What is Malvertising and How Do You Protect Yourself?

Blank billboard in bus stop at night with the lights of the cars passing by great copy space for your design shot in London United Kingdom uk

Attackers are trying to compromise your web browser and its plug-ins. “Malvertising,” using third-party ad networks to embed attacks in legitimate websites, is becoming increasingly popular.

The real problem with malvertising isn’t ads — it’s vulnerable software on your system that could be compromised by just clicking a link to a malicious website. Even if all ads vanished from the web overnight, the core problem would remain.

Editor’s Note: This site is obviously ad-supported, but we’re trying to inform people of a very real problem with zero-day drive-by attacks, and the popular solution doesn’t prevent the root cause. You can certainly use Adblock to reduce your risk, but it doesn’t eliminate the risk. For instance, celebrity chef Jamie Oliver’s website was hacked not once, but 3 times with a malware exploit kit that targeted millions of visitors.

Websites are hacked every day, and assuming that your adblocker is going to protect you is a false sense of security. If you are vulnerable, and a ton of people are, even a single click can infect your system.

Web Browsers and Plug-ins Are Under Attack

There are two main ways attackers attempt to compromise your system. One is by attempting to trick you into downloading and running something malicious. The second is by attacking your web browser and related software like the Adobe Flash plug-in, Oracle Java plug-in, and Adobe PDF reader. These attacks use security holes in this software to force your computer to download and run malicious software.

If your system is vulnerable — either because an attacker knows a new “zero-day” vulnerability for your software or because you haven’t installed security patches — just visiting a web page with malicious code on it would allow the attacker to compromise and infect your system. This often takes the form of a malicious Flash object of Java applet. Click a link to a shady website and you could be infected, even though it shouldn’t be possible for any website — even the most disreputable ones on the worst corners of the web — to compromise your system.

What is Malvertising?

Rather than attempting to trick you into visiting a malicious website, malvertising uses advertising networks to spread these malicious Flash objects and other bits of malicious code to other websites.

Attackers upload malicious Flash objects and other bits of malicious code to ad networks, paying the network to distribute them like they’re real advertisements.

You could visit a newspaper’s website and an advertising script on the website would download an ad from the ad network. The malicious advertisement would then attempt to compromise your web browser. That’s exactly how one recent attack that used Yahoo!’s ad network to serve malicious Flash ads worked.

That’s the core bit of malvertising — it takes advantage of flaws in software you’re using to infect you on “legitimate” websites, eliminating the need to trick you into visiting a malicious website. But, without malvertising, you could be infected in the same way after just clicking a link away from that newspaper’s website. Security flaws are the core problem here.

How to Protect Yourself From Malvertising

Even if your browser never loaded another ad again, you’d still want to use the below tricks to harden your web browser and protect yourself against the most common attacks online.

Enable Click-to-Play Plug-ins: Be sure to enable click-to-play plug-ins in your web browser. When you visit a web page containing a Flash or Java object, it won’t automatically run until you click it. Almost all malvertising uses these plug-ins, so this option should protect you from almost everything.

Use MalwareBytes Anti-Exploit: We keep banging on about MalwareBytes Anti-Exploit here at How-To Geek for a reason. It’s essentially a more user-friendly and complete alternative to Microsoft’s EMET security software, which is targeted more at enterprises. You could also use Microsoft’s EMET at home, but we recommend MalwareBytes Anti-Exploit as an anti-exploit program.

This software doesn’t function as an antivirus. Instead, it monitors your web browser and watches for techniques browser exploits use. If it notices such a technique, it will automatically stop it. MalwareBytes Anti-Exploit is free, can run alongside an antivirus, and will protect you from the vast majority of browser and plug-in exploits — even zero-days. It’s important protection every Windows user should have installed.

Disable or Uninstall Plug-ins You Don’t Frequently Use, Including Java: If you don’t need a browser plug-in, uninstall it. This will “reduce your attack surface,” giving attackers less potentially vulnerable software to target. You shouldn’t need many plug-ins these days. You probably don’t need the Java browser plug-in, which has been an unending source of vulnerabilities and is used by few websites. Microsoft’s Silverlight is no longer used by Netflix, so you may be able to uninstall that too.

You could also disable all your browser plug-ins and use a separate web browser with plug-ins enabled just for web pages that need it, although that will require a bit more work.

If Adobe Flash is successfully erased from the web — along with Java — malvertising will become much more difficult to pull off.

Keep Your Plug-ins Updated: Whatever plug-ins you leave installed, you need to ensure they’re kept up-to-date with the latest security patches. Google Chrome automatically updates Adobe Flash, and so does Microsoft Edge. Internet Explorer on Windows 8, 8.1, and 10 automatically updates Flash, too. If you’re using Internet Explorer on Windows 7, Mozilla Firefox, Opera, or Safari, ensure Adobe Flash is set to automatically update. You’ll find Adobe Flash options in your control panel or in the System Preferences window on a Mac.

Keep Your Web Browser Updated: Keep your web browser updated, too. Web browsers should automatically update themselves these days — just don’t go out of you way to disable automatic updates and you should be okay. If you’re using Internet Explorer, ensure Windows Update is activated and regularly installing updates.

While most malvertising attacks take place against plug-ins, a few have attacked holes in web browsers themselves.

Consider Avoiding Firefox Until Electrolysis is Done: Here’s a controversial piece of advice. While Firefox is still beloved by some, Firefox is behind other web browsers in an important way. Other browsers like Google Chrome, Internet Explorer, and Microsoft Edge all take advantage of sandboxing technology to prevent browser exploits from escaping the browser and doing damage to your system.

Firefox has no such sandbox, although other browsers have had one for several years. A recent malvertising exploit targeted Firefox itself using a zero-day. Sandboxing techniques built into Firefox could have helped prevented this. However, if you do use Firefox, using MalwareBytes Anti-Exploit would have protected you.

Sandboxing is set to arrive in Firefox after years of delays as part of the Electrolysis project, which will also make Firefox multi-process. The “multi-process” feature is scheduled to be part of the stable version of Firefox “by the end of 2015,” and is already part of the unstable versions. Until then, Mozilla Firefox is arguably the least secure modern web browser. Even Internet Explorer has employed some sandboxing since Internet Explorer 7 on Windows Vista.


Currently, almost all malvertising attacks take place against Windows computers. However, users of other operating systems shouldn’t get too cocky. The recent malvertising attack against Firefox targeted Firefox on Windows, Linux, and Mac.

As we’ve seen with crapware moving over to Apple’s operating system, Macs aren’t immune. An attack on a specific web browser or a plug-in like Flash or Java usually works the same way across Windows, Mac, and Linux.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.