technologies to distribute their malicious ad campaigns. Once end users click on the ads or visit the ad’s landing pages they become a victim of a malvertising attack. For example in October 2022 researchers at Guardio have described a malvertising campaign related to extensions with more than 1 million downloads.

 

Why do cybercriminals use ads to distribute malvertising?


Some of the motivations to distribute malvertisements are:

  • Financial gain: Malvertising allows cybercriminals to exploit end users for financial gain in multiple ways. 
  • Low risk of being caught: The rewards of malvertising are high and the risk is low as it is very difficult to find and punish cybercriminals.
  • Easy to do: Cybercriminals can find exploit kits on the dark web easily and at low cost.

Read our blog post 5 things that motivate Malvertisers and how we stop them.

How does Malvertising work?


Many ad serving platforms are self-service or programmatic which means advertisers are free to upload ad campaigns using various different ad formats and the urls of the campaign's landing pages that the ads lead to. All ad networks and publishers should have a compliance solution by either using technology such as a technonogy solution like AdSecure and/or a team of humans manually checking the campaign and then approving the ads and landing pages before the campaign is launched and then displayed to targeted end users. Cybercriminals use a large range of tactics which are driven by their goals.

Goal 1: To fool the ad serving platform, DSP or publisher website in order to compromise adsecurity


The Malvertiser uploads ad creatives with landing page URL links for a legitimate ad campaign. Once the campaign is running the Malvertiser injects hidden code into the ad creatives and/or changes the URLs to the landing pages to begin their Malvertising campaign. The ad serving platform has no idea that this has happened and they become complicit in spreading the malicious ads to unsuspecting end users. It is imperative that the ads and urls are checked before the campaign is launched, and monitored during the lifetime of the campaign to prevent this.

Goal 2: To extort personal or financial data from end users


AdSecure categorizes this type of Malvertising as User Security violations. It includes Ransomware which holds the end user’s device's system captive while demanding a ransom. The malware restricts user access to the device by encrypting files on the hard drive or locking down the system and displaying warning messages with a telephone number to contact. The end user has to contact the cybercriminal and give private financial data to make a payment to gain access to their device again. Immediately exposing the end user to further financial exploitation.

According to AdSecure’s Violations Report Q1 & Q2 2022Scareware represented 5.9% of detections for the User Security category. Scareware are ads that claim the end user’s device is infected with a virus. Scammers often use the names of well-known companies that specialize in computer software to gain your trust. The pop-up advertisements aim to mimic genuine warning alerts generated by computer security software. You can see examples of some of the tactics used by Malvertisers in this blog post What is Scareware? The aim is to get end users to download useless anti-virus programs that can also contain many more pieces of software that can harm the device as well as trying to extract personal data from end users' devices.

What is Malvertising? And how to stop it

An example of a Scareware tactic detected by AdSecure

Phishing attacks consist of content that appears to act, or looks and feels, like a trusted entity, for example: a browser, operating system, bank, or government. The aim is to trick users into revealing their personal information. It is detected as a Phishing URL by AdSecure, the end user clicks on what appears to be a legitimate ad and is then taken to a landing page that will try to get the end user to compromise their passwords, phone numbers, or credit cards. AdSecure detected a significant increase of Phishing URL attacks, up +178.46% when comparing Q1 to Q2 in 2022.

What is Malvertising? And how to stop it

An example of a Phishing tactic detected by AdSecure

Browser Lockers are a script that runs in the web browser and its main purpose is to disable any form of action that can close the browser. All attempts to close the browser will result in a warning message box (Javascript alerts). It consists of a page that dupes the user by using a fake reason such as  loss of user data or files and asking the end user to pay in order to unlock their device, thus compromising their personal financial data.

Goal 3: To secretly take over the devices of end users 


In the past crypto enthusiasts could mine for crypto currencies from their home computer. But various currencies’ popularity surged, and mining required more computing power, much more than what most people's home computers could handle. This created a demand for more computing power to continue mining. Cybercriminals saw this as an opportunity and developed code to infect end users browsers who had clicked on a seemingly legitimate ad. Called Drive by mining, this secretly takes over the end user’s device using the device's CPU power to secretly mine for crypto currencies on behalf of the cybercriminals. This is still a major problem for ad serving platforms and in AdSecure’s last violations report, the crypto drive by mining violation had a 36.1% share of all User Security detections in Q1 to Q2 2022.

Goal 4: To download unwanted programs and software to end users devices


Many people confuse Malvertising as Malware, but as you have already learned in this blog post, Malvertising covers a huge range of different threats for ad serving platforms, publishers and of course, ultimately, for the end user. This section is about unwanted programs and software which is where Malware fits in. 

Malware is a general category of malicious code that includes viruses, worms and Trojan horse programs. It is used to disrupt computer operations, gather sensitive information, gaining access to private computer systems, or displaying unwanted advertising. This link shows you how a Malware campaign was detected and stopped in Turkey.

What is Malvertising? And how to stop it

An example of a Malware tactic in Turkey detected by AdSecure

Adware is software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge, or redirects search requests to certain advertising websites.

Goal 5: To send end users to unsafe URLs


Online advertising is based around advertiser URLs, whether that is the URL for the ad creative that is displayed or the redirects to websites and landing pages. Malvertisers are experts at exploiting URL redirections within the ad supply chain and can use obfuscated code within this chain to reach their goals. 

Malicious URLs are the most popular form of User Security violation used by Malvertisers, consisting of 86.2% of violations detected by AdSecure within this category between Q1 & Q2 of 2022. Malicious URLs host unsolicited content including spam, phishing, drive-by exploits, etc, and lure unsuspecting users in to becoming victims of scams such as monetary loss, theft of private information, and malware installation.

Malvertisers also commonly use Suspicious TLDs which are domains ending with .xyz, .gq, .country, .stream. They are popular with cybercriminals because they are usually cheaper to obtain than more universally recognised TLDs such as: .com, .org, .net, etc. This allows cybercriminals to register a chain of highly similar top-level domains, for example: abcd1.xyz, abcd2.xyz, abcd3.xyz and then spread their malicious attacks continuously. When one domain is flagged and shut down, the Malvertiser just moves the attack to the next one.

Then there are SSL non-compliant web addresses. Back in July 2018 Google began marking all HTTP websites and webpages as “not secure”. HTTPS allows for a more secure browsing experience, however some Malvertisers still use HTTP. Google flags this to the end user, stating that the website they are being directed to is considered unsafe, however some end users still click anyway, which then exposes them to unsecured items in the chain of resources. Additionally, because Google highlights an unsecure HTTP to the end user, this damages the publishing site’s reputation with them and can scare end users to not visit the publishers site again, which can lead to revenues being affected along with the quality of the website’s traffic sources.

Goal 6: To annoy end users with non-compliant ads


Annoying ads go against a good user experience which publisher sites are very conscious of. By offering a great user experience Publishers can guarantee repeat visits from end users, trust and confidence that browsing their website is an enjoyable experience and a better ranking from Google. But annoying ads displayed on a publishers site will create a negative user experience.

There are a large range of what AdSecure classifies as User Experience violations. In AdSecures' last violations report Q1 & Q2 2022, almost a quarter, 24.4% of scans, detected User Experience violations. Many of these violations go against Google and the Coalition For Better Ads guidelines, and should not be allowed to run on any ad serving platform. Let’s look a these in more detail:

  • Auto-downloads are ads that automatically download a file/executable/application without user interaction
  • Auto-redirects are ads that contain a script causing a web page to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another website or page
  • Auto-redirects to app stores send end users to the app stores without user interaction
  • Auto-pops are ads that automatically trigger either pop-ups or tabunders without user interaction
  • Auto-vibrate ads automatically vibrate the user's device when reaching a landing page 
  • Back Button Hijacks are ads that contain a script that allows a Malvertiser to manipulate the end user’s browser history. It inserts one or several pages in the browser history, which then prevents the end user from going back to the previous webpage that the end user came from
  • JS Alerts on entry use a Javascript alert that pops up without end user interaction as they enter a website. JS Alerts on exit use a Javascript alert that pops up when the end user wants to close the active tab
  • Landing page errors, once an end user clicks on an ad, the end user receives an alert when the system identifies a broken/dead link: 404 Error, 5xx, timeouts, etc. in the landing page or when a broken link is identified in the path (intermediate redirect links inside the chain) between the click URL and the landing page
  • Permissions, once an end user has clicked on an ad a permissions request is asked to the end user to give access to their device’s camera, microphone, clipboard. Other Permission violations include Geolocation, asking to track the user’s location, or a Notifications request to send Notifications to the end user’s device
  • Uncommon Protocols where communication with the end user’s device may involve an uncommon protocol that can be used to activate undesirable actions like automatically opening an app or launching a Skype call

As you can see all the above are annoying to the end user and greatly impact the user experience of a website where the malicious ads are served.

Goal 7: To serve inappropriate ad creatives on websites that are damaging to online brand safety for publishers

A positive brand image for any business is very valuable, it is how the brand is perceived by the rest of the world. With so many threats from Malvertisers, an online brand's end user perception of 'being safe' can be damaged by Malvertisers. One of the key ways that a publisher site can damage its brand is by serving ads with inappropriate, unsavory, or irrelevant content next to the site’s content.

There should be increasing concern for online brand safety because it has always played an important role in the digital world, however, it is not always as the brand management teams expect - even the social media giant Twitter sometimes experiences brand safety complications.

Let’s look at an example, a publisher site that writes reviews of new cars. Even though campaigns are coming from legitimate advertisers, the website would not want to serve ads for alcohol products so as not to appear to be promoting drinking and driving, or ads that promote offers related to pornography such as sex toys. In Q1 & Q2 of 2022 AdSecure found that 32.3% of scans under the User Advisory category detected non-safe Adult content in ad creatives: nudity, pornographic images or cartoons, or sexual activities.

Other unsafe ad content detections offered by AdSecure include:

  • Racy: Creatives featuring skimpy or sheer clothing, strategically covered nudity, lewd or provocative poses, or close-ups of sensitive body areas
  • Medical: Creatives featuring medical content e.g. Viagra, male enhancement products, etc
  • Spoof: Creatives that feature original images that have been modified to make them appear  funny or offensive
  • Violence: Creatives that feature any type of violent imagery.

Additionally AdSecure allows the use of keywords to detect non-safe content in ad creatives such as guns, drugs, extremism, etc.

  • Ad Crypto: Ads that contain non-compliant cryptocurrency promotions. In July 2022 AdSecure detected a daily average of 8,957 violations for this category.

As you can see with the sheer volume of tools cybercriminals have available, Malvertising and unsafe ad distribution via digital advertising is a continual battle for ad serving platforms, ad networks and publishers. It is important for all of them to protect end users from being exposed to malicious ads. Malvertising can happen to any platform at some point in time, including giant ones like Google.

How can end users protect themselves from Malvertising?


It is the role of ad serving platforms and publishers to protect end users from Malvertising and ensure ad safety. However cybercriminals are cunning and Malvertising can slip into the ad supply chain easily. End users can help protect themselves by utilizing the following strategies:

  • Regularly checking that browsers, operating systems and plugins up to date
  • Download the latest security software updates such as Windows Security, iOS updates, etc
  • Only use legitimate, well known antivirus software
  • Never click on ads that feature spelling mistakes or bad grammar, a legitimate offer would never feature badly spelt texts in their advertising creatives
  • If a Scareware or Ransomware alert is triggered, simply turn off the device, repower and scan for threats using anti virus software
  • Never succumb to phishing requests asking for money, even if it seems legitimate. Cybercriminals pose as PayPal, banks, Microsoft, Apple and more to trap end users
  • Ensure that any downloads come from official websites, app stores or legitimate, verified sources.
  • Never click on a redirect to a website that is HTTP, although luckily Chrome flags this for end users to protect them
  • Report any suspicious ads or attacks directly to the publisher site where the ad was displayed. This can help the site stop the malicious ad campaign and this will protect other end users

How can ad serving platforms, ad networks and publisher sites protect themselves from Malvertising?


AdSecure is a Malvertising, ad safety and ad quality detection solution that protects ad serving platforms and publishers. Programmatic platforms are particularly vulnerable as we discovered when attending DMEXCO in September 2022, which you can read about in our DMEXCO Report: The need to highlight the importance of ad compliance.

AdSecure scans ad campaigns from the ad creative through to the campaigns landing pages, virtually interacting with the campaign, just like an end user would. Campaigns can be scanned before launch, and after launch to ensure nothing slips through the net. Many ad campaigns include more than one violation.

Malvertising 1 in 4 Scans Show Violations

In fact in Q1 & Q2 of 2022 AdSecure found that 1 in 80 scans revealed more than 4 violations detected per ad campaign. Making it a massive problem for ad tech companies monetizing online advertising. AdSecure has compiled several client Case Studies to show just how effective the solution is. 

Still have questions about what is malvertising or other forms of ad fraud and how to prevent them? Get in touch!

Share this article on