What is malvertising or malicious advertising?

Search engines just aren’t what they used to be. What was once a simple tool for everything from finding the nearest coffee shop to finding niche information has become a cluttered and frustrating experience. In addition to sometimes inaccurate AI-driven responses, the amount of advertising makes it hard to know if you’re getting a legitimate result. As if that wasn’t enough, now you have to worry about a rising cyber threat: “malvertising.”

What the Heck is Malvertising?

Malvertising is a term that combines “malicious” and “advertising.” Incidents of it surged 42% month-over-month last fall, according to cybersecurity firm Malwarebytes. Hackers are increasingly injecting malicious code into online ads to trick users into downloading malware or falling for scams. These rogue ads can appear during routine searches or even while browsing trusted websites, turning the everyday internet experience into a potential minefield. They often mimic familiar brands like Microsoft, Amazon, Apple, or other big companies that people inherently trust. When users click on these ads, they can unknowingly be redirected to phishing sites or have malware downloaded onto their systems.

Unlike “adware,” which typically causes an irritating flood of pop-ups or banners, malvertising is more insidious. It’s not just about being bombarded with unwanted ads—it’s about tricking you into clicking or downloading something that can compromise your device, your data, or your identity. Adware tends to be annoying, while malvertising can be dangerous.

What Does Malvertising Look Like?

Malicious ads look just like regular ads, and they don’t just target casual web surfers. Cybercriminals often set their sights on corporate employees, heightening the threat for businesses. Many companies are reporting that their employees have unknowingly fallen for these attacks. For instance, employees at Lowe’s were tricked into clicking on a malicious ad that imitated the company’s internal portal. The ad, which featured a subtly misspelled URL (“myloveslife.net” instead of “myloweslife.net”), led them to a spoofed page using Lowe’s logo to steal employee credentials.

One example involved a fake ad mimicking Slack, a popular communication tool from Salesforce. Although the ad incorporated links to legitimate Slack pages and information, it also contained a link meant to get unsuspecting users to download and install malware, thinking it was the real Slack app. Similarly, we’ve reported on pop-up ads posing as Microsoft Windows updates or as viruses, which work the same way: convincing users to download and install malware on their computers.

Why is Malvertising on the Rise?

Hackers are constantly changing their tactics to exploit unsuspecting victims, and malvertising has surged because of our inherent trust in search engines. Many people use Google or Bing as a starting point for everything online. So when we see an ad at the top of the search results, we assume it’s legitimate. After all, why would Google show us something dangerous? Haven’t they checked the ads that appear at the top of their search results?

The shift to malvertising was also prompted by Microsoft’s decision to block embedded Office macros in 2023. For years, hackers relied on these macros to infect Word or Excel documents with malware. Once Microsoft closed this door, cybercriminals shifted focus to the online advertising ecosystem, where ads are everywhere and users are often less suspicious.

How to Spot Malvertising?

One of the most challenging things about malvertising is how hard it is to detect. Malicious ads are designed to look just like real ones, making it hard to know when you’re at risk. While phishing emails often contain red flags like bad grammar or suspicious links, malvertising can look just like any official ad from a reputable brand.

Here are some tips to help protect yourself:

  1. Avoid Sponsored Ads: When doing online searches, be careful clicking on sponsored ads. Although not every sponsored ad is dangerous, many malvertising schemes take advantage of this prime real estate. Usually, the first non-sponsored link in search results is more reliable. If you’re interested in a company or product, it’s safer to type the URL directly into your browser or use a trusted bookmark.
  2. Double-Check URLs: If you do click on an ad, take a second to examine the URL in the address bar. Cybercriminals often create URLs that look like real ones, with subtle misspellings or extra characters. For example, instead of amazon.com, you might land on amzon.com, a spoofed site designed to steal your personal data.
  3. Use Ad Blockers: One of the simplest ways to reduce your risk is by using an ad blocker. Browser extensions can block most ads, including malicious ones. This significantly reduces your exposure to malvertising. While some websites may ask you to disable your ad blocker, weigh the risk against your need to access that site’s content.
  4. Keep Your Software Updated: Ensuring that your operating system and browser are up-to-date is another crucial step in preventing malvertising attacks. When you intentionally download these updates yourself, you’re less likely to fall for fake pop-up ads that look like Microsoft updates or viruses. Many drive-by-downloads, where malicious software is automatically downloaded when you visit an infected site, rely on vulnerabilities in outdated software. Regular updates help patch these security gaps, and while you’re at it, don’t forget some of these surprising things that need regular security updates.
  5. Install Antivirus Software: Antivirus software provides an additional layer of protection by scanning for and blocking malware before it can infect your device. Modern antivirus programs offer real-time protection and can alert you to suspicious ads or websites.

Corporate Targeting: A Growing Concern

Malvertising isn’t just a threat to individual users. Hackers know they can steal more from companies, so they’re increasingly targeting employees within corporations. No one wants to be the employee that accidentally let the bad guys take down their company – so be on alert, especially at work. In the Lowe’s example above, attackers tried to steal employee logins and passwords by mimicking an internal portal. Successful attacks like this could compromise the entire company’s network, leading to a headline-making breach or a costly ransomware attack.

Businesses need to take proactive steps to warn and protect their employees. Regular cybersecurity training, strict browsing policies, and enterprise-grade endpoint antivirus software can help minimize the risk of malvertising. Employees should also be educated on the importance of verifying URLs and avoiding sponsored ads, even when using trusted search engines.
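
The URL check described above can also be run automatically over the destinations employees click through to. The sketch below is an added example, not code from the original article: it flags hosts that are a small misspelling of a known-good domain, using the article's own “myloveslife.net” and “amzon.com” cases. The allowlist, the sample URLs and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this sketch: the genuine domains named in the article.
KNOWN_DOMAINS = {"myloweslife.net", "amazon.com", "slack.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent chars) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def hostname(url):
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in url.split("?", 1)[0]:
        url = "//" + url  # let urlsplit treat a bare domain as the host
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain): 'trusted', 'lookalike' or 'unknown'."""
    host = hostname(url)
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return "trusted", domain
    # Simplification: treat the last two labels as the registered domain
    # (no public-suffix handling, so 'example.co.uk' style names are not covered).
    tail = ".".join(host.split(".")[-2:])
    for domain in sorted(known):
        if 0 < edit_distance(tail, domain) <= max_distance:
            return "lookalike", domain  # misspelling of a known domain
        if host.startswith(domain + "."):
            return "lookalike", domain  # real name used as a subdomain prefix
    return "unknown", None

# Constructed sample destinations; the first two are the misspellings quoted in the article.
SAMPLES = ["https://myloveslife.net/login", "amzon.com", "https://app.slack.com/",
           "https://amazon.com.account-check.example/signin", "https://example.org/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:50} {classify(url)}")
```

Short domain names sit within a couple of edits of many unrelated names, so a “lookalike” verdict is a lead for review rather than proof of a spoofed site.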

How to Protect Yourself from Drive-By-Downloads

A particularly dangerous form of malvertising is the drive-by-download. In this type of attack, simply visiting a compromised website can lead to malware being downloaded onto your device without you even clicking on anything.

Drive-by-downloads rely on security vulnerabilities in your browser or operating system. The best defense is to keep your software up-to-date and install security patches as soon as they become available. Using an ad blocker and antivirus software can further reduce your exposure to these silent threats.

You may also get pop-up ads posing as Microsoft Windows updates or as viruses, which work in a similar way: they convince users to allow the download and install malware on their computers, thinking it’s a legitimate update. Manually updating your computer software helps you avoid becoming a victim of this type of malware.

Story: Malvertising for Bourbon
Whiskey Scam Websites

Can I Trust Search Engines or the Ads on Them?

Given the rise in malvertising, many users are starting to question the trustworthiness of search engines like Google and Bing. There’s so much advertising on these platforms it’s hard for them to keep an eye on everything. We’ve seen stories of search engine advertising that tries to lure people onto websites with fake products like the one listed here.

It’s important to understand that while search engines are not directly responsible for malvertising, their algorithms often allow malicious ads to slip through the cracks. Cybercriminals have found ways to game these systems, placing their malicious ads alongside real ones.

Stuart Madnick, a professor of information technology at MIT, compared the situation to the post office: “Does the mailman check every letter you get to make sure it’s really from Publishers Clearing House?” In other words, search engines can’t inspect every ad, so it’s up to users to exercise caution when clicking.

Why Is This Happening Now?

As cybercriminals lose access to older tactics, such as Office macros, and users get better at spotting sophisticated phishing scams, attackers are turning to new ways of hacking people. Malvertising is an appealing option because ads are everywhere, and people have grown used to trusting them. Combined with the huge volume of online ads, this makes it easy for malicious ads to go unnoticed until it’s too late.

Avoiding all ads isn’t realistic since they are a fundamental part of the internet economy. However, by being more discerning about which ads you interact with, and practicing some key cybersecurity behaviors, you can significantly reduce your risk of falling victim to malvertising. Always double-check URLs, avoid sponsored ads, and use ad blockers and antivirus software for an added layer of protection. By staying informed and cautious, you can help safeguard your personal data and devices and avoid becoming a victim of the growing threat of malvertising.