What is Malvertising?

Bart Lenaerts-Bergmans - October 17, 2022

What is Malvertising

Malvertising — or malicious advertising — is a relatively new cyberattack technique that injects malicious code within digital ads. Difficult to detect by both internet users and publishers, these infected ads are usually served to consumers through legitimate advertising networks. Because ads are displayed to all website visitors, virtually every page viewer is at risk of infection.

How Does Malvertising Work?

Malvertising attacks can be complex in nature, leveraging many other techniques to carry out the attack. Typically, the attacker begins by breaching a third-party server, which allows the cybercriminal to inject malicious code within a display ad or some element thereof, such as banner ad copy, creative imagery or video content.

Once clicked by a website visitor, the corrupted code within the ad will install malware (malicious software) or adware on the user’s computer. The attacker may also redirect the user to a malicious website and leverage spoofing or social engineering techniques to advance the attack.

Malvertising attacks may also execute an exploit kit, which is a form of malware that is designed to scan the system and exploit vulnerabilities or weaknesses within the system.

Upon installation, the malware delivered via malvertising attacks operates as any other form of malware. It can damage files, redirect internet traffic, monitor the user’s activity, steal sensitive data or set up backdoor access points to the system. Malware may also be used to delete, block, modify, leak or copy data, which can then be sold back to the user for ransom or on the dark web.

Though somewhat less common, it is possible to conduct a malvertising attack without having the user interact with the ad. These attacks include:

  • A “drive-by download,” which exploits browser vulnerabilities to install infected files on the system while the user is passively viewing the ad.
  • A forced redirect of the browser to a malicious site.
  • Executing Javascript or Flash to display unwanted advertising or malicious content.

Malvertising vs Ad Malware (Adware)

Malvertising and adware are two terms that are sometimes used interchangeably, though they are substantially different.

Unlike malvertising, which launches an attack via an infected ad, adware is a program that can be used to track a user’s web activity in order to display relevant or personalized ads. All malvertising is considered malicious in nature, whereas some forms of adware are included in legitimate software packages. While adware often stokes concerns regarding data privacy and security, it does not allow cybercriminals to assume control of the system or alter, exfiltrate or delete data.

Examples of Malvertising

Many reputable organizations, including The New York Times, BBC, Spotify, Forbes and the NFL have been involved in malvertising attacks in recent years. In many such cases, the attack stemmed from a compromised ad network, which made it nearly impossible for the organization to identify such risks.

Specific attacks include:

  • Angler Exploit Kit. This malvertising attack was an example of a drive-by download. It automatically redirected visitors to a malicious website where an exploit kit was able to exploit vulnerabilities in common web extensions, such as Adobe Flash, Microsoft Silverlight and Oracle Java.
  • RoughTed is a malvertising campaign that was able to circumvent both ad-blockers and many ant-virus solutions through a series of dynamic URLs. The cybercriminals behind RoughTed leveraged a complex ad exchange network, as well as the Amazon cloud infrastructure and its Content Delivery Network (CDN), to carry out this attack.
  • KS Clean is a malvertising campaign that targets malicious adverts within mobile apps. Once downloaded, the malware would trigger an in-app notification alerting the user to a security issue and promoting them to upgrade the app. However, if the user agreed to the upgrade, it actually completed the installation process and granted cybercriminals administrative privileges to their mobile device.

How to Avoid Malvertising

Malvertising is extremely difficult to detect and avoid for both consumers and publishers. This is because of the incredible volume of digital ads being created and the rapid rate at which ads are circulated within a digital ad exchange. This means that publishers themselves often cannot directly oversee the ad verification and assessment process.

Generally speaking, it is also very difficult for cybersecurity experts to identify exactly which ad is malicious because the ads on a webpage constantly change. Further, most malvertising attacks require the user to interact with the infected ad. This means that not every website visitor will be affected by a malicious ad, which makes it more difficult to narrow down the offending advert.

While difficult to prevent infection from a malvertisement, users can take steps to reduce their risk:

  • Ensure that all software and extensions, including web browsers, are up to date.
  • Install antivirus software and ad blockers to reduce the risk of running a malicious advertisement.
  • Avoid using Flash and Java or allowing these programs to run automatically when surfing the web.

Publishers have a responsibility to protect their visitors from malvertisements. Steps they can take include:

  • Thoroughly evaluate third-party ad networks that will be responsible for selecting, vetting and running ads.
  • Scan ad creative intended for display to discover malware or unwanted code.
  • Avoid the use of JavaScript or Flash in ads.
  • Engage a trusted cybersecurity partner to offer customized recommendations based on the organization’s digital advertising activity.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.