Features 23.12.2024
Malvertising 101: How Brands Can Prevent Malicious Ads Destroying Their Reputation
The National Cyber Security Centre (NCSC) recently published its first malvertising guidance document for brands.
The digital advertising industry is an unsung hero for the British economy. According to IAB UK, it contributed £129bn in gross value added (GVA) in 2022, employing two million people and increasing sales for UK firms investing in digital ads by £73bn. But the benefits go even further than that. The IAB claims online ads save UK households £18bn per year by providing free access to digital services. So, it should be a concern that threat actors undermine the complex ecosystem underpinning this economic success story.
By using digital ads to distribute malware, cyber criminals threaten to erode consumer trust in websites and online services and critically damage the reputation of the brands that advertise online. That’s why the National Cyber Security Centre (NCSC) recently published its first malvertising guidance document for brands.
Put simply, malvertising (malicious advertising) is a technique for distributing malware or redirecting users to malicious sites. This is achieved either by luring the victim into clicking on the ad or via a ‘drive-by-download’, where simply visiting the page triggers a malware download by exploiting a browser/OS/software bug. Lures could include quizzes and competitions, giveaways, videos, fake news articles, and fake security alerts (scareware).
Crucially, the malicious ads are served using legitimate ad networks and may namecheck legitimate brands to reach and entice a broad user base. Just like genuine digital advertising, malicious ads come in all sorts of different shapes and sizes, including popups, banner ads and paid search ads. At a high level, they end up on publishers’ sites and search engines because ad networks can’t differentiate between malicious JavaScript submitted by threat actors and legitimate code.
Unfortunately, the UK had the highest incidence of malvertising in 2023. According to Confiant, 0.56% of impressions in 2023 were judged to have “security violations”, way above the global average of 0.26% and nearly double that of the US. Although the share doesn’t seem particularly high, the sheer number of impressions monitored by Confiant – reaching one trillion for this study – means that as many as 560 billion people may have been served malicious ads in the UK.
Among the most popular malvertising techniques Confiant observed last year was cloaking – where the final malicious landing page is hidden from the ad platform providers. Other common malvertising categories include fake updates, cybercrime scams, and forced redirects. In general, these may lead to downloads of ransomware, spyware, adware, infostealers, or any other type of malware. They could also take users to a branded phishing page designed to harvest personal and financial information. In some cases, they even direct the victim to a tech support scam site designed to scare them into paying for unnecessary tech products or services to ‘clean’ their machine.
According to IEEE senior member Kevin Curran, malvertising might also be used to commit ad fraud, to spread disinformation, or to conscript compromised machines into botnets.
“Malvertisers may also use campaigns to test and refine new malware delivery techniques or probe vulnerabilities in ad systems, browsers and devices,” he tells Assured Intelligence. “Their objectives reflect a combination of economic, ideological and strategic motivations, exploiting gaps in digital advertising security to achieve their goals.”
Curran, a professor of cybersecurity at Ulster University, argues that the complexity of the advertising supply chain is one of the biggest malvertising challenges facing brands – and, indeed, the entire industry.
“The digital advertising ecosystem involves multiple layers of intermediaries, including advertisers, ad networks, exchanges, demand-side platforms, and publishers, each adding points of vulnerability. Programmatic advertising, which relies on real-time automated transactions, further complicates the process by making it difficult to manually vet ads or trace the origin of malicious content,” he explains.
“This complexity is compounded by indirect partnerships and the global nature of ad supply chains, where varying security standards create opportunities for exploitation. Malvertisers exploit these gaps by embedding malicious code deep within the chain or using evasive techniques like ad rotation to bypass detection. The lack of transparency in how ads are sourced and delivered often prevents advertisers and publishers from identifying vulnerabilities, making accountability difficult when incidents occur.”
Another complicating factor is that brands and publishers also need to make money from their digital ads, so any efforts to secure the ecosystem must not impact legitimate advertising or the user experience.
“Smaller publishers, in particular, may prioritise revenue over security, creating additional risks,” says Curran. “As a result, combating malvertising in such a fragmented and opaque environment requires advanced detection tools, rigorous vetting of partners, and industry-wide collaboration to enhance transparency and accountability.”
Morten Mjels, CEO of cybersecurity consultancy Green Raven, also cites ad supply chain complexity as a challenge for security practitioners.
“It is hard to predict such attacks as they might not require any internal information to execute. However, the good ones will likely create domain permutations to direct traffic to their site,” he tells Assured Intelligence.
“Also, as companies grow, the risk of becoming a victim of malvertising increases too, so it is important to manage your supply chain carefully and monitor traffic, as dips in regular traffic to a website could be an indicator of [malicious activity].”
The NCSC’s guidance calls for brands to be more exacting of their advertising partners, demanding they implement stronger know-your-customer (KYC) checks to weed out bad actors and employ effective cybersecurity at a hardware and software (ad code) level. It also advocates improved threat intelligence sharing across the digital ad ecosystem, robust reporting and acknowledgement of suspicious activity, and deployment of malvertising detection and removal services.
Transparency is also key. The NCSC argues: “You should expect your partners to be willing to demonstrate how they reduce user harm and to openly signal their commitment to securing end users and your advertising spend.”
Curran agrees that any effort to combat malvertising needs to roll out across the digital ad supply chain.
“Securing against malvertising involves working with trusted ad networks and limiting the number of intermediaries in the ad supply chain to reduce vulnerabilities. Employing advanced security tools like real-time ad verification, malware scanners, and content delivery networks helps detect and block malicious ads before they reach users. Technical safeguards, such as content security policies and regular software updates, are essential to prevent exploitation,” Curran says.
“Continuous monitoring for unusual activity and maintaining a rapid response plan ensures swift mitigation when malvertising is detected. Educating internal teams and users about malvertising risks strengthens awareness, while regular security audits help identify and address vulnerabilities.”
Green Raven’s Mjels argues that due diligence and vendor management are essential to minimise risk across the ad supply chain.
“Furthermore, utilise threat intelligence tools to understand your external threats, such as domain permutations and other risks,” he adds. “Having strong cybersecurity which combines traditional security, compliance, and risk assessments can significantly reduce the likelihood you will be a victim.”
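One way a brand's security team could act on the domain-permutation advice quoted above is to compare the landing-page domains seen in ad reports against its own domain. The sketch below is an added example, not code from the article, the NCSC guidance or any tool named in it. The brand domain `northwind.example`, the substitution map and the sample domains are constructed, and matching label by label is a simplification that avoids needing a public-suffix list.

```python
# Added example. BRAND_DOMAIN, the look-alike map and OBSERVED are constructed.
BRAND_DOMAIN = "northwind.example"
DIGITS = str.maketrans("0135", "oles")          # digit-for-letter swaps
PAIRS = (("rn", "m"), ("vv", "w"))              # two letters that read as one

def skeleton(label):
    """Collapse common visual substitutions so look-alikes compare equal."""
    label = label.lower().replace("-", "").translate(DIGITS)
    for seq, single in PAIRS:
        label = label.replace(seq, single)
    return label

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, brand_domain=BRAND_DOMAIN):
    """Label one observed landing-page domain relative to the brand's own domain."""
    domain = domain.lower().rstrip(".")
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "own"
    brand = brand_domain.split(".")[0]
    for label in domain.split("."):
        if label == brand:
            return "brand-on-foreign-domain"
        if skeleton(label) == skeleton(brand):
            return "lookalike"
        if osa_distance(skeleton(label), skeleton(brand)) == 1:
            return "typo"
        if skeleton(brand) in skeleton(label):
            return "embeds-brand"
    return "unrelated"

# Constructed landing-page domains, e.g. exported from an ad verification report.
OBSERVED = ["shop.northwind.example", "n0rthwind.example", "nortwhind.example",
            "northwind.promo-cdn.test", "northwind-giveaway.test", "weather.test"]

def suspicious(domains):
    """Return only the domains that imitate or borrow the brand name."""
    return {d: c for d in domains if (c := classify(d)) not in ("own", "unrelated")}
```

For short brand names an edit distance of one produces many false positives, so the "typo" rule is best kept for labels of roughly six characters or more.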
IEEE’s Curran claims that sourcing ads through private marketplaces or direct deals can also help reduce the potential for miscreants to enter the digital ad ecosystem.
“Advocating for stronger industry-wide transparency and security standards can further minimise exposure to malvertising threats,” he concludes. “A proactive, multi-layered approach is key to maintaining a secure digital environment.”
To help brands mitigate the risks associated with malvertising reputation abuse, the NCSC recommends that digital ad partners are put in place to do the following: