Malvertising, or malicious advertising, is a cyberattack technique that injects malicious code into digital ads. Difficult to detect by both internet users and publishers, these infected ads are usually served to consumers through legitimate advertising networks.
Malvertising uses what looks like legitimate online advertising to distribute malware and other threats with little to no user interaction required. Because ads are displayed to all website visitors, virtually everyone exposed to these malicious ads is at risk of having their device compromised if proper precautions are not taken.
How Does Malvertising Work?
In some cases, malicious actors compromise a third-party ad server, which lets them inject malicious code into an advertisement, such as banner ad copy, creative imagery or video content. Recently, however, Google Ads have increasingly been used by malware operators to spread malware to unsuspecting users searching for popular products. Cyber criminals purchase advertisements that appear within internet search results, using a domain that closely resembles that of an actual business or service.
When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result. These advertisements link to a webpage that looks identical to the impersonated business’s official webpage.
These malicious advertisements have been used to impersonate the websites of popular products and services such as cryptocurrency exchanges, Notepad++, Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird and Brave, to name just a few.
By impersonating the official websites of popular products and services, threat actors distribute trojanized versions of software. A trojan is software that appears to be one thing (e.g. a legitimate software application), but actually is malware. Google Ad campaigns are being used to distribute malware in the guise of legitimate software tools.
Google has controls in place to prevent ads from being displayed that link directly to sites hosting malware. To circumvent this control, cyber criminals will typically send anyone who clicks on one of their malicious ads to an intermediary site first, and then redirect the visitor to a web page containing the malware, which is often hosted on GitHub, Dropbox or OneDrive.
This activity often makes use of seemingly credible websites with typo-squatted domain names that are surfaced to the top of Google search results in the form of malicious ads during searches for specific keywords. The moment one of these disguised sites is visited by a victim (one who actually clicks on the promoted search result), the site immediately redirects them to the rogue site. From there they are redirected to the malicious payload.
The ultimate objective of such attacks is to trick unsuspecting users into downloading and installing malevolent programs or potentially unwanted applications.
How to Protect Yourself From Malvertising
Having a high-quality and up-to-date antivirus program will go a long way towards detecting and stopping many types of malware. You may also consider using an ad blocker; however, attackers have workarounds that can still leave you exposed, so an ad blocker is a supplement rather than a complete defence.
Beyond that, storage operators and staff should keep an eye out for suspicious ads and browse the web mindfully. Take the following steps to avoid accidentally falling into a malvertising trap:
- Before clicking on an advertisement, check the URL to make sure the site is authentic. Note that a malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- As the first few results on a given search term are usually promoted ads, it is safer to skip them and scroll down until you see the project’s official website search result and use that instead.
- Rather than searching for a business or financial institution, type the business’s URL into your browser’s address bar to reach the official website directly.
- If you visit a website frequently, bookmark its URL and use that to access it instead of searching for it every time.
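The URL check in the first step above can be automated for a small set of sites you care about. The Python below is an added illustration, not code from the original article: it takes an ad landing URL and flags domains that are not on an allowlist but contain, or sit within two edits of, a known brand name (the allowlist, the homoglyph table and the sample URLs are constructed for this example).

```python
"""Flag ad landing URLs whose domain looks like a known official domain."""
from urllib.parse import urlparse

# Constructed allowlist of registrable domains treated as official (assumption).
OFFICIAL_DOMAINS = sorted({
    "notepad-plus-plus.org", "grammarly.com", "anydesk.com", "libreoffice.org",
})

# Small constructed table of characters that are easily mistaken for others.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse hyphens and look-alike characters so 'n0tepad-plus-plus' ~ 'notepadplusplus'."""
    label = label.lower().replace("-", "")
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposed letter costs 2, a typo or dropped letter 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(url: str) -> tuple[str, str]:
    """Return (full hostname, registrable domain) for a URL or a bare host."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return host, ".".join(parts[-2:])


def classify(url: str) -> str:
    """'official', 'lookalike:<official domain>' or 'unknown' for the URL's domain."""
    host, registrable = split_host(url)
    if registrable in OFFICIAL_DOMAINS:
        return "official"
    reg_label = normalize(registrable.rsplit(".", 1)[0])   # second-level label only
    host_labels = normalize(host.rsplit(".", 1)[0])         # everything before the TLD
    for official in OFFICIAL_DOMAINS:
        brand = normalize(official.rsplit(".", 1)[0])
        # Brand embedded in a subdomain or extra word, or a near-miss spelling.
        if brand in host_labels or edit_distance(reg_label, brand) <= 2:
            return "lookalike:" + official
    return "unknown"
```

A result of "lookalike" is a prompt to type the official address yourself, as the steps above recommend, rather than a verdict that the site is malicious.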