October 6, 2016 By Fran Howarth 2 min read

Advertising enables free content. Without online advertising, many publishers would be forced to charge users through subscriptions or other methods of payment to view their content. On the flip side, it’s a way for companies to promote new services, products and discounts.

But advertising is also becoming increasingly attractive to cybercriminals as a vehicle for spreading viruses, spyware and ransomware. This has contributed to the rise of malvertising.

Malvertising 101

A portmanteau of “malicious advertising,” malvertising involves injecting malware into advertisements on legitimate websites or through online ad networks.

The first such exploits were observed less than 10 years ago and are now extremely widespread. According to The Register, incidents of malvertising increased by 260 percent in 2015, and the resulting damage is estimated at around $1 billion.

Malvertisements can take the form of normal ads, pop-ups or notifications to download or update fake software. Most malvertising campaigns are short-lived. In some cases, they start as benign ads and are generally placed on reputable websites. Cybercriminals inject viruses into the website’s code to turn legitimate ads into malicious ones.

After a mass infection is complete, attackers hide their tracks by quickly removing the virus from the code. In other cases, legitimate ads are targeted directly. Many major organizations have been attacked this way.

Prevention Techniques

While no method can guarantee protection against malvertising, users can take steps to reduce the likelihood of being infected. Basic security hygiene is key. This involves keeping all software up to date with the latest patches, including your operating system and web browser.

Anti-Exploit and Antivirus

Anti-exploit programs can shield devices from vulnerabilities aimed at operating systems and browsers. Some antivirus programs offer such capabilities as well. There are also separate programs that run alongside antivirus software to monitor browsers for malicious exploits. Some antivirus programs also offer safe browsing capabilities that alert users when a website is potentially harmful.

Ad Blockers

Ad blocking programs offer some defense against malvertising, and these options are becoming increasingly popular with users. Advertisers and publishers, however, have suffered backlash related to this software. According to The Wall Street Journal, the use of ad blockers cost the advertising industry $22 billion in 2015. Digiday, meanwhile, reported that some experts expect the cost to balloon to $35 billion by 2020. Websites are increasingly requiring users to disable ad blockers to access content.

Click-to-Play Plugins

Another way to combat malvertising pop-ups is to enable click-to-play plugins. This requires a user to actively click on a pop-up before it plays to reduce the chance of infection. Users should also disable unused plugins and ensure that all plugins in use are updated.

Malvertising is a nuisance that can affect anyone, from individuals to the largest enterprises. The best strategy is one of prevention through awareness. If something doesn’t look legitimate, don’t trust it.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today