This article describes the issue of “Malvertising” – what it is, where it comes from and how to stop it – as well as what steps we take to minimize it and what you can do if you notice it.
What is Malvertising?
Malvertising (Malicious Advertising) refers to the injection of malware (bots, viruses, etc.) into otherwise legitimate advertising networks, causing websites to display unauthorized content. These schemes typically take the form of either “phishing” scams that attempt to get the user to provide personal information to a bad actor, or attempts to install malware or use the computer’s resources to launch other attacks. The malvertising may be visually apparent – for example, a “spammy” pop-up alert which, when closed, redirects the user to another page, or a new window opening with unexpected content. In other cases, the malicious code may run in the background without users being aware.
Scope of the problem:
Malvertising has been an ongoing problem for online publishers since at least 2008, but its prevalence increased significantly around 2015, and it has remained an issue for online advertisers and publishers due to the nature of ad networks and the specific tactics employed by attackers that make it difficult to identify and remove. Malvertising can affect any website that uses display ads – the New York Times, the BBC, Newsweek, eBay, Spotify and other high-profile websites and apps have all inadvertently hosted malware through malicious ads.
It’s extremely difficult to detect malvertising for several reasons, including:
- When ads are initially submitted to an ad network, the malicious code is programmed not to execute (there may be a delay, or it is designed to rewrite itself at a certain point). This allows the code to pass any screening or tests the network may perform.
- Malvertising often performs tests to determine if the user has any anti-malware or security software installed and does not run unless it knows it can do so without being detected. It typically also checks to see if the user’s device is vulnerable to the attack and only attempts to execute if it is. This means that it will not run in most cases, and especially will not run when being tested by security or IT professionals, effectively evading those who are most likely to detect it.
- The ad with malicious code may not be displayed on every page view, so while one user may see the ad, another will not. Additionally, the ad (or just the malicious portion of the code) may be set to run only over weekends or at night, making it difficult for the publisher or ad operators to view the ad and trace its source.
- Malicious ads may only run for a short time, or run on and off intermittently, making it even more difficult to identify one and block it while it’s active.
What you can do to identify and block malvertising on your site
Currently, the only method we can use to address malvertising is to identify the source of a malicious ad once it’s seen and block it. Once the source of the ad has been identified, we can block it from running across the network. To help us determine the source of the ad, please alert our support team by sending an email to firstname.lastname@example.org or email@example.com and include as much of the following information as is available and applicable:
- Screenshot or picture of the ad or pop-up message
- Site and page (URL) where it was seen/detected
- Date and time when it was seen
- The geographic location (country, city, etc.) where it was seen
- The type of device (iOS, Android, Windows, Mac, etc.)
- Browser (Safari, Chrome, IE, etc.)
- Connection type (WiFi/broadband or cellular)
If we can reproduce the bad ad ourselves, we should be able to capture the network traffic to track down its source and block it.
Resources for more information
You may find the following pages useful to learn more about malvertising and how to address it: