Malvertising: The role of dynamic content and ad networks in the propagation of malicious code

Malvertising – that is the spreading of malware or fraudulent content through malicious ads on otherwise trustworthy homepages – is not only persistent but also growing as recent articles from Motherboard [1] and Ars Technica [2] suggest, both refering to a report from Cyphort as their primary source. This increase in delivery of malicious ads poses an imminent threat to users on the Internet. Ars Technica emphasises that one consortium only, consisting of 28 fake ad agencies, was able to reach 62% of ad monetized websites on a weekly basis.

Some 20 years ago, it was fairly common among security-aware users to disable the processing of scripting languages such as JavaScript in their browsers to mitigate pop-ups and other annoying behaviour. Back in these days, these scripting languages on webpages hardly ever served any useful purpose. This was especially relevant for users of Microsoft”˜s Internet Explorer, where “scripting” also included processing of VBScript and ActiveX, which opposed to JavaScript could access the filesystem [3]. Back then, the web was fairly static and interactive and dynamic content, where JavaScript and other scripting languages play a major role, was of subordinate importance.

Today, dynamic provisioning of interactive content is integral to many websites in order to serve their intended purpose. Be it applications such as Google Docs or social media platforms such as Facebook and Twitter.

But there is another business that heavily relies on the dynamic provisioning of content, advertisement. With help of scripts deployed on popular webpages, ad networks dynamically provide content to distribute ads in a specified volume, time frame and geographical location, to name just a few criteria. Additionally, the bi-directional nature of involved communication allows ad networks to not only blindly distribute specific content per page load but also to track and target certain user groups. The two most important types of peers of such ad network operators are on the one hand those who want to have their ads displayed on preferably popular web pages and pay for it, and on the other hand those who are willing to sell suitable advertisement space on their webpage.

Depending on the type of ad network and respective contracting, the operator of a webpage might be unaware of the content that is delivered to a visitor upon loading the page as this is handled by the ad network. This becomes delicate when ad networks allow advertisers to deliver active content such as JavaScript and Flash themselves, that will be executed on the visitor”˜s machine and might have been crafted with malicious intent. Even if such malicious code does not manage to escape the browser”˜s sandbox and autonomously download and execute any malware, they might lure inexperienced users into downloading malware themselves by inserting overlays and pop-ups containing fake security alerts that claim to require immediate interaction. Such attacks are generally referred to as drive-by downloads, even if not fully automated.

This leads to scenarios in which reputable web sites distribute malicious content without even knowing it, as happened with, or Huffington Post [4, 5], for example. Assuming that an up-to-date Anti Virus software will avert the threat is a misbelief as shown in the incident with Equifax, where only three out of 65 AV Scanners detected the malware [6].

The abuse of ad networks and its implications for endpoint security are not new at all and have been brought up by media and security experts alike throughout the last decade [7, 8]. Still, the problem is growing bigger and a recap of 2017 brings lots of Ransomware attacks to mind, many of which can be and have been conducted via drive-by downloads. The German BSI identified drive-by downloads as an important vector for the spreading of Ransomware [9].

So, what is the conclusion? As long as the content that is distributed via ad networks is neither restricted in type nor subject to any form of “quality” assurance, a rational user should block side-loaded content for the sake of security*. With this in mind, the attempt of some German content providers to prohibit the use of ad blockers appears to be an attack on both privacy and security of users [10]. On the other hand, the business models of many web page operators are highly dependent on ads actually being loaded and displayed.

*This, of course, does not provide any security in cases where the visited web page delivers malware itself, but it covers those cases where malware is dealt out by ad network operators.


[1] (
[2] (
[3] (
[4] (
[5] (
[6] (
[7] (
[8] (
[9] (
[10] (