Malvertising: how ads can become more than just annoying

Malvertising, a portmanteau of malicious advertising, is an interesting technique for spreading malware that leverages the omnipresence of online ads in today’s internet landscape. It’s basically malicious adverts which will try to infect unsuspecting users when the ads are loaded or clicked upon.

Fox-IT reported on a large scale malvertising campaign this week in the Netherlands. This campaign targeted some very popular websites (,,,, …). This is less than one month after the campaign which targeted international websites (,;, …) and used the Angler exploit kit (reported by Malwarebytes).

How it works

Malvertising works through malicious ads that are placed on unsuspecting websites. These websites have no idea they are hosting malicious content. The ads can be regular ads which are hacked and injected with malicious code, or they can be malicious ads placed by someone who is merely posing as a regular company wanting to advertise.

A malicious ad can try to infect your computer in many different ways, both with and without user interaction (click).

The most straightforward way of attacking is by using a simple redirect upon click. When a user clicks on the ad he will be redirected to a malicious website where he gets infected with malware. This website can, for example, be hosting the very popular exploit suite called “Angler exploit kit”. If you want more information about how this box o’fun works, you can read this interesting article.

This is however not a very efficient way of attacking, since users usually don’t click on many adverts. A “better” way is to use scripts that are executed when the ad loads. This attack mode is very popular since it requires absolutely no user interaction.

Let’s take for example a harmless news website. This website uses advertisements to generate revenue, so it can continue to provide free content. A malicious advertiser has managed to place an advertisement on the website (by buying a slot). The advertisement isn’t necessarily malicious from the outset. It can be replaced by the malicious advertiser when he wants to launch the “campaign”. Once the malicious ad is in place, the fun begins.

For those of you who are not familiar with how third party advertising works, I will give you a quick 101 to get you up to speed. As you may or may not know, the web generally works on HTTP (HyperText Transfer Protocol). It is a protocol which describes, for example, how a browser asks a webserver for a certain webpage.

The browser first sends a GET request to the webserver. The server then answers with an HTTP response. This response contains the backbone of the webpage-to-be-displayed (and can also contain, for example, cookies). This backbone is much like a blueprint. Every element of the webpage is defined on this blueprint, along with the location of the content on the web. The browser will then send out more requests to gather all the individual elements of the webpage (for example images or ads). These follow-up requests are not necessarily aimed at the webserver hosting the webpage, since the content can also be located on external (third party) webservers. When you have, for example, a simple webpage of company A which is showing an ad of company B, the browser will first request the page from webserver A, and then fetch the advert of B by sending a request to webserver B. The owner of website A basically has little or no control over the content provided by company B, since it’s not hosted on A’s server.

Now that you’re up to speed you can see how an advertising company places its third party content (ads) on a website, and how a malicious advertiser can abuse this mechanism to reach unsuspecting users.

So let’s stick with the example above, but add a malicious advertiser we call C. C has bought an advertisement slot on the website of company A, and has placed a malicious advertisement. When a user visits the webpage of company A, the advertisement of C is loaded along with the other content. This advertisement secretly opens an iframe. This is an invisible box that is able to secretly navigate to a webpage. The C iframe points to an Angler exploit kit landing page on a malicious webserver, making the user connect to this server which is controlled by C. Now the malicious webserver can probe the user and his browser for vulnerabilities, and infect the machine with malware (drive-by download) if such vulnerabilities are found.
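To make the A/B/C scenario concrete from the defender’s side, here is an added example (my own code, not from the original article or from any of the vendors it cites) that statically scans a page’s HTML for the pattern described above: resources fetched from a third-party origin, and iframes that the user cannot see. The page origin, the HTML and the hostnames (`news-site-a.example`, `ads.company-b.example`, `landing.advertiser-c.example`) are constructed placeholders, and the regex-based tag extraction is a deliberate simplification rather than a full HTML parser.

```javascript
// Added example, not from the original article.
// Scan page HTML for third-party resources and hidden iframes, the delivery
// pattern of the A/B/C scenario: A hosts the page, B's ad loads from B's
// server, and C's ad opens an invisible iframe to an exploit-kit landing page.
// All hostnames and the HTML are constructed placeholders (.example TLD).

const PAGE_ORIGIN = "https://news-site-a.example";

// Constructed sample page: a first-party image, a legitimate ad image from
// advertiser B, a zero-size hidden iframe injected by advertiser C, and a
// visible first-party iframe (a video player) that should not be flagged.
const SAMPLE_HTML = `
<html><body>
<img src="/logo.png">
<img src="https://ads.company-b.example/banner.jpg">
<iframe src="https://landing.advertiser-c.example/gate.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/video-player" width="640" height="360"></iframe>
</body></html>`;

// Extract (tag, attribute map) pairs for <img>, <iframe> and <script> tags.
// A regex is enough for a static scan of a string; it is not an HTML parser.
function extractElements(html) {
  const tagRe = /<(img|iframe|script)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    out.push({ tag: m[1].toLowerCase(), attrs });
  }
  return out;
}

// Resolve a (possibly relative) src against the page origin and report
// whether the request would go to a server other than A's.
function isThirdParty(src, pageOrigin) {
  const url = new URL(src, pageOrigin);
  return url.origin !== new URL(pageOrigin).origin;
}

// Heuristics for an iframe the user would never see on screen.
function looksHidden(attrs) {
  const zero = (v) => v !== undefined && parseInt(v, 10) === 0;
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  return zero(attrs.width) || zero(attrs.height) ||
    style.includes("display:none") || style.includes("visibility:hidden");
}

// One finding per element with a src; "suspicious" marks the combination
// the article describes: a hidden iframe pointing at a third-party server.
function scanPage(html, pageOrigin) {
  const findings = [];
  for (const { tag, attrs } of extractElements(html)) {
    if (!attrs.src) continue;
    const thirdParty = isThirdParty(attrs.src, pageOrigin);
    const hiddenIframe = tag === "iframe" && looksHidden(attrs);
    findings.push({ tag, src: attrs.src, thirdParty, hiddenIframe,
      suspicious: thirdParty && hiddenIframe });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed page.
for (const f of scanPage(SAMPLE_HTML, PAGE_ORIGIN)) {
  console.log(f.suspicious ? "SUSPICIOUS" : "ok", f.tag, f.src);
}
```

Running this marks only the zero-size iframe to `landing.advertiser-c.example` as suspicious; B’s banner is third-party but visible, and the video player is first-party. In practice the same check is more useful applied to the DOM after scripts have run, since a malicious ad usually creates the iframe dynamically rather than shipping it in the static HTML.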

Now you’re probably thinking “how come someone is able to affect my computer when all I’m doing is surfing the web?”. The answer to this question is very straightforward. Normally it would be impossible for someone or something to place and run malware on your computer from a remote site without your consent. Unfortunately there are security vulnerabilities in certain software you use, which can be exploited. These can be vulnerabilities in the browsers themselves, or plugins such as Adobe Flash, Adobe Reader, … when left unpatched.

The image below was published by McAfee Labs in 2015 and shows the distribution of zero-day attacks by vulnerable application. We notice Adobe Flash being a major victim of such attacks. This is one of the reasons why the web is trying to evolve away from Flash, since it’s very prone to security holes.

Can I stop it?

There are a few easy steps you can take to minimize the odds of getting infected by a malvertisement. The best and biggest advice is to update those browsers and plugins! Make sure you are using the latest version of your browser, preferably a browser which uses sandboxing to prevent malware from breaking out of the browser environment.

The next pointer is to disable advertisements by using an adblocker. For the general user this is a win-win situation since you get rid of the annoying ads and diminish the risk of getting infected through a malvertisement.
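Here is an added example (my own code, not from the article or from any ad-blocking product) of the core check an ad blocker performs on every sub-request a page makes: matching the request’s hostname against a blocklist before the request leaves the browser. In the A/B/C scenario, refusing the request to the ad host means C’s script never runs, so the hidden iframe is never created and the landing page is never contacted. The blocklist entries and URLs are constructed placeholders (`.example` hosts), and the format is a plain list of domains, not the filter-list syntax of any real blocker.

```javascript
// Added example, not from the original article.
// Minimal host-based request filter in the style of an ad blocker.
// The blocklist and request URLs are constructed placeholders.

const BLOCKLIST = ["ads.company-b.example", "advertiser-c.example"];

// A blocklist entry covers the host itself and all of its subdomains, but
// not a host that merely ends with the same characters (so "advertiser-c.example"
// blocks "landing.advertiser-c.example" but not "notadvertiser-c.example").
function hostMatches(hostname, blockedHost) {
  return hostname === blockedHost || hostname.endsWith("." + blockedHost);
}

// Decide on one request URL.
function shouldBlock(url, blocklist = BLOCKLIST) {
  const { hostname } = new URL(url);
  return blocklist.some((entry) => hostMatches(hostname.toLowerCase(), entry));
}

// Replay a page's sub-request chain: the page, B's banner, C's ad script, and
// the landing page the script would open. Each request in the chain only
// happens if the previous one was allowed, which is how blocking C's script
// also prevents the iframe navigation that the script would have triggered.
function replayChain(chain, blocklist = BLOCKLIST) {
  const allowed = [];
  const blocked = [];
  for (const { url, parent } of chain) {
    if (parent !== null && blocked.includes(parent)) {
      // The request that would have created this one never ran.
      blocked.push(url);
      continue;
    }
    (shouldBlock(url, blocklist) ? blocked : allowed).push(url);
  }
  return { allowed, blocked };
}

// Constructed request chain for the A/B/C page.
const SAMPLE_CHAIN = [
  { url: "https://news-site-a.example/", parent: null },
  { url: "https://news-site-a.example/logo.png", parent: "https://news-site-a.example/" },
  { url: "https://ads.company-b.example/banner.jpg", parent: "https://news-site-a.example/" },
  { url: "https://cdn.advertiser-c.example/ad.js", parent: "https://news-site-a.example/" },
  { url: "https://landing.advertiser-c.example/gate.php", parent: "https://cdn.advertiser-c.example/ad.js" },
];

// Stand-alone run: show which requests the filter lets through.
const result = replayChain(SAMPLE_CHAIN);
console.log("allowed:", result.allowed);
console.log("blocked:", result.blocked);
```

Note that the legitimate banner from B is blocked as well: a blocklist cannot tell a benign ad from a malicious one, which is exactly why the article calls it a win-win for the general user and why sites that rely on ad revenue object to it.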

The final pointer is to deploy some form of malware protection. There are a number of anti-malware or anti-exploit suites available.

Sources: Trustwave, How-To Geek, Malwarebytes
