When you click on digital ads, have you ever received notifications flagging up risks, and warning about malware? If so, it’s worth taking them seriously. Online adverts are one of the most effective vectors for ransomware and other nasty agents via a phenomenon known as “malvertising.” But what is malvertising and how can you guard against it?
What is malvertising? A quick introduction
All of us have heard of advertising – the promotion of products via written, graphical, or video content. It’s everywhere we go, from billboards beside the road to the videos we watch on YouTube. And most of the time, that’s not a problem. Sure, it’s annoying to have your videos broken up by ads, but the ads themselves aren’t malicious.
That’s not the case with malvertising, a word created by fusing the words “malware” and “advertising”. A malvert is very different to a legitimate ad. Instead of delivering information about a product or service, it intends to deliver malware straight to the viewer’s computer.
Malware isn’t good news at all. It’s malicious code which intends to do harm, from harvesting your social media passwords, to holding your system to ransom. And even in its mildest forms, it’s something we want to avoid.
How does malvertising work?
What is malvertising doing that’s so difficult to detect? Well, the secret is the way that malverts mimic normal content. The ads we see on the web and malicious versions are extremely similar. All an attacker needs to do is add a tiny amount of code to the script that launches the ad.
When this code is activated, it bypasses links to retailers or service providers. Instead, it directs the user to a site of the attacker’s choosing. This could be a fake website designed to look similar to the legitimate destination.
Alternatively, it could just use this site to inject malware onto your system, before routing you directly back to your original destination. This might feel like a minuscule delay to the user, but in that interval, their system could have been completely compromised.
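Both behaviours described above (a look-alike destination, or a brief detour before landing on the real site) leave a trace in the ad's redirect chain that can be checked. The following is an added example, not code from the original article: the allowlist, domain names and hop lists are constructed, and it assumes the hops after a click were already recorded by a crawler.

```javascript
// Added example: audit an ad's click-through redirect chain.
// All domains and hop lists below are constructed for illustration.
// ASSUMPTION: a crawler already recorded the URL of every hop after the click.

// Hypothetical allowlist of ad-tech intermediaries the publisher expects.
const APPROVED_INTERMEDIARIES = new Set(["adnetwork.example"]);

// Simplified site extraction: last two hostname labels.
// A production auditor should use the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

function auditChain(declaredLanding, hops) {
  const findings = [];
  if (hops.length === 0) return { verdict: "no-data", findings };
  const declared = siteOf(declaredLanding);

  // Case 1: the chain ends on a site other than the advertiser's (look-alike page).
  const finalSite = siteOf(hops[hops.length - 1]);
  if (finalSite !== declared) {
    findings.push(`final destination ${finalSite} is not declared site ${declared}`);
  }
  // Case 2: a detour through an unapproved site, even if the user still
  // ends up at the expected destination afterwards.
  hops.slice(0, -1).forEach((hop, i) => {
    const site = siteOf(hop);
    if (site !== declared && !APPROVED_INTERMEDIARIES.has(site)) {
      findings.push(`hop ${i + 1} passes through unapproved site ${site}`);
    }
  });
  return { verdict: findings.length ? "suspicious" : "clean", findings };
}

// Constructed sample chains.
const LANDING = "https://www.shop.example/sale";
const SAMPLES = {
  clean: ["https://click.adnetwork.example/c?id=1", LANDING],
  detour: ["https://click.adnetwork.example/c?id=1",
           "https://gate.unlisted.example/r", LANDING],
  lookalike: ["https://click.adnetwork.example/c?id=1",
              "https://www.sh0p.example/sale"],
};

for (const [name, hops] of Object.entries(SAMPLES)) {
  console.log(name, auditChain(LANDING, hops));
}
```

The detour case is the one a user would never notice, because the final page is the genuine one; only the intermediate hop gives it away.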
Some well-known malvertising examples
You might question how dangerous malvertising really is. After all, we click on millions of ads every day, and our computers aren’t (to the best of our knowledge) infested with trojans. But the effects of malvertising attacks are very real, and attackers are becoming more inventive all the time.
Here are just a few examples that caught out famous websites and plenty of unsuspecting users:
The New York Times rogue antivirus episode
Back in 2009, malvertising examples weren’t well known, and hackers definitely had the edge when catching out website owners – including one of the world’s most respected newspapers.
For days, the New York Times included a normal-looking banner ad for an antivirus package. This banner was skillfully created and looked just like a normal provider, prompting thousands of readers to click through. And when they did, they were infected immediately with some pretty nasty malware.
Spotify takes a hit from dodgy Windows Recovery tools
Cutting-edge music streaming site Spotify has had its own embarrassing brush with malvertisers. In 2011, their ad network started running a batch of banners encouraging users to download a Windows Recovery tool – the kind of handy security tool that sensible users might be interested in adding to their system.
However, the actual tool delivered the opposite of security – unleashing a torrent of malware. And this wasn’t even something users could avoid. The way the attack was structured meant that malware was released without users even clicking on the banner. That’s how insidious the practice can be.
Microsoft Network falls victim to malvertisers
Microsoft’s home page, MSN, has repeatedly been flagged as at risk from malvertisers, primarily due to its use of the AdSpirit network to deliver adverts.
In 2016, this resulted in a huge attack involving adverts for the retailer Lidl that were served to German users. Using the Neutrino and RIG exploit kits, attackers were able to work their way into AdSpirit code, beaming a nasty ransomware agent called CryptoWall directly onto users’ machines.
Yahoo’s ad network is compromised
In 2015, online giant Yahoo also became a high-profile malvertising victim. Despite running one of the most sophisticated security operations around, the company forgot to ensure that its advertising partners had the same attention to detail. And when AdJuggler’s code was compromised, thousands of Yahoo users suffered.
As with the Spotify attack, users didn’t have to show any interest in the ads. They just needed to be on the same page as one of the rogue banners, and their system was put at risk.
Many of these examples also involved the manipulation of Macromedia Flash – one of the web’s most notorious weak spots. And in all cases, site owners expressed surprise and confusion about what could be done. However, from a user perspective, things aren’t quite so gloomy.
How to avoid becoming a malvertising victim
None of us want to become a ransomware victim or to have our personal details stolen for criminal purposes. So it makes a lot of sense to immunize our systems against malvertising attacks. And there are a number of measures we can take to do so:
1. Update your Java and Flash tools
There’s a reason why browser developers and site owners are constantly encouraging users to upgrade their versions of Java or Macromedia Flash. Older versions are full of security holes, leaving the door wide open for malware. So always upgrade when the chance arises. And do the same for your browser as well.
2. Use adblockers when possible
In many cases, users running adblockers minimize the risks attached to malvertising. By simply blocking off banner ads and popups, these tools can keep away some digital dangers before they have a chance to do harm.
However, they aren’t practical for everyone. Many sites demand that users turn their adblockers off (because they seriously harm online revenues). And some malvertisers have found workarounds which render adblockers much less safe. So they shouldn’t be used in isolation.
3. Install a reliable VPN
Above all, make sure your web usage is protected by a high-quality Virtual Private Network (VPN). When used with adblockers and antivirus, VPNs provide all the protection you’ll need. They encrypt your data, so personal details won’t be available for malvertisers to harvest. Many also come with cutting-edge anti-malware tools – blocking malverts at the root.