Malvertising Explained: How To Spot And Steer Clear Of It

Malvertising attacks have been in the news recently. Microsoft Threat Intelligence uncovered a large-scale campaign, attributed to a threat actor cluster it tracks as Storm-0408, that may have impacted nearly a million devices after users were tricked into downloading malware hosted on GitHub. Once machines were infected, the criminals could harvest people's saved login details, OneDrive accounts, and even cryptocurrency wallets. The malicious GitHub repositories have since been removed, and Microsoft Defender has been updated to detect the malware used in the attack.

Malvertising is serious business. Gen Digital (the company that owns Norton, Avast, Avira, and AVG) said in its Q4 2024 threat report that "Malvertising continued to serve as a major vector for scams and malware, comprising 41% of all blocked attacks this quarter, the largest share of any single threat type."

But what exactly is malvertising? First, you need to understand that the term covers several different kinds of cybercriminal attack, and the tactics criminals use have changed over time. That means a lot of the advice still circulating on the web is out of date. We'll look at how malvertising has changed since the 2000s and 2010s and show you what you can do to protect yourself.

The history of malvertising

Changing and evolving is in the nature of malware and cyber attacks: attackers adapt as defenses tighten. Malvertising is usually defined as the practice of hiding malicious code or links inside seemingly legitimate online ads. The term also covers ads, and the sites they lead to, that redirect users to malicious downloads. It is often combined with a practice called SEO poisoning, where criminals game search engine rankings (or simply buy search ads) so that misleading links appear at the top of results pages.

It was first identified as a threat around 2007, when malicious code was found embedded in banner ads on legitimate websites, and it has gone through several iterations since. High-profile attacks in the 2010s used ads on reputable news sites to push ransomware onto readers' computers. In 2016, websites including the New York Times, Newsweek, and the BBC inadvertently served malicious ads that exploited a flaw in Microsoft Silverlight, a now-defunct browser plugin for playing video and animations, similar to Flash.

Dangerous code could be hidden anywhere within an ad, making it difficult to detect. In some cases a device could be infected without the user clicking anything, a technique known as a drive-by download. Since browsers dropped plugins like Flash and Silverlight, drive-by downloads have become rare. They are not impossible, because an unpatched browser vulnerability can still be exploited the same way, but modern malvertising campaigns, including the one attributed to Storm-0408, generally require the user to click on a fake ad first and then run something themselves.

How did the Storm-0408 malvertisement work?

The recent attack detailed by Microsoft Threat Intelligence targeted visitors to illegal movie streaming websites. Ads were embedded inside the video frames, and clicking one redirected people to another website pretending to be a malware security or tech support site. That page prompted the visitor to download a file hosted on GitHub (and, in some cases, on other file-hosting services). Once run, the download installed further hidden components and sent stolen information, such as saved passwords and personal data, back to the criminals.

Given that these malvertisements appeared only on specific pirating sites, it seems remarkable that the scam reached almost one million devices. Clearly, a great many people use these sites, since only a fraction of visitors would have clicked the ad and run the download. The attack, according to Microsoft, also affected "enterprise devices", which suggests that some people are watching pirated movies on their work computers.

This particular attack was comparatively easy to avoid, and not just by staying away from illegal movie sites in the first place. Victims had to click on a scaremongering advert that appeared inside a movie and then download and run an unknown program from GitHub. SEO poisoning attacks, however, tend to be more subtle.

What is SEO poisoning?

SEO (or SERP) poisoning is the practice of getting legitimate-looking URLs to the top of search engine results pages (SERPs) on Google and other search engines, either by gaming the ranking algorithm or simply by paying for sponsored results, which sit above the organic ones. It has become popular with cybercriminals as a way of spreading malware and ransomware. Sometimes the keywords and URLs are intentionally misspelled: SlashGear.com might become SlasshGear.com or SlashGeer.com, or simply use a different top-level domain such as SlashGear.io. This practice, known as typosquatting, catches people who type only the first few letters, or mistype the name, and don't check the results too carefully. More recently, there have been cases where the URL shown on the results page looks legitimate but the link redirects to a different site.

This issue was widely reported in 2024, when people looking to download the Arc web browser fell prey to malvertising. Googling for 'Arc download' brought up sponsored results that appeared to point to the real website at arc.net but were actually malvertisements. They displayed the legitimate URL on the Google results page, but clicking through led to a page at a different URL that spoofed the legitimate site, and the download button there delivered malware. There have been numerous similar scams over the past few years, with malvertisements in Google search results impersonating Amazon.com and software downloads such as WinSCP, PuTTY, Mozilla Thunderbird, and Microsoft Teams.

Ways to spot and avoid malvertisements

Spotting and avoiding malvertising depends on the sort of scam being employed. In the 2010s, when a malvertisement could execute without you doing anything, the first sign that you had been hit might be discovering that your computer had been compromised. However, those attacks usually relied on weaknesses in plugins such as Flash, Java, and Silverlight, and they fell out of favor once browsers and users abandoned the plugins. Security firms advised removing them and tightened up protection against other ad-based loopholes.

Security software companies like Norton and McAfee are constantly improving their products to combat new types of attack, and Microsoft Defender was updated following the Storm-0408 campaign. Ensuring that you have anti-virus and anti-malware software, and keeping it updated, should be your first port of call. You can also consider identity protection software and a VPN, though bear in mind that a VPN only hides your traffic from onlookers and does nothing to stop you downloading a malicious file. Installing an ad blocker will guard against many in-page malicious adverts, including the ones injected into video frames. Security experts monitor scams continuously; staying a step ahead of every attacker is impossible, but they respond to new threats as fast as they can and build their findings into their products. You should also avoid classic cybersecurity mistakes like clicking links indiscriminately or failing to keep your devices' software up to date, since a fully patched browser is your main defense against any return of drive-by downloads.

What can you do to defend yourself against SEO poisoning?

Vigilance is key here, especially when you are downloading software onto a device. Before you click a download button, whether on a website or on a repository like GitHub, do your research. If you are searching for the name of a product or company, check your spelling: typosquatters register domains that match misspelled keywords like "Nvida" or "Micosoft". Avoid the sponsored links at the top of a search engine results page and scroll down to the organic results.

Next, check the URL. Scammers register similar and plausible-sounding domain names to catch people out. If you are looking to download software, find out the correct URL from tech publications (or even Wikipedia) and type it in directly; going straight to the source rather than through a search engine makes it far more likely that you end up where you intended. Check the web page before clicking to download, too. Bad actors will often recreate the landing page of the site they are spoofing, but rarely much more than that. If there is no way to click through to other pages, such as a products page, contact page, or terms and conditions, treat the site as suspect. Compare the domain in your address bar with the one you expected, character by character: a swapped letter, a doubled letter, or a different ending is the whole trick.

Lastly, if you're using macOS, be wary of any site that tells you to right-click (or Control-click) a downloaded app and choose Open in order to run it, or that walks you through "Open Anyway" in System Settings. These are tricks used to bypass security protections. On macOS, Gatekeeper is designed to prevent unsigned or unnotarized applications from running without explicit user consent. You can manually override it, and malicious actors exploit that by coaching users through the override so that they run harmful software themselves.
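As an added example (this is not code from the article, from Microsoft, or from any of the vendors mentioned), here is a small Python script that automates the spelling and URL checks above: it flags a domain that differs from a known-good brand by a different ending, a lookalike character swap, or a one-or-two-character typo, and it catches the Arc-style trick where the domain an ad displays differs from the domain the click lands on. The brand allow-list and all sample URLs are constructed for illustration, and the domain extraction is a simplified stand-in that keeps only the last two host labels, so it will mis-handle suffixes like co.uk; a real tool would use a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains verified out-of-band (assumption: in
# practice this would come from a vendor/brand list you maintain yourself).
KNOWN_GOOD = {"slashgear.com", "arc.net", "github.com", "winscp.net", "microsoft.com"}

# Character sequences that look alike at a glance in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(url: str) -> str:
    """Lower-cased 'brand.tld' part of a URL's host.

    Simplified stand-in for eTLD+1: it keeps the last two labels, so
    multi-label public suffixes such as co.uk are not handled.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").strip(".")
    return ".".join(host.split(".")[-2:])


def fold_homoglyphs(label: str) -> str:
    """Map lookalike sequences to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance:
    insertions, deletions, substitutions and adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url: str, known_good=KNOWN_GOOD) -> tuple[str, str]:
    """Compare a URL's domain with the allow-list.

    Returns (verdict, brand_it_resembles). Verdicts: known, punycode,
    tld-swap, homoglyph, typo, unrelated.
    """
    dom = registrable_domain(url)
    if dom in known_good:
        return "known", dom
    if any(label.startswith("xn--") for label in dom.split(".")):
        return "punycode", ""  # internationalised lookalike; inspect by hand
    name, _, tld = dom.rpartition(".")
    for good in sorted(known_good):
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return "tld-swap", good
        if fold_homoglyphs(name) == fold_homoglyphs(gname):
            return "homoglyph", good
        # Allow roughly one typo per five characters of the brand name.
        if dl_distance(name, gname) <= max(1, len(gname) // 5):
            return "typo", good
    return "unrelated", ""


def display_matches_landing(display_url: str, landing_url: str) -> bool:
    """Guard against the Arc-style trick: an ad shows the genuine domain
    but the click lands somewhere else. True only if both URLs share a
    registrable domain, so a False result deserves a second look."""
    return registrable_domain(display_url) == registrable_domain(landing_url)


if __name__ == "__main__":
    # Constructed sample URLs; none of the lookalikes is a real observed site.
    for sample in ["https://www.slashgear.com/", "SlasshGear.com", "slashgear.io",
                   "https://rnicrosoft.com/", "https://example.org/"]:
        print(f"{sample:32} -> {classify(sample)}")
    print(display_matches_landing("https://arc.net/", "https://arc-download.example/"))
```

The typo threshold is deliberately aggressive for short brand names (a three-letter brand is flagged by any single-character change), which suits a warning tool better than a silent allow-list; tune it, and the homoglyph table, to the brands you actually care about.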
