- Malvertising uses seemingly legitimate advertisements to distribute malware, scams and malicious redirects without requiring the user to click.
- This technique can exploit vulnerabilities in browsers, plugins, and systems to launch downloads that deliver ransomware, spyware, adware or cryptominers.
- It is a threat that affects Windows, macOS, mobile devices and business environments, even reaching major media outlets and online services.
- The combination of up-to-date security software, ad blockers, current systems, and good browsing habits significantly reduces the risk.

The next time you see an eye-catching ad while browsing peacefully, keep in mind that it's not always just harmless advertising. An attractive banner, an annoying pop-up or an offer that seems too good to be true may be hiding a malvertising attack ready to infect your device even if you do nothing more than load the page.
This technique has become one of cybercriminals' favorite methods because it takes advantage of legitimate advertising and trust in well-known websites to sneak in all kinds of malware: ransomware, spyware, Trojans, adware, and much more. Let's take a closer look at exactly what malvertising is, how it works, what types exist, what damage it can cause, and, above all, how you can minimize the likelihood of falling into the trap.
What is malvertising or malicious advertising?
The term malvertising comes from combining the English words “malicious” and “advertising”, that is, malicious advertising. It refers to the use of online ads as a vehicle to spread malware, scams, and other dangerous content. The key is that the attack slips through legitimate advertising spaces, usually managed by large advertising networks, and ends up appearing on pages that the user perceives as safe and trustworthy.
Instead of directly attacking the website or company where the ads are displayed, the criminals infect advertising creatives or advertising supply chains. In this way, the ads appear normal, are distributed through real platforms, and end up reaching thousands or millions of users without raising suspicion.
Malvertising can work in two main ways: through clicks on the ad, which lead the user to fraudulent sites or malicious downloads, or through drive-by downloads, where simply viewing the page containing the ad is enough for the attack to be executed by exploiting flaws in the browser, in plugins such as Flash or Java, or in the system itself.
The most worrying thing is that we're talking about a technique that requires hardly any interaction: in many cases, the user doesn't even have to click on the ad to end up compromised, which makes it a stealthy threat that is difficult to detect at first glance.
How a malvertising attack works
To understand why it's so effective, it's helpful to see how a typical malvertising attack is orchestrated, from the moment the attacker prepares the campaign until the user is infected without realizing it. It all relies on the standard workings of online advertising, which are based on ad networks, automated bidding, and mass distribution.
First, attackers create or manipulate advertisements (banners, text ads, videos, pop-ups, etc.) and insert malicious code, scripts, or hidden redirects into them. These ads usually comply with the visual and technical standards of the advertising platforms, so they pass the basic filters relatively easily.
They then send these creative assets to legitimate advertising networks or intermediaries (ad exchanges, programmatic buying platforms, etc.), which distribute them to thousands of websites that monetize their content with ads. Often, neither the advertising network nor the publisher has full visibility of all the code behind each banner, so the attack goes unnoticed.
When a user visits a page with that advertising space, the browser makes a request to the ad network and the malicious creative is loaded along with other normal ads. From here, two things can happen: the user clicks on the ad and is redirected to a fraudulent website, or the mere act of displaying the ad executes, in the background, an exploit that attempts to take advantage of vulnerabilities in the browser, plugins, or system.
In the case of drive-by downloads, an invisible iframe or page elements that the user neither sees nor interacts with are typically used. These resources load an exploit kit, which analyzes the system: browser version, installed plugins, operating system, location, etc. Based on this information, the command and control server decides what type of malware is most profitable to install on that specific machine.
Types of campaigns and malvertising techniques
Over the years, malvertising has evolved from exploiting very specific vulnerabilities (as happened with Adobe Flash in the first documented cases in 2007-2008) to deploying a fairly extensive catalog of tactics and tricks to bypass controls and maximize the effectiveness of infections. These are some of the most common methods.
Steganography in advertisements
Steganography consists of hiding one piece of information within another so that it goes completely unnoticed. In the context of malvertising, attackers hide malicious code within seemingly normal images: a banner, a product photo, or any graphic that is part of the advertisement.
Malware can hide in a small area of pixels or in the image metadata; the advertising network and the user see a standard file with nothing unusual, but when the ad loads, the embedded code is extracted and executed through associated scripts. This technique greatly complicates detection, even for advanced security solutions.
Polyglot images
So-called polyglot images go a step further: they are files capable of behaving simultaneously as a valid image and as another type of executable file or script. In practice, this allows both the malicious payload and the code needed to launch it to travel within a single image.
Because they do not rely on visible external scripts, ads that use polyglot images are more autonomous and more difficult to filter. The file can be interpreted simultaneously by the browser as a graphic resource and by the JavaScript engine as code to be executed, without the user noticing anything unusual in the interface.
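A structural check covers two of the hiding places mentioned in the steganography and polyglot sections: image metadata, and data attached to an otherwise valid image. The following is an added example, not code from the original article; it handles PNG only, the marker list is an illustrative assumption, and the sample files are constructed inline. It does not detect payloads hidden in pixel values.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Tokens that have no business inside an ad image (illustrative list, an assumption).
SCRIPT_MARKERS = (b"<script", b"eval(", b"document.", b"<iframe", b"javascript:")
TEXT_CHUNKS = {b"tEXt", b"iTXt"}  # compressed text is not inflated here


def audit_png(data: bytes) -> list[str]:
    """Walk the PNG chunk list and return findings (an empty list means clean)."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG: signature missing"]
    findings, pos = [], len(PNG_SIG)
    seen_iend = False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return findings + [f"chunk {ctype!r} runs past end of file"]
        body = data[pos + 8:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) != crc:
            findings.append(f"chunk {ctype!r} has a bad CRC")
        if ctype in TEXT_CHUNKS:
            for marker in SCRIPT_MARKERS:
                if marker in body.lower():
                    findings.append(f"script-like text {marker!r} in {ctype.decode()} metadata")
        pos = body_end + 4
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        # A clean PNG ends at IEND; anything after it is invisible to image viewers.
        findings.append(f"{len(data) - pos} bytes appended after IEND")
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    # length + type + body + CRC over type and body, as the PNG format requires
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def sample_png(text: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with a tEXt chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    parts = [PNG_SIG, _chunk(b"IHDR", ihdr)]
    if text:
        parts.append(_chunk(b"tEXt", b"Comment\x00" + text))
    parts += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return b"".join(parts) + trailer
```
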
Scareware and alarmist pop-ups
Another classic example of malvertising is scareware: ads or pop-ups designed to scare you with alarmist messages. Messages like “Your PC is severely infected,” “Your system is damaged,” or “45 viruses have been detected” are designed to create a sense of urgency so you click the “fix now” or “scan for free” button.
By accessing that supposed “antivirus” or “cleaner”, you are actually downloading malware disguised as a security or optimization tool. In other versions of the scam, you are sent to websites that pretend to be the operating system or browser, showing you fake security analyses so that you pay for a non-existent cleaning.
Tech support scams
Closely related to scareware are tech support scams. Here, the ads redirect to pages that impersonate Microsoft, Apple, or other major brands, displaying error messages and "technical support" phone numbers. The page may even lock the browser with persistent dialog boxes so you can't close it normally.
If you call the number, you'll be answered by fake agents who ask for remote access to your computer, personal information, or payment for a "repair" service that not only doesn't fix anything but often leaves even more malware installed. This type of fraud has had a high incidence among Windows and Mac users and is largely fueled by malvertising campaigns.
Get rich quick scams and fake surveys
Another common hook in malvertising campaigns is the promise of easy money, incredible raffles, or surveys with exorbitant prizes. You've probably seen banners offering unrealistic monthly income, prizes like the latest mobile phones, or gift cards simply for filling in some information.
Behind these campaigns there can be anything from aggressive data collection strategies to the installation of adware, spyware or even ransomware. The pattern is the same as always: content that seems too good to be true, but is actually designed to lead you to infected websites or to get you to enter personal information without any guarantees.
Fake software updates
Fake updates are one of the most effective baits, especially on streaming or content download sites. The ad indicates that you need to update Flash Player, your browser, a video codec, or some other program to continue watching what you want. In some cases, an installer is even downloaded automatically when you enter the page.
If the user installs that supposed update, they end up introducing spyware, adware, Trojans, or any other type of malware into their system, often bundled with a seemingly functional program to reduce suspicion. This is why it's so important to download software and updates only from official websites and not from banners or pop-up windows.
Malvertising versus adware: what are the differences?
Although the two concepts are often confused, it is important to clearly distinguish between malvertising and adware, because they are not the same, nor do they act the same. Both combine advertising and potentially harmful intentions, but the starting point and the way they operate differ.
In malvertising, the focus of the problem is on the advertising networks and campaigns. The ad arrives already infected from the advertising infrastructure and uses that channel to sneak malware onto the user's device. The infection occurs through the ad itself or the chain of redirects associated with it.
In the case of adware, an unwanted program is first installed on your computer (often included in free software installers or bundled with other apps), and from there it is that program that displays intrusive ads. In other words, the infection is already on the device and not on the ad network.
While malvertising can be used to distribute anything (ransomware, spyware, banking trojans, cryptocurrency miners, etc.), adware usually focuses on generating revenue through mass advertising display, although it can sometimes also serve as a gateway for more serious threats.
History and evolution of malvertising
The first documented malvertising attacks date back to late 2007 and early 2008, when a vulnerability in Adobe Flash was exploited to infect popular sites like MySpace and Rhapsody. Since then, the complexity and scope of these campaigns have continued to grow.
In 2009, even a prestigious publication like The New York Times was affected by an advertisement that enrolled computers in a huge botnet. Readers were shown fake infection warnings and pressured into installing “security” software that was actually malware, a clear example of scareware distributed via legitimate advertisements.
From 2010 onwards, various industry reports indicated that there was already talk of billions of infected ad impressions on thousands of websites, with a significant jump in 2011 when platforms like Spotify suffered no-click automatic download attacks.
In the following years, major news portals and online services fell victim to malvertising campaigns: the Los Angeles Times, Yahoo.com (with the CryptoWall ransomware at play), networks like Google DoubleClick and Zedo, dating sites, adult video portals, MSN, and even the BBC's English-language website. Some studies estimated that, around 2015, more than a third of the world's most visited pages had served some kind of malicious advertisement.
One particularly high-profile case was that of Zirconium, a threat actor that, according to various sources, bought around one billion ad impressions, using forced redirects to send users to scam or malware websites. This single campaign is believed to have been present every week on more than half of all ad-monetized websites.
More recently, criminals have become even more creative: they reuse abandoned domains to serve malicious ads, integrate cryptomining scripts into banners, rely on services like Coinhive to mine cryptocurrencies in the background, and generally adapt to an ecosystem where programmatic advertising makes control increasingly complex.
How malvertising can affect you
The really important question is: what can happen if your device is affected by malvertising? The short answer is that the consequences can be very serious. This applies to both personal and business users. The malicious payload that reaches your computer depends on the attacker's objective and your profile as a victim.
Among the most common threats distributed by malicious advertising campaigns we find malware in all its variants: banking trojans to steal credentials and payment data, ransomware that encrypts your files and demands a ransom in cryptocurrency, spyware that monitors your activity, keyloggers that record everything you type, etc.
It's also common to find malware that floods your browser with banners and pop-ups, redirects your searches to sponsored pages, or manipulates results to trick you into clicking where you don't want to. In addition, there are "classic" viruses and worms that spread between devices, although nowadays the focus is more on threats with a direct financial return.
Another growing trend is malicious cryptocurrency mining (cryptojacking): the malware is silently installed and leverages your computer's resources to mine cryptocurrencies, sending the profits to criminals. This degrades the performance of your computer or mobile device, increases energy consumption, and reduces the lifespan of the hardware.
In the corporate world, malvertising can be the gateway to compromising internal networks, stealing sensitive data, corrupting critical information, or even paralyzing an organization's operations. That's why, increasingly, companies of all sizes are priority targets of these campaigns, not only home users.
Vulnerable platforms and devices
For years, Windows has been the primary target of malware attacks in general, and malvertising in particular, simply because it has a huge user base. However, thinking that other systems are safe is a mistake that can be costly.
Malicious advertising campaigns targeting specific browsers or add-ons can also affect Macs, Chromebooks, Android phones, iPhones or tablets. In the case of macOS, for example, there have been many campaigns of fake Flash updaters and scareware specifically designed for that environment.
Mobile devices are especially interesting to attackers because they are always connected, accompany the user everywhere, and are commonly used for shopping, online banking, and sensitive communications. Furthermore, many people do not have the same levels of protection on their mobile phones as on their computers, nor do they update their operating systems or apps as often.
In business environments, where all types of equipment coexist (PCs, laptops, corporate mobile phones, tablets, etc.) and personal and financial data is handled, the impact of a malvertising attack can be enormous. Some reports have indicated increases of more than 50% in these types of incidents targeting companies during certain periods, which shows a clear trend of attackers targeting corporate entities.
Common methods of malicious code injection
To inject their code into the advertising chain, attackers have a wide range of entry points. They don't limit themselves to the visual creative, but also exploit any link in the advertising supply chain where they can introduce scripts or redirects.
One common approach is to compromise ad calls: every time a user lands on a page, the site requests ads from different third-party providers. If one of those providers has been compromised, it can inject malicious code into the response, contaminating the advertisement that will be shown to the user.
Another avenue is the creative elements themselves: banners that combine images and JavaScript can carry embedded scripts that execute downloads or redirects when they load. It is also common for ad landing pages to contain exploits or malware kits ready to attack as soon as the user arrives at them.
Behind the scenes, many ads pass through several URLs before displaying the final page: tracking systems, redirectors, affiliate platforms, etc. If any of these intermediate steps is compromised, attackers can introduce their own malicious code into the chain, causing unauthorized downloads or data exfiltration.
Even tiny elements like tracking pixels (small snippets of code used to count impressions or collect statistics) can be abused. If an attacker hijacks these pixels, they can intercept or modify the data flow, or use them as a spearhead for hidden redirects.
How to detect and stop malvertising
Although some malicious advertising attacks are very sophisticated, there are a number of measures that can help you drastically reduce the risk of infection, whether you are an end user or you manage a website with advertising.
On the user side, the first line of defense is having a good antivirus or security suite that analyzes web traffic in real time, blocks known malicious sites, and detects suspicious downloads before they run. Many modern solutions use cloud analytics and reputation systems to quickly identify new malvertising campaigns.
Another very effective tool is ad blockers and anti-tracking extensions. By preventing banners, pop-ups, and ad scripts from loading, you minimize the attack surface. As a side effect, you'll improve loading speed, save mobile data, and limit the tracking of your online activity.
Configuring your browser so that plugins (such as Flash or Java, if still used) only run on demand, using the “click-to-play” function, adds an extra layer of protection: active content is not automatically loaded, so many exploitation attempts are thwarted.
Finally, it is essential to keep the operating system, browser, plugins and applications always up to date. Most drive-by download campaigns rely on known vulnerabilities for which patches already exist, but which remain exploitable because many users do not update their systems frequently enough.
Good practices for preventing infections
Besides technical measures, your browsing habits and attitude towards the internet make all the difference. A little skepticism and good digital habits will save you from many scares related to malvertising.
First, be wary of ads that ask for immediate downloads, request personal data without a clear reason, or offer products and services with absurd discounts or for free. Nobody gives anything away for free: if a banner seems too good to be true, it's very likely a trap.
Also get used to downloading programs, updates, and apps only from official websites or recognized stores (App Store, Google Play, manufacturers' websites, etc.). Avoid third-party download portals and, of course, don't install anything that arrives through a pop-up ad, no matter how convincing it may seem.
Disable or uninstall plugins you don't use, especially those that have historically been a magnet for exploits (Flash, Java, old media players, etc.). The less unnecessary software you have, the smaller the attack surface you offer to criminals.
Finally, reinforce security with strong passwords for the configuration of your antivirus and other critical programs, and encourage training and awareness in cybersecurity, both personally and within your company. Knowing the warning signs of malvertising and common social engineering techniques is a very effective barrier.
Malicious advertising takes advantage of the complexity of the advertising ecosystem and the trust we place in legitimate websites, but with an updated system, good security software, well-configured ad blockers, and a cautious attitude towards suspicious offers, it is possible to browse with much more peace of mind and minimize the impact of one of the most silent and widespread threats on the internet.