Don’t Be a Victim of Malvertising: Stay Safe with These Tips
Whatsapp Pinterest

Is there a passing day without news of a new online threat? It could be a classic example of confirmation bias. But the cost and technical requirements of powerful malicious software is falling. It is also becoming easier to locate and purchase this software online, using equally untraceable payment methods.

This is why we are seeing a rise in advanced malware reaching our computers.

We’re also seeing greater variance in the methods of malware delivery. Aside from increases in phishing, spear phishing, vishing and SMiShing campaigns New Phishing Techniques To Be Aware of: Vishing and Smishing New Phishing Techniques To Be Aware of: Vishing and Smishing Vishing and smishing are dangerous new phishing variants. What should you be looking out for? How will you know a vishing or smishing attempt when it arrives? And are you likely to be a target? Read More , security researchers have noted a significant rise in malvertising.

What Is Malvertising?

Malvertising is the process of injecting malicious advertisements into a webpage via legitimate advertising networks. They have a particular allure for attackers. As adverts are displaying almost uniformly throughout the internet, malefactors can push their attacks toward “high value targets,” affecting almost anyone, anywhere. Malvertising campaigns often go unnoticed, providing a reasonably high return for those injecting the ads, as well as carrying the potential to expose millions of unsuspecting users to the malware itself.

What Is Malvertising Malwarebytes

It can be hard to judge the scale of malvertising. It is silent, and doesn’t come with other common red-flags we train ourselves to spot. Vadim Kotov, Senior Security Researcher at Bromium echoes this:

“The continued rise of malvertising is also of note, as it became so rapid and high-impact, largely due to its attacks on high-profile websites. Drilling down further, this year alone, there were malvertising attacks on more than a quarter of the Alexa 1,000. This class of attacks is fascinating as it represents a perfect symbiotic relationship between two discrete technologies that end up producing such detrimental effects.”

If malvertising is all around us, how can we steer clear of it? As you’ll see from the list we’ve put together: with difficulty. But you can at least verse yourself in some of the more common online locations where you’re likely to run afoul.

Against Convention

Common sense tells us to avoid the sketchier side of the internet. Think about the sites you’d normally consider to host malware Which Websites Are Most Likely to Infect You with Malware? Which Websites Are Most Likely to Infect You with Malware? You might think that porn sites, the Dark web or other unsavory websites are the most likely places for your computer to be infected with malware. But you would be wrong. Read More or be privy to a malvertising campaign. I’m sure you’ve included some of the following:

  • Varied pornographic sites
    • Sites offering other NSFW/NSFL content
  • Sites offering free software
  • Sites offering cracks/keygens/warez
  • Sites offering Flash games
  • Streaming sites
  • Torrent sites
  • Sites using “unreliable” TLDs, hosted in “questionable” countries
  • Sites offering coupons, savings, and questionnaires
  • Online dating sites
  • Betting sites

I’m sure you can think of more, but as a quick list of places you’d consider somewhat untrustworthy, we’ve covered the bases. Some are obvious — pornographic, NSFL (Not Safe For Life), cracks, Flash games — and should always be visited with caution. Users may well visit the other sites listed and have a perfectly acceptable time, with no security issues in sight.

And herein lies the problem. By its very nature, malvertisers can inject malicious content What Is An SQL Injection? [MakeUseOf Explains] What Is An SQL Injection? [MakeUseOf Explains] The world of Internet security is plagued with open ports, backdoors, security holes, Trojans, worms, firewall vulnerabilities and a slew of other issues that keep us all on our toes every day. For private users,... Read More into anyone of these “sites of ill-repute.” Correspondingly, extremely popular sites traditionally considered “trustworthy” can also be affected, as can any site containing the following containers for advertisements:

  • Pop-ups
  • In-text or in-content advertisements
  • Web widgets
  • iFrames
  • Flash, Silverlight, JavaScript

Malvertising can be particularly potent and extremely stealthy. A user may not even have to engage with the advert (other than have it flash upon the screen) to pick up an infection, though most malware is delivered through false software updates and false malware warnings.

Trustworthy Site Breaches

The infected adverts can be injected into any network, so there aren’t really any genuinely “safe” sites. There are actually numerous examples of major sites, of varying industries, succumbing to malvertising, many of them within the past few months.

Over 1bn Users

Back in March, security researchers Malwarebytes announced they’d been tracking a particular campaign as it dynamically traversed various internet outlets, culminating in malicious advertisements seen on:

  • – 1.3b monthly visits
  • NYTimescom – 313.1m
  • – 290.6m
  • – 218.6m
  • – 102.8m
  • – 60.7m
  • – 51.1m
  • – 43m
  • – 31.4m
  • – 9.9m

The injected malicious ads were designed to deliver the Angler exploit kit This Is How They Hack You: The Murky World of Exploit Kits This Is How They Hack You: The Murky World of Exploit Kits Scammers can use software suites to exploit vulnerabilities and create malware. But what are these exploit kits? Where do they come from? And how can they be stopped? Read More , known to search for and exploit vulnerabilities in HTML, Silverlight, Flash, JavaScript, Java, and plenty more. Once the Angler EK is installed, it installs a variant of commonly seen ransomware TeslaCrypt or AlphaCrypt. With the potential to infect literally billions of users, the malvertising stakes are constantly rising.

The Pirate Bay

Malwarebytes again observed a live malvertising campaign when extremely popular torrent site The Pirate Bay was struck. The adverts injected into the site redirected unwitting users to landing pages for the Magnitude exploit kit, where they were then infected with the heavyweight and notorious Cerber ransomware. Malwarebytes senior security researcher John Segura explained a little about the sudden uptick:

“Magnitude EK is one of those exploit kits we don’t hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot from the clutter of network traffic captures because it uses chained subdomains typically ending in a shady Top Level Domain like pw (Palau Pacific island)… Perhaps this increased activity is due to the fact that Magnitude EK is the third exploit kit to leverage the latest Flash Player vulnerability (CVE-2015-7645) recently patched by Adobe.”

The Pirate Bay has experienced a number of setbacks Why Safe Torrenting Died With The Pirate Bay Why Safe Torrenting Died With The Pirate Bay As far as "popular" torrenting is concerned, the comparative safety that existed at The Pirate Bay is gone, and safe torrent downloads with it. Read More throughout the past few years, and this was compounded early last week when the major browsers of Google Chrome, Mozilla Firefox, and Safari declared they would be actively blocking the site. Firefox users reported receiving a message stating “This web page at has been reported as a web forgery and has been blocked based on your security preferences.”

While the Safe Browsing Site Status of “dangerous” was momentarily removed, it has now been reinstated, pointing to ongoing issues.­ You can check the status of The Pirate Bay and any other site using Google’s Safe Browsing technology.


We traverse the internet from extremely popular and well respected news outlets, through the world of torrents and file sharing, into the second largest pornography site in the world. xHamster, who reportedly accumulate half a billion hits per month (wow!) was party to a massive malvertising campaign, again focused on installing the Angler exploit kit.

In this case, to lower the chance of detection, the attackers had programmed the redirection chain (where the advert redirects to a malicious landing page) to only execute once per IP, meaning if you weren’t caught out on your first visit, you were potentially safe on your return.

Unluckily for xHamster and its users, this is the second time the massive porn repository has been targeted by a malvertising campaign, with the second attack echoing the first.

Why Is Malvertising on the Rise?

Malvertising is on the rise for a number of reasons, starting with the monumental reach of the ad-networks serving the countless infected websites, and the low cost, maximum return nature of serving malware via this method.

Cyphort Malvertising Network Analysis

There are other explanations, too. The networks serving advertisements throughout the internet are largely automated, with only peripheral human involvement. This means attackers can easily take a chance in the hope their infected ad makes it through the security systems of an internet advertisement network. Equally, this automation means a majority of websites are unaware of exactly what will be displayed on their site, removing themselves from the selection process – and further distancing themselves from potentially malicious content.

Cyphort Malvertising Network Analysis with Virus

The system itself can be further gamed by persistent malvertisers. Instead of attempting to slip their malicious ads into an existing trusted network, they build their own legitimate reputation. Once the major ad-networks accept this growing positive reputation, the malvertisers can begin to insert malicious content, granting themselves some breathing space before their activities are discovered.

So… How Do I Stay Protected?

It looks like a mammoth task. The malvertisements are seemingly everywhere, but there are a few precautionary steps you can take:

Until there is a monumental shift in how the internet is funded, ads will continue to be served as part of our day-to-day browsing Publishers Need to Stop Whining About Adblock Publishers Need to Stop Whining About Adblock Ad-blocking seems like a natural option for any consumer because of a simple reason: it's an easy way to get rid of an annoyance. Read More . Massive ad-networks aren’t going to disappear unless there is a viable alternative, inclusive of those existing advertising behemoths. They certainly won’t want to relinquish their profits. And while each of the major ad-networks will be actively addressing the malvertising menace, there is still a major emphasis on self-protection.

Do you think there should be a major shift in how the internet is funded? Or should ad-networks work harder to ensure they are malicious-content free? Let us know what your thoughts below!

Image Credits: What is Malvertising? via, Online Advertising Complexity via Cyphort SlideShare

Explore more about: Malvertising, Malware, Online Advertising.

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Neoalfa
    May 23, 2016 at 8:55 am

    "Do you think there should be a major shift in how the internet is funded?"

    Should it? No. Could it? Yes. Content producers and news networks in particular could go the way of the crowd-funding. Give the consumers quality content and they'd be more than happy to contribute.

    "Or should ad-networks work harder to ensure they are malicious-content free?"

    Everyone that puts something on the internet should be responsible of keeping their contect malicious-free, just as it's the user's responsibility to know of the threats they can find on the internet.

  2. Riley
    May 18, 2016 at 5:48 pm

    "Do you think there should be a major shift in how the internet is funded?"

    One of many interesting observations made in the book "Future Crimes" by Marc Goodman is that Facebook's ad-driven model produces average revenue of US$5 per year per user. Goodman's comment was that he'd happily pay Facebook US$10 per year to leave him alone.

    Regardless of the medium, advertising never has enough. If you want to understand what advertising wants for the Internet, look at the complete wasteland that advertising has made of broadcast media.

    I imagine a sort of access gateway that I pay, say, US$20 per year or so. If I then access a given ad-free site via that gateway, the site is credited with some very small amount of money from my account. (I can even imagine that access gateway providing a user setting that informs me if a given site's per-visit payment expectations exceed a certain threshold.

    What anyone with any sense surely must realize is that "advertising supported" inescapably becomes "advertising destroyed". Surely the human species deserves better from its communications media?