How Malvertising Works: How the Bad Guys Make Money

by Geoff Stupay, on Dec 28, 2020 9:00:00 AM

One of the most confusing parts about malvertising, and malware in general, is understanding how the perpetrators use these techniques to actually make money. There are a lot of smoke and mirrors, a ton of different players, and lots of money changing hands.

This article walks through some of the most common categories by which malvertisers make money off their efforts, but is by no means an exhaustive list.

Bad actors make money through malvertising in a variety of ways including:

-- Article Continues Below --

New call-to-action

Visit the Complete Malvertising Resource Center

Phishing Schemes

One of the most common goals of malvertising is to simply steal personal information. Phishing schemes, usually associated with email, are campaigns built to get users to willingly give away their personal information.

Often, these attacks will send users to a landing page that may look legitimate and have a great offer or enticing reason to get them to enter their information. A common example seen in the malvertising space is the message that you’ve won a free gift card and all you need to do to claim said gift card is enter some personal information.

google search results mobile

With phishing schemes, malvertisers usually make money by collecting personal information and then selling it on underground markets for a profit

In addition to selling this data for nefarious purposes, bad actors can also turn around and sell the data using traditionally “legitimate” methods. They’ll collect data about individuals and sell it to companies looking for leads to target with their marketing efforts, which means your users start getting spammed.

Malware Installation

Another common goal of malvertising is to infect end user devices with malware with the goal of somehow profiting from it. This is done by getting a user to unwittingly download malicious software either from the ad itself or through the resulting landing page the ad directs users to.

Malware injections can also lead to the installation of browser hijacking programs that allow control over a user’s web browser.

Once a user’s device or browser is infected, there are a variety of things malware can do to drive profit for those responsible for creating it:

  • Harvesting personal information and login credentials: Similar to phishing, malware can be used to log keystrokes and capture passwords, banking information, or personal information that can then be sold on underground markets or used to directly access personal banking funds.
  • Selling fake advertising impressions: Once installed on a browser or device, malware can manipulate your browsing traffic. Some schemes may divert the victim's clicks to advertisements located on criminal webpages. The criminals make money from ad networks by generating traffic to their customers' ads.
  • Phishing schemes: With control over a user’s web browser, over time, bad actors can send users to more fake phishing pages as they browse.
  • Ransomware: This type of attack holds the end-user device hostage and demands ransom (often in the form of a Bitcoin payment) for access back to the device and the data stored on it.
  • Spammers: Another common monetization tactic is to rent out the infected end user device to spammers. They may use a social media account to spread fake links or use the device to send spam messages from an IP address that hasn’t been recognized as a spammer and blacklisted yet.
  • Denial of service attacks: Malware may also use the device as part of a distributed denial of service (DDoS) attack where requests are sent from many infected end user devices to a single location with the goal of overwhelming the attack target and shutting down its operational function. Often the target is offered the option of paying a ransom to have the attack stop.

Read the Case Study

How cleanAD Completely Eliminated Malicious Redirects, Freeing up 60 Hours of AdOps Efforts per Week, for Venatus Media

Read the Case Study

Selling Fake Advertising Impressions

Another common malvertising tactic is for bad actors to pose as an “agency” that has advertising units to sell, or an affiliate in the digital advertising chain, each of which are paid out on a cost per click basis.

Using various tactics to force clicks that are not real, bad actors are able to charge for a very high number of click throughs that are not actually real, thus driving their profits higher.

They have even gotten smart about finding a way to generate higher value clicks using methods like video stuffing.


A Crypto-mining attack is a display ad that looks legitimate on the surface but loads a background script which can hijack CPU cycles on an end-user device in order to mine for cryptocurrencies, all without the user knowing this is happening or providing their consent.

Some of them even use the device's full CPU power, causing load times to suffer and users to get frustrated.

Read the Guide

Malvertising: What You Need to Know to Prevent It

Malvertising prevention is essential for any publisher with an expansive online presence, and shoring up your lines of defense is a worthwhile investment.

Read the Guide

Money Laundering

Often, malvertising may simply be a front for money laundering operations. Because of the distributed nature of the digital advertising ecosystem, it is very easy for bad actors to set up a number of entities through which money will change hands. 

In the fake advertising impressions example above, the bad actors may well be the very customers paying for the impressions. This effectively means they are paying themselves, but in the process, the original source of the money is hidden, making it “clean.”

The Bottom Line

There is a highly organized cybercrime community, with many different players, that lies at the foundation of the malvertising ecosystem. Knowing who is doing what, how they are making their money, and how it is changing hands is nearly impossible.

What is possible is completely blocking the negative effects their actions have on your end-users.

Protecting the experience your users have on your website is your top priority. And, in the process, if you can take away some of the profit from the bad guys, well, that is just icing on the cake!

The Complete Guide to Malvertising


Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates