
Malvertising: when advertising is not just annoying, it's also dangerous

Google removed 5.1 billion malicious ads in 2024 alone

Friday, 9 January 2026, 11:08

The popularisation of smartphones and free access to the Internet has made it commonplace to be bombarded by advertisements on any website we access. Often these are harmless advertising insertions that do little more than hinder our reading or create superfluous needs, but there are also those designed expressly to cause us harm.

The latter is what cybersecurity experts call malvertising, a tactic where criminals insert malicious advertisements into online advertising networks. As a result, these threats can appear while we are browsing trusted websites without us suspecting that by clicking on a banner or pop-up we will end up infecting our device.

"From a hacker's perspective, malvertising is a relatively easy way to compromise sites that receive a lot of traffic, but without having to attack them directly," explains Oliver Buxton, a specialist at antivirus firm Avast, who also describes this as a dynamic threat: "The most sophisticated attacks can infect even if the malicious ads are not clicked on, because they hide code - within images of a few pixels - that is imperceptible to monitoring mechanisms."

The first recorded malvertising attack dates back to 2007, when cybercriminals exploited a vulnerability in Adobe Flash to sneak malware onto then-popular sites such as MySpace. The threat has been growing ever since: in 2024 alone, Google removed 5.1 billion malicious ads, blocked ads on 1.3 billion pages and suspended the accounts of more than 39 million advertisers.

Telephone operators who are not telephone operators

The majority of malvertising attacks (up to 81% during the fourth quarter of last year, according to the report published by the firm AdMonsters) are forced redirects. An example: an advert appears inviting us to download a well-known free antivirus and, when we click on it, we are redirected to a website designed to look just like the official one, where we download an executable capable of accessing our mobile phone's information.

Sometimes the file may be saved automatically to the device's downloads folder, without any click on our part. Other common forms of malvertising are tech support scams, Buxton continues: "Fraudulent ads often install some kind of browser-hijacking malware to disrupt the user's experience and then instruct the user to call a phone number to resolve this non-existent problem. This is when the scammers (always posing as employees of a large tech company) try to get us to make unnecessary credit card payments."

There is also an abundance of 'scareware' (alarming advertisements with error messages inviting you to download a programme capable of resolving them in seconds); promises of hard cash without effort (by filling in surveys that in reality allow third parties to take control of your computer); and fake updates that flood gadgets with spyware. In these cases it is worth remembering that errors and available operating system updates will always be notified to us through windows of the operating system itself, never when opening the browser or accessing external websites.

Search for 'click-to-play' in your browser

To combat malvertising, in addition to not clicking on ads that we consider suspicious, Spain's National Institute of Cybersecurity (INCIBE) recommends keeping all our devices updated to have the latest security patches; installing and enabling only those browser plug-ins that are essential for day-to-day use; adopting security software with virus, malware and spyware detection; updating programs such as Java or Adobe from their official sites; and enabling the 'click-to-play' function, available in most browsers. With it enabled, any plug-in that tries to start when we visit a website will run only after we allow it.

Finally, in the context of internet advertising, children are particularly vulnerable. Younger children may end up clicking on fraudulent banners simply because they are colourful, and teenagers may fall for the false promise of discounts or free additional content for their favourite video games. For this reason, INCIBE advises parents to deactivate personalised advertising on those social networks that allow it (in their settings), install ad blockers and set maximum usage times, in addition to teaching them to surf responsibly and showing them which websites are trustworthy and which are free of advertising.

We will have done well if we see that, when they come across an advert on their mobile or tablet, they make a habit of closing it without delay. As is the case with much of what we see and read on the internet, it is better to be wary of all the advertisements, offers and opportunities that come our way every day with exclamation marks.
