Advertising is the lifeblood of the internet. Some of the world’s biggest and most influential tech companies earn a large chunk of their revenue through harmless and safe advertisements, but some of the most successful cybercriminals also rely on advertising.

When good ad networks are tricked into delivering malware, it’s known as malvertising. Malvertising is often confused with adware, which is illegitimate software that displays ads and redirects searches to ad sites — neither are what you might call safe advertisements.

The Good News and Bad News About Malvertising

The ad verification company GeoEdge reported last year that automatically redirecting malvertising attacks cost $1.13 billion per year, and that figure is rising. The organization noted that pre-click attacks constitute around half of all malvertising attacks.

Malvertising uses legitimate advertising networks to spread malicious code, often on legitimate websites. The attacks tend to have three stages: First, the attacker needs to fool the advertising network and violate their terms of service without getting caught. Second, they need to create or modify some malware payload that exploits a technical vulnerability. Finally, the attacker’s ad will typically need to socially engineer users into taking actions that compromise their own security and/or that of their organization.

Malvertising takes a very special skillset that most cybercriminals don’t possess. Namely, the attacker has to be extremely skillful at advertising. They must understand the methods, tools and skills required to get people to engage with ads and also know how to bypass security systems.

Malvertisers also have to act quickly. Once they start victimizing a user, the clock is ticking on the victim reporting the attack, the ad network shutting the threat down, and the exploited vulnerabilities being patched. The window of opportunity is often measured in months or even weeks.

This is different from most malware attacks, where cybercriminals can continue exploiting the long tail of unpatched systems for years. With malvertising, even if vulnerabilities are inconsistently patched, ad networks will shut down the delivery system — that’s the good news.

The bad news is that malvertising campaigns are, by their very nature, almost always brand new.

How to Spot a Malicious Advertising Attack

How can you tell which ads are safe and which may contain threats? Effective malvertising usually offers giveaways or gift cards, which can make people click because they think they’re getting a great deal. And malvertisers have an advantage over legitimate advertisers: They don’t have to actually deliver on the deals they promise, so they can offer fantasy products or amazing deals — anything to get the user to click or visit a site.

Pre-click malvertising attacks, or “drive-by downloads,” don’t even require user action. By simply visiting a website, a user can inadvertently download malware from a malvertising script. Post-click malvertising, on the other hand, tricks the user into clicking on what look like safe advertisements, but the clicking action downloads malware or redirects the browsing session to a malicious site.

Not all websites are created equal when it comes to the risk of malvertising. Users are far more likely to encounter malvertising on gambling, pornographic, dating or streaming sites or through torrenting. Because malvertising is simply a delivery method for malicious code, the attack itself could manifest as anything from garden-variety malware to more complex viruses or ransomware. Malvertising cybercriminals often go after financial information like credit card data or other banking credentials, but they could also be looking to access an organization’s network.
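The forced-redirect (pre-click) attacks described above need the ad’s script to navigate the publisher’s page away. As an added example that is not part of the original article, here is a publisher-side check and template using the HTML iframe `sandbox` allow-list, assuming the publisher controls the iframe that wraps each third-party ad tag (the ad tag URL is a constructed placeholder):

```javascript
// Added example (not from the article): harden a publisher's ad slots against
// auto-redirecting ad scripts. The iframe "sandbox" attribute is an allow-list;
// any capability not named in it stays blocked, so a sandboxed ad frame without
// an "allow-top-navigation" token cannot redirect the surrounding page.

// Sandbox tokens that let the framed ad navigate the top-level page.
const REDIRECT_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Conservative sandbox for an ad slot: scripts may run (ads need them) and forms
// may submit, but the frame gets an opaque origin, cannot open popups and cannot
// navigate the parent page.
const AD_SLOT_SANDBOX = ["allow-scripts", "allow-forms"];

// Split a space-separated sandbox attribute value into lower-cased tokens.
function parseSandbox(value) {
  return new Set(value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// Return the tokens that would let an ad frame redirect the page or escape its
// sandbox; an empty list means the slot resists forced redirects.
function redirectRisks(sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  const risks = [...tokens].filter((t) => REDIRECT_TOKENS.has(t));
  // If the framed document is same-origin with the parent, "allow-same-origin"
  // plus "allow-scripts" lets it strip its own sandbox attribute, so flag the pair.
  if (tokens.has("allow-same-origin") && tokens.has("allow-scripts")) {
    risks.push("allow-same-origin+allow-scripts");
  }
  return risks;
}

// Render an ad slot with the conservative sandbox; only https ad tags are accepted.
function renderAdSlot(adTagUrl) {
  const src = new URL(adTagUrl); // throws on a malformed URL
  if (src.protocol !== "https:") throw new Error("ad tag must be served over https");
  return `<iframe src="${src.href}" sandbox="${AD_SLOT_SANDBOX.join(" ")}" ` +
         `referrerpolicy="strict-origin" loading="lazy"></iframe>`;
}

// Constructed sample: a legacy slot whose sandbox still permits top-level navigation.
const LEGACY_SLOT_SANDBOX = "allow-scripts allow-same-origin allow-top-navigation";
```

Run `redirectRisks` over every ad slot in a page template to find the ones that still permit a redirect; the fix is to drop the flagged tokens, which leaves clicks inside the ad working but blocks navigation of the page the user is reading.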

Recent Malvertising Developments

A major malvertising event hit the news recently after a massive hijacking of more than a billion sessions during a six-week crime spree through August and September. The pre-click malvertising campaign was perpetrated by a threat group called eGobbler, and it redirected victims to sites that were designed to impersonate users’ mobile carriers. In reality, the sites were packed with malicious payloads, and the main objective of the campaign appears to have been stealing credentials.

Another campaign, Ghostcat-3PC, sought to infect web publishers in the U.S. and Europe with malware that hijacked browsing sessions. The campaign quickly evolved its methods and pushed out four different versions of the malware over a period of just a few months.

Malvertising can be extremely lucrative, so expect to see more major attacks like these in the years to come. Fortunately, there are steps users and enterprises can take to help defend against malicious advertising attacks.

How Users Can Protect Against Malvertising

Successfully defending against malvertising requires cooperation between users and security professionals. To that end, here’s what individual users can do:

  • Find the “click to play” option on your browser and turn it on. That option turns off automatic downloading and execution of plug-ins. Once this feature is activated, you’ll be asked if you want to download and install a given item every time.
  • Use a paid ad-blocker for any personal systems that could be used to access company resources. Paid offerings will likely be more effective than free ones.
  • Install a reputable antivirus tool on your device.
  • Don’t click on offers that look too good to be true.
  • Avoid accessing shady websites, especially on work-connected devices.

How Organizations Can Defend Networks From Malicious Ads

To safeguard against malvertising, organizations should bolster their general defenses against malware and remain watchful for social engineering tactics like phishing attacks. Specifically, companies should do the following:

When it comes to malvertising, we must expect the unexpected. Effective advertising brings results, and that’s why malvertising will remain an effective way of attacking systems. Stay prepared with the right tools and training to protect yourself and your organization from these malicious ads.
