5 common malvertising examples

Malvertising is relatively new in the world of cyberthreats and can be the hardest to spot. Here are five examples of these malicious ads.

The newest cyberthreats to consumers don't come from the deepest reaches of the dark web. They come in fairly benign-looking ads in emails or on the websites of their favorite brands.

Welcome to the world of malvertising, where cybercriminals inject malicious code into ostensibly legitimate ads. When the unsuspecting consumer clicks on -- or even views -- the ad, cybercriminals push malware onto their devices or steal their sensitive data.

"Malvertising takes on different forms," said Maryam Meseha, founding partner and co-chair of the data privacy and security practice group at Pierson Ferdinand. "Essentially, they're bad code that's injected inside of an ad campaign. They can come through an email sent by a company [or] could be injected while you're searching the web."

Malvertising is on the rise, in part spurred by Microsoft blocking macros in documents downloaded from the internet. While these attacks can devastate consumers, they can also severely affect brands whose websites and ads are spoofed in an attempt to exploit vulnerabilities.

Marketing and sales leaders should know common malvertising examples to help them ensure their campaigns don't appear fraudulent and so they can protect their customers. Check out five top malvertising examples and what companies can do to defend their brands.

1. Drive-by downloads

On even the most legitimate sites, advertisements may not be vetted thoroughly, according to Michael McLaughlin, co-leader of cybersecurity and data privacy at law firm Buchanan Ingersoll & Rooney.

For example, news sites may not review sponsored posts extensively. Those ads could be drive-by downloads -- essentially, ads into which cybercriminals have injected malicious code that triggers a malware download on a user's computer.

2. Typosquatting

Typosquatting and domain squatting are another malvertising example that can compromise a brand's reputation and user security. In this example, users think they're going to a brand's website, but instead get directed to a site that uses a typo or a slight variation of that brand's domain name, according to McLaughlin. The malvertising may then prompt users to download malware or try to steal their credentials.

"It's almost imperceptible unless you know what you're looking for," McLaughlin said. "I see it across the board for reputable companies and well-known names in the industry."
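A brand's security team can check ad landing-page or referrer domains for the "typo or slight variation" pattern described above. The following is an added example, not part of the original article: the brand domain, the look-alike character map and the sample domains are all constructed for illustration.

```python
# Added example (not from the article). BRAND, CONFUSABLES and SAMPLE are constructed.
BRAND = "examplebank.com"  # hypothetical brand domain
# Small illustrative look-alike map; a real deployment would use a fuller table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
SAMPLE = ["ads.examplebank.com", "examp1ebank.com", "exarnplebank.com",
          "exampelbank.com", "examplebank.com.secure-login.net", "news.example.org"]


def skeleton(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_dist: int = 2) -> str:
    """Label a landing-page domain relative to the brand's own domain."""
    d = domain.lower().rstrip(".")
    if d == brand or d.endswith("." + brand):
        return "legitimate"      # the brand itself or one of its subdomains
    folded, target = skeleton(d), skeleton(brand)
    if folded == target:
        return "homoglyph"       # differs only by look-alike characters
    if osa_distance(folded, target) <= max_dist:
        return "typo"            # dropped, added, changed or swapped letters
    if target.split(".")[0] in folded:
        return "embeds-brand"    # brand name inside an unrelated domain
    return "unrelated"


def triage(domains):
    """Return only the domains that need review, with the reason."""
    verdicts = {d: classify(d) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "unrelated")}


if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{reason:13} {name}")
```
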

3. False applications

Cybercriminals also try to implement malvertising on mobile devices through impersonated applications or ads, McLaughlin said.

For example, users may try to download a cryptocurrency trading platform, but as soon as they type in their crypto wallet credentials, malicious actors can steal their data. These bad actors may also want to steal passwords and contacts or gain access to any data stored on a user's mobile device.

Malicious actors can also create false applications for cryptojacking, where they use both mobile and desktop devices to mine cryptocurrency. Users may run innocuous-looking software or visit a website injected with malware, and cybercriminals run cryptomining operations in the background.

4. Fake QR codes

Thanks to the rise in QR code usage, cybercriminals have found another way to launch phishing and malware attacks. Some QR codes are executable, according to McLaughlin, which bad actors can exploit.

Cybercriminals have taken advantage of the opportunity QR codes present to blend the physical and digital worlds. Fake QR codes redirect users to sites that ask for their credentials or are injected with malware to take control of their devices.

5. Exploit kits

One of the more insidious malvertising examples is an exploit kit. This type of attack involves malicious code inserted into ads that can find and exploit vulnerabilities on a user's device to install malware without any user action.

The user simply visits a site, like a popular video streaming site, where the code exists. The code then profiles the user's device for vulnerabilities, looks for outdated software -- like antivirus software or an older version of the web browser -- and silently runs the malicious code. The user is never the wiser.

Educate customers to avoid malvertising

Brands often don't realize when malvertising attacks occur, according to Meseha. So, they should try to train their customer base to help prevent these attacks.

"What I like to advise clients is to sometimes, quarterly or semiannually, send a PSA that says, 'These are what our ads look like, and these are the things you need to be careful of,'" she said.

These messages should also advise customers to contact customer service if they receive a suspicious email or link.

On the back end, Meseha said she advises organizations to have the right disclosures and limitations of liability to protect themselves. She also said organizations should ensure that their own security protocols and tools are up to date, so if code on their websites is flagged as malicious through endpoint detection, internal monitoring or other means, they can activate a response quickly.

"There has to be an internal protocol from a security perspective," she said.

Christine Campbell is a freelance writer specializing in business and B2B technology.
