Malicious Ads: 3 Different Attack Delivery Methods to Know About in 2020

by Jeff Matthies, on Nov 11, 2020 9:00:00 AM

Malvertising is an evolving landscape in which bad actors are constantly finding new ways to infiltrate user experiences and profit off your unsuspecting audience. The key to learning how to prevent malvertising is to understand how it is executed, which is why we’ve created this series of blogs to provide an overview of the different attack types. It is important to note that these are the attack types that we see as of the time this article was written, and we plan on updating these articles regularly when we recognize new attacks as they happen (because they inevitably will).

Anatomy of a Malvertising Attack

There are really three important steps to the delivery of malware, and that make up the anatomy of a malvertising attack:

  1. Delivery Method: The delivery method for that attack (e.g. how the malicious code gets to the end-user)
  2. Set-Up: The methods bad actors use to appear legitimate (e.g. how they bypass checkpoints meant to identify malicious code)
  3. Attack Triggers: The way in which the attack is executed (e.g. the type of malicious behavior or code that is being executed.

-- Article Continues Below --

Q3 Malvertising and Ad Revenue Insights

This article focuses on number one in the equation, or the delivery method for the attack. Read more about how bad actors bypass protections (coming soon!) and the different types of attacks that can be executed in the user’s browser experience once the code has made its way there in these companion articles.

The 3 most common malvertising attack delivery methods are:

  1. Client-Side Injections
  2. Advertising Frames
  3. Cloaking via Advertising Frames

1. Client-Side Injections

Client-side injections insert malicious code into a user’s browser via a compromised device or connection on the part of the website visitor themself, rather than from a publisher website.

In this case, the users will have no idea that they have a compromise. They will only feel the effects as they happen on the websites they visit.

Unfortunately, despite the fact that it isn’t the fault of the publisher website, these compromises can affect a user’s experience on the website, and, as the publisher, you’ll get the blowback and frustration that results.

Some of the ways that a user’s devices or network can introduce a compromise that affects their experience on your website are detailed below.

Network Connection

In some cases, the compromise can be from the network connection a user is connected through. Public wifi networks are notorious for this.

For instance, a bad actor may spoof an airport wifi network to get users to connect through their fake network. When viewing websites over this connection, the bad actors can inject malicious code at the browser level which in turn affects the experience a user has on the pages they visit through their browser.

Browser Extensions

Another common way in which malicious code is injected into browsers is through browser extensions. This has become increasingly prevalent as browser extensions have gained popularity.

As of August 2019, there were “188,620 extensions available on the Chrome Web Store,” with some extensions surpassing the 10 million user mark. Most users download extensions to increase productivity or make life easier, without really vetting what is in the extension or who published it.

Browser extensions can inject code and create actions on website pages users visit without them ever knowing the extension was the cause.

Some of the most common issues we see related to extensions are:

  • Snippets of code that will hijack a website (and user experience on said website)
  • Journey hijacking (when an extension deliberately pulls a user off a website and sends them somewhere else)
  • Advertising replacements, where an extension will replace the advertising a user was supposed to see on a site with something else

Because browser extensions hold the highest level of permission to execute actions within a browser, they can override the code and actions of a website itself.

Local Viruses

Another method for executing a client-side injection is the compromise of the user's device itself. If a user has malware on their device, the operating system may use that vantage point to inject malicious code into the browser.

Read the Guide

Malvertising: What You Need to Know to Prevent It

Malvertising prevention is essential for any publisher with an expansive online presence, and shoring up your lines of defense is a worthwhile investment.

Read the Guide

2. Advertising Frames

The most well-known delivery method for malvertising is through the use of an advertising frame on a publisher’s website. At its core, an ad unit on a publisher site is basically just a place where a publisher is allowing a third party to execute code on their website in exchange for payment.

Malvertisers have gotten very good at using this as an avenue to execute code in nefarious ways. Many of the players in the advertising chain—like DSPs, SSPs, and the publishers themselves—have put in whatever safeguards they can to ensure that what advertisers are passing to them to execute is actually an ad (rather than something else), but must keep improving and evolving to stay one step ahead of attackers.

Each safeguard that is put in place against bad actors is typically overcome with a new method for sneaking in malicious code or hiding negative activities. Having comprehensive protection of your entire website is the only way to truly stay ahead of the ways in which the “bad guys” take advantage of the ad units on your page.

3. Cloaking: New Advertising Frame Delivery Sub-Type

Cloaking misuses native features of advertising platforms to get ads that might otherwise be banned in front of end-users.

Many advertising platforms have the ability for users to provide what’s called “dynamic creative” where, based on user signals, different versions of the creative may be displayed.

An example might be by country, where an advertiser would provide different versions of the creative to be shown in different languages depending upon which country the user was visiting from.


Bad actors use this feature against the advertising platforms by hiding the creative they don’t want the platform to know about under conditions that only users would see. For instance, if the platform is based out of the US, they may put perfectly safe creative in for US audiences, but create click-bait creative for users in European countries to see (since the platform will never check the creative from a European IP address).

This click-bait style creative will usually force the user over to a landing page for a phishing or cryptocurrency scam.

The most common things we see bad actors take advantage of swapping are:

  • Images: Bad guys will utilize cloaking to swap in a clickbait image or fake news that would otherwise be banned.
  • Clickthru URLs: Bad guys will utilize cloaking to swap in landing pages that are scams or fraudulent.


Because the methods and signals for executing this type of delivery are often the same as legitimate uses of dynamic creative functionality, it can be hard to programmatically distinguish them from legitimate dynamic creatives.

The Bottom Line

There are many different methods the bad guys employ to get malicious ads onto publisher websites. Most importantly, this list changes constantly over time as they find new ways to get around the safeguards put in place by publishers.

Your best bet is to have a solution that doesn’t rely on knowing who the bad guys are, but on using behavioral analysis to catch new and novel attacks as they arise, no matter how they are ultimately delivered to the end-user.

Q3 2020 Smart Report

Topics:MalvertisingMalvertising 101

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates