How to Avoid Being the Victim of Malvertising

Written by

Digital advertisers have been a major beneficiary of modern technologies.

Tapping into artificial intelligence, they have been able to segment customers, personalize campaigns and message them automatically at optimal times, and create increasingly attractive adverts at more productive rates.

In a recent Menlo Security survey, one in three UK consumers revealed that they believe that the majority of advertisements on websites and social media are generated by AI.

The merits are unquestionable from a productivity and results point of view for marketers. However, this industry-wide technological transformation also paves a path of opportunity for threat actors – namely through ‘malvertising.’

A form of highly evasive threat, malvertising is a novel, complex technique used by threat actors in which malware is embedded into digital adverts.

Here, exponents typically start by compromising a third-party web server to host malicious code within videos, banner adverts or other forms of digital adverts, which can be posted across many legitimate sites. If these are clicked, users will either be directed to a malicious website created using social engineering/spoofing tactics, or the malicious code will directly and immediately lead to the installation of malware on a user’s computer.

If malware does reach the endpoint, it can enable threat actors to wreak havoc. Adversaries may proceed to tamper with, delete or leak data, corrupt files, redirect internet traffic, monitor user activity and/or develop backdoor system access routes.

Malicious Ads Are Increasing, But Awareness of the Threats Remains Low

At Menlo, we’re unfortunately expecting to see a major spike in fake ads.

Threat actors can increasingly leverage a combination of image generators, like Midjourney and DALLE, and AI tools, such as ChatGPT, to develop increasingly convincing spoofed campaigns. And it makes sense for them to do so. Indeed, our survey shows that awareness of the threats of malvertising remains low at present.

While 70% of respondents revealed that they currently click on advertisements on the internet ‘to some extent,’ the same number also stated that they weren’t aware of the fact that their endpoint devices can be infected with malware by clicking on a brand logo.

This is night and day versus other attack mediums, with close to three-quarters (73%) recognizing they can be infected by malware hidden in an email link.

Further, it was also revealed that many weren’t aware they could be infected by clicking on social media ads (48%) or pop-ups and banners (40%), while less than a third (32%) wouldn’t trust any website not to contain malvertising.

This gap in awareness is worrying, particularly given how tricky it can be for internet users and publishers alike to actively discern between genuine and malicious ads, with both typically serving consumers through legitimate advertising networks.

Even the most credible websites are not immune to malvertising. Indeed, in a recent 90-day study, we found that the top three brands impersonated by malicious threat actors attempting to steal personal and confidential data were Microsoft, Facebook and Amazon.

Five Ways to Avoid Malvertising Attacks

At present, it’s estimated that roughly one in 100 online ads are currently malicious. And that’s only expected to increase moving forward.

So, how can consumers ensure they don’t become the victim of malvertising? Here, we highlight five key tips:

  1. Always check URLs before clicking: By hovering your mouse over an advert until the URL appears, you can check it properly before proceeding to click, looking to confirm that threat actors haven’t replaced certain characters to trick the eye.
  2. Confirm the brand logo looks genuine: When a logo is copied, it can appear stretched, squashed or pixilated, or the background colour may look strange. These could be signs that an advert is not legitimate.
  3. Consider what the advert is asking you to do: Threat actors do not care about measuring impressions like marketers do, meaning malvertising campaigns usually have a call to action, such as ‘click here.’ These should be treated with caution.
  4. Be cautious, no matter the credibility of the website. Whilst credible sites may have a higher vetting process for adverts, they are not immune to malvertising. The same rules apply – always take a cautious attitude to clicking on ads. 
  5. Beware of redirections. Be aware that the more ads you click on, the higher your chance of encountering malware. Each ad click will likely bring you to a website with less stringent vetting procedures than the last.

You’re only 3-7 clicks away from malware online. With the threat of spoofed, malicious ads only likely to increase, it’s more important than ever to proceed with extreme caution. Following these five tips, you’ll be better placed to avoid malvertising attacks in the first instance.

What’s hot on Infosecurity Magazine?