Malvertising, the growing problem of malware-laden ads.

Where would you expect ads to be positioned on a website? In the header at the top of the page? In a sidebar on the right side of the screen? There is no doubt that advertisements have entered our mental models and have become commonplace. The most popular websites and apps host some form of advertisement space. As the idea of the Internet of things progresses towards reality, advertisers are working diligently to capitalize on any platform to reach users. All of these efforts by advertisement companies to reach users is not going unnoticed. Websites usually host advertising networks that deliver ads to users. Attackers no longer need to compromise a website to push malware to users; they now simply just need to inject malware-laden ads into advertising networks.

This phenomenon shouldn’t seem ground breaking as most of us, I hope, know not to click on shady ads that promise instant cash or unbelievable deals. Modern “malvertising” has evolved to incorporate pre- and post-click functions. Pre-Click functions such as auto-download and auto-run can infect a user without any interaction with that user. Post-click functions such as auto-redirect cause clean-looking ads to direct the user to malicious websites.

Most internet users know of the dangers lurking behind questionable advertisements. The scary part, however, is how deep into trusted sites these malware-laden ads have gone. In 2009, the banner feed of the New York Times was hacked and urged users to install rouge security software. In 2011, ads on Spotify auto-downloaded malware onto user’s computers. Even Yahoo and Google ad networks have seen major infections. Cyphort labs, a leader in malware defense, sampled the top 100,000 most visited domains to see how many domains served an infected ad. The results showed a troubling upward trend.

Screen Shot 2015-11-14 at 2.37.48 PM

I believe that advertisement companies must double down on security efforts before aggressively perusing ways to reach users. If users of popular websites must be constantly on guard about malicious ads, are the ads even working?


6 thoughts on “Malvertising, the growing problem of malware-laden ads.

  1. Thanks for sharing those data and trending about malvertising, and I am definitely one of the users who suffered a lot from Malertising in the past few years. Computer virus and malware can damage our system and some of them are extremely hard to clean up thoroughly, and they have caused me lots of frustrations and angers during some of my busy weeks that I had to use lots of my previous studying times to search ways to remove them and fix the system. I have learned each time and became more and more cautious to avoid them, but the malvertising techniques also kept evolving and they become more innovative and hard to identify or avoid. In my past experiences, Most of the Malware and ads bundle cookies are from free software/ torrents downloading websites, those website contains many Malware links, and the virus will spread widely to the system after installing the software (post-click). Lots of people are suffered and have been taken advantage by Malvertising and Phishing scheme, and they are huge cyber security issue that damage computer, decrease productivity, and even cause financial losses to big corporations, and I think government should create new related criminal laws and develop new tracking technologies to punish those Malvertiser and hackers.

  2. It is really quite surprising the amount of effort these individuals go to in order to infect another person’s personal computer. We, as the honest citizens that we all are, must know how to arm ourselves from such malicious attacks into our personal lives and prevent those who wish to do wrong from getting there way. We better arm ourselves by indeed first knowing what is out there and what to avoid.

  3. As cyber security increases so do hackers and malware. I thought that big name companies were more prone to these viral ads but this shows that virtually no one is truly secure on the Internet. I think one step in the right direction to counteract malware-laden ads would be to inform users of the possible risks connected to these ads and that auto-downloading is very common. Hopefully, most users are aware of phishing schemes and do not provide their password to site that say there was a crash they need to fix. However I think many users are unaware that hackers can obtain information just from clicking on the link which can automatically download personal information. The first step to solving this problem is understanding where it came from, attacking the source, and increasing online security to protect websites from malware-laden ads.

  4. Recent research results show that the network advertisement has become the biggest threat to the security of mobile devices and sensible approach is to avoid compromising browsing on the mobile device. Pornography is often highly effective and widely used in the spread of malicious software vector, accounting for 16% of malicious attacks, while the network advertising is 20%.
    Now more and more users use mobile technology, which also increases the threat of mobile attacks, so mobile security needs to be paid attention to. At the same time, in order to navigate safely and meet the demand for network security, but also concerned about the safety of the Barracuda series product line.

  5. It’s scary to know that trusted websites are being hacked by malware companies. Obviously, when you visit lesser-known sites, and see the large “click here!” and “download” buttons, you know to avoid them; however, it is surprising that the banner for The New York Times was hacked into. I think the best way to solve this problem is to not only increase security on these websites and implementing Adblocker software (like Johnathan said), but also increase the knowledge and information internet users have. If internet users learn more about malware-laden ads, they will be less-likely to download unfamiliar ad ons, even if they are coming from trusted sites like Google, Yahoo, and The NY Times.

  6. I was surprised to learn that malware-laden ads had become so sophisticated and robust in their operations. I found it especially important (and surprising) that these ads can now download files without having user interaction. It’s strange to me that this issue hasn’t garnered more attention as this represents a big liability to users. Many individuals operate with a mental model that says “my computer won’t get infected if I don’t click on any sketchy links,” which doesnt hold up in the face of ads equipped with auto download and auto run. I’m left thinking about the possibility of technologies like Adblocker software being used as a deterrent or security measure against such malvertising. In addition I’m wondering how much we will see security measures evolve in response to these issues.

Leave a Reply