Malvertising: Dealing With Malicious Ads – Who and How?

My earlier posts presented malvertising examples and explored how malicious ads work and how they get deployed and protected. This note considers what might be done to handle the threats of malicious ads. Who can and should deal with this issue?

Spotting Malicious Ad Campaigns

Recommendations for ad networks for spotting potential malvertising campaigns include:

  • Validate the integrity and authenticity of the entity wishing to place the ad by reviewing their credentials and documentation and by conducting a background search with financial review companies. Unfortunately, the documents are easily faked and review companies provide very limited coverage.
  • Research advertisers with domain registry lookup tools looking for red flags, such as concealed contact details, recently-created or modified records or the use of webmail email addresses for domain contacts. This seems quite practical to me.
  • Examine Flash ads with analysis tools, such as automated analyzers or web proxies. Unfortunately, the authors of malicious Flash ads are very good at concealing malicious logic, making it very hard to examine these programs to identify malware characteristics. (Perhaps ad networks could refuse to accept Flash ads with scripts that seem obscure or obfuscated.)
  • Watch out for social engineering tricks, such as willingness to pay for the full campaign in cash, placing orders at the last moment or maintaining contact at odd hours. This is hard to do, considering how persuasive social engineers can be. Moreover, ad networks’ sales people might prefer to get paid and deal with the potential malvertisement later, rather than saying “no” to a new customer.
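As an added illustration of the second recommendation (example code, not part of the original post), the screen below reduces a registry lookup result to its fields and reports the red flags named above. The webmail list, the 90-day "recent" window and the sample record are assumptions of the example.

```python
from datetime import datetime, timezone

# Illustrative webmail list and "recent" window; both are assumptions here.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
RECENT_DAYS = 90

def parse_whois(text):
    """Reduce a raw WHOIS response to a {lowercased field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def parse_date(value):
    """WHOIS date formats vary by registrar; accept the common ISO-8601 shapes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def advertiser_red_flags(whois_text, as_of):
    """Return the red flags found in one WHOIS record, judged as of a YYYY-MM-DD date."""
    f = parse_whois(whois_text)
    now = parse_date(as_of)
    flags = []
    created = parse_date(f.get("creation date", ""))
    updated = parse_date(f.get("updated date", ""))
    if created and (now - created).days <= RECENT_DAYS:
        flags.append("recently created")
    if updated and (now - updated).days <= RECENT_DAYS:
        flags.append("recently modified")
    email = f.get("registrant email", "").lower()
    if email and email.rpartition("@")[2] in WEBMAIL_DOMAINS:
        flags.append("webmail contact address")
    contact = (f.get("registrant name", "") + " " +
               f.get("registrant organization", "")).lower()
    if not email or any(w in contact for w in ("redacted", "privacy", "proxy")):
        flags.append("concealed contact details")
    return flags

# Constructed sample record; the domain and registrant are fictitious.
SAMPLE = """\
Domain Name: EXAMPLE-ADS.TEST
Creation Date: 2024-05-01T10:00:00Z
Updated Date: 2024-05-20T09:30:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: someone@gmail.com
"""
```

Calling `advertiser_red_flags(SAMPLE, "2024-06-01")` reports all four red flags for the sample; a long-registered domain with a corporate contact address reports none.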

These practices are either not being followed or are ineffective, given the apparent popularity and effectiveness of malicious ads.

Who Can Deal With Malvertisements?

In an article that explored who should kill off malvertisements, Trend Micro’s Rik Ferguson pointed out that “website owners and ad networks alike suffer embarrassing brand damage when their customers are infected.” However, I am not sure brand tarnishing provides sufficient incentives to motivate companies to address the problem:

  1. A website might suffer embarrassment when displaying a malicious advertisement;
  2. The site apologizes and points a finger at the ad network that served the ad;
  3. The network apologizes and disables the offending advertisement;
  4. The world moves on and forgets about the incident after a few days.

Moreover, ad networks probably keep the money they were paid for the campaign that turned out to be malicious. This creates an incentive to look the other way even when the ad network’s sales staff notices red flags when processing the campaign.

The Role that Enterprises and Individuals Can Play by Blocking Ads

When describing his experience supporting LAN operations for about 4 years, Michael Robinson observed that the majority of malware infections in that environment occurred through malvertisements. In response, the company’s firewall engineers:

"Created rules to block traffic from 20 specific advertisers. By blocking only these sites, the number of malware infections on the LAN dropped by over 80%."

If blocking ads is as effective as what Michael experienced, then adopting this practice on a larger scale, at the network level as well as on individual workstations, might create powerful incentives for ad networks to work more rigorously at investigating, identifying and responding to malvertising campaigns.

For now, individuals and organizations can minimize their exposure to malvertisements by minimizing their exposure to banner ads. Also, the standard practices for combating social engineering scams, client-side exploits and malware apply when dealing with the threat of malicious ads.

This note is part of a series of malvertising-related posts. You can also learn:

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
