Malvertising prevention is essential for any publisher with an expansive online presence, and shoring up your lines of defense is a worthwhile investment.
Malvertising is run by skilled, creative attackers, and being on the receiving end of a campaign is disruptive and expensive.
A 2015 study of the internet advertising supply chain tallied the cost of malvertising, fraudulent impressions and infringed content, and estimated that $8.2B could be recovered if these threats were neutralized. Despite this, the financial fallout from malware rose 11% between 2018 and 2019.
Malvertising is a complex, pervasive reality with no one solution or single answer. To tackle it, you first must know what you’re up against.
Because this isn’t a game—and so much is at stake—here’s a primer on the subject.
This guide will provide thorough insight so that you can:
Already realize you have gaps? cleanAD has the most innovative and effective anti-malvertising solution on the market. Our behavioral approach is a revolutionary way to stop malvertising in its tracks.
Malvertising is an attack on legitimate websites in which bad actors buy and submit ads that look normal but execute malicious code when displayed.
For example, using injected code, attackers can hijack the user experience through the ad units on a publisher's site. This shows up as forced redirects, client-side injections, unauthorized audio ads, clickjacking, video stuffing and pixel stuffing, and the effects are immediate.
In the cybersecurity industry, malvertising is the term for adverts placed by cybercriminals. These ads can appear on any site, anywhere on the internet.
The hazards of bad online ads to consumer security and data privacy were identified early by the U.S. Senate Permanent Subcommittee on Investigations, part of the Committee on Homeland Security and Governmental Affairs, which set out to expose the hidden realities behind bad ads and malvertising.
In that investigation the subcommittee worked with Yahoo! Inc. and Google Inc. (among other businesses) and found that the malware attacks dubbed "malvertising" had struck over half of internet users at some point.
The subcommittee further found that “hidden hazards” included:
The Cybersecurity Division of the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, works in several ways to reduce the threat of malvertising and malware attacks against citizens.
As these bodies work behind the scenes to find and eliminate threats, they also issue public warnings and guidance on topics such as handling email attachments and avoiding social engineering and phishing scams. CISA also publishes specific recommendations for shopping online.
They state that the three primary ways that internet users are targeted by cybercriminals are:
The outcome of malvertising runs the gamut, from undermining a publisher’s credibility, to reaching further and infecting individual devices.
Malvertising is often confused with adware, but they are not the same thing.
There is an important distinction. Malvertising uses legitimate ads and ad networks to deliver malware: a cybercriminal pays for an ad, which is then displayed on a legitimate website.
By contrast, adware is a form of malware already installed on the device. It produces unwanted advertisements whose threat level varies: some are merely irritating, and others are trojan horses for serious infections.
The two most common ways consumers encounter malware or malvertising are pop-up and banner ads. These may look like legitimate parts of a website, but attackers can use iframes that redirect to an exploit landing page. This common strategy sends users to a page where they are exposed to malicious code that then attacks their devices.
Some forms of malvertising require advanced detection. Attackers rotate the code and domains they use as soon as they are spotted, so a signature or URL that worked yesterday may be useless today.
This presents a huge challenge for traditional, signature-based forms of detection.
If you are still employing static forms of malvertising prevention, you may also be experiencing a decrease in page sessions, return visits, and overall engagement metrics.
Instead, the best malvertising detection uses behavioral analysis, which is covered in more detail later in this guide.
Malvertising is directly connected to the larger advertising ecosystem.
Ads flow through in a couple of different steps:
According to clean.io’s own research, 90% of threats in Q2 of 2020 originated from nine SSPs. There were three phases of attacks throughout the quarter, and the attacks began with smaller, probing campaigns that then scaled into widespread attacks.
However they end up playing out, these malvertising campaigns always cause damage.
Sometimes called "bad actors," other times "cybercriminals," the perpetrators of malvertising grow along with the industry. This is one reason why older forms of anti-malware software are quickly becoming obsolete.
As fast as a trend or behavior is identified, it disappears: the criminal realizes they have been spotted, quickly shrinks from view, and relaunches elsewhere.
Here are a couple of the more newsworthy attacks of the past few years:
RoughTed: Reported in 2017, RoughTed could bypass ad blockers. It evaded antivirus programs by constantly generating new URLs, which made it incredibly difficult to track and made blocking the domains through which it propagated a losing game.
KS Clean: Hidden in a mobile app, KS Clean targeted users through bad ads. A background download would trigger a fake security alert; once the user "upgraded" the app to resolve it, the malware gained device administrator privileges and could then show unlimited pop-up ads on the device.
These are just a couple of issues that circumvented traditional ad-blockers, prompting a deeper dive into behavioral analysis approaches. clean.io is proud to have been at the forefront of that venture, finding newer and more successful ways to outmaneuver cybercriminals.
Malvertising is not one-size-fits-all. There are many forms of malvertising attacks and many ways in which they deceive and destroy. Here is an overview of the larger categories and more common types of malvertising attacks.
Users are smart enough to “not click” on ads that look illegitimate or suspicious. The problem is that malvertising criminals are smarter than ever about how to craft ads that look legitimate. When an online ad pops up or is present on the banner of a reputable site, users are more likely to trust it.
Oftentimes—as detailed in this article—malvertisers are actually paying for clicks. This makes detecting a malicious ad even harder, because it functions in every way (on the front end) as a credible ad.
Ad fraud detection is an entire industry.
Back in 2018, the Department of Justice announced a major success in the fight against ad fraud. It had obtained seizure warrants that allowed the FBI to take control of 31 domains and seize data from nearly 90 servers.
What investigators found were botnets running large-scale digital advertising fraud. The fake ad network they uncovered used nearly 2,000 servers to load ads on fake websites, spoofing legitimate domains, and earned over $7M in ad revenue. This is just one example of how ad fraud victimizes publishers and businesses online.
Ad blockers are the leanest line of defense against malicious ads and were one of the first "solutions" to blocking ads in browsers and on devices. They have numerous problems. Cookies on a website can interfere with them, and browser settings, bugs and other extensions can reduce their effectiveness.
Even savvy users may not be able to create comprehensive enough filter lists or ironclad settings to fully block malvertising, and some forms of malicious code can detect and disable ad blockers.
Malicious code describes any code anywhere within a software system or script that has undesired effects, breaches security or causes damage. Because it is an application-level threat rather than a file on disk, traditional antivirus software does not reliably control it.
Malicious code is the key commodity in malvertising. It is extraordinarily valuable and effective, and when inserted at the right moment in an ad chain or activity, it finds vulnerabilities and leads users down paths to incur greater harm.
Malicious software is a broader category that can be part of malvertising efforts. While not the heart of the strategy in the way malicious code is, malicious software attacks networks and computers.
This may be on the other end of a piece of downloaded malicious code and can manifest as:
Malicious software can shut down devices and entire networks if it is unwittingly installed.
Malicious payloads are what are delivered to a device as the result of any malicious activity. Destructive payloads infect accounts, destroy data and send offensive messages. These can lie dormant on devices or even networks, and once triggered, malicious payloads can wreak havoc:
Malicious payloads are executed through downloads or use logic bombs to activate when a set of criteria are met.
In 2018, attackers used the Google ad network to launch a massive malvertising campaign. Few platforms are as trusted as Google, which handles over 5.6B searches each day.
Users in five countries were affected. Investigators noticed suspicious traffic, a 285% increase in traffic to the Coinhive mining service, and on examining it found that it originated from DoubleClick ads.
The ads contained embedded scripts that ran a Coinhive cryptocurrency miner in the visitor's browser. Through a legitimate ad slot, visitors' CPUs were put to work for the attackers. This kind of cryptojacking harks back to the classic strategy of using malware to hijack computers: once in, the attacker mines a small amount of cryptocurrency on each victim and, across many victims, makes a lot of money.
Traced back to the ads as it was, this campaign illustrates both the complexity and the effectiveness of malvertising.
Mobile ad platforms have been seen as a powerful tool for digital marketers. In essence, they monetize online traffic. Digital publishers provide the property and digital advertisers, the content. Much like commercial deals, ads are monetized based on metrics like visibility, which comes from site traffic.
Ad platforms and online ad agreements allow companies to meticulously target content to users. Since most of the world is online everyday, the value of online ads can be immense. Of course, advertising platforms are also the primary space where users succumb to malvertising threats.
Ad platforms are most profitable on smartphones and other smart devices, where American adults spend most of their time. At last count, eMarketer reported that the average U.S. adult spends nearly three hours every day actively on their smartphone. Most people are never “logged off” entirely. This makes for a vast and ready audience for targeted ads.
Some familiar mobile ad platforms are:
Knowing how ad platforms are set up can provide insight into their vulnerabilities and the opportunity for costly malvertising attacks.
Ads have to be presented somewhere.
Similar to knowing where a newspaper ad would be placed, advertisers want to secure coveted space on an ad platform. For instance, you can buy pop-up ads, banner ads or social media ads. Important calculations determine whether it’s ideal to show up in someone’s Facebook feed versus a retargeted ad on the next site they visit. This ad space impacts the return on ad spend (ROAS) of an ad.
Ad networks are the technology platforms that broker the relationship and transactions between publishers and advertisers. Examples of ad networks include Google AdSense, Taboola, Facebook Audience Network, Apple Advertising and Epom.
Networks like these provide numerous options and multiple channels for ad delivery.
A primary method by which cybercriminals deploy malvertising campaigns is the exploit kit. These packaged exploits target commonly used software such as Java, Adobe Flash Player and Reader, and Microsoft Silverlight.
Exploit kits perform three basic functions: diverting web traffic, scanning the visitor's browser for vulnerable applications, and running malware. In contrast to typical malware, the end user does not download or open anything; the exploit kit works silently while the user browses, and it is often slipped in through malvertising.
Most commonly, an exploit kit will follow this sequence:
Once infected, prevention is obviously a moot point. The solution is to invest in anti-malware and anti-malvertising tools that catch efforts like these before they even happen.
This is best done by predicting behavior, which is the approach cleanAD takes. (Go here to learn more.)
An example is the Angler Exploit Kit, discovered in 2013. Following in the footsteps of Blackhole EK, Angler was for years responsible for a large share of EK traffic. It primarily targeted Internet Explorer, Flash Player and Silverlight.
By exploiting unpatched vulnerabilities in those products, Angler distributed many kinds of payloads.
By 2016 it was infecting computers without requiring a file download, and Windows hosts were its most common targets. Angler activity ceased in mid-2016, but its successors use the same playbook: the domains and IP addresses they rely on change constantly, which makes indicator-based detection obsolete.
Malvertising poses many threats. Appearing innocent enough, it has two victims: businesses and end users.
The problem is that attacks happen quickly and leave a wake of destruction for both the properties they hijack and the end users they exploit. It appears that malvertising often happens in cycles and campaigns. Its power lies in its ability to affect one user at a time. Done in great enough quantity, it can devastate online properties and erode consumer trust.
Just how common is malvertising?
The data shows that malvertising happens, and it often happens in an organized way.
As we’ve seen, malvertising may target specific software applications, browsers or ad platforms.
While the "who" and "when" are rarely well understood, the largest malvertising takedowns have happened because experts noticed observable patterns. These campaigns are profitable enough that the perpetrators let them run too long, leaving time and trails in their wake.
One example was a large malvertising campaign that launched 100M ads. The Hong Kong-based advertisers placed a vast number of malicious ads by buying on legitimate ad platforms. Once redirected, end users received the payload along with the consequences of the scam. These malvertisements first showed up in Windows 10 desktop applications, and once the thread was pulled, more than 100 additional domains were found.
Known as "Fiber Ads," this cybercriminal enterprise went further and brokered ad placement deals on behalf of other clients. Eventually, ad platforms noticed and blocked the buyer.
Unfortunately, getting to the origin point of attacks like these is extremely difficult. Whether or not the “kingpin” is ever caught (and sometimes they are), anyone who owns a web property or uses the internet needs to be aware of the threat of attacks like these.
Most internet users are conditioned to ignore pop-ups and avoid clicking ads that look out of place; however, malicious advertisements on social media can be harder both to spot and to resist.
Facebook, which owns Instagram, is one of the largest ad platforms. Of course, this means that it is also a major target for malvertising scams.
A 2019 cybercrime study reports that cybercriminals readily exploit the trust users have in social media platforms. Cybercrime on social media, including through malware distribution and malvertising, earns criminals $3.24B a year.
As many as 40% of malware problems on social media platforms come from malicious ads. Once the malicious code is activated, it’s only a matter of time before an innocent Facebook or Instagram scroll can result in theft and destruction.
The Federal Trade Commission explains that phishing attacks aren’t just in the form of emails that attempt to steal your social security number.
Phishing is a comprehensive attack plan that can reach end users through texts, social networking sites and online stores. These can come in the form of pop-ups and may look like ads or software alerts.
Phishing could have expensive outcomes, costing Americans about $57M a year.
Mobile devices are now a primary target for cybercriminals. The sheer prevalence of their use makes them an easy avenue through which to infiltrate and wreak havoc on users.
Mobile devices are uniquely susceptible to attacks. Two powerful reality checks this year alone have been the increase of mobile click fraud and the upswing of malvertising around the COVID-19 pandemic.
Mobile click fraud has to do with fake ad clicks and is a $24B industry.
This kind of fraud happens everyday. Cybercriminals use bots or even manual processes to generate high numbers of fake ad clicks. This amounts to a massive waste of ad spend for businesses. In the months of the COVID-19 pandemic, there was a 62% increase in mobile click fraud.
In the first 100 days of the COVID-19 pandemic, there was a 30% increase in cases of impersonation fraud.
Bad actors are taking advantage of the pandemic, with automotive and education platforms hit especially hard. Studies found that automotive sites lacking ad fraud protection lost as much as 9% of pageviews per user session to redirects and takeover ads. Industries already suffering because buyers had to stay home are investing more in online ads, which makes them a bigger target for malvertising.
Malware and unwanted software are related.
Unwanted software is deceptive. For example, users may find that software changes browser settings or changes a homepage. Unwanted software may also leak information and not provide disclosures.
A popular mechanism for bad actors is the pop-up that disrupts the visitor's browsing with the goal of getting them to click and download malware onto their device. The prompts range from fake browser or software updates to the promise of free items on the other side of the ad.
In this day and age, website visitors are no strangers to sponsored advertisements. Whether a banner ad at the top of a website or paid ads breaking up the text in online articles, few people are surprised by their presence.
What may surprise people is that these ordinary-looking advertisements are another common mechanism for fraudsters to deliver malicious ads. While less obnoxious than disruptive pop-ups, their familiar appearance makes it easy to expose users to malicious content.
In some instances, fraudsters don’t even give visitors the option to click. They release infected ads that automatically redirect visitors from the page they’re on, to pages laced with malware.
This type of malvertising is especially dangerous to publishers because when visitors are automatically redirected to a new page or site because of a malicious ad, it doesn’t count as a revenue-generating event.
Not only does this impact ad revenue, but it also disrupts the user’s experience and can result in lost loyal customers.
Malvertising threats are real, imminent and constantly changing.
Typically, anti-malvertising software has used a litany of defenses that include:
There’s no way around it: malvertising is a lucrative industry with a big payday for cybercriminals.
Whether they are stealing small amounts at a time, hijacking user experiences or launching full-scale attacks on a system, they can make some serious money. Obviously, this is the reason they do it. But the profit for them represents a major cost to their victims.
Above and beyond the stats already provided, here are some sobering truths about the cost of malvertising:
The real cost of malvertising includes a variety of elements:
Bad ads are highly circulated and cleverly disguised. Anyone can fall for them and without the right protection, that fall could be devastating.
cleanAD is here to provide the right protection for publishers, preventing frustration for their end users.
Late in 2019, the Department of Homeland Security published an entire public awareness campaign for online holiday shoppers. It warned them of the dangers of malvertising and supplied boilerplate advice that included changing passwords and only shopping at reputable retailers.
While end users may be reasonably alert to the possibility of bad ads, website owners and administrators have far more skin in the game. A single malvertising incident can erode user trust and bring operations to a grinding halt.
Because of this, prevention is of prime importance.
Forced URL redirects are a core strategy for malvertisers. Once redirected, end users fall for fake downloads or are exposed to exploit kits. While search engines have internal processes for detecting redirects, it can take too long for them to find and blocklist sites like these.
Instead, companies should have their own protocol in place. This could include:
Redirects are usually the most important form of malvertising to uncover, because they cause the most frustration for users. They are, however, not the only attack against which you should protect your site.
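The iframe-based redirects described earlier and the redirect protocol above both come down to one question a publisher can check in its own markup: does the embed that hosts the ad let the creative move the top-level page? The following is an added example, not code from clean.io or cleanAD, that parses an ad `<iframe>` tag and reports whether a forced redirect is possible. The publisher and ad-server hostnames and the four embed variants are constructed for the example.

```javascript
// Added example (not clean.io / cleanAD code): inspect a publisher's <iframe> ad embed and
// report whether the creative inside it could force a redirect of the top-level page.
// The publisher and ad-server hostnames below are constructed for this example.

const UNCONDITIONAL_TOP_NAV = 'allow-top-navigation';
const GESTURE_TOP_NAV = 'allow-top-navigation-by-user-activation';

// Parse the attributes of a single <iframe ...> start tag into a Map (names lower-cased).
function parseIframeAttributes(tag) {
  const m = /^<iframe\b([^>]*)>/i.exec(tag.trim());
  if (!m) throw new Error('not an <iframe> tag');
  const attrs = new Map();
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    attrs.set(a[1].toLowerCase(), a[2] || a[3] || a[4] || '');
  }
  return attrs;
}

// True when the framed document shares the publisher's origin (empty/about: src, or a URL on
// the same scheme+host+port). Unparseable input is treated as same-origin, i.e. worst case.
function srcIsSameOrigin(src, pageOrigin) {
  if (!src || src.startsWith('about:')) return true;
  try {
    return new URL(src, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (err) {
    return true;
  }
}

// Assess one embed. pageOrigin is the origin of the page that hosts the ad slot.
function assessAdFrame(tag, pageOrigin) {
  const attrs = parseIframeAttributes(tag);
  const src = attrs.get('src') || '';
  if (!attrs.has('sandbox')) {
    return {
      sandboxed: false, sandboxEscape: false, forcedRedirectPossible: true,
      clickRedirectAllowed: true, canOpenPopups: true,
      reason: 'no sandbox attribute: the creative may assign top.location at any time',
    };
  }
  const tokens = new Set(attrs.get('sandbox').toLowerCase().split(/\s+/).filter(Boolean));
  // A same-origin frame that may run scripts can reach window.parent.document and strip its
  // own sandbox attribute, so the sandbox offers no protection in that configuration.
  const sandboxEscape =
    tokens.has('allow-scripts') && tokens.has('allow-same-origin') && srcIsSameOrigin(src, pageOrigin);
  const forcedRedirectPossible = sandboxEscape || tokens.has(UNCONDITIONAL_TOP_NAV);
  const clickRedirectAllowed = forcedRedirectPossible || tokens.has(GESTURE_TOP_NAV);
  let reason;
  if (sandboxEscape) reason = 'same-origin frame with allow-scripts + allow-same-origin can drop its own sandbox';
  else if (forcedRedirectPossible) reason = 'sandbox grants ' + UNCONDITIONAL_TOP_NAV;
  else if (clickRedirectAllowed) reason = 'top navigation only after a user gesture (' + GESTURE_TOP_NAV + ')';
  else reason = 'sandbox withholds top navigation entirely';
  return {
    sandboxed: true, sandboxEscape, forcedRedirectPossible, clickRedirectAllowed,
    canOpenPopups: tokens.has('allow-popups'), reason,
  };
}

// Constructed embeds: three weak forms and one hardened form.
const PUBLISHER_ORIGIN = 'https://publisher.example';
const AD_SRC = 'https://ads.adserver.example/creative?id=123';
const WEAK_EMBED = `<iframe src="${AD_SRC}" width="300" height="250"></iframe>`;
const PERMISSIVE_EMBED = `<iframe src="${AD_SRC}" sandbox="allow-scripts allow-same-origin allow-top-navigation"></iframe>`;
const ESCAPABLE_EMBED = `<iframe src="/ads/slot.html" sandbox="allow-scripts allow-same-origin"></iframe>`;
const HARDENED_EMBED = `<iframe src="${AD_SRC}" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation" width="300" height="250"></iframe>`;

function auditEmbeds(pageOrigin = PUBLISHER_ORIGIN) {
  const embeds = { WEAK_EMBED, PERMISSIVE_EMBED, ESCAPABLE_EMBED, HARDENED_EMBED };
  return Object.fromEntries(Object.entries(embeds).map(([name, tag]) => [name, assessAdFrame(tag, pageOrigin)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, v] of Object.entries(auditEmbeds())) {
    console.log(name.padEnd(17), v.forcedRedirectPossible ? 'FORCED REDIRECT POSSIBLE' : 'ok', '-', v.reason);
  }
}
```

The hardened form keeps the ad clickable (the landing page opens in a new tab through `allow-popups-to-escape-sandbox`, and `allow-top-navigation-by-user-activation` permits a click-initiated navigation) while denying the silent `top.location` change that a forced redirect depends on. The same-origin case is the caveat worth remembering: an ad slot served from the publisher's own origin with both `allow-scripts` and `allow-same-origin` is not sandboxed in any meaningful sense.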
Some regular processes should be implemented to protect your website from malvertising. Malware in general may be avoided if you do these things:
The best way to protect your website from malvertising is to invest in anti-malvertising software.
Anti-malvertising software protects page views and blocks threats.
Many software programs pre-scan an environment in the hopes of detecting malicious activity. This has limited benefit and plenty of pitfalls.
Instead, cleanAD uses a patented behavioral analysis method. Our process works in real time to detect and prevent malvertising attacks.
These are the three most common methods anti-malvertising software programs will use.
When malvertising first surfaced, the first generation of prevention solutions used static analysis. The most common form was offline scanning: an advertiser registers the creative for a new campaign, and an ad quality solution scans that creative in an offline environment to confirm it is legitimate.
Sophisticated malware can detect such a sandbox test environment and withhold its malicious payload until the creative is on a live site. This led to the next generation of malvertising prevention, URL blocklisting: compiling the URLs and domains that bad actors have been observed using so that creatives referencing them are blocked from re-entry.
Blocklists only catch what has already been seen, and attackers rotate domains faster than lists can be updated. As malvertising continued to evolve, this kickstarted a new generation of prevention solutions: behavioral analysis.
Rather than taking a reactive approach to malvertising prevention, cleanAD analyzes the behavior of the ad to determine if it exhibits the characteristics of malicious ads.
The result? This makes malvertising unprofitable for the bad actor.
When that happens, not only will your users be protected when they visit your site — bad actors are also discouraged from targeting your website in the first place.
Disruptive ads impact more than individual sites.
Many anti-malvertising tools will work at a specific point in the timeline of a malvertising attack. Some work before the bad actor has paid, and others block before the creative has rendered. Both of these types of tools run the risk of both false positives and negatives.
The best way to catch more bad actors, with confidence that the actor really is bad, is to select a tool that catches malvertising as the malicious payload executes, and not earlier.
When an entire platform requires protection, you don’t want to just detect and eradicate instances of malvertising: you want to find and eliminate the bad actors themselves. This requires actionable data.
The timeline of a malicious ad is typical, predictable and sequential:
In this process, the most common tools to prevent malvertising on a platform work at steps three and five. Pre-scanning works in advance and can catch some bad actors. Blocklists can catch bad actors too, but only if their identity is already known.
Step eight is where cleanAD comes in, well after the other anti-malvertising software has ceased to be useful. With behavioral analysis, we can preserve revenue, produce fewer false positives, and be far more effective at actually stopping bad actors.
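To make the difference between the blocklist stage and the behavioral stage concrete, here is an added example that is not clean.io or cleanAD code. It runs a domain blocklist check and a small behavioral scorer over the event timelines of four constructed creatives: a legitimate banner, a creative on a known-bad domain, a RoughTed-style creative on a never-seen domain that forces a redirect without a user gesture (the case from the redirect sections above), and a Coinhive-style creative that never redirects at all but burns CPU. The events, rule weights, thresholds and blocklist are all invented for the example; in a real deployment the events would come from hooks placed around `location`, `window.open`, `eval`, `Worker` and CPU sampling.

```javascript
// Added example (not clean.io / cleanAD code): a blocklist check and a behavioural scorer
// run over the event timelines of four constructed ad creatives.

// Domains previously seen in malicious creatives (constructed).
const BLOCKLIST = new Set(['known-bad.example']);

// Each event: { t: ms since the creative started rendering, type, ...details } (constructed).
const CREATIVES = {
  legit: [
    { t: 0, type: 'script', url: 'https://cdn.adserver.example/render.js' },
    { t: 40, type: 'network', url: 'https://cdn.adserver.example/banner.png' },
    { t: 9000, type: 'navigate', target: 'top', url: 'https://advertiser.example/landing', userGesture: true },
  ],
  knownBad: [
    { t: 0, type: 'script', url: 'https://known-bad.example/r.js' },
    { t: 120, type: 'navigate', target: 'top', url: 'https://known-bad.example/scam', userGesture: false },
  ],
  freshDomain: [ // RoughTed-style: a never-seen domain, so the blocklist is blind to it
    { t: 0, type: 'script', url: 'https://x7q2k.example/loader.js' },
    { t: 30, type: 'eval', size: 18432 },
    { t: 200, type: 'navigate', target: 'top', url: 'https://x7q2k.example/land', userGesture: false },
  ],
  cryptojack: [ // Coinhive-style: no redirect at all, the damage is CPU time
    { t: 0, type: 'script', url: 'https://cdn.adserver.example/render.js' },
    { t: 50, type: 'worker', url: 'https://miner.example/w.js' },
    { t: 6000, type: 'cpu', pct: 97, durationMs: 5900 },
  ],
};

// Behavioural rules (weights are illustrative). Each fires at most once per creative.
const RULES = [
  { id: 'forced-top-redirect', weight: 70, match: e => e.type === 'navigate' && e.target === 'top' && !e.userGesture },
  { id: 'unsolicited-popup', weight: 40, match: e => e.type === 'open' && !e.userGesture },
  { id: 'sustained-cpu', weight: 35, match: e => e.type === 'cpu' && e.pct >= 80 && e.durationMs >= 3000 },
  { id: 'large-eval', weight: 15, match: e => e.type === 'eval' && e.size > 4096 },
  { id: 'worker-spawn', weight: 15, match: e => e.type === 'worker' },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch (err) { return null; }
}

// Blocklist stage: does any URL the creative touched belong to a known-bad domain?
function blocklistHit(events) {
  return events.some(e => e.url && BLOCKLIST.has(hostOf(e.url)));
}

// Behavioural stage: score what the creative actually did while it rendered.
function behaviourScore(events) {
  const fired = RULES.filter(r => events.some(e => r.match(e)));
  return { score: fired.reduce((s, r) => s + r.weight, 0), findings: fired.map(r => r.id) };
}

// Thresholds are illustrative: block on strong evidence, flag the middle band for review.
function verdict(score) {
  return score >= 50 ? 'block' : score >= 25 ? 'review' : 'allow';
}

function assessCreative(events) {
  const { score, findings } = behaviourScore(events);
  return { blocklisted: blocklistHit(events), score, findings, verdict: verdict(score) };
}

function assessAll(creatives = CREATIVES) {
  return Object.fromEntries(Object.entries(creatives).map(([name, ev]) => [name, assessCreative(ev)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(assessAll())) {
    console.log(name.padEnd(12), `blocklist=${r.blocklisted}`, `score=${r.score}`, r.verdict, r.findings.join(','));
  }
}
```

The point of the comparison is in the last two creatives: the blocklist stage returns `false` for both the fresh-domain redirect and the cryptojacker, while the behavioral stage blocks both on what they did rather than on where they came from. The legitimate creative's click-initiated navigation scores zero because the `userGesture` flag distinguishes it from a forced redirect, which is also why a behavioral approach produces fewer false positives than blocking every navigation out of an ad slot.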
Forced redirects are a dead giveaway that malicious code is at work. If you see them, back up your system and then run anti-malware software. It scans much like an antivirus product but looks specifically for malware and malvertising code.
Malware security is becoming more common and may be packaged with an antivirus software.
Malware attacks and infections can result from malware programs or directly from a hacker.
The act of blocklisting removes known bad actors and potential threats. The National Security Agency issued information about blocking ad content on the web:
The end goal of malvertising is to steal something from end users. These are the people who have used their computer or mobile device to innocently browse the internet and ended up as the victims of a malvertising attack.
While it is clear that malvertising costs companies dearly, it is also a serious threat to end users. Malvertising can execute payloads that steal data and money and shut systems down.
There are a few ways you can protect your computer as an end user from malware and malvertising:
The kinds of damage malvertising can inflict are varied… and harsh.
Malvertising poses imminent and real threats to a personal or business computer.
In addition to damage to a device itself, malware deployed by malvertising can get your personal information, which could include things like your banking credentials and identity.
Malvertising and exploit kits may set a "drive-by" infection in motion. This means that malicious ads, in addition to redirecting to harmful landing pages, start a chain of events that harms the end user without any click or download on their part.
Site visitors (and their own computers and systems) may be subject to:
Once in, a malware attack may continue to thrive until it’s found and fixed. If it has replaced code or enacted ransomware, malware removal may not be simple at all.
Infected ads don’t just require website security or antivirus software. A real malvertising attack needs real anti-malvertising software. And a computer isn’t the only device at risk.
Mobile malware targets smartphones and other smart devices. No mobile operating system is immune, and as the device owner you should have software installed that protects against it.
The average home or office computer has a full set of antivirus and even anti-malvertising protection. Very few people show the same commitment to safety on their mobile devices, which makes those devices an easy and common target for attackers.
Thousands of malware and malvertising attempts occur on your smartphone each year. There are some user-level efforts you can make to protect yourself, which include:
Sometimes, it’s as simple as following the cybersecurity steps you already know about and do on a computer. Understand that your password hygiene, software updates and anti-malvertising or anti-malware software are just as important on your phone as they are on your desktop or laptop.
At the end of the day, smartphone users must rely on the websites they visit to fully protect them from malvertising attacks as there is only so much they can do themselves.
cleanAD has led the way with proprietary anti-malvertising processes for both publishers and platforms. Our cutting-edge approach leverages behavioral analysis to provide the most effective protection against malvertising on the market.