Protecting Against Malvertising

Malvertising (the delivery of malicious programs or deceptive adverts through ad networks) is one of the fastest growing security threats on the internet. As a site author, you need to be sure that any adverts you serve do not harm your users.

Risks

Prevalence Occasional
Exploitability Moderate
Impact Devastating

Since hackers have discovered ad-networks as an attack vector, the variety of attacks a user can expect to encounter has exploded. These include:

  • Malicious downloads, including ransomware. “Drive-by” downloads don’t even require the user to click on an advert - simply viewing the page may be enough to deliver the payload. Malware is usually delivered through vulnerable versions of Flash or Adobe Acrobat.
  • Redirects to phishing sites that attempt to steal a user’s credentials.
  • Scareware - adverts designed to trick a user into downloading unnecessary and potentially dangerous software, such as fake antivirus protection.
  • Browser lockers - malware that locks up the browser, often posing as a security alert.
Want to see this vulnerability in action? Take our exercise. Learn how malvertising works.

Protection

When you host adverts, you are inviting a third-party to write content to your web-pages. Unfortunately, this means you are limited in how much control you have in protecting your users. You can mitigate the risks involved by:

  • Working with reputable ad networks. Choose networks that are certified by e.g. Google. If you are evaluating a new ad network, see if they have any existing big-name clients. Avoid advertising networks that use deceptive practices pop-ups and pop-under windows.
  • Performing due diligence on agencies and advertisers. Restrict your advertising to relevant market segments, and if your ad networks permits it, consider individually permitting advertisers.
  • Implementing a content security policy. Implementing a Content-Security Policy will help control what domains can host content used in your web-pages. Unfortunately, many advertising toolkits (e.g. Google Adsense) cannot be restricted in this fashion - so you may have to create a “soft” allowlist using the Content-Security-Policy-Report-Only header, and monitor unexpected domains.
  • Using client-side error reporting tools. Tools for recording errors in the browser - like Sentry, TrackJS, Rollbar and Airbrake - will help you detect unexpected and anomalous behavior that could indicate a malvertising infection.
  • Logging out-going URLs. Capturing click-strings for adverts will help with forensic analysis in the case of a malvertising outbreak.

Further Reading

Got all that?
Test Yourself →
Take our quiz to make sure everything is clear