What is Malvertising?

Malvertising is an ambiguous term referring to malicious online advertisements; some cause malware infection while others track user behavior.

Malvertisements or malvertising are a malicious variety of online advertisements generally used to spread malware. However, that definition is somewhat dated as the term has evolved. While it’s easy to call an ad that redirects to malware a malicious one, it is often hard to differentiate between fraudulent and legitimate online ads.

For example, there are any number of legal online ads that any reasonable observer would characterize as malicious or fraudulent. On the other hand, there are likely benign ads that are flagged by some advertising networks as malicious or fraudulent on superficially technical grounds. However, there are also vast swaths of online ads that are completely and unquestionably malicious.

Allow us to begin with the outright malicious advertisements:

The most obvious, easily definable type of malicious advertisements are those that – when clicked on – redirect users to websites that will infect the user with malware or install some other unwanted software, unless that person is running an antivirus product capable of blocking the infection. Users running out-of-date operating systems and browsers are especially vulnerable to this and other forms of malware infection.

“These websites have not been compromised themselves, but are the victims of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”

This unwanted or malicious software can serve any number of functions. If it’s malware, it could contain a keylogger for stealing login credentials or other sensitive data, it could pull users into a spam-spewing botnet, it could be a banking trojan, a rogue antivirus application, ransomware like CryptoLocker, or virtually any other type of malware that’s been written about here or elsewhere.

A recent example is the ad network AppNexus, who was accused of posting malvertisements on the websites of TMZ, Java.com and others.”These websites have not been compromised themselves, but are the victim of malvertising,” the security firm Fox-IT told Threatpost. “This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.” This type of malvertisement is easy to spot and universally accepted as illegal.

Now let’s transition into the grey area:

As many have pointed out, malvertisements don’t necessarily have to contain what is universally considered malware. They could install tracking cookies without proper permission to do so, they could install a legitimate piece of software without your consent, they might clandestinely collect user information or exceed their stated scope in some other way.

These sorts of malicious or fraudulent online advertisements are certainly frowned upon. In many cases, an advertising network could suspend these types of ads or require that they be changed in order to comply with the appropriate guidelines. Some ad networks have shady guidelines and will let nearly any type of advertising fly. Similarly, some ad networks probably do a better job of policing their content and clients than others. In a lot of cases, offending networks will be called out by researchers and ultimately the media. Sometimes the pressure catalyzes change; sometimes the pressure accomplishes nothing. You can opt-out of specific ad networks, but doing so is convoluted and perhaps antiquated and who knows if anyone actually pays attention to these lists.

Then there are the legit ads that seem clearly fraudulent:

This is definitely the hardest category, but nearly everyone will be familiar with what I am referencing. These promote pills and tricks that can’t possibly be real and advertise for jobs where you can make tens of thousands of dollars per month working from home. Some claim “you’ll never believe what [some person] did!” Others make hyperbolic references to your past being exposed online or new rules near where you live that will affect you in some way.

Some of these kinds of ads leads to well-meaning businesses, for sure. At the same time, a lot of these ads straddle the line between fraud and legitimacy. In the end, someone decides these are appropriate.

A story I wrote at the beginning of 2012 is a great, though admittedly outdated, example of this: one security company classified CounterClank as a strain of Android malware while another characterized it as an aggressive advertising network. In the end, it doesn’t really matter who was right, because with many online ads, maliciousness is a matter of perspective.

How do you protect yourself?

Don’t click on shifty looking ads, even if they boast pictures of attractive people, issue seemingly relevant warnings or offer fast money and magic pills. My personal recommendation is that you only ever click on ads for things that you would actually want to buy. If someone is offering yousomething with an advertisement, then think twice, because advertisements generally attempt to get you to buy something.

On viruses for Palms, ecosystems and continuity

A while ago we “celebrated” 10 years since the first smartphone malware emerged. While we made the first Symbian antivirus in 2004, it doesn’t mean that we had no mobile security products before that. It was hard to unearth and boot an antique handheld from early 2000s, and even harder to find, install and launch our old software. Yes, it’s long obsolete, but there’s a reason for all these efforts. Read about it in our new blog post.