
Research Finds 1 Percent of Online Ads Malicious

One percent does not sound like a lot, but multiply it by the right number, and it can be.

Such is the case when it comes to malicious advertising. In research recently presented at the 2014 Internet Measurement Conference in Vancouver, a team of security experts from Ruhr-University Bochum, University College London and the University of California, Santa Barbara (UCSB) examined more than 600,000 online advertisements on 40,000 websites over a three-month period and used multiple detection systems to assess whether they were good or bad. The end result: one percent of the ads were found to be involved in suspicious or malicious activity such as drive-by downloads and link hijacking.

“While this is bad news for the advertising networks, advertisers and Internet users who are all under attack from the malware producers, the good news is there are several things available today that can stop malvertising,” said Giovanni Vigna, co-founder and CTO of Lastline, one of the members of the team that worked on the research. “One of these is the use of the sandboxing attribute in iframes within HTML5. None of the 40,000 websites we observed leveraged this mechanism, even though it could stop the link-hijacking that is by far the most prevalent method by which miscreants are getting past other security measures in order to distribute malware through advertisements.”

“On the ad network side — whether those be ad brokers, ad distributors, ad resellers or traditional ad networks — a similar approach can be taken to that used in our study to monitor for malvertising,” he continued. “To detect malicious behavior in ads we used a composition of blacklists, reputation databases, and Wepawet, a honeyclient developed at UCSB that uses an emulated browser to capture the execution of JavaScript to identify signs of maliciousness, such as drive-by-download attacks. The research community and technology companies (including security providers as well as ad networks and ad brokers) can and should continue to study malvertising and develop new techniques and tools to detect and stop it.”
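The iframe sandbox attribute mentioned above can be checked from the publisher side. The following is an added example, not code from the study or from Lastline: a Python audit that lists every iframe in a page and reports whether its sandbox attribute still lets the framed ad navigate the top-level page, the capability that link hijacking depends on. The sample markup and the `ads.example` host are constructed for illustration.

```python
from html.parser import HTMLParser

# Sandbox tokens that let framed content navigate the top-level page.
TOP_NAV_ANY = "allow-top-navigation"
TOP_NAV_CLICK = "allow-top-navigation-by-user-activation"


class IframeAudit(HTMLParser):
    """Collect (src, verdict) for every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # tag and attribute names arrive lower-cased
        src = a.get("src") or "(no src)"
        if "sandbox" not in a:
            verdict = "unsandboxed"
        else:
            # A bare or empty sandbox attribute applies every restriction.
            tokens = set((a["sandbox"] or "").lower().split())
            if TOP_NAV_ANY in tokens:
                verdict = "top-navigation-allowed"
            elif TOP_NAV_CLICK in tokens:
                verdict = "top-navigation-on-click-only"
            else:
                verdict = "top-navigation-blocked"
        self.findings.append((src, verdict))


def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the ad host is a placeholder.
SAMPLE = """
<iframe src="https://ads.example/slot1"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://ads.example/slot3" sandbox="allow-scripts allow-top-navigation"></iframe>
<IFRAME SRC="https://ads.example/slot4" SANDBOX></IFRAME>
"""

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE):
        print(f"{verdict:30} {src}")
```

Frames reported as `unsandboxed` or `top-navigation-allowed` are the ones whose embedding markup a publisher would want to tighten.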

Apostolis Zarras of Ruhr-University Bochum said that the smaller ad networks appear to be more prone to serving malvertisements, which he speculated could be due to less efficient filtering mechanisms compared to the larger ones. 

In the paper, the researchers also speculated that many publishers trust their advertisers to police malicious activity, and therefore do not use additional filters to protect their users. As for solutions, the researchers argued that collaboration among the ad networks can bring better results in defending against malvertisements compared to individual actions, and the existence of a common blacklist where all malicious advertisements will be submitted can prevent attackers from submitting their wares to a different network if they get rejected by another.  

“Another, more drastic, solution will be penalizing of the ad networks which are inefficient to detect the malicious code embedded in advertisements,” according to the paper. “For instance, forbidding from participating in ad arbitrations for a certain amount of time, or the application of similar penalties, when an ad network is found delivering malvertisements, can boost the ad networks to invest in better detection algorithms.”

“Back in time,” said Zarras, “we used to have websites that were controlled by cyber-criminals and the attackers had to lure the victims to visit these websites so they can effectively infect their machines with malware. But, with the ads this is not necessary any more. An ad can exploit vulnerabilities in your browser, or your browser extensions without the need from user’s side to visit a malicious website. For instance, the incident that took place in January 2014, in which Yahoo ads exploited vulnerabilities in Java and installed malware on victims’ computers, [shows] that these attacks are actually possible and not theoretical. So, the main reason that malvertisement is more effective than traditional attacks, is that the users can be infected with malware even if they visit only legitimate websites.”
