Malvertising: Avoid These Infected Ads!

Malvertising is on the rise. Malvertisements are ads that have been infected with malware. They can be difficult to detect because they look like legitimate advertisements until you click them. Once malvertisements infect your computer, they will try to trick you into installing more malware or giving up sensitive information. In this article, we’ll discuss malvertising and how you can keep malvertisements from affecting your device!

[Image: example of a malvertisement pop-up imitating a Costco ad]

(Image credit: Sectigostore.com)

Above is an example of a malvertisement pop-up that you have likely experienced. In this example, the user is greeted by an ad supposedly from Costco. But in reality, the ad likely has nothing to do with Costco and will lead the user to a page encouraging them to download a malicious program or code.

This ad is a fairly obvious malvertisement because it uses language that a company like Costco wouldn’t (such as referencing your exact device), but other malvertisements aren’t as obvious, especially those posted on legitimate sites.

When browsing the web, you will commonly encounter two types of malvertisements:

  1. Illegitimate ads that lead to a malicious site or download
  2. A legitimate ad that has been hijacked to link to a malicious site or download

How to Spot Malvertisements

Luckily, most malvertisements are relatively obvious, and there are a few steps you can take to decide whether an ad is a malvertisement.

On the website

When you are on a website, there are a few ways to assess the ads it shows.

Sketchy Website: Before looking at the actual ad, consider the site you are on. Is it a site like Techcrunch.com that generally caters to corporate advertising? Or is it a site like Piratebay that already offers illegitimate downloads and is not picky about advertisers?

If the site is professional and clearly choosy about advertisers, more likely than not the ads are safe. If the site is not choosy about advertisers and the ads seem incoherent, clickbaity, or offer something too good to be true, there’s a high likelihood you will run into malvertisements on that site.

Incoherent Ads: Legitimate ads tend to be targeted. For example, Techcrunch.com will likely feature mostly ads for technology products and services. And if you have data tracking enabled in your browser, services like Google AdSense will display ads relevant to you: if you just moved and have been shopping for patio furniture, you will see ads for patio furniture and related products.

Illegitimate ads, on the other hand, are not targeted: for example, the auto-generated ones about aging celebrities, weird weight-loss tricks, and government tax benefits in your state.

Low-Quality Ads: Businesses spend thousands on advertising, and they want to make sure the ad is perfect. Legitimate ads use crisp fonts and images, and all elements line up.

Malvertisements, on the other hand, often look low quality: they use low-quality pictures, contain spelling or grammar errors, and place assets like logos oddly. Some are obviously very low quality, whereas others, such as those trying to imitate a legitimate ad, may only look off after you glance at them for a moment.

Clickbait Ads: If an offer is too good to be true or the ad is using clickbait, there’s a high likelihood the ad is fake and is likely a malvertisement. Ads saying you just won a new iPhone, or that your favorite celebrity has gained 600 pounds in 3 months, are likely fake.

When you Click on the Ad

Let’s say you did click on an ad, because it looked legitimate, lured you in with clickbait, or just piqued your curiosity. Most of the time, a malvertisement will take you to a page that clearly isn’t right. Here are some examples:

A file share site link: If you have immediately been taken to a file-sharing site LEAVE! What you clicked on is almost certainly a malvertisement.

A page with more ads: If you were brought to a page with a bunch of extra ads and basically no content, you are being pushed through a funnel that will either earn them ad revenue or eventually lead you to download malware.

A blank page that prompts a download: If the ad leads to a blank page that prompts a download, either via the page itself or your web browser’s pop-up system, this is almost certainly a malvertisement.

Landing page has no other links or won’t let you go back: A page might be designed to constantly reload so that you can never return to your previous page, and it likely won’t include any links to go to another page.

Hacking Legitimate Ads

Although most malvertisements are distributed as separate advertisements, the malvertisement likely to cause the most damage is a legitimate ad that has been hijacked to link to a page containing malware.

This can happen in a couple of ways:

  • The ad account (Google AdWords, Bing advertisements, etc.) has been hacked and the URL attached to the advertisement has been manually changed.
  • The website domain attached to the ad has been DNS hijacked and now points to a site containing malware.

DNS Hijacking

DNS hijacking is the act of changing a domain’s DNS records to point to a different IP address. If an attacker was able to change a website’s DNS, you would end up visiting a malicious website without knowing it is bad or infected.

DNS hijacking affects sites big and small. Lately, businesses associated with cryptocurrency have been major targets for DNS hijacking. For example, Bitcoin.org was attacked, and the attackers led users to a site claiming it would double any money deposited into what was supposedly a bitcoin.org wallet (see “Bitcoin.org hackers steal $17,000 in ‘double your cash’ scam”, bleepingcomputer.com).

Most domains on the internet are held by registrars such as GoDaddy, Enom, Namecheap, etc. This means that if a registrar is infiltrated, hackers can gain access to either a specific account or a whole portfolio of domains. For the end user, this means that even if a site seems too big to suffer DNS hijacking, it isn’t. Stay cautious when clicking on ads, and leave if you spot any of the signs listed toward the beginning of this article.
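For a site owner, the practical defense against the hijacking described above is to notice quickly when a domain starts resolving somewhere it shouldn’t. The check below is an added example written for this article, not code from the page or from any of the companies named; it compares a domain’s current A records against a known-good baseline of address ranges, and the domain, addresses and fake resolver are constructed so it runs offline.

```python
import ipaddress
import socket

def resolve_ipv4(hostname):
    """Look up a hostname with the system resolver and return its IPv4 addresses."""
    return set(socket.gethostbyname_ex(hostname)[2])

def check_dns_baseline(hostname, baseline_networks, resolver=resolve_ipv4):
    """Compare a domain's current A records against a known-good baseline.

    baseline_networks: CIDR strings recorded while the domain was known to be
    healthy (networks rather than single addresses, since CDNs rotate IPs).
    Returns (status, unexpected): status is 'ok', 'hijack-suspected' or
    'resolve-error'; unexpected is the sorted list of out-of-baseline IPs.
    """
    allowed = [ipaddress.ip_network(net) for net in baseline_networks]
    try:
        observed = resolver(hostname)
    except OSError:
        # NXDOMAIN or resolver failure: worth alerting on, but not a hijack verdict
        return "resolve-error", []
    unexpected = sorted(
        ip for ip in observed
        if not any(ipaddress.ip_address(ip) in net for net in allowed)
    )
    return ("hijack-suspected" if unexpected else "ok"), unexpected

# Constructed sample data (assumed domain, documentation-range addresses) and a
# fake resolver so the check runs offline; none of these are real DNS records.
SAMPLE_BASELINE = {"shop.example": ["198.51.100.0/24"]}
SAMPLE_ANSWERS = {
    # one of the two records now points outside the baseline range
    "shop.example": {"198.51.100.10", "203.0.113.7"},
}

def fake_resolver(hostname):
    if hostname not in SAMPLE_ANSWERS:
        raise OSError("NXDOMAIN (constructed)")
    return SAMPLE_ANSWERS[hostname]

if __name__ == "__main__":
    for host, nets in SAMPLE_BASELINE.items():
        print(host, check_dns_baseline(host, nets, resolver=fake_resolver))
```

Run it on a schedule against the real resolver (the default) and alert on anything other than 'ok'; querying a second, independent resolver as well catches cases where only one resolver has been poisoned.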

Hacking an Advertising Account

Another way to redirect users is simply to hack the credentials of the advertiser’s account. If there is no 2FA or other security feature defending the account, it’s as easy as discovering the username and password.

Once in the account, all a hacker has to do is edit an active campaign to use a new URL. And because many ads don’t show the destination URL up front, it can be very difficult for you to notice anything wrong with an ad.

Unfortunately, although more difficult, hijacking legitimate advertisements is a very effective way to trick users into visiting a malicious site. Legitimate advertisements already look good, and the one thing that differentiates a hijacked ad from the original, its destination URL, is very difficult to spot.

In the case of malvertisements created from hijacked legitimate ads, it’s best to be critical of sites you visit and make sure you do not download anything. If the ad is for a downloadable solution, it’s best to leave and visit a site you can verify is legitimate to download the product.

Summary

Growing along with the overall increase in malware over the years, malvertisements have become a greater threat. Unfortunately, malvertisements work because they pique curiosity, mask themselves as legitimate products, and strike while you are performing normal searches. They are difficult to defend against, so please use the tips outlined in this article to protect yourself.

The Changing Face of Ransomware

Malvertisements are part of the new changing face of malware. Malvertisements are just another example of how cybercriminals are getting more creative.

Out of all types of malware, ransomware is arguably the type that is adapting most rapidly. Ransomware keeps innovating and finding new ways to target you, so we prepared this article so you can learn about the Changing Face of Ransomware (link).
