Why Malvertising Might Show Up on Your Favorite Website

The notion that your computer might get a malware infection when you simply visit one of your favorite websites might be enough to give you nightmares. But it is a very real possibility. Cybercriminals are increasingly posting malicious advertising, or malvertising, on legitimate websites in order to spread malware.

You might be surprised to learn that it is not social media or shopping websites that are most likely to have malvertising. Technology, business, and search websites are the three most frequently exploited types of sites, according to Symantec's "2016 Internet Security Threat Report".

Fortunately, you do not have to quit visiting websites to protect your computer from malvertising. There are some measures you can take to minimize the chance of your computer getting a malware infection. To understand why these measures are necessary, it helps to know the malvertising basics, including how cybercriminals get malicious ads on websites.

Malvertising 101

In malvertising attacks, cybercriminals take advantage of the way in which browsers render web pages. When you visit any web page, all the content, including ads, is automatically downloaded by your web browser so that it can display the page. If one of those ads is malvertising, it, too, will be automatically downloaded.

Sometimes, malvertising contains code that redirects your web browser to a server where a malicious program called an exploit kit tries to find a known vulnerability. If one is found, the exploit kit uses it to install malware. The entire process typically takes less than a minute and occurs without you clicking a single link.

Other times, malvertising tries to lure you into clicking a link, which leads to a server with an exploit kit. In this case, the ad itself does not contain any malicious code. The attack's success depends on you clicking the link.

Another type of malvertising is popup ads. They can deliver a malicious payload as soon as the ad appears or after you click the "X" button to close it.

How Malvertising Gets on Websites

While it is feasible for cybercriminals to hack into legitimate websites and insert malicious ads, a much easier route for them is to pose as businesspeople who want to place ads online. Cybercriminals take advantage of the fact that there are many different ways to get ads on websites. For example, website publishers might accept ads directly from companies or advertising agencies, or they might run ads served by advertising networks.

The parties involved in the process often do not request much information from people submitting online ads, according to Symantec security experts. Plus, while some parties screen ads before accepting them, others do not.

Even if parties check the ads before accepting them, cybercriminals find ways around the inspections. For instance, cybercriminals might submit malvertising with the malicious code disabled, and then enable it after the ad is approved and posted. Another tactic is to submit legitimate ads at first to establish a good reputation with the party involved, and then later rotate in malicious ads.

Cybercriminals often remove the malicious code from their ads after an hour or two. They know doing so makes it more difficult to detect and track their malvertising attacks.
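The tactics above (an ad that is clean when reviewed, altered after approval, and cleaned again an hour or two later) mean a one-time inspection can miss the change entirely. The following Python example is an added illustration, not code from the original article: it compares copies of an ad served over time against the approved copy. The ad markup, host names, and sampling times are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ActiveRefs(HTMLParser):
    """Collect the hosts an ad loads active content (scripts, frames, plugins) from."""
    ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.hosts, self.inline_scripts = set(), 0

    def handle_starttag(self, tag, attrs):
        attr = self.ACTIVE.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.hosts.add(urlparse(url).hostname or "(relative)")
        elif tag == "script":
            self.inline_scripts += 1

def fingerprint(html):
    parser = _ActiveRefs()
    parser.feed(html)
    return {"sha256": hashlib.sha256(html.encode()).hexdigest(),
            "hosts": parser.hosts, "inline": parser.inline_scripts}

def drift(approved, served):
    """List the ways a served ad differs from the copy that was approved."""
    a, s = fingerprint(approved), fingerprint(served)
    findings = []
    if a["sha256"] != s["sha256"]:
        findings.append("content-changed")
    new_hosts = s["hosts"] - a["hosts"]
    if new_hosts:
        findings.append("new-active-hosts:" + ",".join(sorted(new_hosts)))
    if s["inline"] > a["inline"]:
        findings.append("new-inline-script")
    return findings

def audit(approved, samples):
    """samples: (minutes since approval, served markup). Returns only drifted samples."""
    return [(t, f) for t, html in samples if (f := drift(approved, html))]

# Constructed data: the ad changes at 45 minutes and is back to the approved copy by 180.
APPROVED = '<a href="https://shop.example/sale"><img src="https://cdn.example/banner.png"></a>'
SAMPLES = [(10, APPROVED),
           (45, APPROVED + '<script src="https://redirect.invalid/r.js"></script>'),
           (180, APPROVED)]
```

Only the 45-minute sample is flagged; a reviewer who checked the ad at approval time and again at 180 minutes would see nothing wrong, which is why frequent sampling with retained results matters.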

What the Digital Ad Industry Is Doing to Combat Malvertising

The digital ad industry is well aware of the malvertising problem and is taking steps to help fight it. For example, in June 2016, ad industry leaders met with members of the U.S. Federal Bureau of Investigation (FBI), U.S. Department of Justice, and the U.S. Department of Homeland Security to discuss the problem. This closed-door meeting was arranged by the Trustworthy Accountability Group (TAG) — a team created to tackle malware, advertising fraud, and other critical problems in the digital ad industry. Its members include executives from the world's largest brand advertisers, online media companies, ad agencies, and advertising technology companies, according to TAG.

What You Can Do to Protect Your Computer

It might take a long time for the digital ad industry to prevent malvertising, if it ever does, so you need to take measures to protect your computer from it. For starters, make sure that your computer is running anti-malware software. Many anti-malware solutions do more than just detect and block known malware. They also detect and intercept known exploit kits as they attempt to leverage vulnerabilities, thereby preventing attacks. If your anti-malware solution does not provide this functionality, you can use standalone software for this purpose, such as Malwarebytes' free Anti-Exploit software.

Uninstalling the browser plugins (e.g., Adobe Flash Player, Java) you do not use is also a good idea. It gives cybercriminals one less attack vector. For the plugins you do use, you might consider taking advantage of a plugin feature found in modern web browsers. It automatically disables plugin activity, but lets you enable it on a case-by-case basis. Here is how it works: When a website wants to load plugin content, your browser will block it. Either an icon or message will appear letting you know that content is being blocked. If you want the plugin content downloaded and displayed, you can permit your browser to run the plugin by clicking the icon or message and selecting the allow option. You should do so, though, only when you are reasonably sure it is safe.

Another way to protect your computer is to regularly update your operating system software and applications (including browser plugins). The exploit kits used by cybercriminals in malvertising attacks look for known vulnerabilities in software. Patching known vulnerabilities helps eliminate entry points into your computer.

Avoiding temptation is also important. While modern web browsers block popups by default, you can manually disable this functionality. Avoid doing so, though, as popups can be malvertising. Also resist the urge to enable web content that has been blocked by your web browser or anti-malware software. That content might contain malicious ads.

Using an ad blocker is perhaps the best way to prevent malvertising attacks. Ad blockers remove or alter all advertising content on web pages. Some ad blockers replace ads with other content, such as news. Others simply leave broken links or holes where the ads would have been.

While effective, ad blockers are not without controversy. Ad blockers might inadvertently block non-ad content, causing a web page to display improperly or not at all. Plus, opponents point out that ad blocking reduces websites' revenue, which might lead them to stop offering free web content.

Devise a Plan to Keep Your Computer Safe

Your IT service provider can help you plan and implement a strategy to protect your computer from malvertising and other types of cyberattacks. Together, you can keep cybercriminals and the nightmares they can cause at bay.