We are bombarded by advertisements every single day. Estimates of the number of online and offline advertisements we are exposed to in a day vary from several hundred to several thousand. Even if we prefer to be conservative and regard the estimate of several hundred to be accurate, and further believe that only half of those are online ads, we are still faced with exposure to a few hundred online advertisements on a daily basis – and only one of them has to be malicious to cause havoc in your life.

What is the probability that you will encounter a malicious advertisement when online? Malicious advertising is so common, it even has its own term – malvertising. We are likely to encounter malicious advertising every day and we must learn to protect ourselves, which requires first understanding what malicious advertising is and isn’t. Let’s first take a closer look at what isn’t malicious advertising.

What Isn’t Malicious Online Advertising

Online advertising is often described as a privacy risk, as our online habits can lead to advertisers building profiles of individual internet users that can be used to create personalised ads and build differential pricing strategies where the user pays a different price for the same product or service than other customers. Such advertisements may fall under the purview of privacy regulations, but are not considered malicious advertising in the context of cybersecurity.

Types of Malicious Online Advertising

Online advertising can occur in various forms, such as popups, popunders, redirects, images, inline videos that may or may not autoplay, and text (which could include entire articles). Such advertisements are considered to be malicious if they are designed to actively harm the user and can be broadly classified under two categories: advertising that includes malicious code, and advertising that does not include malicious code.

Advertising that Includes Malicious Code

Online advertisements may include malicious code directly, in the form of scripts, or indirectly, by linking to a page that hosts malicious code or downloads. Website visitors who never click on advertisements may believe they are safe from malicious advertising but that belief only provides a false sense of security. Users need not click on a malicious ad to trigger malicious activity. Drive-by-downloads are a form of cyberattack where webpages can automatically download malware to exploit vulnerabilities in browsers. The website visitor does not need to interact with the advertisement, or any part of the webpage, in any way; if the malicious website is a popunder advertisement, the website visitor may not even be aware that another webpage has been opened.

Advertising that Does Not Include Malicious Code

Online advertisements can be malicious without including any malicious code as the advertisement may merely direct the website visitor to a malicious resource such as an infected app or even to an attacker who operates offline e.g., the victim sees an enticing advertisement that includes a phone number, and the person they speak to on the phone persuades them to make a payment after which the attacker is never heard from again. The advertisement is, by itself, entirely benign which makes it difficult for antivirus or other cybersecurity tools to protect the website user from such messages.

Malicious advertisements, especially the type that does not include malicious code, may appear on legitimate websites that are assumed to be safe, or even be delivered by a search engine above search results, as the platform on which the advertisements appear has no way of verifying if the displayed advertisements are safe. Online advertisements are no longer limited to websites; we encounter them in apps and even on the lock screens of our phones, and the risk of falling prey to malicious advertising increases along with the increase in exposure to promotional messages online.

Protecting Yourself Against Malicious Online Advertising

Online advertising is pervasive and may therefore pose a risk to personal cybersecurity, but protection against malicious advertising only requires following the fundamentals of cyber hygiene:

1. Be Sceptical – An advertisement that is too good to be true is most probably not true. Avoid clicking or tapping on ads, or links in promotional messages, unless you have good reason to believe the message is genuine. Visit the advertiser’s website directly, rather than through the advertisement, to verify if the same offer is available on their official website
2. Be Alert – An advertisement may appear to be from your bank and clicking on the message may direct you to a login page that looks exactly like your bank’s login page but is actually a malicious page designed to steal your banking credentials. Check the URL of the page to confirm it is your bank’s URL before entering any information. Similarly, do not provide any personal information via emails, SMS, WhatsApp, or on the phone unless it is absolutely necessary and only if you can verify that the recipient is genuine. Search engines always indicate which search results are advertisements; look out for this marker and ask yourself if you would like to click on the ad or on a search result
3. Be Informed – Reading news about online scams and threats will keep you informed of the latest methods and tactics that attackers use, which you can then recognise and avoid. Always check ratings and reviews before you install any software or app on your device
4. Update Hardware and Software – Your browser, other software, plugins, operating system, phone, router, etc. receive security updates from their vendors. Ensuring such updates are installed as soon as they become available reduces the risk of a malicious advertisement exploiting an unpatched vulnerability. Search for the updates on the vendor’s official website, as advertisements that offer updates or related tools may link to malware
5. Use Comprehensive Antivirus – Antivirus that can block malicious links, stop drive-by-downloads, and prevent malicious apps from running can help you stay safe from malicious advertising. Ensure you install antivirus on all your devices, and obtain the antivirus from the vendor’s official website as attackers may create advertisements that lead you to malware disguised as antivirus
6. Use an Ad Blocker – Ad blocking software can block all or most online advertising but using an ad blocker is an extreme step as it may prevent you from seeing useful advertisements that may benefit you, and some websites may not function properly if certain scripts are blocked. Nevertheless, ad blocking is an effective way to prevent exposure to malicious advertising. Before searching for an ad blocker, check if your antivirus product includes ad blocking

Advertisements can be useful or entertaining, and some may even consider them a form of art, but the risk of malicious advertising keeps increasing as we move to a digital-first way of life. Luckily it takes only a few sensible precautions to stay safe from such dangerous communication.