What is Malvertising?

Malvertising is the use of online advertising to distribute malware with little to no user interaction required. Attackers inject malicious code into legitimate digital ad networks, which then serve harmful ads on trusted websites. These ads can automatically install viruses, ransomware, or spyware on a visitor’s device.

The term itself is a combination of “malicious” and “advertising”. Unlike some online threats that require a user to be tricked into clicking a bad link, malvertising is uniquely dangerous because it can infect a computer or mobile device without a single click. This type of attack is often called a “drive-by download”.

It works by exploiting the complex and automated system of programmatic advertising. Attackers pose as legitimate advertisers to purchase ad space on a network. The ads they create may look harmless at first, but they contain hidden code designed to execute when the ad is loaded in a user’s browser.

Because these ads are distributed through major ad networks, they can appear on highly reputable, high-traffic websites. A user could be reading the news on a major media outlet’s site and become a victim. This makes malvertising a serious threat to users, publishers, and advertisers whose brands can be damaged by association.

Ready to protect your ad campaigns from click fraud?

Start your free 7-day trial and see how ClickPatrol can save your ad budget.

The evolution of malvertising follows the evolution of online advertising. Early versions were simple and relied on pop-ups. Today, the methods are far more sophisticated, using obfuscation and redirection to hide the malicious activity from both the ad networks and the website owners.

The Technical Mechanics of a Malvertising Attack

Malvertising attacks succeed by manipulating the intricate, high-speed systems that deliver digital ads to your screen. The process is a chain of events, designed to evade detection at every step while targeting vulnerable users with precision.

It begins with the attacker’s setup. They often create shell companies or impersonate real businesses to appear as legitimate advertisers. This allows them to create accounts with ad networks or demand-side platforms (DSPs), the software used to buy advertising in automated auctions.

Next, they design the ad creative. This is the visual part of the ad you see, like a banner or a video. The creative itself typically looks benign and professional, promoting a fake product or a real brand without permission. It is designed to pass the initial, often automated, quality checks of the ad network.

The malicious component is hidden. The attackers embed a small piece of code, usually JavaScript, within the ad tag. This code is often obfuscated, meaning it’s scrambled to be unreadable to humans and difficult for security scanners to analyze.

When a user visits a website that sells ad space, the ad delivery process kicks off. The publisher’s site sends a request to an ad exchange, announcing it has an ad slot available for a specific visitor. This request includes data about the user, such as their location, device type, and browsing history.

This triggers a real-time bidding (RTB) auction. The malvertiser’s DSP receives the ad request and places a bid to show its ad to this user. Because they are not promoting a real product, they can afford to bid on a massive volume of impressions, winning auctions for fractions of a cent.

Once their bid wins, the ad exchange instructs the user’s browser to fetch the ad creative from the malvertiser’s server. This is the moment the attack transitions from the ad network to the end user’s device. The entire auction and delivery process takes less than 200 milliseconds.

The ad’s hidden script then executes in the browser. This is where the infection chain truly begins. The process typically follows a few key steps:

  • Redirection: The initial script often does not contain the main payload. Instead, it redirects the user’s browser to a different server controlled by the attacker. This is a tactic to avoid having the malicious server’s address blacklisted by the ad network. Sometimes multiple redirects occur in a chain to further hide the final destination.
  • Fingerprinting: The attacker’s server, often called a landing page, inspects the visitor’s device. It silently probes for information about the operating system, browser version, and installed plugins like Flash or Java. This process, known as fingerprinting, creates a profile of the user’s system to check for specific, known vulnerabilities.
  • Exploit Kit Delivery: If a known and unpatched vulnerability is detected, the server delivers an exploit kit. These are pre-packaged toolkits designed to take advantage of specific software flaws. The browser, tricked by the ad, downloads and runs the exploit kit’s code.
  • Payload Installation: The exploit kit uses the vulnerability to gain control and secretly install the final malware payload onto the victim’s device. This payload could be anything from ransomware that encrypts all the user’s files to a banking trojan that steals login credentials or a cryptominer that uses the computer’s resources to mine cryptocurrency.

The most dangerous part of this entire sequence is that it can happen automatically. The user does not need to click the ad or approve a download. The simple act of the malicious ad loading on the page is enough to trigger the attack, making it a stealthy and effective method for widespread malware distribution.

Malvertising Case Studies in Action

To understand the real-world consequences of malvertising, it is helpful to look at how it impacts different types of organizations. These scenarios show how the same core threat can cause very different problems for publishers, advertisers, and their customers.

Scenario A: The E-commerce Retailer

An online fashion retailer, let’s call it “StyleSpree”, launched a major retargeting campaign to bring previous visitors back to its site. They worked with several ad networks, including a mid-sized network known for its competitive pricing. This network had less stringent security checks than its larger competitors.

Attackers identified this weakness. They compromised the mid-tier network and specifically targeted StyleSpree’s campaign. They replaced the legitimate retargeting ads, which showed products users had previously viewed, with malicious ads that looked identical. When these ads were served to former visitors, they silently installed a keylogger and a banking trojan.

The problem surfaced when StyleSpree’s customer service team received a flood of complaints. Customers reported fraudulent charges on their credit cards shortly after making a purchase on the site. Their investigation, along with reports from cybersecurity firms, traced the infections back to users who had seen a StyleSpree ad.

The damage was immediate and severe. StyleSpree had to pause all advertising, cutting off a primary revenue channel. They issued a public statement, damaging the brand’s reputation and eroding customer trust. The financial impact included not only lost sales but also the high costs of customer support, chargeback fees, and forensic IT services to investigate the breach.

To fix this, StyleSpree terminated its contract with the insecure ad network. They instituted a new, rigorous vetting process for all ad partners and began using an ad security vendor to scan all their ad tags in real time, blocking malicious creatives before they could be served.

Scenario B: The B2B Software Company

A B2B SaaS company, “LeadFlow CRM”, used display advertising on business-focused news sites and professional social networks to generate leads. Their goal was to get project managers and executives to sign up for a free trial of their software.

A sophisticated attacker targeted LeadFlow by using a technique called cloaking. They bought ad space on the same sites, creating ads that looked exactly like LeadFlow’s. When the ad network’s crawlers scanned the ad, they were shown a safe, clean landing page. However, when a real user from a specific IP range (like a corporate office) clicked the ad, they were redirected to a malicious page.

This page hosted a drive-by download that installed spyware on the user’s work computer. The spyware was designed to search for and exfiltrate sensitive corporate documents, intellectual property, and financial plans. The attack was discovered when one of the targeted companies’ security teams detected unusual data traffic leaving their network.

LeadFlow CRM’s brand was now associated with corporate espionage. They were not the attackers, but their brand was the bait. Potential clients blacklisted them, and their sales team faced difficult conversations about security. The incident caused significant reputational harm in their specific B2B market.

The solution required a multi-pronged effort. LeadFlow worked with the publishers and ad networks to remove the imposter ads and ban the fraudulent advertiser. Internally, they implemented a stricter Content Security Policy (CSP) on their own website and landing pages to prevent such unauthorized redirects. They also invested in a brand monitoring service to detect fraudulent uses of their company name and logo in online ads.

Scenario C: The Online News Publisher

A popular news website, “The Daily Chronicle”, relied on programmatic advertising for most of its revenue. To maximize their income, they worked with over a dozen ad exchanges and supply-side platforms (SSPs), including some smaller ones that promised higher fill rates.

A malvertising group purchased ad inventory on The Daily Chronicle through one of these less secure SSPs. The ad they served contained a JavaScript-based cryptomining script. This script did not install anything permanent on a user’s machine, but it hijacked the user’s CPU resources while they had the news article open.

Readers started complaining that their computer fans would spin up and their entire system would become slow and unresponsive whenever they visited The Daily Chronicle’s website. The user experience was severely degraded. Tech-savvy readers quickly identified the cause, and discussions on social media and forums advised people to use an ad blocker on the site.

The impact was a slow but steady decline in key metrics. The site’s bounce rate increased, time-on-site dropped, and ad blocker usage among their audience grew significantly. This directly hurt their ad revenue and their search engine rankings, which are influenced by user engagement signals. They were losing both money and audience loyalty.

To resolve the issue, The Daily Chronicle used ad quality scanning tools to pinpoint which ad partner was serving the malicious script. They immediately severed ties with that partner. Furthermore, they implemented the `sandbox` attribute for all ad iframes on their site, a technical control that restricts ads from performing certain actions, like running intensive scripts or triggering unwanted pop-ups.

The Financial Impact of Malvertising

The cost of malvertising extends far beyond a single infected computer. For businesses caught in the crossfire, the financial damage can be substantial and long-lasting, affecting revenue, operational costs, and brand value.

For publishers, the most direct cost is lost revenue. When users have a bad experience due to slow performance or malware warnings, they are likely to install ad blockers or stop visiting the site altogether. A smaller audience means less ad inventory to sell. Furthermore, if a publisher’s domain is flagged for serving malicious content, legitimate ad networks may temporarily or permanently block them, causing a catastrophic drop in income.

Consider a publisher earning a $5 effective CPM (cost per thousand impressions). If a single malvertising incident causes 10% of their one million monthly visitors to install an ad blocker, they lose 100,000 ad-viewing users. Counting one impression per lost visitor, that is 100,000 fewer impressions a month, a direct revenue loss of $500 per month, or $6,000 per year, from just one incident.

For advertisers, the costs come from brand damage and wasted ad spend. When a brand’s ads are used as a lure for malware, customer trust is broken. This can lead to boycotts, negative press, and a long-term decline in brand equity. The money spent on the ad campaign itself is also wasted, as it actively harms the very customers it was meant to attract.

There are also significant operational and cleanup costs. Businesses whose employees are infected must spend money on IT resources to investigate the breach, clean infected devices, and restore data from backups. In cases where data is stolen, costs can skyrocket to include legal fees, regulatory fines under laws like GDPR or CCPA, and credit monitoring services for affected individuals.

The indirect costs are often the most damaging. A damaged reputation is difficult to repair and can take years to recover from. The loss of customer loyalty and the chilling effect on new customer acquisition can impact a company’s bottom line for a very long time.

Strategic Nuance: Beyond the Basics

Understanding malvertising requires looking past common assumptions and adopting advanced strategies. Many widely held beliefs about online safety are not sufficient to protect against modern, sophisticated attacks.

Myths vs. Reality

A prevalent myth is that malvertising only occurs on illegal or low-quality websites. The reality is that attackers prefer high-traffic, reputable sites. Major platforms like Forbes, The New York Times, and Spotify have all been used to serve malvertising in the past. Attackers go where the users are, exploiting the trust people have in established brands.

Another dangerous misconception is the idea that not clicking on an ad keeps you safe. As detailed earlier, many malvertising attacks use drive-by downloads. These require no user interaction beyond the page loading. The ad executes its malicious code the moment it is rendered by the browser, making passive browsing a potential risk.

Finally, many people believe their antivirus (AV) software provides complete protection. While AV is an essential layer of security, it is not foolproof. Malvertisers use polymorphic code, which constantly changes its signature to evade detection by traditional AV programs. They also use cloaking and other techniques to hide from security scanners, making real-time prevention at the source a critical need.

Advanced Protective Tactics

For publishers, moving beyond basic ad quality checks is essential. A robust Content Security Policy (CSP) is a powerful tool. A CSP is a set of rules you define that tells a browser which sources of content (scripts, images, etc.) are approved to be loaded on your site. A well-configured CSP can prevent a malicious ad from loading its harmful scripts from an unauthorized domain.
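As an added example (not ClickPatrol's code), the following Node.js script applies the CSP3 source-matching rules to decide which script URLs an ad creative tries to load would be permitted by a page's `script-src` directive. The page origin, the sample policy and every URL are constructed for illustration.

```javascript
// Added example (not ClickPatrol's code): check which script URLs an ad creative loads would be
// permitted by a page's CSP, following the CSP3 source-matching rules. All names are constructed.
const PAGE_ORIGIN = "https://www.example-news.test";
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.trusted-adserver.test *.safeframe.test; frame-src https:";

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match the URL? Keywords other than 'self' ('none', 'nonce-...') never match a URL.
function sourceMatches(expr, url, page) {
  if (expr === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: an explicit scheme must match; an omitted one means the page's scheme
  // (an http page may still load https resources).
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (!scheme && url.protocol !== page.protocol && !(page.protocol === "http:" && url.protocol === "https:")) return false;
  // Host: "*.example" matches subdomains only, never the bare domain.
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h.startsWith("*.") ? !uh.endsWith(h.slice(1)) : h !== "*" && h !== uh) return false;
  // Port: omitted means the scheme's default port, which Node's URL reports as "".
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port === undefined ? url.port !== "" : port !== "*" && port !== urlPort) return false;
  // Path: a trailing "/" is a prefix match, anything else must match exactly.
  if (path) return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Is urlString allowed under `directive`? Falls back to default-src as browsers do.
function urlAllowed(cspHeader, directive, urlString, pageOrigin = PAGE_ORIGIN) {
  const csp = parseCsp(cspHeader);
  const sources = csp[directive] || csp["default-src"];
  if (!sources) return true; // no governing directive: the browser does not restrict
  const url = new URL(urlString), page = new URL(pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// Audit the script URLs observed from an ad creative; returns [{ url, allowed }].
function auditAdScripts(cspHeader, urls) {
  return urls.map((u) => ({ url: u, allowed: urlAllowed(cspHeader, "script-src", u) }));
}

console.log(auditAdScripts(SAMPLE_CSP, ["https://ads.safeframe.test/render.js", "https://redirect.malvertiser.test/payload.js"]));
```

Note that `*.safeframe.test` admits `ads.safeframe.test` but not the bare `safeframe.test`, and a listed `https://` host rejects the same host over `http://`; these are the two mismatches publishers most often trip over when an ad partner's scripts are unexpectedly blocked.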

Using the iframe `sandbox` attribute is another strong technical defense. This HTML attribute restricts the permissions of the content within an iframe, where ads are typically served. It can be used to block pop-ups, script execution, and plugin loading, effectively neutralizing many common malvertising techniques without blocking the ad itself.
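As an added example (not ClickPatrol's code), this Node.js audit walks the ad iframes in a page and reports `sandbox` tokens that hand the ad back the capabilities described above (forced redirects, pop-ups, downloads), plus the missing-attribute case. The HTML snippet and the partner hostnames are constructed for illustration.

```javascript
// Added example (not ClickPatrol's code): audit the sandbox attribute on ad iframes in a page
// and report tokens that hand the ad capabilities malvertising abuses. The HTML is constructed.
const SAMPLE_HTML = `
<iframe src="https://ads.partner-one.test/slot?id=1" width="300" height="250"></iframe>
<iframe src="https://ads.partner-two.test/slot?id=2"
        sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
<iframe src="https://ads.safeframe.test/slot?id=3" sandbox="allow-scripts"></iframe>
`;

// Sandbox tokens that re-enable behaviour malvertising relies on.
const RISKY_TOKENS = {
  "allow-top-navigation": "ad can navigate the top-level page (forced redirect)",
  "allow-top-navigation-by-user-activation": "ad can redirect the page after a user gesture inside it",
  "allow-popups": "ad can open pop-up windows",
  "allow-popups-to-escape-sandbox": "pop-ups opened by the ad are not sandboxed",
  "allow-downloads": "ad can start file downloads",
};

// Extract every <iframe> tag and return its attributes as a lowercase-keyed object (audit-grade, not a full HTML parser).
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let tag; (tag = tagRe.exec(html)) !== null; ) {
    const attrs = {};
    for (let a; (a = attrRe.exec(tag[1])) !== null; ) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? ""; // bare attribute -> ""
    }
    frames.push(attrs);
  }
  return frames;
}

// Report what one ad iframe is allowed to do that an ad slot normally should not be.
function auditIframe(attrs) {
  const findings = [];
  if (!("sandbox" in attrs)) {
    findings.push("no sandbox attribute: ad content runs with the page's full privileges");
    return { src: attrs.src, findings };
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  for (const [token, why] of Object.entries(RISKY_TOKENS)) if (tokens.has(token)) findings.push(`${token}: ${why}`);
  // Known caveat: with both tokens, a same-origin framed document can strip its own sandbox attribute.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: same-origin content can remove the sandbox");
  }
  return { src: attrs.src, findings };
}

const auditAdSlots = (html) => extractIframes(html).map(auditIframe);

console.log(auditAdSlots(SAMPLE_HTML));
```

A slot with `sandbox="allow-scripts"` alone lets the creative render but keeps top-level navigation, pop-ups and plugins off; a slot without the attribute at all is the finding that matters most.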

For advertisers, due diligence on ad partners is key. Don’t just focus on reach and price. Ask ad networks detailed questions about their security procedures, their process for vetting new advertisers, and their incident response plan. Insist on transparency through standards like `ads.txt` and `sellers.json` to reduce the risk of ad fraud and ensure you are working with legitimate partners in the supply chain.

Frequently Asked Questions

  • What is the difference between malvertising and adware?

    Malvertising is the *delivery method* for malware using online ads. Adware is a *type* of malware, often delivered via malvertising, that forces unwanted ads onto your screen. Malvertising can also deliver much more dangerous threats like ransomware or spyware.

  • Can I get malvertising on my mobile phone?

    Yes. Mobile malvertising is a significant threat. It can happen through in-app ads or mobile web browsers. These attacks can lead to fraudulent app installs, premium SMS scams, or the theft of personal data from your device.

  • How do attackers get malicious ads on trusted websites?

    They exploit the automated, high-speed nature of programmatic advertising. They pose as legitimate advertisers and submit ads that initially appear safe. The malicious code is often hidden or activated only after the ad passes the initial, often automated, security checks by the ad network.

  • Is malvertising illegal?

    Yes, it is highly illegal. It involves multiple criminal acts, including unauthorized access to computer systems, fraud, and the distribution of malicious software. Prosecuting offenders can be difficult as they often operate across international borders and use sophisticated methods to hide their identity.

  • How can a business protect itself from malvertising campaigns?

    A multi-layered approach is essential. This includes vetting all ad network partners, implementing technical controls like a Content Security Policy (CSP), and using real-time ad scanning solutions. Services like ClickPatrol provide continuous monitoring and blocking of malicious ad creatives before they can harm users or damage brand reputation.

Abisola

Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.