What Is Malvertising?

Malvertising is a form of cyberattack that uses real online ads to spread malware. Attackers insert malicious code into real ads, which then either redirect visitors to malicious websites or harm their computers immediately.

Malvertising is a common way of spreading malware. On average, one out of 100 online ads is malicious. Since online advertisements reach a wide audience, cyberattackers are also able to reach more people with malvertising. As far back as 2012, almost 10 billion ads were hijacked for malvertising. In 2017, 48 million online ads that suggested the download of malicious software were removed by Google and 79 million ads that tried to redirect visitors to malicious websites were blocked.

Malvertising Definition

Malware distributed through malvertising sometimes doesn’t need any form of action to be activated. This means users do not even have to click on malicious ads before their system is compromised. If visitors are careful enough not to click on a malicious ad but stay long enough on a compromised website, the malware will automatically download in the background and infect their computers.

What Is the Definition of Malvertising?

The word “malvertising” was coined by combining two words – malware and advertising. Malvertising simply means “malicious advertising.” The first-ever malvertising campaign started in 2007 and utilized a vulnerability in Adobe Flash software. Some of the affected platforms were Excite, Rhapsody and MySpace.

How Dangerous Is Malvertising?

Malvertising is very dangerous to any individual or website that falls victim to it. The scariest part is that people or websites can still fall victim even after exercising caution. When the deployed malware hits a computer or mobile device, the hardware, software and private information of the owner are at serious risk. Some of the damage caused by malvertising is listed below.

  • Malvertising reduces traffic and revenue for affected advertising networks or websites.
  • Affected websites may face lawsuits and be required to pay fines or compensation to site visitors for damages caused by malvertising.
  • Hardware or software failure of users’ systems leading to loss of files and data.
  • Attackers will have access to important credentials like passwords and Social Security numbers which can be used to steal or divert funds from the victim.
  • The victim’s personal or sensitive information can be leaked or used for blackmail.
  • The reputation of publishers is damaged.

What Is the History of Malvertising?

The first case of malvertising was recorded in 2007. The campaign was launched using a vulnerability in Adobe Flash software and lasted until early 2008. Some of the platforms affected were Rhapsody, MySpace and Excite.

In 2009, the Bahama botnet struck. Bahama botnet was the nickname given to the malvertising attack that worked by developing a botnet network of compromised computers for click fraud on pay-per-click ads across the internet. The New York Times Magazine was discovered to have had an ad that was part of the campaign. Through the weekend of September 11-14, attackers hacked The New York Times’ banner feed to trick readers into installing malicious security software by stating their computers were infected. To solve the problem, third-party ads were suspended by The New York Times with advice to readers posted on their tech blog.

It was not until 2010 that malvertising fully took off. The Online Trust Alliance (OTA) detected 3,500 websites carrying billions of ads containing malware. An Anti-Malvertising Task Force was formed that same year by the OTA.

By 2011, malvertising websites had increased by 240%. Through the use of the “Blackhole exploit kit,” Spotify witnessed one of the first instances of drive-by download – a malvertising technique where users don’t have to click on an ad to become infected with malware.

The Blackhole exploit kit was used again in 2012 to attack readers of the Los Angeles Times. A report released in 2013 by the cybersecurity company, Symantec (now known as NortonLifeLock), revealed that half of the websites scanned in 2012 were victims of malvertising.

In 2013, Yahoo suffered from a malvertising attack that used cross-site scripting (XSS) to infect the website’s visitors with the Cryptowall ransomware. The Cryptowall ransomware works by encrypting victims’ data and demanding payment of $1,000 in Bitcoin within seven days to have the user’s data decrypted.

Cryptowall was used again in 2014 to attack the now-defunct DoubleClick, Zedo, The Times of Israel and the Hindustan Times. More than 600,000 computers were infected and it was believed the attackers received ransom money of over $1 million.

In 2015, malvertising attacks were launched against the websites of Answers, eBay, Wowhead, Talktalk and many other organizations. McAfee also reported that malvertising was growing rapidly on mobile platforms.

In 2018, researchers at Malwarebytes found websites containing malicious ads that carried Coinhive scripts. Although Coinhive scripts can be used legally, cybercriminals use the scripts to turn users’ computers into crypto mining machines without the user’s knowledge.

Today, malvertising attacks keep increasing and new threats are detected every day. Reducing the number of malvertising attacks has been challenging for advertising networks and websites which suggests this form of malware distribution will be around for a while.

How Is Malvertising Used?

The primary purpose of malvertising is for users to click on malicious ads, but that’s not the only way malvertising works. Most malvertising attacks are launched using reputable publishers since people trust the publishers and would not expect to have their computers or mobile devices infected with malware during website visits.

A typical malvertising attack starts by creating an ad infected with any type of malware. The ad is then submitted to an ad network for publishing. Once the ad network receives the ad, the ad code is scanned to detect whether it contains any prohibited or blacklisted URLs, but the malicious code is designed to mask the real URL of the ad from the scanners. The ad is approved and sent out to reputable websites to display as a legitimate ad. Once the ad is published, the process of malvertising begins and is carried out in either of the following ways:

  • Redirections: Visitors of any website carrying a malicious ad will be redirected to a malicious website once they click on the ad. Most redirected ads lead to phishing attacks. The redirected websites are designed to look like trusted websites and users are tricked into providing personal information like their Social Security number.
  • Drive-by download: If visitors of a compromised website are careful enough not to click on any ads, the malware can still infect their systems if they stay long enough on the website for the malware to fully download on their system. The malware downloads in the background without the user’s knowledge. The malware installed can be used to erase files, watch the user’s activities, find vulnerabilities within the system or create external access so the “malvertisers” can steal the user’s information.
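
The scanning gap described above, shown as an added example that is not part of the original article: a check of only the submitted URL approves an ad whose redirect chain ends on a blocklisted host, while a scanner that follows every hop catches it. The domains, the redirect map (a stand-in for live HTTP responses) and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data on reserved .example/.test names; not real indicators.
BLOCKLIST = {"malware-landing.test"}
SHORTENERS = {"sho.rt.example"}
# Offline stand-in for HTTP 3xx responses: requested URL -> Location header.
REDIRECTS = {
    "https://ads.brand.example/click?id=1": "https://sho.rt.example/a1",
    "https://sho.rt.example/a1": "https://cdn.tracker.example/r?u=9",
    "https://cdn.tracker.example/r?u=9": "https://malware-landing.test/update",
    "https://ads.shop.example/click?id=2": "https://shop.example/sale",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_blocked(url):
    # Match the listed domain and any subdomain of it.
    h = host(url)
    return any(h == d or h.endswith("." + d) for d in BLOCKLIST)

def naive_scan(declared_url):
    """Weak check: looks only at the URL submitted with the ad."""
    return "reject" if is_blocked(declared_url) else "approve"

def resolve_chain(url, redirects=REDIRECTS, max_hops=5):
    """Follow redirects hop by hop; stop on loops or overly long chains."""
    chain, seen = [url], {url}
    while url in redirects:
        if len(chain) - 1 >= max_hops:
            return chain, "too_many_hops"
        url = redirects[url]
        if url in seen:
            return chain, "loop"
        chain.append(url)
        seen.add(url)
    return chain, "ok"

def chain_scan(declared_url, max_hops=5):
    """Stronger check: every hop is tested, and unresolved chains fail closed."""
    chain, status = resolve_chain(declared_url, max_hops=max_hops)
    reasons = [] if status == "ok" else [status]
    for hop in chain:
        if is_blocked(hop):
            reasons.append("blocklisted:" + host(hop))
        elif host(hop) in SHORTENERS:
            reasons.append("shortener:" + host(hop))
    hard = [r for r in reasons if not r.startswith("shortener:")]
    verdict = "reject" if hard else ("review" if reasons else "approve")
    return verdict, reasons

if __name__ == "__main__":
    for ad in ("https://ads.brand.example/click?id=1",
               "https://ads.shop.example/click?id=2",
               "https://loop.example/a"):
        print(ad, naive_scan(ad), chain_scan(ad))
```

A production scanner would also have to re-check approved ads over time, since the destination behind a redirect can change after approval.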

What Are the Types of Malvertising?

Cyberattackers carry out malvertising using various types and techniques. The types of malvertising commonly used are detailed below.

This type of malware creates a backdoor in the affected user’s system which attackers use to gain access to user data and personal information.

This malware is used to steal information from an infected system through online games. Once installed, the malware will create access for attackers to steal data. The information stolen is then transmitted through FTP, email, web or any other method.

This malware pretends to be an antivirus program. Fake AV works by showing users pop-ups of a non-existent virus and then convinces them to pay for fake AV software to remove the non-existent threats on their system. The fake AV malware prevents the user’s system from working properly so users tend to believe the threat is real.

What Are Examples of Malvertising?

Most malvertising attacks are successful because they are launched through trusted ad networks. Big names like Spotify, The New York Times and Forbes have all been victims of malvertising campaigns, unintentionally spreading malware to their site visitors. Some other examples of malvertising campaigns are detailed below.

1. RoughTed

RoughTed was a popular malvertising campaign with its first recorded sighting in 2017. RoughTed was able to evade several antivirus programs by continuously creating and changing new URLs, often through URL shorteners. The campaign leveraged the Content Delivery Network of Amazon’s cloud infrastructure and combined the noise with several redirections from ad networks. This made it extremely difficult to track and block the malicious websites the malvertising campaign was using to spread. RoughTed was also able to evade ad-blockers and used detailed fingerprinting of users. Users that visited compromised websites and had the requisite code were redirected to a tracking website once they clicked anywhere on the page.


The malicious sites used by this campaign distributed malware, fake updates embedded with adware and malicious browser extensions. RoughTed redirected traffic from streaming and file sharing sites through a series of intermediate sites to the Magnitude filtering gate and eventually led users to the exploit kit. RoughTed was estimated to have achieved over 500 million hits.

2. KS Clean

KS Clean uses trusted mobile apps to spread malicious adware embedded in the apps. Immediately upon a user clicking on an ad within the app, the malware will be downloaded in the background without the user’s knowledge or permission. A message will then pop up on the user’s screen notifying them of a security issue that they have to fix by updating the app. Once the user clicks “OK,” the malware will be fully downloaded and given administrative privileges. This allows the malware to display several pop-up ads on the user’s device. The attackers can then use the administrative privileges to install more malware.

What Are the Statistics About Malvertising?

Some malvertising statistics are listed below.

  • One out of 100 ads is malicious.
  • 40% of malware on social media is from malicious ads.
  • In 2012, almost 10 billion ads were compromised through malvertising.
  • 47.5% of malvertising attacks in the last quarter of 2018 were through auto redirects while pre-click and post-click malware made up 25% and 7%, respectively.
  • In 2018, 300 million iPhone browser sessions were hijacked using a gift card scam.
  • In the third quarter of 2020, Facebook was the most affected website, accounting for about 52.4% of total malvertising.
  • Ad networks lost $19 billion to malvertising in 2018 alone.
  • Publishers lose an estimated $1.3 billion to malvertising every year.

Which Devices Can Malvertising Infect?

Malvertising can infect any device that can be used to click on an ad—basically any electronic device with a web browser and internet access. The devices malvertising can infect are listed below.

  1. Mobile phones (Android or iOS)
  2. Tablets
  3. Mac computers
  4. Windows PCs

Mobile phones and tablets can be infected with mobile malware which overruns the device to steal data. Mobile devices affected by malvertising will experience fast draining of battery power, multiple app advertisement pop-ups, spam messages, non-downloaded apps showing up on the phone, etc.

Malvertising infects Windows and Macs in a similar way to mobile devices. Malvertising on a PC causes frequent browser redirects, warnings from an unrecognized app and multiple pop-up ads. Some users also get asked for ransom demands on files that the attackers could have stolen and encrypted. In many cases, users’ systems are completely shut down.

Is Malvertising Illegal?

Malvertising involves the upload of malicious content used to steal data and conduct other fraudulent and illegal activities. So yes, malvertising is illegal.

What Are the Laws Regarding Malvertising?

There are several laws against malvertising, and the punishment differs per country. According to New York’s law for example, in Code Section 156.05, “A person is guilty of unauthorized use of a computer when he or she knowingly uses, causes to be used, or accesses a computer, computer service, or computer network without authorization.”

The Computer Misuse Act 1990 is the cyberlaw for the U.K. The law states that unauthorized access to material stored in a computer, or crime committed with computers, or the ransoming of data, is illegal and punishable under law.

The Cyber Crimes Act of 2015, one of the many Nigerian laws against malvertising and other cyberattacks, states that “Any person who without lawful authority, intentionally or for fraudulent purposes does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference with the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and shall be liable on conviction to imprisonment for a term of not more than 2 years or to a fine of not more than N5,000,000.00 or to both fine and imprisonment.”

Germany equally has a body of laws to fight computer crimes. Section 202a states that “Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine.”

How to Protect Yourself from Malvertising

Learning about malvertising protection is important because there is no absolute way to ensure 100% protection from malvertising. However, there are several methods for malvertising prevention. Users can protect themselves from malvertising using the following methods.

  • Installation of ad blockers: Ad-blockers protect against malvertising by eliminating pop-up ads and reducing opportunities for users to fall victim to malicious ads. This is especially important because some malicious ads do not require clicks to infect a system.
  • Website safety: Users should learn how to recognize signs of harmful websites, such as the lack of “HTTPS” in the URL, and also take other website safety precautions like not clicking ads on web pages without confirming their legitimacy, using strong passwords, clearing downloads often and downloading only from legitimate sources.
  • Installing antivirus and anti-malware: Antivirus software protects against malvertising by identifying and preventing malware downloads on devices in real-time.
  • Update device OS: Software updates usually include security developments that can help prevent malvertising by reducing the vulnerabilities that exist in the device software.
  • Disable browser plug-ins: Plug-ins are a major channel used by attackers for transferring malware so limiting the accessible plug-ins from a device’s browser will also help to reduce the risk of malvertising.

What to Do If You Become a Victim of Malvertising

The following should be done if you are a victim of malvertising:

  • Make a criminal complaint.
  • Disconnect from the internet.
  • Run a diagnostic scan on the device with tools like Microsoft Defender for Windows.
  • Back up files to prevent loss when recovering data.
  • Update the operating system of the device.
  • Install an antivirus software application or update the existing one.

How to Remove Malvertising

Prevention is the most important step in keeping yourself safe, but sometimes malvertising manages to get through. In that case, removal is the next step. There are tools to help with the removal of malware; however, users can attempt to do this manually as well. Malvertising can be removed using the following methods.

  • Disconnect the device from the internet to ensure that connection to the server is paused and no further data is sent.
  • Put the device into safe mode to prevent the malware from loading and in a state where it can be removed easily.
  • Check recent installations or updates and running programs to see how each program is affecting the performance of the device and stop suspicious or unfamiliar programs.
  • Run a malware scanner to check your device and remove malvertising infections.
  • Check the device’s web browser, save necessary files and clear the cache on the device.

What Are the Malvertising Removal Tools?

Malvertising removal tools are software or applications with the main function of preventing and removing malware from a device. These tools scan devices, detect, prevent, block, clean and remove malware and other viruses on a device. There are lots of malware removal tools but here are five good tools to stop malvertising:

What Is the Difference Between Malvertising and Adware?

One major difference between malvertising and adware is that malvertising is launched on a webpage so it’s a bigger threat to a wider audience while adware targets individual people. Malvertising affects users through ads and sometimes does not require users to click, but adware requires clicking to infect users.

What Are the Other Threats?

Cyberattacks are increasing with the advancement of technology, which creates many other software threats aside from malvertising. Any malicious attack or illegal access to a user’s device or data for any purpose can be classified as a cyber threat. Some of these other threats include:

  • Doxing, which is the release of private information through hacking.
  • Denial of Service (DoS), which is an attack that prevents the infected device from responding to network requests to launch other attacks during that period.
  • Phishing, which is the use of false triggers to steal data or transfer viruses through emails and other channels.
  • Structured Query Language (SQL) injection, which is used to obtain information from SQL servers by including malicious code in the server.

Matthew Innes

Matthew is an avid technology, security, and privacy enthusiast while also a fully qualified mechanical engineer. I love to see the crossover between these two fields. When he's not working or studying he can be found fishing, playing guitar, playing video games, or building something.