Malvertising (or malicious advertising) is a method used by cybercriminals to distribute malware through seemingly legitimate online advertisements.

As online publishers, search engines, and social media platforms rely more and more on ad revenue, and online ad placements grow in number and frequency, malware distributors have taken advantage of the opportunity to disseminate malicious payloads. Essentially, these distributors purchase ad space, typically from legitimate and sometimes even very well-known businesses to propagate malicious payloads onto computers and mobile devices.

Such malicious ads haven’t gone unnoticed, and Google alone blocked and removed a total of 2.7 billion ads in 2019, amounting to more than 5,000 ads blocked and removed per minute. Despite growing awareness and increasingly advanced techniques being used to identify and remove these malicious ads, however, malware distributors show no signs of discontinuing this practice, and it will likely continue for the foreseeable future.

How Malvertising Works

Malware distributors or “malvertisers” attempting to propagate malware through online ads do so in a variety of ways, but the simplest method is to dupe users into visiting a malicious site or downloading malware directly from a malicious ad.

Malvertisers often submit their ads to third-party ad vendors who, upon accepting the ads, distribute them across broad networks, landing them and their secretly malicious contents on a large number of sites very quickly.

Ad vendors are aware of the dangers that malvertising poses, and they actively work to diminish their spread, but malicious ad campaigns remain difficult to reliably detect before they have a chance to infect victims. Unfortunately, part of what makes these campaigns so successful is that they are frequently distributed unknowingly by trustworthy ad networks, and even companies like The New York Times, the London Stock Exchange, Forbes, and Spotify have all fallen prey to hosting malvertising on their respective sites in recent years.

Nearly half of all malvertising incidents take the form of an auto-redirect, where the user is circumvented out of the webpage they’re on and redirected onto a different website entirely. At this secondary website, the victim may be exposed to ransomware, phishing, or malicious ads that lead to malware.

Another common malvertising infection method is ‘drive-by downloading’, where victims don’t even have to interact with malvertisements to be infected.