Malvertising: Risks and Protection
Online advertising keeps much of the internet free. It funds newsrooms, blogs, apps, and services you use every day. But the same ad ecosystem that makes digital content accessible can also be abused by cybercriminals. One of the most common tactics is malvertising, short for malicious advertising, where malware is distributed through online ads.
Our cybersecurity team at Computing Australia Group (Perth) has been engaged frequently over recent months to remediate incidents triggered by malicious ads. What makes malvertising especially frustrating is that it can affect careful users and reputable websites. In some cases, you don’t even need to click. A compromised ad placement, a rogue ad network, or a malicious redirect can be enough.
This guide explains what malvertising is, how it spreads, how to spot the warning signs, and what you can do today to reduce your risk on phones, tablets, and computers.
What is malvertising?
- Drive-by downloads (malware installs without clear user action)
- Credential theft (fake login pages, session hijacking)
- Scams and fraud (tech support pop-ups, “your phone is infected” alerts)
- Ransomware infection (in more severe cases)
- Browser hijacking (unwanted extensions, homepage/search changes)
- Data exposure (spyware, keyloggers, tracking)
How malvertising works
Malvertising isn’t one single technique—it’s a delivery method. The “payload” can vary from nuisance adware to serious malware. Here’s a simplified view of how it typically happens:
1) Attackers create or compromise an ad
They may:
- Submit an ad through an ad platform using fake business credentials
- Compromise a legitimate advertiser account
- Use a look-alike domain or cloned brand assets
- Hide malicious code inside scripts that appear benign during review
2) The ad is served through the ad ecosystem
Because ad delivery is automated and distributed, malicious ads can be served at scale before detection kicks in—sometimes in minutes, sometimes over days.
3) The user is redirected or tricked
Depending on the attack:
- Clicking the ad sends the user to a malicious landing page
- The ad triggers a redirect without an obvious click (in some scenarios)
- A pop-up imitates a system warning, urging urgent action
- The user is guided to install a “security tool,” “update,” or “extension”
4) The payload executes
The end result might be:
- A downloaded file (often disguised as a document, update, invoice, etc.)
- A browser extension install
- A fake login prompt (credential harvesting)
- Malware execution via a browser or plugin vulnerability (less common today than in the past, but still possible, especially on outdated systems)
Why malvertising is hard to detect
Malvertising is effective because it blends into normal browsing and often avoids obvious red flags. A few reasons it slips through:
- Ads are dynamic: The same ad slot may display different content to different users.
- Attackers “cloak” content: They show harmless content to moderators or scanners, then deliver malicious content to real users.
- The supply chain is layered: Websites may rely on multiple ad partners, resellers, and exchanges—making accountability difficult.
- Time-based attacks: Some malicious ads stay dormant until certain conditions are met (time, geography, device type, browser).
- Social engineering works: Even when the technical path is blocked, scare tactics (“Your device is infected!”) can push users into installing something dangerous.
Common malvertising tactics and formats
Here are the patterns we see most frequently:
Fake system alerts and tech support scams
You’ll see pop-ups claiming:
- “Virus detected”
- “Your iPhone has been hacked”
- “Windows Defender found threats”
- “Call support immediately”
These are designed to panic you into:
- calling a scam number
- installing a remote access tool
- paying for fake services
- handing over personal or banking information
“Update required” prompts
Malvertising often imitates:
- browser update prompts
- video player updates
- “your device is out of date” banners
Legitimate browsers update through their own built-in mechanisms—not random pop-ups.
Malicious redirects
A click—or even a page load—can bounce you through multiple URLs and land you on:
- a scam page
- a fake prize giveaway
- an adult site redirect
- an app download page hosting malware
Drive-by download attempts
Modern browsers are more resistant than they used to be, but outdated software, insecure extensions, or misconfigured systems can still be vulnerable.
Malicious or shady browser extensions
Some ads push extensions that:
- inject ads into your pages
- track your browsing
- intercept search queries
- redirect shopping links
- steal session cookies or credentials (in worst cases)
Malvertising vs adware vs phishing: what’s the difference?
These terms overlap, but they are not identical:
Malvertising
Adware
Adware is software that displays ads—often bundled with free applications. Some adware is merely annoying; some becomes dangerous when it:
- injects unwanted pop-ups you can’t close
- changes your browser settings
- installs additional unwanted programs
- tracks you aggressively
- leads you to malicious downloads
Phishing
Phishing is the attempt to trick you into handing over sensitive information (passwords, codes, payment details). Phishing can be delivered via:
- SMS
- social media
- phone calls
- ads (in which case it overlaps with malvertising)
In short: malvertising uses ads as the vehicle; adware is typically software that pushes ads; phishing is a deception technique that may appear inside ads.
How to identify malvertising ads
Not all online ads are harmful—but certain patterns should put you on alert. Be cautious if you see ads that include:
- Spelling or grammar errors (especially brand names spelled incorrectly)
- Celebrity scandals or sensational clickbait (“shocking secret…”, “you won’t believe…”)
- Miracle cures or unrealistic health claims
- Over-the-top urgency (“Act in 5 minutes”, “Account will be locked”)
- “Get rich fast” promises
- Low-quality designs or mismatched branding
- Adult/pornographic content in contexts where it doesn’t belong
- Fake download buttons (especially on file-sharing or streaming sites)
- Unexpected redirects when you click anywhere on a page
- Pop-ups that mimic your device (fake Apple/Google/Microsoft warnings)
How to protect yourself from malvertising
The best protection is layered: safer browsing habits + browser hardening + endpoint security + keeping systems updated.
1) Don’t click ads you don’t fully trust
This is the simplest and most effective baseline. If an offer looks interesting, don’t click the ad—go to the brand directly.
Safer alternative: open a new tab and type the company name (or use a bookmark you trust).
2) Use “click-to-play” (or reduce auto-play)
Auto-playing media isn’t just annoying—it can increase risk and distractions.
- Disable auto-play for video/audio where possible
- Restrict site permissions (pop-ups, redirects, notifications)
Browsers vary, but most provide controls under:
- Privacy & Security
- Site settings / Permissions
- Pop-ups and redirects
- Automatic downloads
- Notifications
3) Install a reputable ad blocker (or use a browser with tracking protection)
Ad blockers can reduce exposure to malicious ad inventory—especially on high-risk sites.
Options include:
- browser built-in tracking/ad protection features
- reputable ad-blocking extensions
- DNS-based ad blocking (for advanced users or families)
Tip: Keep your extensions minimal. Too many extensions increase the attack surface.
4) Keep your browser, OS, and apps updated
Outdated software is one of the most common risk factors. Updates patch known vulnerabilities that malvertising chains sometimes rely on.
- Turn on automatic updates for your OS and browser
- Update PDF readers, office tools, and media apps
- Remove software you don’t use
5) Use reputable endpoint protection (antivirus/anti-malware)
Modern endpoint protection can block:
- malicious downloads
- known malicious URLs
- suspicious scripts
- potentially unwanted programs (PUPs)
Make sure:
- it’s actively running
- definitions are updating automatically
- the subscription is current (if applicable)
6) Download only from official sources
For apps, plugins, and extensions:
- use official vendor websites
- use Apple App Store / Google Play
- use official browser extension stores (still review carefully)
Avoid “download portals” and random mirror sites, especially for popular software.
7) Lock down browser permissions
A lot of malvertising damage comes from permission abuse.
Review and restrict:
- Notifications (common scam vector)
- Pop-ups and redirects
- Location/camera/mic (only allow when needed)
- Automatic downloads
If you see a site repeatedly asking for permission—leave.
8) Use a password manager + MFA
If malvertising leads you to a fake login page, a password manager often won’t autofill—this is a subtle but powerful warning sign.
Also enable multi-factor authentication (MFA), ideally using an authenticator app or security key for high-value accounts (email, banking, admin accounts).
9) Consider network-level protection
For households and businesses, network-level controls can reduce risk:
- secure DNS filtering
- firewall rules to block known malicious domains
- web filtering policies
- browser isolation / hardened browsing for higher-risk roles
Protection tips for businesses and website owners
If you run a website that displays ads, malvertising is also a brand and trust risk—even if you’re not the attacker. Consider:
Vet ad partners and reduce reseller complexity
Work with reputable ad networks and avoid excessive layers of resellers. Complexity increases blind spots.
Use security headers and strong site hygiene
- Content Security Policy (CSP) can help constrain what scripts can do
- Keep CMS, themes, and plugins updated
- Remove unused plugins and ad tags
Monitor and respond quickly
- Monitor user complaints about redirects/pop-ups
- Use site monitoring tools that detect unexpected script changes
- Keep an incident playbook: what to disable, who to contact, how to communicate
Separate ad-related scripts where possible
Limit script privileges and isolate third-party scripts to reduce blast radius.
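One way to check the isolation described above, as an added example rather than the authors' own code: the function below audits the `sandbox` attribute of an ad iframe for tokens that hand back the ability to redirect the page, open pop-ups or start downloads. The sample markup and the host `ads.example.net` are constructed.

```javascript
// Added example: audit the sandbox attribute of an ad iframe. Markup is constructed.

// Sandbox tokens that give a frame back capabilities malvertising relies on.
const RISKY_TOKENS = new Map([
  ['allow-top-navigation', 'frame can redirect the whole page without a click'],
  ['allow-popups', 'frame can open pop-up windows'],
  ['allow-popups-to-escape-sandbox', 'pop-ups opened by the frame are not sandboxed'],
  ['allow-downloads', 'frame can start file downloads'],
  ['allow-modals', 'frame can show alert()/confirm() dialogs over the page'],
]);

// Extract the sandbox tokens from one <iframe ...> tag (quoted or bare attribute).
// Returns null when the attribute is absent, otherwise a (possibly empty) list.
function sandboxTokens(iframeTag) {
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?(?=[\s>\/])/i.exec(iframeTag);
  if (!m) return null;
  const value = m[1] ?? m[2] ?? '';
  return value.toLowerCase().split(/\s+/).filter(Boolean);
}

function auditAdFrame(iframeTag, sameOriginAsPage) {
  const tokens = sandboxTokens(iframeTag);
  if (tokens === null) {
    return ['no sandbox attribute: frame runs with full third-party privileges'];
  }
  const findings = tokens
    .filter((t) => RISKY_TOKENS.has(t))
    .map((t) => `${t}: ${RISKY_TOKENS.get(t)}`);
  // Same-origin content holding both tokens can remove its own sandbox attribute.
  if (sameOriginAsPage && tokens.includes('allow-scripts') &&
      tokens.includes('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin on same-origin content: sandbox can be removed');
  }
  return findings;
}

const UNSANDBOXED = '<iframe src="https://ads.example.net/slot1"></iframe>';
const LOOSE = '<iframe src="https://ads.example.net/slot1" ' +
  'sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>';
// Top-level navigation is only possible after a real user gesture.
const HARDENED = '<iframe src="https://ads.example.net/slot1" ' +
  'sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>';
```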
What to do if you think you’ve been hit
If you clicked an ad and something feels off, act quickly but calmly.
Step 1: Close the tab (don’t interact with pop-ups)
If a page says “Call now” or “Your device is infected,” don’t click anything inside it. Close the browser tab or the browser itself.
If it won’t close:
- force quit the browser/app
- restart the device
Step 2: Check for suspicious downloads
Look for recently downloaded files you didn’t intend to download. Don’t open them.
Step 3: Run a full security scan
Use reputable endpoint protection and run a full scan. If threats are detected, follow the remediation steps.
Step 4: Remove suspicious extensions
In your browser extension settings:
- remove anything you don’t recognize
- remove extensions you no longer use
- review permissions
Step 5: Change passwords if you entered credentials
If you typed a password into a site you now suspect was fake:
- change that password immediately
- change passwords on any accounts that reused it
- enable MFA
- review account sign-in history where available
Step 6: Watch for persistence
Signs the problem isn’t gone:
- your homepage/search engine changed
- ads appear everywhere, even on trusted sites
- frequent redirects
- new toolbars or unknown apps
- device performance drops suddenly
If symptoms persist, professional assistance can save time and reduce damage – especially for business devices.
Ads may be striking, but they can be harmful. Following safe online practices can protect you from malvertising. To know more, contact our cybersecurity specialists or email us at cybersecurity@computingaustralia.group.
Jargon Buster
Browser – an application for accessing data on the Internet.
Malware – a term for malicious software that is intended to cause harm to devices, networks and servers. Common types include viruses, ransomware and spyware.
Pop-ups – a form of online advertisement: graphical user interface display areas that suddenly appear in the visual interface.
FAQ
Can malvertising infect you without clicking?
Sometimes, yes. While “no-click” infections are less common with modern browser protections, malicious redirects, vulnerable plugins/extensions, and exploit chains can still cause issues—especially on outdated systems.
Are reputable websites safe from malvertising?
Not always. Even reputable sites may serve ads through third-party networks. A malicious ad can slip into the supply chain. The site owner may not know immediately.
Is every pop-up a virus?
No—but treat “your device is infected” pop-ups as suspicious by default. Real security alerts typically come from your installed security software or OS notifications, not from random web pages.
Are mobile devices at risk?
Yes. Mobile platforms have strong protections, but scams, malicious redirects, fake apps, and notification abuse are common. Always avoid installing apps prompted by ads or pop-ups.
What’s the safest way to claim an online deal?
Don’t click the ad. Visit the brand directly via a known URL/bookmark, then search for the deal on the official site.