So...What Exactly is Malvertising?
Malvertising injects malicious code into legitimate online ads, threatening both publishers and users. Learn how these attacks work and the simple steps to protect your website.



Key Takeaways
Malvertising embeds malicious code in legitimate-looking ads that can infect devices without requiring user clicks
Publishers lose an estimated $1.13 billion annually to malvertising attacks
Magecart attacks on eCommerce platforms increased by 103% in the first half of 2024
Simple prevention includes ad quality tools, working with trusted partners, and regular security scans
Ever clicked on a normal-looking ad only to have your browser start acting weird? Chances are you've experienced malvertising. This sneaky tactic is a growing headache for publishers who just want to make money without hurting their visitors.
What is Malvertising?
Malvertising (malicious + advertising) happens when bad actors inject harmful code into legitimate online advertising networks. Unlike obvious spam, these ads look totally normal and often appear on trusted websites.
What makes malvertising so dangerous is that users don't always need to click on the ad to get infected - some versions can download malware automatically when the ad loads (known as "drive-by downloads").
"The most sophisticated malvertising campaigns can infect users without requiring any interaction at all," says Jake Munroe, cybersecurity analyst at SentinelOne. "This makes them particularly dangerous to both publishers and their audiences."
How Malvertising Works
The process typically follows these steps:
Creation: Attackers create normal-looking ads with hidden malicious code
Distribution: They submit these ads to advertising networks
Delivery: The compromised ads get served across publisher websites
Infection: When users view or click the ads, the malware activates
The worst part? Most publishers never know they're serving dangerous ads until users complain or their website gets flagged by Google.
Common Types of Malvertising
Malvertising comes in several forms:
Pre-click Attacks
These don't require any user interaction - just viewing the page activates the malware. They often exploit browser or plugin vulnerabilities.
Post-click Attacks
These need the user to click on the ad before the malicious action starts. They commonly use social engineering to trick users into downloading fake software updates or entering personal information.
Malicious Redirects
These hijack your browser and send you to sketchy websites that try to install malware or steal information.
According to BlackFog, "Malvertising can lead to ransomware attacks when users are redirected to exploit kits that identify vulnerabilities on their devices."
Real Impact on Publishers
Malvertising isn't just annoying - it damages your business:
Revenue loss: Infected sites often see traffic drop by 30% or more
Brand damage: Users associate your site with security problems
SEO penalties: Google may blacklist your site if it detects malicious ads
Legal issues: You could face liability if user data is compromised
A report from the Interactive Advertising Bureau estimated that publishers lose approximately $1.13 billion annually due to malvertising attacks.
Recent Malvertising Trends
Malvertising keeps evolving. Recent trends include:
Magecart attacks on eCommerce platforms increased by 103% in the first half of 2024
Polymorphic malware that changes its code to avoid detection
Targeting of mobile devices through in-app advertising
Exploitation of programmatic advertising weaknesses
"The sophistication of these attacks has grown exponentially," notes CrowdStrike. "Attackers now use machine learning to create ads that can bypass traditional security measures."
How to Protect Your Site from Malvertising
You don't need to be a security expert to reduce malvertising risks:
For Publishers:
Use ad quality tools like Confiant or GeoEdge to scan for malicious ads
Work with reputable ad networks that prioritize security
Implement ads.txt to prevent unauthorized inventory sales
Regularly scan your site for suspicious activity
Keep your CMS and plugins updated to patch security holes
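To make the ads.txt step concrete, here is an added example (not code from this article or from any ad network) that parses an ads.txt file and checks whether a seller account is declared in it, which is how a buyer or an auditing script spots unauthorized inventory. It assumes the IAB record layout of ad system domain, account ID, DIRECT or RESELLER, and an optional certification ID; the domains and account IDs in the sample are constructed placeholders.

```python
from typing import NamedTuple

class Record(NamedTuple):
    ad_system: str      # canonical domain of the SSP/exchange
    seller_id: str      # publisher's account ID within that system
    relationship: str   # DIRECT or RESELLER
    cert_id: str        # optional certification authority ID ("" if absent)

def parse_ads_txt(text):
    """Return (records, variables, errors) for the contents of an ads.txt file."""
    records, variables, errors = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if "=" in line and "," not in line.split("=", 1)[0]:
            name, value = line.split("=", 1)     # variable line, e.g. contact=
            variables.setdefault(name.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4) or not all(fields[:3]):
            errors.append((lineno, "expected 3 or 4 comma-separated fields"))
            continue
        rel = fields[2].upper()
        if rel not in ("DIRECT", "RESELLER"):
            errors.append((lineno, f"unknown relationship {fields[2]!r}"))
            continue
        cert = fields[3] if len(fields) == 4 else ""
        records.append(Record(fields[0].lower(), fields[1], rel, cert))
    return records, variables, errors

def is_authorized(records, ad_system, seller_id):
    """True if the (ad system, seller account) pair is declared in ads.txt."""
    return any(r.ad_system == ad_system.lower() and r.seller_id == seller_id
               for r in records)

# Constructed sample file; the domains and account IDs are placeholders.
SAMPLE = """\
# ads.txt for publisher.example
exchange.example, pub-1001, DIRECT, abc123   # our own seat
reseller.example, 77421, reseller
contact=adops@publisher.example
badline.example, 5555
other.example, 9, PARTNER
"""

if __name__ == "__main__":
    print(parse_ads_txt(SAMPLE))
```

Malformed lines are reported with their line numbers rather than silently skipped, since a typo in a record leaves that seller undeclared.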
For Users:
Use ad blockers when browsing unknown sites
Keep browsers and operating systems updated
Install reputable antivirus software
Be cautious about clicking ads, especially those promising incredible deals
The Bottom Line
Malvertising isn't going away - in fact, it's getting more sophisticated. As Okta points out, "The most effective defense combines technological solutions with human vigilance."
By understanding the basics of malvertising and implementing simple security measures, publishers can protect both their revenue and their audience. In the constantly evolving world of ad monetization, security isn't just nice to have - it's essential.
A real-world example? In late 2023, a major malvertising campaign called "ScamClub" infiltrated premium publishers through programmatic channels, affecting millions of impressions before being detected. This campaign specifically exploited weaknesses in real-time bidding systems, showing how even sophisticated ad tech can be vulnerable.
This article is part of our Monetization Minis series, designed to help publishers understand key concepts in digital monetization.