Malvertising: The dark side of Advertising

07 / Sep / 2015 by Nikhit Kumar 0 comments

Ever faced a situation when you click on an advertisement, nothing happens and you are just redirected to a random strange website which you do not like or probably, as soon as you click an ad, numerous pop-ups come up and close automatically. There’s a good chance that you might have clicked on a ‘malvertisement’. In this blog, we will see how hackers use malicious advertisements i.e. malvertisement to spread malware and take control of your computer/account within seconds, while you are waiting for the page to load.

What is it?

The term malvertising is made up of two words : malware and advertising.

A malware (short for malicious software) is a software, when executed on a system, damages and disrupts its working. For  example, Virus and Trojan Horse.

Online advertising is the method of marketing and advertising with the use of internet. The parties involved in online advertising are :-

1. Publishers - Publishers sell ad spaces on their websites. These ad spaces are then used to display advertisements.

2. Advertisers - Advertisers buy the ad spaces sold by publishers and provide advertisement for these spaces. They participate in real-time bidding to win the ad spaces.

3. Ad Network - An ad network connects the advertisers and publishers for displaying the ads on the publisher’s website. Google AdWords is an example of ad networks.

So, malvertising can be defined as the use of online advertising for spreading malware across internet.

The main concern

The main issue with malvertising is its reach. It can infect thousands of systems in no time, and that is just the beginning. Malvertising leads to installation of malware on the victim’s system. These malwares can be used to steal user details such as credit card information and can also assume control of the entire device on which they get planted. Also, these malwares may be Trojans that can destroy critical information of your system.

Attack Scenario

Malvertisement generally occurs in two common ways :-

1. Redirect – When the victim clicks on one of the malvertisements, he/she gets redirected to an infected website, which infects the user by installing some unwanted software on the victim’s machine.

2. Drive by Download – When the victim simply visits a  webpage and the code embedded in the malicious ad present on the webpage gets executed, thus downloading a malicious file on the victim’s system.

3. Fake virus reports and updates – When the victim is prompted that he/she has a virus or out-of-date application on his/her system . The victim then clicks to download and install the fake solution and gets infected.

How is it done?

The attackers take advantage of the trust that the victims have in the websites. To execute a successful attack, the attackers assume the role of advertisers and submit malicious ads to the ad network.  The inability of ad networks to properly check the integrity of malicious ads results in the submission of malicious ads along with the legitimate ads. Thus, the malicious ads get embedded into the website. Lots of big websites have suffered malvertising attacks in the past. The list includes The New York Times, Yahoo, and

Case Study: The New York Times

In September 2009, The New York Times suffered a classic malvertisement attack. When users visited the website, a prompt appeared stating that their system had been infected by a virus. They were further advised to install a particular anti-virus program to remove that virus. Once the users installed that program, their system was compromised.

The figure below shows the fake anti-virus program prompting the user to install it. Once the user chooses to install the anti-virus program, the malware gets installed on the user’s system.

nytimesvirus-fake-screen                                                                                                                Source:


The New York Times explained the reason of allowing this advertisement to infiltrate their website as,

“The creator of the malicious ad posed as Vonage, the Internet telephone company, and persuaded to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, said Diane McNulty, a spokeswoman for the Times Company. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.


1. Most of the malvertisements take advantage of unpatched or older versions of Flash, web browsers and Java. Check from time to time that you have the latest versions of these programs installed on your system.

2. An antivirus program should be installed to detect the malware and take actions against them.

3. Installing Ad Blocking plugins in your browser automatically blocks most of the web ads.

4. Using a Web Filter prevents users from visiting malicious websites. This can prevent ads from redirecting users to malicious sites known for drive-by downloads and other attacks.

Malvertising attacks are increasing and the payloads that the attackers use, are also evolving day by day. A strict ad policy is required to mitigate such attacks.


Leave a comment -