Microsoft 365
January 05, 2023

What is malvertising?

Ads you encounter while browsing the Internet can be a bother, but they may pose more of a threat than you realize. Malvertising is particularly sneaky.

Malvertising defined

Malvertising is the malicious use of Internet ads. Hackers inject code into legitimate ads, which then direct users to problematic sites and downloads. Ill-intentioned ads can also be designed from scratch. In both cases, hacked or deceptive ads attack end users in one or more of the following ways:

  • Initiate an automatic download of malware
  • Encourage users to take actions—from clicking or calling to filling out a form—that result in downloading malware
  • Automatically redirect users to phishing sites
  • Trigger often urgent-seeming pop-ups that direct users to click or call, which can initiate a malware download or more in-depth cyberattack

To be clear, not all pop-ups are malvertising. Many pop-ups are legitimate functions of trustworthy software, such as a pop-up that encourages you to install a valuable update or try a new feature. Malvertising is distinct in that it aims at installing malware and/or ultimately stealing your data.

How does malvertising happen?

Like most cyberthreats, malvertising exploits vulnerabilities. In this case, there are two primary vulnerabilities that malicious actors can use to their advantage:

Advertising ecosystem vulnerabilities

According to a 2007 study by market research firm Yankelovich, the average person encounters up to 5,000 ads a day. That number is estimated to have doubled by 2022. There are several vulnerable points in the chain of events between ad creation and display on individual devices. Hackers exploit these weak spots—most often at the server or browser level—to insert malicious code.

Browser vulnerabilities

Browsers can be susceptible to threats, especially if a user doesn’t closely monitor their settings, choose safe extensions, install updates, and protect their devices with antivirus software. When these steps aren’t taken—and sometimes even when they are—malicious actors can exploit weak points in extensions and out-of-date browsers.

Ways to protect against malvertising

Sneaky as it may be, there are several ways to guard yourself and your devices against malvertising:

Run antivirus and anti-malware software

Antivirus and anti-malware software, including Microsoft Defender, provide essential protection against cyberthreats, including malvertising. This software, which can come separately or bundled, is continually upgraded to keep you safe from both established and ever-evolving attacks. Hackers continuously invent new ways to outsmart protections, so antivirus and anti-malware software is your best defense against ongoing, changing threats.

Add an ad blocker

Ad blockers are designed to stop ads from popping up in your browser. They limit malvertising, too. To find an ad blocker, explore available extensions on your web browser. Ensure you’re choosing a safe extension by referencing trusted sources, like this list of verified extensions for Microsoft Edge.

Check your browser settings

To set yourself up for safety, be choosy with your browser settings. Browsers give you the freedom to disable pop-ups, reject or inspect cookies, routinely clear your cache, and more. Applying these settings decreases your vulnerability to malvertising attacks.

Keep up with updates

Staying current with browser, operating system, and antivirus updates is one of your best moves to outsmart all kinds of cybercrime. When you stay up to date, you are immediately better protected by the latest security patches and features to thwart threats.

Click with caution

While the best way to avoid malvertising is to stop it from appearing in your browser, there’s always a chance that hackers will find new ways to show up on a site. With that in mind, click with caution. Watch for ads and webpages that feel off: You might notice a misspelling or an out-of-proportion logo. If something looks untrustworthy, trust your instinct. If you enter a legitimate web address, but are then directed to a malicious page, your best protection is to pay attention to details—from missing punctuation to an image that’s too big—and inspect the URL for changes to the original address before clicking anything else.

Don’t take the bait

If a page or pop-up aggressively demands that you click or call to avoid dire consequences, don’t take the bait. Urgency is often a sign of trickery when it comes to pop-ups and web copy. If you sense that an ad, pop-up, or webpage is trying to alarm you, be wary—this is a classic manipulation tactic. Legitimate entities—like banks, online stores, etc.—communicate with more composure and provide ways to calmly resolve issues.

Even though malvertising is designed to trick you, these actions can give you a great deal of protection. If you also practice good cyber hygiene, you will have an excellent shot at keeping your device and data safe.
