
What is Malvertising?

  • Writer: Rolando Ramos
  • 2 days ago
  • 2 min read

Threat Type: Malvertising


Threat Category: Malware-Based Threat


Cyber Threat Indicators


Malvertising involves cybercriminals injecting malicious code into seemingly legitimate digital advertisements.


These infected ads are then bought and displayed on reputable, high-traffic websites through legitimate advertising networks (ad exchanges, demand-side platforms).


The websites displaying the ads—and often the ad networks themselves—are unaware that the ad contains a hidden threat.


When a user views or interacts with the ad, the malicious code executes, potentially leading to a device compromise.


Core Characteristics


Malvertising attacks share several key characteristics that distinguish them from other forms of malware distribution:


Exploitation of Legitimate Channels: The core method is the use of trusted, large-scale advertising networks (like Google's ad network or similar platforms) to distribute the attack. This gives the malicious ad wide reach on reputable sites.


Minimal or No User Interaction Required (Drive-by Downloads): Many malvertising attacks don't require the user to click on the ad. Simply loading the web page that displays the infected ad can trigger the malicious code to run, exploiting vulnerabilities in the user's browser or plugins. This is known as a drive-by download.


Stealth and Evasion: Attackers employ advanced techniques to hide the malicious code, often delaying the execution of the payload or checking the user's system to see if it belongs to a security researcher or a bot before executing. This helps the ad bypass automated security scans by ad networks.


Targeting: Malvertisers can leverage the same precise user-targeting data as legitimate advertisers (e.g., location, browser type, operating system) to deliver specific exploit kits designed to compromise known vulnerabilities on the user's unique system.


Compromise of Trust: The attack is effective because the malicious ad appears on a trusted site (e.g., a major news publication), causing the user to drop their guard.


Common Examples and Tactics


Drive-by Downloads: The malicious code is designed to execute automatically when the ad is displayed, exploiting vulnerabilities in the browser or its plugins (such as outdated Flash or Java). Malware is installed on the user's device without a click.


Malicious Redirects (Forced Redirects): The ad code automatically redirects the user's browser to an unknown, malicious website, often through a chain of intermediate servers to hide the source. The user lands on a phishing page or a site hosting an exploit kit.


Fake Software Updates/Warnings: The ad appears as an urgent pop-up claiming the user's system is infected or that their Flash player or browser needs updating immediately. This tricks the user into clicking a button, which then downloads actual malware disguised as a security patch or update.


Phishing Ads: The ad promotes an unrealistic offer (e.g., a "free" prize or a "too-good-to-be-true" giveaway) and directs the user to a malicious landing page that imitates a legitimate one (e.g., a bank or major retailer). The goal is to steal sensitive information such as login credentials, credit card numbers, or other personal data.


Exploit Kits: Malicious code in the ad redirects the user to a landing page that hosts an exploit kit (a toolset designed to test the system for vulnerabilities). If a vulnerability is found, the kit exploits it to deliver malware like ransomware or keyloggers.
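The forced-redirect tactic above leaves a recognizable trail in web-proxy logs: a request to an ad server followed by a chain of hops through domains the ad network never uses. The following detection script is an added example, not code from the original post or from VIIEGO; the log lines, domain names and allowlists are constructed, and the log format (timestamp, client, status, URL, referrer) is assumed.

```python
"""Flag forced-redirect chains that originate from an ad slot, using
constructed web-proxy log lines. Chains are rebuilt per client by
following referrer -> URL links, so HTTP 302 hops and JavaScript/meta
redirects are both caught."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log (not real traffic). Client 10.0.0.5 sees a benign
# ad impression; client 10.0.0.9 is bounced from the ad server through two
# tracker domains to a fake "update" landing page.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 200 https://news.example/article https://news.example/
2024-01-01T10:00:02 10.0.0.5 200 https://ads.adnet.example/serve?id=1 https://news.example/article
2024-01-01T10:00:03 10.0.0.5 200 https://cdn.adnet.example/creative.js https://ads.adnet.example/serve?id=1
2024-01-01T10:01:01 10.0.0.9 200 https://news.example/article https://news.example/
2024-01-01T10:01:02 10.0.0.9 200 https://ads.adnet.example/serve?id=7 https://news.example/article
2024-01-01T10:01:03 10.0.0.9 302 https://trk1.example/go https://ads.adnet.example/serve?id=7
2024-01-01T10:01:03 10.0.0.9 302 https://trk2.example/r https://trk1.example/go
2024-01-01T10:01:04 10.0.0.9 200 https://update-flash-now.example/landing https://trk2.example/r
"""

AD_NETWORK_DOMAINS = {"ads.adnet.example"}                         # assumed ad servers
EXPECTED_AD_DOMAINS = {"ads.adnet.example", "cdn.adnet.example"}   # assumed allowlist
MIN_UNEXPECTED_HOPS = 2   # two or more off-allowlist hops after the ad server
MAX_CHAIN = 20            # guard against referrer loops in malformed logs

def host(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""

def parse(log):
    """Yield (client, status, url, referrer) from one constructed log line each."""
    for line in log.splitlines():
        _ts, client, status, url, ref = line.split()
        yield client, int(status), url, ref

def redirect_chains(log):
    """Return {client: [hostnames]} for every ad-origin chain that wanders
    through MIN_UNEXPECTED_HOPS or more domains outside the ad allowlist."""
    edges = defaultdict(dict)          # client -> {referrer_url: [next_urls]}
    for client, _status, url, ref in parse(log):
        edges[client].setdefault(ref, []).append(url)
    findings = {}
    for client, links in edges.items():
        starts = [u for urls in links.values() for u in urls if host(u) in AD_NETWORK_DOMAINS]
        for start in starts:
            chain, cur = [host(start)], start
            while cur in links and len(chain) < MAX_CHAIN:   # follow the first onward hop
                cur = links[cur][0]
                chain.append(host(cur))
            unexpected = [h for h in chain[1:] if h not in EXPECTED_AD_DOMAINS]
            if len(unexpected) >= MIN_UNEXPECTED_HOPS:
                findings[client] = chain
    return findings
```

In production the allowlist would come from the ad network's published serving domains, and a flagged chain is a trigger to pull the creative from the ad slot and block the landing domain at the proxy.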


---


VIIEGO is the human security agency: human security research and consulting in identity manipulation and fraud prevention, decoding human behavior to secure your identity.


www.viiego.com | Protect What's Yours.
