What is Malvertising: From A to Z with Examples

Man

Professional
Messages
3,225
Reaction score
1,053
Points
113
Malvertising is a type of digital fraud in which attackers use fake ads to distribute dangerous code, generate traffic on websites, steal personal data, or illegally access users' social media accounts. Or simply deceive people into selling goods through fake stores.

The word malvertising consists of two English words: “malware”, which translates as “malicious program”, and “advertising”, which translates as “advertising”.

According to a report by cybersecurity experts, in 2019, every hundredth ad was malicious. And in 2017, according to Google, the system removed more than 100 such ads every second, totaling more than 190 million. Of these, 79 million led to sites with dangerous content, 66 million were trick-to-click ads (containing a deceptive message), 48 million tried to convince users to install unwanted software.

Contents
1. The principle of malicious advertising
2. Methods of distributing malware through advertising
3. The difference between malvertising and adware
4. Examples of malvertising
4.1. Zirconium and 28 Fake Advertising Agencies
4.2. Tag Barnakle and 120 hacked ad servers
4.3. ScamClub and the attack on iOS and macOS users
4.4. eGobbler and Phishing
4.5. VeryMal and advertising for Apple with shorthand
4.6. NoTrove and selling traffic
4.7. Malicious advertising in Skype
5. WordPress, Adobe Flash – who became a victim of malicious advertising
6. Is it easy to deceive an advertising platform?
7. How to recognize fake online advertising
8. How to protect yourself from malicious advertising (malvertising)

The principle of malicious advertising​

The fraudster creates a campaign on any advertising platform and places an ad on a high-traffic site. From the ad, he places a link to a malicious site.

Externally, such an ad looks quite legal, ordinary and attractive, and the audience trusts the traffic platform. But as soon as the user clicks on the ad to the attacker's resource, either malware is downloaded to his device, or he independently performs actions that compromise his device or personal data.

Advertisements are not always placed through, for example, Yandex Direct or Google Ads. The resource owner can also cooperate with some agency, therefore, they place advertisements on their pages using special software or code.

Advertising platforms filter fraudulent and malicious ads, but attackers find new vulnerabilities or use advertising “bombardment”, where the simple human factor comes into play, so the ad is passed by the moderation service.

Methods of distributing malware through advertising​

The types of malvertising used by scammers differ in the methods of distributing malicious code, but are generally similar.
  • Automatic loading
Drive-by Download, or forced automatic download, is a malware distribution technology in which software is downloaded to the user's device automatically when the user visits a site via a malicious advertisement. That is, the user saw an advertisement on a familiar site, clicked on it and ended up on a site with fraudulent "filling", which was immediately installed on his device.
  • Download on click
Click to Download, also called click-to-download, is a technology in which malware is downloaded to a device after the user performs a certain action. For example, he followed a fraudulent advertisement to a cybercriminal's website and clicked to download some program that pretends to be real software, but is actually malicious.

The difference between malvertising and adware​

The terms adware and malvertising can be confused, as both refer to advertising fraud.

Malvertising differs from adware in that it is itself an advertisement with dangerous content, while adware is a malicious program downloaded by the user to their device.

Adware is a program that runs in the background non-stop on the user's device. As soon as the user goes to a site that monetizes its content by placing ads, the malware replaces the ads with its own. Since the malware sits on the user's device, it collects all the marketing information about the owner to show relevant ads.

This is how attackers generate fake impressions, clicks, and leads.

Examples of malvertising​

The scale of malicious advertising is impressive. Dozens of fraudulent groups and individual attackers work on it.

Zirconium and 28 Fake Advertising Agencies​

This was the name of a large-scale fraudulent campaign organized in February 2018 to generate fraudulent traffic and distribute malware. To carry out the attack, the attackers created 28 fake advertising agencies.

The scammers took care to create a reputation and make their agencies look real. Fake accounts on social networks were even registered for the company's "specialists".

Once the attackers had earned their agencies a sufficient reputation, they began posting malicious ads. The fraudsters posted dangerous ads on traffic resources more than 1 million times.

To generate traffic for subsequent sale or distribution of malware, the scammers used forced redirect technology to sort visits. As soon as a user clicked on an advertisement, he was redirected to an intermediate site, then he got to one of the sites belonging to the Zirconium group, and then to one of the promoted resources.

The attack was discovered and reported by specialists from the Confiant company. According to experts, 16 advertising platforms and 2.5 million users fell victim to the attackers. 95% of the victims were located in the United States.

The fraudsters targeted users' PCs, ignoring mobile traffic. The operating system did not matter.

Tag Barnakle and 120 Hacked Ad Servers​

In 2020, the Tag Barnakle hacker group hacked 60 advertising servers, through which they injected fraudulent advertising onto webmasters' websites. As soon as the site loaded in the user's browser, the server replaced the real ad with a fraudulent one. The user who clicked on the ad was redirected to a resource with malware instead of the advertised product or service.

The attacks were incredibly large-scale. According to rough estimates, hundreds of millions of users could have suffered at the hands of the attackers.

ScamClub and the attack on iOS and macOS users​

Hackers exploited a vulnerability in WebKit that redirected macOS and iOS users to scam sites. Cybercriminals abused a zero-day vulnerability in Safari and Google Chrome browsers for iOS based on WebKit (CVE-2021-1801).

The attackers' goal was to obtain payment data, mainly from users of iOS mobile devices. The fraudsters placed malicious ads on third-party sites through advertising aggregators, using the streaming principle with the expectation of filtering and blocking most of their ads. As a result, the malicious ads were displayed more than 50 million times.

On their websites, which users accessed via advertising, the scammers sold fake gift certificates.

eGobbler and Phishing​

More than 500 million sessions were compromised by the eGobbler hacker group in April 2019, which exploited a vulnerability in the browsers of iPhone and iPad (Chrome for iOS) owners and redirected them to malicious sites. Most of the fraudulent resources were located on .world domains.

Thanks to a browser vulnerability, attackers injected a script that allowed the fraudulent code to escape the iframe sandbox and direct the user to their site. In addition, the code could even trigger a pop-up notification on a legitimate resource.

The group was previously known for an attack that delivered 800 million malicious ad impressions in February 2019. At that time, the ads redirected victims to phishing sites and non-existent technical support resources.

VeryMal and advertising for Apple with shorthand​

The hacker group VeryMal targeted Apple device users. They used shorthand to place malicious ads and hid fraudulent code inside images. In 48 hours, they managed to compromise about 5 million sessions.

The attack looked like this: the attackers bought advertising space on websites and posted ads with an image containing malicious code. In the same slot where the ad was located, JavaScript code was additionally loaded, which filtered out those users whose browsers did not support Apple fonts. The extracted code redirected victims to third-party sites, where they were asked to update their software, usually Adobe Flash Player.

According to Malwarebytes, the ads contained the malicious Shlayer botnet, which is used to install adware.

NoTrove and selling traffic​

The hackers from the NoTrove hack group specialize in malvertising. The group has been operating since 2010. They have 3,000 IP addresses and 2,000 domains at their disposal, which the hackers use to generate and sell traffic.

Cybercriminals tricked victims into clicking on ads offering them free high-value items, such as PlayStation consoles, and redirected them to scam sites, survey pages, and malware downloads using multiple redirects.

Essentially, they were running malicious ads and redirecting traffic to those who would pay for it - other bad actors, affiliate marketing agencies, etc.

Red is a random set of characters that presumably represents the campaign. Green is the campaign type (scam, survey, software download). There are 78 options in total. Blue is the main domain.

According to RiskIQ, the group was able to generate so much traffic on one of its sites that the domain reached position 517 in the Alexa rankings, surpassing popular sites such as Vice News, NFL.com, TechCrunch, HackerNews, and SlashDot.

Malicious advertising in Skype​

In March 2017, Skype users noticed the appearance of malicious advertising that looked more like ransomware. The main screen of the application displayed a banner advertising an alleged update for Adobe Flash Player. However, after clicking on the link from the banner, malware was downloaded to the user's device.

According to experts, the attackers targeted computers running Windows. When the application was launched, obfuscated JavaScript was triggered. The open application was deleted via the console, then a PowerShell command was launched that downloaded a JSE file. To download such a file, the attackers used multiple domains that were immediately deleted after the user's device was infected. The Domain Generation Algorithm (DGA) was probably used to generate fake malicious domains.

Experts were unable to “catch” the malware, but they are inclined to assume that it was an analogue of the Locky ransomware, which was spotted in early 2017 in conjunction with the Kovter click fraud botnet.

WordPress, Adobe Flash – Who Became a Victim of Malicious Advertising​

Malvertising victims include not only ordinary users, but also major portals and brands, including Spotify, WordPress, The New York Times, The Atlantic, and Adobe Flash. These companies were subject to fraudulent attacks, so they unknowingly distributed malware through advertisements, which damaged their reputation in the eyes of their audience.

Is it easy to fool an advertising platform?​

All you need to create malicious advertising is an account and the ability to create advertising campaigns.

The British magazine Which conducted its own investigation, during which it was discovered that it is not difficult to create and place fraudulent advertising on a well-known advertising platform.

Journalists came up with a non-existent brand and started promoting it. The results of the experiment are as follows:
  • Google Ads published the fake ads within an hour of their creation.
  • Facebook (owned by Meta, an organization banned in Russia) partially blocked advertisements, but allowed the page itself to be promoted.

Following the results of such an experiment, questions immediately began to pour in about whether it is worth trusting advertisements at all? If it is so easy to get to a malicious site.

Despite all the attempts of advertising platforms and individual organizations to stop such advertising, it still continues to exist and is gaining momentum. The measures taken seem insufficient.

How to spot fake online advertising​

Let's take a look at what you can do to detect malicious online advertising:
  • Check if the URL used in the ad matches the landing page. Scammers usually try to hide their real domain name because it does not have a good reputation.
  • Research the advertiser's company to see if it actually exists: check if it has a current address, a registry entry, and other contacts and references.
  • Look for reviews - these can also help you understand whether a company exists and offers genuine products or services.
  • Check the comments section - users who have fallen victim to malvertising scams often try to comment on ads to prevent the scam from happening again.

When it comes to online stores or aggregator sites, be suspicious of:
  • products that are hard to find, especially if they are not available on other sites;
  • too low prices, because low prices are a great way to attract attention and interest.

Fraudsters do everything possible to deceive gullible users and force them to click on malicious ads. That is why they use any tricks, psychological and technical, to generate and/or sell fraudulent traffic, steal personal data, extort money, compromise devices, download malware.

How to protect yourself from malicious advertising (malvertising)​

Each malvertising attack has its own warning signs. To recognize them and avoid becoming a victim of fraudsters, we offer several tips and tricks:
  • Ask yourself, does the ad look real, legitimate? Does the information it presents make sense? Well, think about who would give away a new PlayStation console for free.
  • Use an ad blocker to block all ads from appearing while browsing any website.
  • If you are interested in an advertising offer, do not rush to click on it - search for the advertised company or product and visit the official website.
  • If you doubt the authenticity of the offer, it is better not to click on the ad.
  • For the safety of your device, install an antivirus on it. This guarantees protection from most malware.

Advertising brings significant income to owners of information sites. The number of Internet users in the world in 2020 increased to 4.54 billion people. That is why the fraudulent technology called malvertising is so widespread.

Are you a webmaster and monetize your site by placing ads? To protect your site from bots, clickers and malicious advertising, install Botfaqtor protection on your site, which blocks most threats in the field of click fraud and generating fake traffic.
 
Top