The Surge of Malvertising

Have you ever heard of malvertising? Where does malware hide in the online advertising supply chain, and how does it get inserted?

What is Malvertising?

Malvertising is a cyberattack in which criminals inject malicious code into legitimate online advertising networks and use those networks to deliver it to users' browsers. They plant the malicious ads where ad publishers and advertising networks are least likely to look. The attack spreads quickly through legitimate websites because it never has to compromise the website itself: the site's own code stays clean while the ad slot it rents out serves the payload.

What is Malware?

Malware is malicious software that gets onto a user's computer and takes control of it or of its resources. The impact on the user varies, and most of it is harmful: identity theft, credential-stealing phishing pages, fraud, or the machine being used in further attacks.

Types of malware include viruses, worms, Trojan horses, adware, spyware, ransomware, and scareware.

What is Malvertisement (Malicious Advertisement)?


A malvertisement is an online advertisement capable of infecting the viewer's computer with malware. According to the network security company Blue Coat Systems Inc., malvertising is the current computer hijacking technique of choice for organized crime. Compromised computers are assembled into powerful botnets that carry out identity theft, corporate espionage, or other illegal activity.

How is malware inserted in malvertising?


Malware insertion is highly sophisticated, and attackers use a variety of insertion techniques.

If you think you are safe as long as you do not click on a suspicious ad or download a deceptive file, you are mistaken. Clicking is not required: in many cases the malicious code runs pre-click, as soon as the ad loads.

Examples of pre-click delivery include code embedded in the page's main scripts and drive-by downloads. Malware can also auto-run, as with automatic redirects, where the user is taken to a different, possibly malicious, site without touching anything.

The delivery itself can be the attack vector: an ad whose creative is clean both before and after the click can still infect the user if one of the hops in the ad-call chain serves malicious code. That code hides among dozens of legitimate requests, and the user has no idea what is coming their way.

Where can malware hide?


Malware can hide in several spots and can infect a user in various ways – sometimes the user will need to click on an ad or link to trigger the infection, and sometimes no links are needed to unleash the malware.

• In the Delivery Path


There are two delivery pathways to serve an ad:

1 – Ad Calls / Pre-click

The first pathway is known as the "ad call" or pre-click pathway. The platform or exchange resolves which ad to serve and pushes it to the user's browser. An ad call can pass through many third parties (exchange, demand-side platform, ad server, verification vendors), any of which may insert malicious code. The user is infected without doing anything.

2 – Post-Click

The second pathway is post-click. When the user clicks the ad, the browser follows a series of redirect URLs to reach the final landing page, and any third party on that path can insert malicious code or send the user to a malicious destination.
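The practical check for both pathways is to record the chain of requests an ad slot or a click actually produces and ask which hosts touched it. The following script is an added example, not code from the original article: it audits a constructed redirect chain (the kind you would capture from a proxy log or a headless-browser crawl) against an assumed allowlist of contracted partners, and flags unknown hops, https-to-http downgrades, open-redirector style parameters, and overly long chains. All hostnames and the allowlist are made up for illustration.

```python
"""Audit a recorded ad-call (pre-click) or click (post-click) redirect
chain for hops that should worry a publisher.

Added example for this article, not part of the original text. The
chain and the partner allowlist below are constructed; a real chain
would come from a proxy log or a headless-browser crawl of the ad slot.
"""
from urllib.parse import urlparse, parse_qs

# Hosts the publisher has a direct contract with (assumed allowlist).
KNOWN_PARTNERS = {
    "ads.example-ssp.com",
    "cdn.example-dsp.net",
    "click.brand-example.com",
}

# Constructed sample: an ad call that passes through an unknown vendor,
# which redirects to a plain-HTTP landing page via a URL parameter.
SAMPLE_CHAIN = [
    "https://ads.example-ssp.com/bid?slot=top",
    "https://cdn.example-dsp.net/creative/123.html",
    "https://track.unknown-vendor.biz/r?u=http://evil.example/landing",
    "http://evil.example/landing",
]


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for a demo, wrong for
    multi-label public suffixes such as co.uk (use a PSL library there)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_chain(chain, partners=KNOWN_PARTNERS, max_hops=3):
    """Return a list of (hop_index, reason) findings for a redirect chain."""
    findings = []
    allowed = {registered_domain(h) for h in partners}
    prev_scheme = None
    for i, url in enumerate(chain):
        p = urlparse(url)
        # A redirect into javascript: or data: means code execution, not navigation.
        if p.scheme in ("javascript", "data"):
            findings.append((i, f"non-HTTP scheme in redirect: {p.scheme}:"))
            continue
        host = p.hostname or ""
        if registered_domain(host) not in allowed:
            findings.append((i, f"hop to unknown third party: {host}"))
        if prev_scheme == "https" and p.scheme == "http":
            findings.append((i, "downgrade from https to http"))
        # Redirectors that take the next destination as a query parameter
        # can be pointed anywhere by whoever controls the upstream hop.
        for key, vals in parse_qs(p.query).items():
            for v in vals:
                if v.startswith(("http://", "https://")):
                    findings.append((i, f"open-redirect style parameter {key}={v}"))
        prev_scheme = p.scheme
    if len(chain) > max_hops:
        findings.append((len(chain) - 1, f"chain length {len(chain)} exceeds {max_hops}"))
    return findings


if __name__ == "__main__":
    for hop, reason in audit_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: {reason}")
```

Run against the sample chain, the first two hops pass cleanly and everything after the unknown vendor is flagged. The allowlist is the part that needs maintenance: it should be the set of parties the publisher or platform has actually contracted with, not a list of hosts seen in the wild.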

• Embedded in the Creative


Malware might be embedded in the content or graphic piece itself.

For example, an HTML5 creative is a bundle of images and JavaScript, and that JavaScript can carry malicious code. Another example is code embedded in a Flash .swf file (Adobe ended Flash support at the end of 2020 and browsers no longer run it, but the same risk applies to any creative format that can execute code). The malicious code runs when the ad loads, without the user clicking anything.

Even when the creative contains no malicious code pre-click, malicious code can still be introduced once the user clicks, through the post-click path described above.
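Ad platforms screen HTML5 creatives before they are trafficked, and a first pass is a static scan for constructs a display banner has no business using. The scanner below is an added example, not code from the original article. It parses a constructed sample creative with the standard-library HTML parser and flags inline or event-handler JavaScript that evaluates strings as code, navigates the top frame, or decodes hidden payloads, plus scripts loaded from hosts outside an assumed allowlist, iframes, and meta-refresh redirects. It is a heuristic that catches careless or lightly obfuscated creatives; it is no substitute for running the creative in a sandboxed iframe.

```python
"""Static scan of an HTML5 ad creative for code a banner should not need.

Added example for this article, not from the original text. The sample
creative and the script-host allowlist are constructed. Heuristic only:
a determined adversary can evade string matching, so pair this with
sandboxing at serve time.
"""
import re
from html.parser import HTMLParser

# Script hosts the ad platform is prepared to load (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-adserver.com"}

# Patterns that legitimate display creatives rarely need.
SUSPICIOUS_JS = {
    "eval": re.compile(r"\beval\s*\("),
    "string_to_code": re.compile(r"\b(?:setTimeout|setInterval|Function)\s*\(\s*[\"']"),
    "document_write": re.compile(r"document\.write(?:ln)?\s*\("),
    "top_navigation": re.compile(r"\b(?:top|parent)\.(?:location|window\.location)"),
    "encoded_payload": re.compile(r"fromCharCode|unescape\s*\(|atob\s*\("),
}


class CreativeScanner(HTMLParser):
    """Collect findings from inline scripts, event handlers, script
    sources, iframes and meta refreshes while the document is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                # Strip scheme or protocol-relative prefix, keep the host.
                host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()
                if host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(f"external script from {host or src}")
        elif tag == "iframe":
            self.findings.append(f"iframe to {a.get('src') or '(no src)'}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        # Inline event handlers (onclick, onload, ...) are script too.
        for name, value in attrs:
            if name.startswith("on") and value:
                self._check_js(value, where=f"{tag} {name}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data.
        if self._in_script:
            self._check_js(data, where="inline script")

    def _check_js(self, code, where):
        for label, pattern in SUSPICIOUS_JS.items():
            if pattern.search(code):
                self.findings.append(f"{label} in {where}")


def scan_creative(html: str) -> list:
    """Return the list of findings for one creative."""
    scanner = CreativeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: looks like a normal clickTag banner, but it pulls a
# script from an unlisted host and redirects the top frame after a delay.
SAMPLE_CREATIVE = """
<!doctype html><html><body>
<img src="banner.png" onclick="window.open(clickTag)">
<script src="https://cdn.example-adserver.com/lib.js"></script>
<script src="//cdn.unlisted-vendor.biz/x.js"></script>
<script>
  setTimeout("top.location='https://evil.example/landing'", 3000);
  eval(atob("YWxlcnQoMSk="));
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_creative(SAMPLE_CREATIVE):
        print("-", finding)
```

The clean clickTag handler on the image produces no finding, which is the behaviour you want: the scanner should let ordinary creatives through and escalate only the ones that fetch code from unknown places or try to move the page.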

• Within a Pixel


A tracking pixel can be embedded in a variety of places, including in a banner and on a landing page.

Pixels usually travel with the ad call; they are small snippets of code (typically a 1x1 image or a script tag) that report data to a server in a URL query string.

Typically, one "fires a pixel" to record a specific user interaction. In the malware case, the pixel sends data to the "receiver", which responds by sending malware (for example, a pop-up or pop-under). A caveat worth knowing: an image pixel can only leak data, because the browser treats the response as image bytes, whereas a pixel implemented as a script or iframe executes whatever the receiver returns. That is one reason to allow only image-based pixels from parties you do not fully trust.

• Within a Video


Video ads can carry malware too, and the video player itself offers no protection against it. Take a standard VAST video ad: the VAST response lists tracking pixels from third parties, and any one of them can point at a host that returns malicious code (when the pixel is a script or frame rather than a static image).

So once the user allows the video ad to load and play, the player fires those pixels and the user can become infected.

Alternatively, the post-click URL at the end of the video ad can be malicious. In the Flash era, a .swf file could also inject an iframe into the page, and that iframe would download the malware onto the user's computer. The user does not even have to click on the video.
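Because a VAST document is plain XML that enumerates every URL the player will request, it can be audited before the ad is ever played. The script below is an added example, not code from the original article: it parses a constructed VAST 3.0 response with the standard library, lists every impression, tracking, click and media endpoint, and flags those on hosts outside an assumed allowlist or fetched over plain HTTP. The hostnames and the allowlist are assumptions made for the illustration.

```python
"""List every network endpoint a VAST video ad makes the player contact,
and flag the ones a publisher has no relationship with.

Added example for this article, not part of the original text. The VAST
document below is constructed; hosts and the allowlist are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TRUSTED_HOSTS = {"ads.example-adserver.com", "media.brand-example.com"}

# VAST elements whose text content is a URL the player will request.
URL_ELEMENTS = {
    "Impression": "impression pixel",
    "Tracking": "event pixel",
    "ClickTracking": "click pixel",
    "ClickThrough": "landing page",
    "MediaFile": "media file",
    "VASTAdTagURI": "wrapper redirect",
    "Error": "error pixel",
}

# Constructed sample: one trusted ad server plus an unknown vendor that
# fires a script-style "pixel" over plain HTTP on the complete event.
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="demo">
    <InLine>
      <AdSystem>ExampleAdServer</AdSystem>
      <AdTitle>Constructed sample</AdTitle>
      <Impression><![CDATA[https://ads.example-adserver.com/imp?id=1]]></Impression>
      <Impression><![CDATA[https://px.unknown-vendor.biz/i.gif?id=1]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <Duration>00:00:15</Duration>
            <TrackingEvents>
              <Tracking event="start"><![CDATA[https://ads.example-adserver.com/t?e=start]]></Tracking>
              <Tracking event="complete"><![CDATA[http://cnt.unknown-vendor.biz/t.js?e=complete]]></Tracking>
            </TrackingEvents>
            <VideoClicks>
              <ClickThrough><![CDATA[https://media.brand-example.com/landing]]></ClickThrough>
            </VideoClicks>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
                <![CDATA[https://media.brand-example.com/spot.mp4]]>
              </MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>
"""


def extract_endpoints(vast_xml: str):
    """Return (kind, event, url) for every URL-bearing element in the VAST."""
    root = ET.fromstring(vast_xml)
    out = []
    for tag, kind in URL_ELEMENTS.items():
        for el in root.iter(tag):
            url = (el.text or "").strip()  # CDATA arrives as plain text
            if url:
                out.append((kind, el.get("event"), url))
    return out


def audit_vast(vast_xml: str, trusted=TRUSTED_HOSTS):
    """Findings for endpoints on untrusted hosts or served over plain HTTP."""
    findings = []
    for kind, event, url in extract_endpoints(vast_xml):
        p = urlparse(url)
        host = (p.hostname or "").lower()
        label = f"{kind}{' (' + event + ')' if event else ''}"
        if host not in trusted:
            findings.append(f"{label} on untrusted host {host}")
        if p.scheme != "https":
            findings.append(f"{label} fetched over {p.scheme}: {url}")
    return findings


if __name__ == "__main__":
    for finding in audit_vast(SAMPLE_VAST):
        print("-", finding)
```

A wrapper tag (VASTAdTagURI) is listed too, because a wrapper means the player will fetch another VAST document from another party, and the audit has to be repeated on that response before the chain is fully known.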

• On the Landing Page


A malicious URL can appear on the final landing page. The landing page itself, and the path to it, may be clean while elements on the page that the user is invited to click contain malicious code. What makes this alarming is that the user feels safe by this point, only to be infected by clicking an element within the page.

• Within a Polite Banner

Malicious code can be found in the URL tags of a polite banner. (A polite banner is a lightweight placeholder ad shown for a couple of seconds while the heavier creative, historically a Flash file, finishes loading.) The actual ad is clean, but the "polite" placeholder that keeps the user occupied while it loads contains malicious code. Again, the user needs to take no action to become infected.

By infiltrating popular syndicated online ad services, attackers can hit thousands of sites at once. Websites that run third-party ads have less control than they would like, because syndicated ads are not under their direct management; what they can do is isolate ad slots in sandboxed iframes that do not grant top-frame navigation or pop-ups, and restrict which hosts the slot may load from.

In fact, the company they receive ads from may itself resell inventory from other networks, so the original source of an advertisement can be several parties removed.

Malvertisement infections have become so prevalent that many security experts recommend that users block pop-up ads and use application allowlisting, so that their computer only runs programs that have been explicitly approved.
