Malvertising – why fighting adblockers gets users’ backs up

Thanks to James Wyke of SophosLabs for doing the hard parts of this article.

Making malware predictions is a popular but often frustrating pastime.

It sometimes feels as if saying “X will happen” simultaneously makes it true and untrue.

As though some crooks figure, “Well, if that’s where you’re focusing your attention, I shall go elsewhere,” while others say, “What a jolly good idea, I must try it at once.”

But there’s one malware delivery mechanism that we think will be in the news fairly regularly throughout 2016, not perhaps as the most likely vehicle for crooks to infect your computer, but as one of the most frustrating.

We’re talking about malvertising, short for malicious online advertising, which is where usually-trustworthy sites temporarily go rogue because one of the ads they display turns out to be booby-trapped, and tries to foist malware or potentially unwanted content on your computer.


It’s not hard to see how malverts can happen, even if almost everyone in the advertising chain is trying to play by the rules.

Forbes, for example, was a recent high-profile victim of a poisoned-ad attack – a two-sided attack, really, because Forbes ended up being both victim and perpetrator.

The publication’s website, and brand, was hijacked and embarrassed by the crooks; at the same time, the Forbes website became a potential infection vector for cybercrooks.

Remember that when we talk about malvertising, we’re not just talking about scammy diet ads with improbable weight loss claims.

We’re not even talking about those free gift cards you’ve been “awarded”.

We’re talking about a sequence like this:

  • Crook hacks an ad delivery server, or signs a fraudulent contract with no intention of complying with the rules.
  • Crook uploads an ad with malicious content, such as booby-trapped JavaScript or Flash.
  • Ad network accepts the ad and inserts it into the database of options to serve for various customers.
  • Ad network customers’ websites occasionally pull and display the malicious ad instead of a legitimate one.
  • Users visiting any of the websites using the affected ad network at the time are placed in danger.

Of course, what you see as a user is that you visit a site you trust, yet your anti-virus goes off. (Or not.)

So the “crook” or “hacker,” as far as you are concerned, is the company whose URL is in the address bar and whose logo appears proudly at the top of the screen.

Interestingly, when we went looking for screenshots to illustrate the abovementioned poisoned ad problem on Forbes, we found that the “foistware” offered up in the story wasn’t actually malware, but was a risky proposition nevertheless:

The website promised us a Safe Download, and pretended to be a legitimate installer (the Java Setup window in the screenshot above, however, is just an image inside the web page) and we ended up, to our surprise, with a byte-for-byte perfect copy of the Java Runtime Environment installer.

However, this installer delivered Oracle’s official security update from October 2014, which was already superseded back in January 2015.

By applying the “update” we’d have downgraded ourselves by more than a year’s worth of Java patches – even regressing to the POODLE bug – and perhaps that’s what the site had in mind, hoping that computers that had once been patched would unintentionally rewind their security and thus be more vulnerable to other attacks.


As you can imagine, crooks love this sort of malware delivery mechanism for a number of reasons:

  • One poisoned ad template on one insecure ad server could end up being distributed via hundreds or thousands of websites that use the ad network concerned.
  • Popular sites typically use dozens of different ad networks, and only one ad network needs to be compromised at any time to put the entire user community at risk.
  • Users won’t see the poisoned ads predictably, because ad networks vary content by time, visitor, location and more, so that identifying the source of the problem is harder.
  • Threat researchers won’t necessarily get matching results when investigating malvertising reports, so that taking down the offending content is harder.
  • Malverts typically poison legitimate, trusted, high-traffic sites, yet with no need to hack into the main site itself.
  • Someone else pays for the bandwidth.

That’s why a lot of people use adblockers.

Sure, lots of people run adblockers mainly because they don’t like ads and consider them annoying, trite or even insulting.

But adblockers also improve security.

The logic is simple: malverts are a subset of adverts; adblockers block adverts; ergo, adblockers block malware, too.

And why not?


The irony is that companies that rely on ad networks for revenue dislike adblockers as much as you dislike ads, so as a community we are at an impasse.

The theory is that free content, subsidised by ads, will start to become less and less common if we block ads, because there won’t be any money left in “free” any more.

That would be a reasonable point, were it not for the fact that in the abovementioned Forbes case…

…the reporter claims that the malvertising came immediately after Forbes’s plea to turn off adblocking, to protect its “free content” revenue stream.

But tests run by SophosLabs very quickly revealed well over 100 different ad-serving domains that Forbes uses on repeat visits, so that turning off your adblocker is a much riskier proposition than you might at first think.
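The SophosLabs observation above (the set of ad-serving domains keeps growing on repeat visits) is easy to reproduce for any site from saved HAR captures. This is an added example, not SophosLabs’ tooling: it takes HAR-style request entries from several visits, strips out the publisher’s own domain, and reports how many distinct third-party domains each visit contacted and how the cumulative set grows. The visit records and hostnames below are constructed for illustration.

```python
# Added example: measure third-party (ad/tracker) domain exposure across repeat
# visits to one publisher, using HAR-style request records.
from urllib.parse import urlsplit
from typing import Iterable

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def entries_from_har(har: dict) -> list:
    """Pull the request entries out of a real HAR document (log -> entries)."""
    return har["log"]["entries"]

def third_party_domains(visit: Iterable[dict], first_party: str) -> set:
    """Registrable domains contacted during one visit other than the publisher's."""
    fp = registrable_domain(first_party)
    found = set()
    for entry in visit:
        host = urlsplit(entry["request"]["url"]).hostname
        if host and registrable_domain(host) != fp:
            found.add(registrable_domain(host))
    return found

def cumulative_exposure(visits, first_party):
    """Per visit: (domains seen this visit, distinct domains seen so far)."""
    seen, per_visit = set(), []
    for visit in visits:
        domains = third_party_domains(visit, first_party)
        seen |= domains
        per_visit.append((len(domains), len(seen)))
    return per_visit, seen

def _entries(urls):  # build minimal HAR-style entries for the constructed sample
    return [{"request": {"url": u}} for u in urls]

# Constructed sample: three visits to the same publisher, ad domains rotate each time.
SAMPLE_VISITS = [
    _entries(["https://www.publisher.example/", "https://cdn.publisher.example/app.js",
              "https://ads.adnet-one.example/serve?x=1", "https://sync.tracker-a.example/px.gif"]),
    _entries(["https://www.publisher.example/", "https://ads.adnet-one.example/serve?x=2",
              "https://creative.adnet-two.example/banner.swf"]),
    _entries(["https://www.publisher.example/", "https://bid.exchange-three.example/rtb",
              "https://sync.tracker-a.example/px.gif", "https://ads.adnet-four.example/js"]),
]

if __name__ == "__main__":
    per_visit, seen = cumulative_exposure(SAMPLE_VISITS, "www.publisher.example")
    for i, (this_visit, total) in enumerate(per_visit, 1):
        print(f"visit {i}: {this_visit} third-party domains, {total} distinct so far")
    print("union:", sorted(seen))
```

Each visit touches only a handful of domains, but the union is what an unblocked user is exposed to over time, which is the point of the Forbes figure.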

In a world that works this way, telling users to turn off adblocking because “it’s better for everyone” is a bit like telling them to turn off their anti-virus in case it gets in the way of forthcoming software installs. (Don’t do this! Find another product instead that takes security more seriously!)

The problem with security loopholes is that crooks quickly learn to leap through them.