Many longtime internet users will remember receiving pop-up ads warning that their computers were infected with a virus. In nearly all cases, the ad’s specific claims were bogus; the purpose was to scare users into paying for a questionable tech support service or to drive them to a site that would actually infect them with malware.

While browser-based pop-up blockers have largely killed off that particular scam, malicious advertising — or malvertising — is still causing serious damage. Purveyors of malvertisements use an increasingly broad range of techniques to insert malware into ads that run across the web on large advertising networks.

How Malvertising Works

In most cases, threat actors create fake advertisements laden with malware and try to slip them past security checks at large ad networks. These infected ads can then sneak malware onto a web user’s computer, even if he or she doesn’t click on the ad. These so-called drive-by downloads are particularly effective against users who don’t regularly update their software.

The cost of malvertising is huge: A report from ad verification vendor GeoEdge estimated that the threat costs the online advertising industry more than $1.1 billion a year, and anticipated the cost rising another 20–30 percent in 2019.

Know Your Malvertisers

A lack of transparency in the digital ad supply chain “makes loading malicious ads through legitimate ad networks rather painless,” said Alex Calic, strategic technology partnerships officer for The Media Trust, a vendor of digital advertising and app security products. “The sheer number of ads and the large number of digital partners, many unknown to each other, along the supply chain make tracing the malicious code back to the correct offending party extremely difficult.”

It’s tough for ad brokers to keep up with the threat actors, added Jason Hong, associate professor at Carnegie Mellon’s School of Computer Science.

“It’s a cat-and-mouse game. Ad networks need to scan ad submissions for malware, but it can be really hard because attackers have a really strong economic incentive to keep innovating new ways of spreading malware.”

Call in Back-Up

The online advertising industry needs more processes to check submitted ads, added Corey Nachreiner, chief technology officer (CTO) of network security vendor WatchGuard Technologies.

“There are many web tools and frameworks that can help ad brokers escape or remove certain types of web code, such as JavaScript,” he said. “The brokers simply need to check the HTML ads being submitted to them, and make sure they only have clean content and don’t try to invisibly redirect to any off-site source.”

Ad brokers can also require more information from new customers as a way to validate them, he added. But attackers can hide malware in images and other elements, meaning that security teams may need to do more than simply scan the ads.
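As an added illustration (not code from the article or from any vendor quoted in it), here is the kind of static check on submitted HTML ads that Nachreiner describes, written in Python: it flags script-capable tags, inline event handlers, meta-refresh redirects, script-scheme URLs and resources loaded from off-site hosts. The host name in ALLOWED_HOSTS and both sample creatives are constructed assumptions. As the paragraph above notes, a check like this does not catch payloads hidden inside images.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the broker hosts approved creative assets on this one host.
ALLOWED_HOSTS = {"cdn.adbroker.example"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "base"}
URL_ATTRS = {"src", "href", "action", "data", "poster"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

class CreativeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        attrs = {k: v or "" for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content", "")))
        for name, value in attrs.items():
            if name.startswith("on"):  # inline handlers such as onload/onerror
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS:
                self._check_url(tag, name, value)

    def _check_url(self, tag, name, value):
        # Browsers strip tabs/newlines from URLs, so drop whitespace and
        # control characters before parsing.
        url = urlparse("".join(c for c in value if ord(c) > 0x20))
        if url.scheme.lower() in SCRIPT_SCHEMES:
            self.findings.append(("script-url", f"{tag}[{name}]"))
        # The visible click-through link may leave the site; loaded resources may not.
        elif (tag, name) != ("a", "href") and url.hostname not in ALLOWED_HOSTS | {None}:
            self.findings.append(("off-site-url", url.hostname))

def audit_creative(html):
    auditor = CreativeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample creatives, not taken from any real campaign.
CLEAN_AD = ('<a href="https://advertiser.example/landing">'
            '<img src="https://cdn.adbroker.example/b/728x90.png" alt="Sale"></a>')
SUSPECT_AD = ('<meta http-equiv="refresh" content="0;url=https://redirect.example/">'
              '<img src="https://cdn.adbroker.example/b.png" onerror="go()">'
              '<iframe src="//tracker.example/f" style="display:none"></iframe>')

if __name__ == "__main__":
    print(audit_creative(CLEAN_AD), audit_creative(SUSPECT_AD))
```
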

“Malvertising campaigns regularly slip under the radar of the advertising networks because they typically aren’t spotted until the first victims speak out, by which point it’s already too late,” said Gavin Hill, vice president of product and strategy for cybersecurity vendor Bromium. “Concealing malware within objects or images within the site, or forcing redirects for certain users, makes it extremely difficult for the advertising networks to spot malicious adverts being delivered.”

Using sophisticated tools to hide the malware in the ads, attackers can create highly targeted malvertising campaigns that fuse cybercrime and targeted marketing, Hill added.

“It’s all too easy for cybercriminals to exploit networks for their own gain,” he said. Threat actors can “deliver malicious code to vulnerable users that don’t suspect a thing.”

Broaden Your Thinking

Hill called for a holistic approach to fighting cybercrime by understanding “how the vast cybercrime economy operates.” Hong agreed.

“It really needs to be an entire community effort in combating malvertising,” he said. “Ad networks are the front line and need to improve their malware detection capabilities. We also need to hit the attackers’ finances, too, making it harder for them to monetize.”

To protect themselves from malvertising, consumers should prioritize patching. Users need to keep their software up to date to protect against malicious ads targeting known vulnerabilities.

“On end-user client side, patch, patch, and patch,” said Oliver Münchow, security evangelist with cybersecurity prevention firm Lucy Security. “And beware of the risks associated with downloads and clicks.”

In the end, maintaining your patching cadence and implementing only necessary and heavily vetted browsing tools should be a part of any routine security program. But keeping an extra eye on malvertising strategies and expanding knowledge of threat campaigns overall should help solidify another wall of the data security fortress.
