“WARNING! Your iPhone is infected with virus and immediate urgent action is required!” – this was the pop-up that appeared on Andrew Reed’s phone. It was triggered by an unintentional click on a website link displayed at the top of Google’s search results for “Cookie Recipes”. This seemingly innocuous message appeared to be an urgent notification of the presence of malicious software on Andrew’s iPhone. Andrew knew this ad was fake, but on average, millions of victims of ‘malvertising’ don’t.
What is Malvertising?
The word malvertising is a portmanteau of ‘malicious advertising’. It’s the practice of embedding malicious software into legitimate looking ads that are displayed on websites and apps. Upon a user clicking into one of these infected ads, they are typically redirected to webpages that offer free downloads. These webpages are being hosted by a server, and once a user clicks the download button, malware is installed onto the user’s device within mere seconds.
To make matters even worse, malvertising is often used in conjunction with SEO or SERP (Search Engine Optimization or Search Engine Results Page) poisoning. This is the practice of embedding ads and website links with malicious code and then paying for them to appear at the top of search engine result pages like ‘Bing’. This tactic deliberately leverages the inherent trust and bias that users hold toward not only the search engines but also their results.
How Does Malvertising Occur?
Malvertising often takes place because of companies utilizing third-party software to showcase ads on their sites and services. Most companies don’t have internal controls or offices to provide direct oversight into these instances of software, so cybercriminals will generally face almost no resistance in manipulating them.
Attackers can essentially execute and hide malware inside of almost any element of an advertisement (the image or even a video), and because of this, it’s extremely difficult to identify when and how an ad has been compromised. Since most devices can automatically download these elements to properly display the ad, the infection will often happen without the respective user even knowing it.
What is an Example of a Malvertisement?
In the beginning of December 2024, Microsoft’s AI-driven “Defender Threat Intelligence” platform uncovered a massive, elaborate malvertising campaign that compromised more than one million devices globally. The attack, which has since been attributed to ‘Storm-0408’, originated from illegal movie streaming websites that were embedded with malvertising redirectors. Malvertisements were embedded in the movie frames and, once clicked, would redirect users to GitHub (a code sharing & hosting repository). Once on the website, end-users were prompted to download the movie for viewing, not knowing that malware had just been installed on their respective device.
Although embedded only on a handful of pirating sites, this attack was overwhelmingly successful in scale. Additionally, according to Microsoft, even certain company and enterprise devices were affected. This suggests that people were downloading pirated movies/videos on work-related devices, an action that could have cost a company millions of dollars.
What are Some Ways to Identify Malvertisements?
Despite its overall sophistication, there are some very easy ways to distinguish a malvertisement:
- Spelling mistakes: Misspelled words can be a sign of typosquatting, the deliberate misspelling of domains to impersonate brands. Poor grammar also indicates a lack of professionalism. Legitimate ads are made by professional organizations, meaning they’re less likely to allow these mistakes through.
- Promising too much: Promises that seem unbelievably generous or unrealistic can be a red flag for malicious intent. Big, flashing pop-ups offering a designer brand item or luxury goods for next to nothing are probably fake.
- Low-quality graphics: Blurry images or unusual design choices suggest the ad is not from a reputable source. Legitimate ads usually go through multiple rounds of editing to create high-quality images.
- Unexpected pop-ups: Ads that suddenly appear and try to grab your attention (“You’ve won a prize!”) might be trying to lure you into an online scam. Illegitimate pop-up ads often try to appear in front of your cursor, forcing you onto unsafe websites.
- Irrelevant content: Ads that don’t match your interests or recent searches may be fake. Some examples may include an ad for a new cryptocurrency site when you’ve never searched for one.
- Urgency or pressure tactics: Ads that pressure you into acting without thinking are often scams. For example, an ad may have a countdown timer or say you only have two hours to grab an incredible deal.
- Unusual URLs: If you hover over the ad and the URL address isn’t what you would expect, it could be trying to redirect you to a malicious website.
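The "spelling mistakes" and "unusual URLs" checks above can be automated on the defender's side, for example in a mail or web gateway that inspects the address an ad links to. The following Python sketch is an added example, not code from any product mentioned in this article; the allowlist, the function names and the sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains an advertiser is expected to link to.
EXPECTED_DOMAINS = ("contoso.example", "fabrikam.example")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_ad_url(url):
    """Return (verdict, reason) for the URL an ad links to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", "not a web URL"
    if parts.username is not None:
        # https://brand@other-host/ : the browser goes to other-host.
        return "suspicious", "text before '@' is not the destination"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "punycode label, possible look-alike characters"
    # Assumption: the last two labels approximate the registrable domain;
    # production code should consult the Public Suffix List instead.
    domain = ".".join(labels[-2:])
    if domain in EXPECTED_DOMAINS:
        return "expected", domain
    for good in EXPECTED_DOMAINS:
        if edit_distance(domain, good) <= 2:
            return "suspicious", "typosquat of " + good
        if good.split(".")[0] in labels[:-2]:
            return "suspicious", "brand name used as a subdomain of " + domain
    return "unknown", domain

if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://www.contoso.example/offers",
        "https://cont0so.example/virus-scan",
        "https://contoso.example@alerts.test/fix",
        "https://contoso.example.free-movie.test/download",
        "https://cookies.test/recipes",
    ):
        print(sample, "->", check_ad_url(sample))
```

An "unknown" verdict only means the destination is not on the allowlist and does not resemble it; it still deserves the other checks in this list.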
In Conclusion
Although malvertising isn’t a commonly uttered word across the various domains of broadcast media that report on cybercrime, its prevalence is still more potent than ever. Cybercriminals are waiting, willing, and ready to exploit you via that enticing advert that just seems too hard not to click on. Whether you are scrounging Google for cookie recipes or trying to catch the latest movie release without paying the exorbitant movie theater price, you must be prepared to perform due diligence in protecting your (and your company’s) devices from compromise.