What Is Malvertising and How Can You Prevent It?

Gavin Phillips Updated 21-03-2019

It is difficult to put an accurate figure on the impact of malvertising. At their peak between 2014 and 2016, malvertising campaigns led security research firms to report millions of malicious advertisements across the web.


Whether the rate of malvertising incidents has risen or not, one thing is clear. Malvertising can do a lot of damage to an unsuspecting user. With the low barrier to entry for malvertising, the threat remains active.

This guide will help you understand what malvertising is, why it’s so popular, where it’s hiding, and what you can do about it.

What Is Malvertising?

“Malvertising” is a portmanteau of “malicious advertising.” In short, malvertising is the practice of using online ads to infect computers with various types of malware.

A malvertising attack (also known as a drive-by malware attack) can work in a variety of ways. However, there are two common techniques:

  • Pre-click: A malvertising campaign that uses a special script that automatically downloads as soon as the ad loads. The user doesn’t have to click anything; visiting the page containing the ad is enough. This allows an attacker to place malvertising in a landing page, or set up a malvertisement redirect chain to bounce users through several malicious pages.
  • Post-click: As it sounds; the user downloads the malware after clicking the malicious ad. Attackers still use malvertising redirects to keep users moving through numerous pages.
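From the defender's side, the redirect chains described above are visible in web proxy logs. The following is an added example, not part of the original article: it stitches consecutive HTTP 3xx hops into chains and flags those that cross several distinct hosts. The log records, the .example hostnames and the three-host threshold are all assumptions made for illustration; legitimate ad delivery also redirects, so a hit is a triage signal rather than a verdict.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy-log records: (client, requested URL, status, Location header).
# Every hostname is a made-up .example name.
SAMPLE_LOG = [
    ("10.0.0.5", "https://news.example/story", 200, None),
    ("10.0.0.5", "https://ads.adnet.example/serve?slot=7", 302, "https://trk.example/c?id=1"),
    ("10.0.0.5", "https://trk.example/c?id=1", 302, "/next"),  # relative Location
    ("10.0.0.5", "https://trk.example/next", 302, "https://landing.example/update.html"),
    ("10.0.0.5", "https://landing.example/update.html", 200, None),
    ("10.0.0.9", "http://shop.example/cart", 301, "https://shop.example/cart"),
    ("10.0.0.9", "https://shop.example/cart", 200, None),
]

def redirect_chains(records):
    """Stitch consecutive 3xx hops per client into (client, [url, ...]) chains."""
    open_chains = {}  # (client, URL the client is expected to request next) -> chain
    finished = []
    for client, url, status, location in records:
        # Continue a chain if this request is the target of an earlier redirect.
        chain = open_chains.pop((client, url), [url])
        if 300 <= status < 400 and location:
            target = urljoin(url, location)  # resolve relative Location headers
            open_chains[(client, target)] = chain + [target]
        elif len(chain) > 1:
            finished.append((client, chain))
    # Chains whose final hop never appeared in the log are still worth reporting.
    finished.extend((client, chain) for (client, _), chain in open_chains.items())
    return finished

def suspicious_chains(chains, min_hosts=3):
    """Flag chains that touch at least min_hosts distinct hostnames (assumed threshold)."""
    flagged = []
    for client, chain in chains:
        hosts = []
        for url in chain:
            name = urlsplit(url).hostname or ""
            if name not in hosts:
                hosts.append(name)
        if len(hosts) >= min_hosts:
            flagged.append({"client": client, "hops": len(chain) - 1, "hosts": hosts})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_chains(redirect_chains(SAMPLE_LOG)):
        print(hit)
```

The comparison is on full hostnames; grouping by registrable domain would need a public-suffix list, which the standard library does not include.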

Malvertising can carry all kinds of malware types. It can be anything from adware to ransomware, to a piece of code that changes settings on your router. Exploit kits are a common malvertising payload. If successful, an exploit kit can open your system up to other malware types. Botnets, banking Trojans, and cryptojackers are also on the malvertising menu.


How Big a Threat Is Malvertising?

Judging the scale of malvertising can be hard. It is silent, and doesn’t come with the other common red-flags we train ourselves to spot. Vadim Kotov, Senior Security Researcher at Bromium, echoes this:

“The continued rise of malvertising is also of note, as it became so rapid and high-impact, largely due to its attacks on high-profile websites. Drilling down further, this year alone, there were malvertising attacks on more than a quarter of the Alexa 1,000. This class of attacks is fascinating as it represents a perfect symbiotic relationship between two discrete technologies that end up producing such detrimental effects.”

The main reason is that advertising is everywhere. Third-party-ad networks sell adverts to big sites like eBay, The Weather Channel, Rotten Tomatoes, and MakeUseOf.

Those sites display the ads in good faith. But if a malvertiser figures out how to insert a malicious ad into a legitimate ad network, there’s a chance it will appear on high-ranking websites before it’s caught.

Ad Networks Used as Malware Distribution Networks

The networks serving advertisements throughout the internet are largely automated, with only peripheral human involvement. This means attackers can take a chance. If successful, their infected ad will sneak through the security systems of an internet advertisement network. Even highly trusted ad networks, like Google’s DoubleClick, have distributed malicious ads.


[Image: malvertising cyphort advertising flow]

The automation means a majority of websites are unaware of precisely what will be displayed on their site, removing themselves from the selection process—and further distancing themselves from potentially malicious content.

[Image: malvertising cyphort advertising flow with virus]

One tactic for malvertisers to get their ads into trusted networks is by buying ad space for benign ads first. Once a reputation as a legitimate advertiser is established, the malware-laden ads begin. Because they’re under less scrutiny than new advertisers, they have a brief opportunity to slip these malvertisements onto websites.


Just-In-Time Malware Assembly

A newer method of getting malvertisements published is just-in-time malware assembly. This involves innocent-looking components of code in the ads that are downloaded separately to a victim’s computer. They’re then assembled and compiled into the malware payload.

This payload can then run or download additional components to complete the assembly. This is especially difficult to detect.


Malvertising Threat on Mobile

Malvertising is a particular threat to mobile users. How many times have you accidentally tapped an advert on a website while scrolling through? Or clicked an advert in a game as you try to speed through cooldown timers or lockout screens?


A malicious ad doesn’t differentiate between a “proper” click and an accidental click. Smartphone design doesn’t help, either. The screen is great for scrolling, but precise clicking is a different proposition.

Another smartphone issue is a lack of security programs. Many users simply don’t consider their smartphone security in the same manner as a desktop or laptop.

Where Does Malvertising Come From?

Common sense tells us to avoid the sketchier side of the internet. Think about the sites you’d normally consider to host malware or be privy to a malvertising campaign:

  • Pornographic sites
  • Sites offering other NSFW/NSFL content
  • Sites offering free software/cracks/keygens/warez
  • Sites offering Flash games
  • Illegal streaming sites
  • Torrent sites
  • Sites using “unreliable” TLDs, hosted in “questionable” countries
  • Sites offering coupons, savings, and questionnaires
  • Online dating sites
  • Betting sites

Unfortunately, you can find malvertising absolutely anywhere. Because of how third-party ad networks operate, infected ads can be spread to a wide variety of otherwise very trustworthy sites at high speed. While there are sites that are more likely than others to infect you with malware, you can be hit at any time with one of these ads.

Malvertising is a stealthy delivery method, too. However, RiskIQ’s research showed that in 2015, the most common form of malvertising was through fake software updates, especially for Adobe’s Flash plugin. They can also be spread through fake virus and malware warnings, though the prevalence of that particular method has decreased.

[Image: Fake spyware warning message]

Note: The alert above looks legit, doesn’t it? Learn more about how to spot fake virus and malware warnings so you’re never caught off guard or tricked.

Tracking Malvertising Campaigns

Back in March 2015, Malwarebytes announced it had tracked a particular campaign as it dynamically traversed various internet outlets, culminating in malicious advertisements seen on:

  • 1.3 billion monthly visits
  • 313.1 million
  • 290.6 million
  • 218.6 million
  • 102.8 million
  • 60.7 million
  • 51.1 million
  • 43 million
  • 31.4 million
  • 9.9 million

The injected malicious ads were designed to deliver the Angler exploit kit. This is known to search for and exploit vulnerabilities in HTML, Silverlight, Flash, JavaScript, Java, and plenty more. Once the Angler EK is installed, it installs a variant of the commonly seen ransomware TeslaCrypt or AlphaCrypt. With the potential to infect literally billions of users, the malvertising stakes are constantly rising.

How to Protect Yourself Against Malvertising

It looks like a mammoth task. The malvertisements are seemingly everywhere, but there are a few precautionary steps you can take:

Until there is a monumental shift in how the internet is funded, ads will continue to be served as part of our day-to-day browsing. Massive ad-networks aren’t going to disappear unless there is a viable alternative, inclusive of those existing advertising behemoths. They certainly won’t want to relinquish their profits.

And while each of the major ad-networks will be actively addressing the malvertising menace, there is still a major emphasis on self-protection.

Want a browser that features auto-script blocking and cares about your privacy? Check out Brave, a browser that takes your privacy seriously.


  1. dragonmouth
    March 21, 2019 at 4:05 pm

    All the more reason to use strict ad blockers and NoScript.

  2. Anonymous
    February 16, 2016 at 3:40 pm

    Ad Blocking isn't as simple as installing Adblock Plus. You need to have a good working set of blocking subscriptions. One of the easier ways to find subscription lists is from a Google search for "abp subs" (these work in other blockers such as uBlock Origin and Adblock Latitude as well). I suggest Easylist, Fanboy's Annoyances, Malware Domains, Spam404 and Adware Filters. It's a personal choice whether to add "Adblock Warning Removal" or Adblock Plus's own "Allow Non-intrusive Advertising", but I do those as well.

    Ad blocking needs to be configured for all available web browsers on a system, even if you have no plans to use them. It's definitely possible for something to attack a browser you never use.

    Web browsers that do not support ad blocking (looking at you, Edge and Chrome on Android), should not be considered acceptable.

    You may also wish to use an Ad-blocking hosts file for your computer or rooted mobile devices. This is a blunt instrument compared to more granular blocking from a browser addon, but it also works regardless of the internet-enabled software being used and helps for systems that have a certain amount of advertising baked in (Android).

    Finally, having some degree of fine control over script execution above and beyond simple ad blocking is incredibly helpful from a security standpoint. I'm a big fan of proper NoScript, which runs wonderfully on Mozilla-derived browsers like Firefox, Seamonkey, Waterfox and Palemoon, but it's less functional on non-Mozilla platforms. An alternative option, particularly for less technical users, is uMatrix, which does exist and work on Chrome and Opera as well as Mozilla-type browsers.

    • Dann Albright
      February 18, 2016 at 12:45 am

      Thanks for all of this great advice—it makes sense that having the right subs for ad blockers would boost the efficacy of the software, though I haven't looked for any research that indicates that. And yes, being able to specify the types of scripts and plugins that your browser runs will definitely be a big help, especially with JavaScript and Flash being so prone to exploitation.

    • Roger Deep
      March 19, 2016 at 11:46 am

      You can use [Broken URL Removed] to have 3 sources and firewall rules to block most of the known ads companies and malware related stuff.
      Install and download those source files that will create a super HOSTS file, plus lots of IPs on the firewall that block ransomware and other bad IPs. Simple and free, but you do need to update it manually at least once a week.

  3. Anonymous
    February 16, 2016 at 2:53 pm

    "Even highly trusted ad networks, like Google’s DoubleClick"
    Trusted by whom? Google? Trusted to do what? To deliver malware?
    As far back as I can remember DoubleClick was always considered to be a sleazy purveyor of malvertising. Their URL was/is the first to be blocked in my Hosts file. Just because Google acquired them does not mean that DoubleClick's reputation or practices have been sanitized in any manner, shape or form.

    • Dann Albright
      February 18, 2016 at 12:43 am

      Trusted by a lot of web publishers to deliver ads—it's one of the biggest ad networks out there, and that wouldn't be the case if people didn't trust it. Whether that trust is misplaced or whether they serve more malware than another network is another issue. The fact remains that DoubleClick is huge.

  4. Anonymous
    February 16, 2016 at 2:07 pm

    ( From Other Thread )

    Some Months Ago, I Configured My AV To Warn Me And Block Any Programs Before Even Starting From My Download And Temp Folders.

    If I Can Not Install Software, I Have To Unblock That Feature And, Afterwards, Block It Again.

    Absolutely No Freaking MalWare Problems Since.



    • Dann Albright
      February 18, 2016 at 12:38 am

      Which AV are you using?

      • Anonymous
        February 19, 2016 at 12:36 am


        Version RP6 Is The Most Recent And The First Compatible With W10 - For Those Of You Who Can Not Live Without The **Latest And Greatest**.

        Thank You For Responding.