Skip Navigation

March 4, 2024 |

What is malvertising?

Loading table of contents...

Since just a single data breach costs an average of $4.45 million to recover from, it’s more important than ever for professionals to understand key cybersecurity risks.

The problem is there are so many different risks today it can be difficult for individual users to keep up. This is particularly concerning for attack vectors that are often under-discussed and, therefore, underprepared for. Malvertising is one of these.

Let's dive into how malvertising can hurt companies and what you and your employees should do to stay safe. Let’s get started.

What is malvertising?

Malvertising is a combination of malware and advertising. It’s a kind of ad meant to encourage unsuspecting users to download malware. Once malware is on the user’s computer, the hacker who made it may steal data, corrupt files, or ask for a ransom.

In the context of the workplace, malvertising attacks tend to look something like this:

  1. An employee searches for a tool or application they need for work
  2. The worker clicks on the first link they see
  3. They get taken to a website where they download a file
  4. Unbeknownst to them, the website they just visited has either been compromised or created for brand impersonation
  5. The file the employee downloaded is malware, which gives a threat actor access to the company’s network

Malicious advertisements can be the first result on Google or shared across popular sites like online news sources and social media platforms. Threat actors pay for digital ads like a normal business would.

But if a user clicks on the ad, they download malware or get taken to a site where their information can be stolen. This means even ads on trusted web pages can be cleverly disguised malvertisements.

Malvertising vs. adware

People sometimes use the terms malvertising and adware interchangeably, but there’s a key difference. Malvertising is always malicious, whereas adware tracks a user’s web activity to display more personalized ads.

Cybercriminals can use adware to learn about a user’s behavior and target them, so it’s important to be aware of it. But it’s also used by legitimate companies, whereas malvertising is not.

Examples of malvertising in the world

It can be helpful to consider a few real-world examples when learning about malvertising attacks and how difficult they can be to identify. We’ve compiled many such examples through our security intelligence posts, but here's a quick look at what happened to Bitwarden, a popular password manager used by millions of people globally.

Security researchers discovered an unknown threat actor using phony websites that imitate Bitwarden exactly but for a slight typo in the URL (e.g., instead of

Users who accessed a phony website were still given the option of downloading Bitwarden for Windows, Mac, or Linux. However, only users who tried downloading Bitwarden on Windows were sent to a malicious installer instead. Those who tried downloading on Mac or Linux were sent safely to the official download page.

At least some Bitwarden users who fell for the scam must have been directed to fake websites after clicking phony advertising links. Their only mistake may have been failing to pay close attention to the URL.

Why is malvertising so common?

Remote work appears to be here to stay, and it's one reason malvertising may be getting more popular. When employees work from home, they tend to use more cloud-based tools. As searches for and downloads of these tools rise, they become increasingly attractive attack vectors for bad actors.

It’s also never been easier to advertise something online. Hackers are taking advantage of this by paying to broadcast their malicious links on Google search pages and popular websites.

Once the ads are posted, they bring victims to the hacker just as they normally bring customers to businesses. This makes the threat actor’s job easier since the victims are coming to them instead of the other way around.

Since malvertising is an effective way to disguise malicious files, it’s likely to become increasingly common as the average internet user becomes more sophisticated about cybersecurity.

Tips for detecting malvertising

Malvertising can be difficult for employees to spot because it can lurk on a site without displaying obvious signs of compromise or maliciousness. For example, someone may not notice a slight change in a URL if the fake website is otherwise the same as the real one. Or, if a legitimate website is compromised, there’s often no easy way for an employee to know that the file they’re about to download is infected.

Still, protecting yourself and your company from malvertising is possible.

Always check the URL

A good first step is teaching your team how hackers disguise their phony websites. As mentioned, they often change legitimate URLs slightly, such as substituting an M with an N or adding a hyphen where one doesn’t belong.

And while it’s true that even an observant, educated employee can make an honest mistake, it’s essential they understand the importance of verifying the URLs before they click.

As part of this, you may want to recommend that employees set up bookmarks for the sites they use most frequently. That way, whenever they need to access something secure (like a bank account login page or secure internal database) they can easily click on a trusted link instead of searching for the page online.

Keep software up to date

Research from Microsoft indicates that up to 80% of cybersecurity attacks originate from unmanaged devices. There are several reasons for this, but one is undoubtedly that these devices aren’t regularly updated—they continue using outdated software with exploits that hackers have already found.

Updating won’t prevent all malvertising attacks, but it may add new domains, IPs, and other elements involved in malvertising campaigns to your block list.

That’s why it’s smart to ensure your employees keep their software up to date. Ask them to turn on automatic updates. That way, the employee’s software is updated whether or not they remember to do so themselves.

This tactic gives your business another layer of protection against malvertising. Even if an employee visits a malicious website or downloads malware, the hacker may not be able to get into your company’s network if the employee’s software is up to date.

Don’t let Flash and Java run automatically

You may think you can stay protected from malvertising by simply not downloading anything from websites you aren’t 100% certain are safe. But that’s not always true.

One form of malvertising redirects users from legitimate websites to sites that host malware through Flash and Java files. If your computer automatically runs these programs, it may download the malicious files from the site even if you try to exit it as soon as you arrive.

This happened in 2015 when unsuspecting Daily Motion visitors were shown ads that automatically redirected them to a malicious site. Those who had automatic Flash and Java enabled downloaded malware unknowingly.

That’s why it’s important to turn off automatic Flash and Java. You want to approve these manually and only when visiting a site you trust.

Use legitimate ad blockers and firewalls

Ad blockers and firewalls offer further protection against malvertising. They block ads and sites or alert users who try to access websites or download files with suspicious characteristics. 

For example, without an ad blocker, your employees could see a fake ad for your company’s customer relationship management software and click on it before logging into their account. But if they had an ad blocker installed, they likely wouldn’t have been shown the ad in the first place.

Firewalls offer similar benefits. They can serve as a last line of defense when an employee downloads malicious files. Some modern firewalls also have extensions for web browsers like Google Chrome. Depending on pre-selected settings, these extensions will warn users or block a suspicious site.

Watch for brand inconsistencies or imitation errors

Malvertising directs users to one of two places: either a real website that’s been compromised or a fake one that looks like the real thing. It’s the second category we’re focusing on here.

Even when skilled cybercriminals are behind malvertising, the websites they spoof will often have obvious flaws once you start looking for them. This can include:

  • Inconsistent branding
  • Behavioral anomalies (such as prompting you to download a file the instant you get to the site)
  • Content issues like misspelled words and poor grammar
  • Poor website functionality, which can be a sign of hastily written code

Even if a user can’t immediately point out the flaws in a fake website, they can feel like something is off. Tell your team to listen to these feelings and call in a security expert before taking action. It’s better to be over-prudent than to leave your company vulnerable.

Deploy a comprehensive cybersecurity tool

Educating your employees about malvertising and how to avoid it can significantly reduce your risk of breach. But some malware can still fall through the cracks—even if the entire team follows all of your best practices.

That’s why it’s also important to have a comprehensive cybersecurity tool in place. You want something that constantly scans your network, cloud services, and devices and alerts you when it spots suspicious, malicious, or anomalous activity.

You’ll also need a response capability to address security problems efficiently. Larger companies with existing cybersecurity teams can sometimes handle this internally. But for small and medium-sized businesses, it’s typically more economical to partner with a third-party managed detection and response (MDR) tool.

MDRs watch over your company’s network and devices, issue alerts when they show unusual activities, and help you respond to security problems as they arise. The net result is a complete cybersecurity shield you don’t have to manage yourself.

Beat malvertising and other security threats with Covalence

Cybersecurity has become increasingly important as more and more of our work happens online. User education and awareness are critical first steps in the fight against malvertising and other security breaches. But they aren’t a comprehensive strategy themselves.

Covalence may be your solution. Our MDR provides expert-backed 24/7 monitoring and response for your entire company. It’s a single platform you can use to check off nearly every item on your cybersecurity to-do list—from endpoint detection to around-the-clock support from our security experts.

But don’t take our word for it. Watch this three-minute Covalence tutorial to see how it can help your business achieve its cybersecurity goals.