What is Malvertising? How to Protect Your Website and Customers from Fake Ads

November 13, 2019 - Ensighten

No website is immune to malvertising. Here we explain the scope of the problem and how you can fight back against cybercriminals using fake ads to infect customers with malware.

Advertising is a vital revenue stream for digital companies. Unfortunately, it is also another way in which cybercriminals target legitimate websites and their customers for financial gain.

When good ad networks are tricked into delivering malware, it’s known as malvertising. (Not to be confused with adware, which is where illegitimate software displays ads and redirects searches to ad sites, which can still cost firms valuable businesses.)

This year, cybercriminals launched a widescale malvertising campaign against major browsers such as Chrome, Safari, Opera and Edge, generating more than a billion malicious advertising ad impressions over the past few months. Dubbed eGobbler, it pushed malware and spam-laden ads through online advertising networks onto the web browsers.

Here are some other examples of high-profile malvertising campaigns this year:

  • One campaign, Ghostcat-3PC, sought to infect web publishers in the U.S. and Europe with malware that hijacked browsing sessions. The campaign quickly evolved its methods and pushed out four different versions of the malware over a period of just a few months
  • In March, a modular fileless botnet malware called Novter was distributed via several top 100 websites in the U.S. Novter contains ‘sleeper’ modules that are remotely activated. They render antivirus software useless, hijack the computer for click fraud campaigns or bring up a technical support scam page in the victim’s browser
  • Elsewhere it was discovered that Adsterra, an ad network based in Cyprus, had continued connecting to a malicious server used in an extensive 2018 malvertising campaign until recently – despite claiming to have blocked the malicious activity and improved its defences

These attacks are just the tip of the iceberg; ad verification company GeoEdge reported last year that automatically redirecting malvertising attacks cost $1.13 billion per year, and that figure is rising.


What is malvertising?

Despite the malicious code, malvertising takes on the appearance of everyday ads such as pop-ups, paid ads, banner ads, and more.

Malvertising also takes advantage of the same methods that distribute normal website advertising. Cybercriminals submit infected graphic or text ads, which both work if they use JavaScript, into legitimate advertisement networks, which often can’t distinguish harmful ads from trustworthy ones.

Put simply, malvertising campaigns piggyback on legitimate online advertising networks and popular websites to push malware, such as ransomware exploit kits, to millions of unsuspecting targets at once.


How does malvertising work?

Hackers rely on two main methods to target websites or browsers.

The first is an advertisement that tries to get the website visitor to click on it – this might be an ‘alert’ – most of us have seen the fake warnings pop-up telling us that the computer has been infected with malware, and we need to click the button to get rid of it. Or perhaps they will say the user has won a competition and they must click to claim their prize. Such tactics use social engineering to scare or tempt users into clicking on a link – but if they do, they will be infected.

The other method is known as a ‘drive-by download’. In this case, the infected ad uses an invisible web page element to do its work. The user doesn’t even need to click on the ad to trigger the malicious activity. Just loading the web page hosting the ad (or a spam email or malicious pop-up window) redirects you to an exploit landing page, which takes advantage of any vulnerabilities in the browser or holes in the user’s software security to access their machine.


A growing problem

Malvertising and phishing are not a new cyberthreat. But using distributed ad networks to serve up malicious ads on legitimate websites – like in the case of eGobbler – is enabling cybercriminals to lure more intended targets to their malware.

The problem is also that malvertising can appear on any company’s website, leveraging the trust visitors have in those sites. If a user discovers they have been the victim of an attack, they are unlikely to want to visit that website again.

“Malvertising can appear on any advertisement on any site, even the ones you visit as part of your everyday internet browsing,” notes security vendor Malwarebytes.


Customer journey hijacking

An increasingly common variant of malvertising is customer journey hijacking, where a third party injects unwanted software into your website visitors’ browsers without their permission. It allows customers to be targeted by unauthorized ads which plague them with product ads, pop-ups, banners and in-text redirects, disrupting their experience and driving them to competitor websites. Session hijacking is the primary goal for the majority of malvertisers, where a user, through no fault of their own, is moved to another website or landing page.

With these ads re-directing your customers to other companies’ websites, the result is abandoned shopping carts, lost revenues, potential loss of customer loyalty and brand damage.


Preventing a malvertising attack

Unfortunately, no website is immune to malvertising, and ad-blocking software can be ineffective at preventing attacks.

Within a corporate environment, user awareness and education about the dangers of unsanctioned downloads is important – but more difficult for a retailer selling goods or services to customers via their website.

It is therefore essential to be able to block unauthorized ads and other forms of malware. Through the Ensighten solution you can block any unauthorized ads and stop your customers from being diverted to other websites.

Elsewhere, you can manage third-party technologies by allowing only approved vendors, and managing and updating policies in real time to prevent data leakage.

Speak to Ensighten today about how you can keep your website safe from malvertising.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Ad injection guide

Learn more about malvertising and how you can protect your website to ensure you are not losing revenue to cybercriminals

Read Now

Journey hijacking blog

Learn about customer journey hijacking and how to protect your brand and your customers from injected ads

Read Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against malvertising

Book Now