Malevolent advertising is called malvertising. The “ad” is placed on a website by cybercriminals who want control of your computer for financial gain.
And the real scary thing about malvertising is that these trick-ads have appeared on trusted, popular websites like the Weather Network, BBC, NFL and the New York Times.
Oh, and it gets worse: The malicious ad can be hidden, unseen by the site visitor, thanks to a special html code that allows the bad ad to be inside legitimate content. This trick-code is usually hidden in what are called iframes—without affecting the rest of the site appearance.
The type of cybercriminal who succeeds at this needs to be patient and clever.
- Legitimate advertisers place their ads with ad networks, bidding for ad placement.
- Ad networks, which handle the bidding, serve the ads to websites.
- Crooks may place legitimate ads with these networks to gain a good reputation, or, crooks run networks.
- After building trust with placement of legit ads, the crooks graduate to ad placement on high traffic sites, and then they put in their malicious code in the iframes: malvertisements.
- When you’re on one of these infected pages, the ad will release malware to your computer that can do a whole host of damage.
What to do?
- Keep all your software and systems up to date.
- Install an ad blocker, but be judicious, because ad blockers can disrupt the presentation of some sites, e.g., blocking some content, not just the ads. You may not mind this inconvenience, but also realize that an ad blocker will not block every malvertisement, either.
- Install antivirus software or an anti-exploit kit that will snuff out exploit kits, a favorite tool of the malvertiser.
- Exploit kits prowl your computer for vulnerabilities, and the right software will detect and neutralize them.
- Uninstall browser plugins you have no use for, especially if they’re the vulnerable Adobe Flash and Java.
- Set the remaining plugins to click to play, which will give you the option to run a plugin when a site you’re visiting wants to load one.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.