Malvertising is growing fast – here’s how to avoid it

The security industry is flooded with research showing that malvertising is a major and fast-growing threat.

  • Yahoo! was hit in July by one of the largest malvertising attacks ever seen, said Jerome Segura, Malwarebytes' Senior Security Researcher.

We dig into this threat below to show you how to avoid it.

What is malvertising?

Malvertising is the use of online ads to spread malware.

By creating malicious ads, attackers can use the massive reach of online ad networks to infect more users with ransomware, trojans, and other hazards.

Types of malvertising

  1. Drive-by download

The fastest-growing type of malvertising requires no interaction from the user. Infection begins once the user visits a site and the malicious ad is loaded.

The user’s system is penetrated through software vulnerabilities found in common applications such as Flash and Java. By keeping all software up to date, users can avoid many of these attacks.

However, a recent spike in zero-day attacks means patching will not help in all cases. (More on this below.)

  2. Redirects

Though becoming less common, some malvertising requires interaction from the user. In one example, the user clicks an ad and is redirected to a malicious site that installs malware on the system. 

  3. Fake viruses and updates

Another common malvertising tactic is to claim that the user has a virus or out-of-date application. The user clicks to download and install the fake solution and becomes infected.

Types of malware installed

The type of malware spread by malvertising varies. The payload can be anything from an application that secretly mines Bitcoin to a standard banking Trojan.

Two types of malware that are popular in the recent wave of malvertising, according to Invincea, are ransomware and click-fraud malware.

Ransomware typically encrypts a victim’s files and demands a ransom to unlock them. Click-fraud malware secretly clicks ads to defraud advertisers and generate income for the attacker.

Flash is the biggest target

Adobe Flash is the application most targeted by today’s malvertising attacks. Several zero-day exploits for Flash have recently been discovered in online ads, and there have even been calls to “get rid” of Flash by some.

As you can see in this chart from Bromium’s report, Flash is having its turn in a long cycle of favorite applications to exploit:



Criminals change tactics constantly. Internet Explorer (IE), Java Runtime Environment (JRE), and other applications have been major targets in the past, and we can expect the cycle to continue.

Why is malvertising growing?

Many trends are contributing to the rapid rise of malvertising.

Online ads are convenient for crime

Ad networks give criminals a fast and easy way to reach thousands, even millions, of potential victims for malware.

Buying ads is typically cheap, anonymous, and automated. Advertisers can pay less than a hundred dollars and reach thousands of websites. They can target the ads by site topic, region, and even web browser.

Also, ad networks make buying and uploading ads as fast and easy as possible. By removing barriers, the networks can sell more ad space. Unfortunately, this also makes it easier for attackers to slip in.

All of this gives criminals (and legitimate companies) a fast and easy way to spread their message.

Websites have no control over ads

The internet economy runs on advertising. Without ad revenue, many websites would not exist.

By joining an ad network, websites can easily turn site traffic into revenue. The sites dedicate space to show the ads, and the network pays based on the number of impressions or clicks.

But other than choosing where to show ads on their sites, the site owners have no control over the ads' content. The networks determine which ads are shown, and the ads change every time a page loads.

So websites can show ads that harm visitors without realizing it. Even if they knew, they could not stop the ads from showing without removing the network’s ads completely – and that may kill a site's only revenue stream.

Networks struggle to detect bad ads

Major ad networks serve billions of ads a day. Uncovering the tiny percentage that are harmful is a major task.

The top networks, such as Google Display Network or Yahoo! Bing Network Contextual Ads, have more resources and expertise. They tend to be better at blocking malvertising than the smaller networks.

“These traditionally have more resources and stricter controls… Overall the number of incidents for the major ad networks is much, much lower than those that are less reputable,” said Segura in an interview with AdAge last week.

And there are many smaller networks with fewer resources. Here’s a list of 44.

Major networks infiltrated

Although the major ad networks are typically better at detecting malicious ads, they cannot eliminate the problem completely. Websites such as Yahoo! and YouTube have been hit by malvertising campaigns – partly because they are huge targets.

The chart below from Bromium shows that more than half of all malvertising originates from news and entertainment websites.



Attackers are able to use ad networks to reach some of the most popular sites on the web. That gives them access to vast amounts of traffic, which is helping to spread this threat.

More zero-day exploits

Malvertising attackers are using newly discovered vulnerabilities in common applications to penetrate users’ systems.

These zero-day attacks target vulnerabilities that have not been patched by software vendors. That means anyone using the application is vulnerable.

The combination of a drive-by download with a zero-day attack for an application as widespread as Flash is a frightening prospect. Millions of users are vulnerable, and they only have to load the wrong webpage to be infected.

Malware detection evasion improves

Attackers are improving how they side-step detection by anti-virus and intrusion detection systems.

A growing trend is for malware to build and install itself in a series of steps, rather than loading and installing a full package. The victims gradually receive snippets of malicious code that build into full-scale infection.

As attackers become more adept at avoiding detection and gain access to larger networks and websites, this threat will continue to accelerate.

Attackers gain ROI

Attackers are business-minded. They are in it for the money. As long as malvertising earns a strong return on investment, they will continue to use it.

Whether attackers are buying ads with their own funds or with stolen credit card information is an open question. But for a relatively small investment, a criminal outfit can vastly expand its number of malware infections, thereby pulling more revenue from its click fraud, ransomware, and other efforts.

As long as attackers continue to receive high returns on investment, malvertising will remain a threat.

How to avoid malvertising

The rise in zero-day exploits and detection evasion in malvertising is concerning. But there are several steps you can take to better protect your systems and clients from these attacks.

Never browse as an administrator

Malware typically requires administrator-level access to install. By logging into a workstation as a standard user when browsing the web, you can prevent drive-by downloads and other attacks from installing malware without your knowledge.

For example, if you are logged in as a standard user and a website attempts to force software onto your machine, then you will be required to enter the administrator’s password before the installation can take place.

This can prevent many (but not all) types of malware from installing automatically without your consent.
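A quick way to check whether you are following this advice, as an added example that is not part of the original article: the PowerShell script below reports whether the current session holds administrator rights and lists the accounts that can obtain them on this machine. It uses only built-in .NET and ADSI calls available back to Windows 7.

```powershell
# Added example (not from the Calyptix article): report whether the current
# session is elevated and which local accounts belong to Administrators.

function Test-IsElevated {
    # True when the current process token carries the Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # ADSI WinNT provider: works on Windows 7 / PowerShell 2.0 and later,
    # unlike Get-LocalGroupMember which needs PowerShell 5.1
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated. Browse the web from a standard user account instead.'
} else {
    Write-Output 'This session is not elevated; a silent install would need an administrator password.'
}

Write-Output 'Accounts that can obtain administrator rights on this machine:'
Get-LocalAdministrators
```

Note that with UAC enabled, a member of Administrators who has not clicked through an elevation prompt also reports as not elevated, because the session runs on a filtered token. That is weaker than the article's advice: the admin password is never asked for, only a consent click, so use a genuine standard user account for day-to-day browsing.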

Disable Flash

Adobe Flash is the most targeted application in the recent wave of malvertising. You can disable the Flash plugin in your internet browser, or require Flash to have permission to run, by changing your browser settings.

Here’s how to disable Flash in Internet Explorer and Chrome. Mozilla announced last month that Firefox now blocks Flash by default until further notice.

A downside to this approach is a potential loss of functionality on certain websites, especially some web videos and animations. Many companies are transitioning from Flash to HTML5, but Flash is still widely used.

Disable Java

Although not a primary target in the recent wave of malvertising attacks, Java (developed by Oracle) is another application that is prone to vulnerabilities and often the target of exploits and attacks. Oracle provides instructions for disabling Java on its website.

However, just like Flash, Java is widely used across the web. Disabling it may prevent some applications, such as web conferencing and ecommerce sites, from working properly.
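The "Disable Flash" and "Disable Java" sections above describe the goal but the per-browser instructions are linked rather than quoted. The script below, an added example that is not part of the original article, shows one way an office administrator can apply both settings machine-wide from an elevated PowerShell session: the Internet Explorer ActiveX kill bit for the Flash Player control, the Chrome DefaultPluginsSetting policy, and a system-level Java deployment.properties that turns off Java content in the browser. The registry paths, CLSID and property names are documented by Microsoft, Google and Oracle respectively; re-check them against current vendor documentation before rolling the script out.

```powershell
# Added example (not from the Calyptix article): disable the Flash and Java
# browser plugins on a Windows machine. Run from an elevated PowerShell
# session. Add -WhatIf to the Set-/New- cmdlets to preview the changes.

# 1. Internet Explorer: set the ActiveX "kill bit" (Compatibility Flags = 0x400)
#    for the Flash Player control so IE refuses to instantiate it.
$flashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Flash Player ActiveX control
$killBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid",
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
)
foreach ($key in $killBitKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# 2. Google Chrome: enterprise policy DefaultPluginsSetting
#    1 = allow, 2 = block, 3 = ask (click-to-play).
#    Use 3 if a few sites still need Flash and the user should approve each run.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromePolicy)) { New-Item -Path $chromePolicy -Force | Out-Null }
Set-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' -Value 2 -Type DWord

# 3. Java: turn off "Enable Java content in the browser" for every user through
#    a system-level deployment.properties, enforced by deployment.config.
$javaDir = Join-Path $env:SystemRoot 'Sun\Java\Deployment'
New-Item -ItemType Directory -Path $javaDir -Force | Out-Null
$propsPath = Join-Path $javaDir 'deployment.properties'
Set-Content -Path $propsPath -Value @(
    'deployment.webjava.enabled=false',
    'deployment.webjava.enabled.locked'     # stop users re-enabling it in the Java Control Panel
)
# deployment.config points the JRE at the system properties file and makes it mandatory
$propsUri = 'file:///' + ($propsPath -replace '\\', '/')
Set-Content -Path (Join-Path $javaDir 'deployment.config') -Value @(
    "deployment.system.config=$propsUri",
    'deployment.system.config.mandatory=true'
)
```

Firefox needs no registry change here because, as the article notes, it blocks Flash by default; the equivalent manual setting is the plugin.state.flash preference. The Chrome policy is the one to prefer when you want click-to-play rather than an outright block, since the IE kill bit has no "ask" mode. None of this removes Flash or Java from the machine, so keep patching them: other applications can still load the same runtimes.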

Block ads with plugins

Plugins such as AdBlock Plus are available for major internet browsers. These tools will automatically block most web ads.

Although blocking ads can harm the Internet economy – preventing free websites from generating revenue – you will be able to help prevent malicious ads from harming you and your clients until this problem is stamped out.

Filter websites

Preventing users from visiting malicious websites is always a good idea. Web filtering can help prevent ads from redirecting users to malicious sites, and it can prevent users from directly visiting sites known for drive-by downloads and other attacks.
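The "Block ads with plugins" and "Filter websites" sections both come down to the same mechanism: a list of domains that the browser or gateway refuses to fetch. The PowerShell function below, an added example that is not part of the original article, shows how that matching works for two common list formats, EasyList-style "||domain^" rules and plain hosts-file entries. The list contents and sample requests are constructed for the example; a real deployment loads a maintained list.

```powershell
# Added example (not from the Calyptix article): a minimal domain-blocklist
# check in the style of ad-blocker and web-filter lists. The rules below are
# constructed sample data, not a real blocklist.
$BlockList = @(
    '||ads.example^',                # EasyList-style rule: the domain and every subdomain
    '||malvertising-host.example^',
    'tracker.example'                # plain hosts-file style entry
)

function Get-BlockedDomain {
    param([string]$Rule)
    # Strip the '||' anchor and '^' separator used by filter-list syntax
    return $Rule.TrimStart('|').TrimEnd('^').ToLowerInvariant()
}

function Test-UrlBlocked {
    param([string]$Url, [string[]]$Rules = $BlockList)
    $domain = ([Uri]$Url).Host.ToLowerInvariant()
    foreach ($rule in $Rules) {
        $blocked = Get-BlockedDomain $rule
        # Match the domain itself or any subdomain of it, never a partial label:
        # 'notads.example' must not match a rule for 'ads.example'
        if ($domain -eq $blocked -or $domain.EndsWith('.' + $blocked)) {
            return $true
        }
    }
    return $false
}

# Constructed sample requests: one ad host, one legitimate site, one near-miss
$samples = @(
    'http://cdn.ads.example/banner.swf',
    'https://www.example.org/news',
    'http://notads.example/'
)
foreach ($u in $samples) {
    '{0,-40} blocked={1}' -f $u, (Test-UrlBlocked $u)
}
```

The near-miss case is the one that matters for a filter: a naive "ends with" test would block notads.example along with ads.example, which is how over-blocking complaints start. Browser ad blockers and gateway filters add path and content-type rules on top of this, but domain matching is the part that stops most malvertising redirects.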

Stick with the basics

Basic security practices – such as maintaining updated software, anti-virus, and network security – should always be followed.

Although some attacks use zero-day exploits and are hard to prevent, many attacks use old exploits that have long since been patched. And although some malware and virus variants are new and novel, some are well-known by anti-virus vendors and easily blocked.

So keep your guard up, keep your systems patched, and keep your users educated.

Related resources



Ransomware Prevention: 5 ways to avoid a crisis

Wire Fraud: How an email password can cost you $100,000

Internet Crime and Scams from FBI Annual Report

Top 7 Network Attack Types in 2015 So Far

Written by Calyptix

August 14, 2015

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.