Understanding and avoiding malvertizing attacks

A padlock resting on a keyboard.
(Image credit: Passwork)

Online advertisements can be an annoying interruption to our normal browsing habits. However, they are often necessary because they serve as the primary funding source for the otherwise free websites we use daily. Ever wonder how those ads end up on your screen? Well, there’s a fascinating supply chain behind the ads, and it’s interesting to pick apart.

Typically, a website that serves ads does not hand-pick the specific advertisements displayed on its platform. Instead, it chooses ad categories to block, allocates ad space, and then displays whichever ads its advertising vendor provides. Advertising vendors are responsible for sourcing both the advertisers and the websites that display their advertisements. But what if those advertisers aren't legitimate? What if they're threat actors or scammers looking to lure potential victims with seemingly legitimate software or with offers to fix their computer? This malicious use of ads is referred to as malvertizing.

Malvertizing uses many of the same tactics as social engineering, relying heavily on persuasive language and attention-grabbing images to drive a sense of urgency or fear. This encourages victims to act quickly without inspecting the legitimacy of the website linked in the ad. Malvertizing attacks are becoming increasingly sophisticated, with cybercriminals leveraging trusted platforms like Facebook and other social media networks to distribute malicious content. By exploiting the trust and reach of these platforms, attackers can reach a wider audience and potentially compromise more victims. This also makes it more challenging for users to distinguish between legitimate and malicious ads.

Adding to the complexity, threat actors employ techniques to mask their identities and evade detection. This can include social engineering such as phishing, as well as session token theft or infostealer malware, to gain access to legitimate ad accounts. By hijacking trusted accounts, attackers can bypass security measures designed to prevent malicious organizations from buying ad space.

Chris Henderson

Leads Threat Operations and Internal Security at Huntress.

Three common types of malvertizing attacks that users should be aware of are:

Scam Malvertizing: Attackers display ads with language similar to “Your computer is infected, call us immediately to remediate!” Once a victim calls, the scammers will typically convince them to install software that starts a remote control session on the victim’s computer. They then overwhelm the victim with misinformation, hoping to convince them that the situation is too complex to understand, and finally ask them to pay money to remediate the non-existent security concern.

Fake Installer Malvertizing: A common technique that delivers malware directly to the victim and therefore poses a more significant threat. Attackers pose as legitimate software vendors to deliver a modified version of the software that typically includes an infostealer or an initial access mechanism. These attacks aim to catch the victim while they are in a hurry to install the software. Often, we see QuickBooks used as a lure, with attackers sponsoring malicious ads designed to be displayed next to legitimate QuickBooks links. The malicious ads then lead to a cloned QuickBooks website that serves users a compromised installer. Similarly, fake browser extensions imitate legitimate ones, tricking users into installing them. Once installed, they can capture sensitive data, including browsing history, passwords, and credit card information, putting both individuals and businesses at significant risk.

Drive-by-download Malvertizing: These malicious ads require no engagement from the viewer; simply loading them in your browser is enough to install a new web extension or download malware. This tactic heavily relies on the victim not keeping their browser up to date and utilizes previously known and patched vulnerabilities. There is a reason your browser is constantly asking you to update it; these updates keep the browser secure against newly discovered weaknesses. Keep your browser updated, and don’t make attackers’ jobs easier.

Avoiding attacks

To avoid falling prey to malvertizing attacks such as scam malvertizing, it's essential to think critically before engaging with any suspicious ad. If you receive an ad claiming you are a victim and need to call for support, stop and ask whether the claim even makes sense at face value. How would this vendor be aware you had a virus on your computer? Does Microsoft really have a division of staff proactively buying ad space to inform its customers there may be a virus on their computer? While answering these questions generally requires at least some level of technical acumen, there are other telltale signs that an ad may be a scam. Many of these scams claim to be Microsoft technical support or its security team. Check where the ad is going to take you. If the domain is not www.microsoft.com, then you can almost guarantee it is a scam, especially when coupled with a message claiming it is time-sensitive or extremely critical.
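The domain check described above, and the earlier point about cloned QuickBooks download sites, can be made mechanical: compare the hostname an ad link actually resolves to against the domains the claimed vendor really uses. The following is an added example and is not code from the article or from Huntress; the allowlist of vendor domains and the sample ad links are constructed for illustration, and Microsoft and QuickBooks appear only because the article names them.

```python
"""Check where an ad link actually leads before trusting it.

Added example, not code from the article or from Huntress. The allowlist
of vendor domains and the sample ad links below are constructed for
illustration.
"""
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: registrable domains a legitimate vendor actually uses.
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "quickbooks": {"intuit.com", "quickbooks.com"},
}


def landing_host(url: str) -> Optional[str]:
    """Return the lowercase hostname an http(s) link resolves to, else None.

    urlparse().hostname drops the userinfo part, so a link written as
    https://www.microsoft.com@evil.example/ yields 'evil.example', which is
    where the browser would actually go.
    """
    try:
        parsed = urlparse(url.strip())
    except ValueError:  # malformed IPv6 literal and similar
        return None
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.rstrip(".").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True when host is `domain` or a label-aligned subdomain of it.

    'www.microsoft.com' matches 'microsoft.com'; 'microsoft.com.evil.example'
    and 'notmicrosoft.com' do not.
    """
    return host == domain or host.endswith("." + domain)


def check_ad_link(url: str, brand: str) -> tuple[bool, str]:
    """Decide whether an ad claiming to be from `brand` lands on that brand's domain.

    Returns (is_trusted, reason). The reason always names the real hostname so a
    reviewer sees where the click would go.
    """
    allowed = TRUSTED_DOMAINS.get(brand.lower())
    if not allowed:
        return False, f"no allowlist for brand {brand!r}"
    host = landing_host(url)
    if host is None:
        return False, "not a parseable http(s) link"
    if any(host_belongs_to(host, d) for d in allowed):
        if urlparse(url.strip()).scheme != "https":
            return False, f"{host} is a {brand} domain but the link is plain HTTP"
        return True, f"{host} is a {brand} domain"
    if "xn--" in host:
        return False, f"{host} uses punycode (possible lookalike), not a {brand} domain"
    if brand.lower() in host:
        return False, f"{host} only contains '{brand}' in its name, not a {brand} domain"
    return False, f"{host} is not a {brand} domain"


if __name__ == "__main__":
    # Constructed sample ads: (text the ad shows, where it links, brand it claims).
    SAMPLE_ADS = [
        ("Microsoft Support - Get Help", "https://www.microsoft.com/en-us/support", "Microsoft"),
        ("Your PC is infected! Call now", "https://microsoft-support.example/call-now", "Microsoft"),
        ("Microsoft official site", "https://www.microsoft.com@evil.example/", "Microsoft"),
        ("QuickBooks Download", "https://quickbooks.intuit.com/download", "QuickBooks"),
        ("QuickBooks Download", "https://quickbooks-download.example/setup", "QuickBooks"),
    ]
    for text, url, brand in SAMPLE_ADS:
        trusted, reason = check_ad_link(url, brand)
        print(f"{'OK  ' if trusted else 'WARN'} {text!r}: {reason}")
```

The check deliberately matches on whole DNS labels rather than on the brand name appearing anywhere in the hostname, which is exactly the property a lookalike such as microsoft-support.example exploits; a hostname that merely contains the brand is reported as suspicious rather than accepted.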

Preventing yourself from falling victim to malvertizing requires a careful eye: taking a moment to stop and think about the claims of an ad, ensuring you are being directed to a legitimate site, and clicking that ‘update’ button every time it shows up in your browser. To defend against malvertizing, advertising vendors should implement more rigorous checks on advertisers and their content to ensure legitimacy. Additionally, employees should be trained to identify suspicious emails, websites, and online ads, empowering them to avoid falling victim to these attacks. Threat actors are using more and more legitimate tools maliciously, advertisements included. A healthy dose of skepticism never hurt anyone, so the next time you see a suspicious ad, be cautious and ensure it’s legitimate before clicking on it.

This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
