Spot and Avoid Malvertising Attacks

We’ve all seen questionable ads online. Whether they claim a problem with your computer, promise amazing results for everything from weight loss to wrinkle reduction, or offer something that seems too good to be true, we all like to think we know how to avoid trouble.

Unfortunately, today’s malvertising attacks are more insidious than ever. You don’t even need to click on an infected advertisement to encounter harmful malware, and the results can be devastating to your company. These attacks can distribute everything from viruses to spyware and ransomware that steal sensitive data, disrupt operations, and put your company at risk. 

Let’s look at how these ads work and how to stop them to protect your business.

How Malvertising Works

Malicious advertisements can appear anywhere, even on legitimate websites. Cybercriminals often purchase ad space from vendors that distribute ads to multiple sites without confirming their legitimacy. The vendors unknowingly place the ads, which can attack unsuspecting users in several ways, including:

Drive-by Downloads

These attacks occur when a user clicks on the ad, which takes them to a page that immediately downloads the malware payload onto their device. Sometimes, simply visiting the infected page is enough to launch the attack. 

Exploiting Vulnerabilities 

Hackers use exploit kits to take advantage of their victims. These toolkits inject malware into advertisements, and when you click on the ad, the exploits attack vulnerabilities in your system to deliver malware. 

Social Engineering 

Hackers often use social engineering techniques like phishing to disguise their malvertising. In some cases, they steal credentials to bypass security measures meant to prevent them from buying ad space to commit click fraud.  

Whatever the approach, the effects are the same. Learning to identify and thwart malvertising attacks will make your company a much harder target.

Recognizing Malvertising 

While some bogus ads are obvious and riddled with misspellings, poor design, or blatant scam tactics (like fake celebrity endorsements or unrealistic promises), criminals know we’re on to them.

Although even legitimate websites can inadvertently host harmful ads, you’re not powerless against them. Because criminals can create more realistic ads, you must educate your employees to recognize the fakes that look innocent but mean bad news:

  • Scam ads with urgent messages like “Your computer is infected” trick the victim into paying for “repairs” that cause more harm. Remind people to ignore these ads or reach out to IT with concerns. 
  • Fake installers that convince people to download fake software that steals login credentials, browsing history, financial information, and more. Controlling privileges and maintaining strict policies about what employees can download can prevent these attacks. 
  • Drive-by downloads that rely on users not updating their browsers. A security policy that requires immediate patching and updating can prevent these ad injections from taking hold. 

Avoiding malvertising attacks on your business requires ongoing diligence, employee training, updated antivirus software, and plenty of skepticism. Together, these steps can protect your business against bad actors.

Used with permission from Article Aggregator