Internet users are exposed to hundreds of ads a day, which are distributed by various advertising networks. Unfortunately, automated ads can be used for spreading malicious software. Even legitimate ad networks can be used by hackers to spread malicious code, due to the high volume of ads that they are paid to distribute. Malware spreaders will hide code within legitimate-looking ads that can redirect users' computers to connect to a malicious server to install malware. The worst malvertising connects users' computers to an exploit kit that runs analysis on the defending computer, looking for vulnerabilities and exploiting them. From there, attackers can install malware, ransomware or gain full access to the computer and sensitive information.
Early malvertising attempted to trick users into clicking their banner ads, such as claiming their computer was already compromised by viruses and that they should install their antivirus. These days, users don't even have to click on the malicious advertisement for it to run exploits, which can start automatically and in the background.
Attackers take advantage of the automated nature of online advertising, with large companies turning to networks to choose which ads to display on their website. Although most reputable advertising networks examine the advertisements they serve, malicious code can still slip through the network's checks. Malvertising has made its way to large websites, including The New York Times, BBC, AOL and the NFL as recently as 2016, according to the Center for Internet Security.
The effects of malvertising
The risk of malvertising infecting users' computers has created a dilemma between internet users and ad distributors. To defend against malvertising, users are advised to update the scripts that ads run on, such as Java, Flash and Microsoft Silverlight, as well as to keep their anti-malware software up to date. However, to further ensure they avoid malicious advertisements, users will stop ads completely by installing ad blockers or by disabling certain scripts like Java and Flash from running on their browser. This leads to a loss of revenue for the website displaying ads, which, in turn, may prompt those companies to prevent ad-blocking users from using their site.
Your website may also be flagged by search engines for hosting malware, affecting your SEO and even blacklisting your site from showing up in search results.
According to the Interactive Advertising Bureau, malvertising costs the digital marketing industry more than $1 billion due to lost revenue from ad blocking in addition to the costs incurred with investigating and curbing malvertising.
While ad networks work to improve safeguards and prevent malvertising from being distributed to their partners, there are a few things you can do to prevent malicious advertising from affecting your users and ruining your reputation. It will require some vigilance on your part to make sure visitors are protected when entering your website.
Be sure you deal with reputable advertising networks that run fraud detection on their advertisements. You also need to examine the ads your website is running. You can do so safely using domain research tools like DomainTools.com that let you examine URLs without entering them.
According to Google's anti-malvertising guide, you should search for suspicious redirects and iframes. If the ad's script contains suspicious code, including encrypted code, it should be treated with suspicion. Remove the ad from your website and report it to your ad network. If your network allows you to swap it out with another, then do so. If this is a frequent issue, then it's advised you switch to a different ad network.
There are several ad verification services that act as watchdogs for your website. Companies such as Geoedge and Media Trust have add-ons that scan through advertisement code to backcheck it against trusted sources and look for suspicious code.
Be sure to protect your own computers and servers when dealing with suspect ads, as you can also be a victim of malware from the malicious ads. You can be targeted with ransomware that can lock down your whole website, so be sure to keep backups and strong anti-malware software.
If your website is flagged by a search engine for distributing malware, you can usually file an appeal to that search engine, such as Google or Bing, when you've removed the malvertising.
As with any malware, malvertising is invasive and continually changing. While ad networks and the online advertising industry is and should address malvertising, and the use of third-party ad verification tools and antimalware is recommended, it ultimately comes down to you to make sure your website is not spreading malware. Those precautions won't outmatch a knowledgeable and vigilant eye on the code that goes through your website.