Malvertising, defined as malicious ads found on the internet, is a type of threat that has only recently begun to enter the public consciousness. With the basics of online security still a major concern for governments worldwide, it wouldn’t be unfair to say that the average social media or email user is still getting to grips with terms like phishing, pharming, spyware, and the now-ancient Trojan horse virus.
To stress that latter point, the Group of Seven – or G7 – made internet hazards one of the discussion points at its May 2021 summit, along with global concerns like human rights and climate change. The G7, which counts the United States and the United Kingdom among its members, hopes to make content providers responsible for any illegal activities that occur on their platforms or websites – including malvertising.
Security company GeoEdge explains that a malvertisement can only be created if a third party has access to a business’ online ad slots. The code inserted in these infected advertisements can then be hidden or ‘cloaked’ to prevent its discovery at some point between insertion and the target user. As the people who deal in malvertisements stay hidden too, it can appear that a trusted brand is responsible instead.
For example, back in 2015, online criminals hijacked Yahoo!’s ad network for a week to infect visitors with ransomware, which locks users’ computers until a sum of money (usually, in cryptocurrency) is handed over. Back then, however, a significant amount of malvertising originated from the now-discontinued Adobe Flash. The video player, now supplanted by HTML5, was notorious for its poor security.
Several years later, though, malvertising is still around and still enjoying success even on sophisticated platforms like Facebook. The key to ‘why’ lies in the complexity of the online advertising ecosystem, which is based around third-party agencies serving first-party companies such as Nike or Apple. These smaller networks are much easier to infiltrate than titans like Google yet, through adverts, they feed to the same users in the end.
Of course, Google, Twitter, and Facebook are the source of a huge number of advertisements too, courtesy of their own ad managers. These can (and have) been used in illegal attacks. In one example, a crime group hijacked the Facebook page of a Chicago DJ to threaten another company to pay up on a ransom demand. Put another way, it was a roundabout way to embarrass the Italian Campari Group after they refused to be extorted.
While this isn’t malvertising as we’ve already described, it nevertheless demonstrates how easily Facebook can be leveraged for crime. The entire campaign cost just over $500 and reached 7,150 people. However, it’s a drop in the ocean compared to the number of people that could have been exposed in the Yahoo! incident. The search giant recorded 7bn visits a month back in 2015.
Like most online threats, the biggest obstacle to preventing malvertising is public knowledge. Unless you’re already tech or web-savvy, you’re unlikely to be aware of this type of activity, especially as it favours discrete action over fireworks.