Malvertising (malicious advertising) uses the online advertising infrastructure to deliver malware to users visiting legitimate websites. The New York Times, BBC, and many major sites have unwittingly served malvertising campaigns. You don’t need to click an ad — some attacks exploit browser vulnerabilities just from the ad loading.
How Malvertising Works
The online advertising ecosystem involves multiple parties:
- Advertiser: buys ad space (legitimately or fraudulently)
- Ad network: intermediary (Google Ads, Programmatic exchanges)
- Publisher: the website showing ads (NYT, Reddit, any site)
- User: visits the website
Attackers exploit this chain by:
Method 1: Buying Legitimate Ad Space
Attackers register as an “advertiser” and buy real ad impressions through legitimate networks. They submit ads that initially appear benign, pass review, go live, then update the landing page to serve exploits.
The timeline:
- Submit clean ad → review passes
- Geo-target to specific countries/ISPs to avoid detection during review
- After approval: activate malicious redirect
Method 2: Compromising Ad Networks
Attackers compromise smaller ad networks or Real-Time Bidding (RTB) participants, injecting malicious code into ad slots across many sites simultaneously.
Method 3: Domain Spoofing
Attackers register lookalike domains of major advertisers and buy ad space claiming to be from the spoofed brand. The ad content is malicious.
Delivery Mechanisms
Drive-By Download (Exploit Kits)
The most dangerous type — no user interaction required:
- Ad loads in the browser
- Ad contains JavaScript that fingerprints the browser (version, plugins, OS)
- If a known vulnerability matches, the exploit kit delivers shellcode via heap spray or memory corruption
- Shellcode installs malware silently
Popular exploit kits: Angler (defunct), RIG, Magnitude, Purple Fox. These scan for unpatched browsers, Flash Player (now extinct), Java applets, and PDF readers.
Forced Redirect
The ad loads a redirect to a scareware site (“Your computer is infected! Call Microsoft at 1-800-xxx-xxxx”) or download prompt for fake updates.
Click-Based
More traditional: the ad looks legitimate (fake Microsoft update, fake antivirus) and user clicks to install.
Targets in 2026
Without Flash/Java/IE, pure drive-by exploits are less common. Current malvertising focuses on:
- Google Search Ads: fake ads for popular software (TeamViewer, Bitwarden, VirtualBox) that link to malicious lookalike sites with trojanized downloads
- Social media platforms: Facebook/Instagram ads for fake crypto exchanges, fake app downloads
- Streaming sites: ads on free streaming sites regularly serve exploit kits
- Adult content sites: high-volume, low-moderation ad networks
Search ad malvertising is particularly dangerous in 2026 — attackers buy Google/Bing ads for “download VLC”, “download Zoom”, etc. and the top ad result serves a malicious installer.
How to Protect Yourself
1. Ad Blocker (Most Effective)
uBlock Origin (Chrome, Firefox, Edge) blocks ads at the request level:
- No ad request made = no malvertising possible
- Uses filter lists (EasyList, EasyPrivacy, malware domains)
- Enable “Block coin miners” and “Block malware domains” in filter lists
In Firefox + uBlock Origin, essentially no ad-based attack vector exists.
2. Keep Browser Updated
Browser vendors patch drive-by exploit vulnerabilities quickly after discovery. Enable automatic updates. Running an old Chrome is significantly riskier than a current one.
3. Disable Browser Plugins
Every plugin (Java, old PDF readers, media players) is a potential exploit target. Modern browsers don’t support NPAPI plugins anyway — but check for any legacy plugins:
chrome://extensions (check for legacy plugins)
about:plugins in Firefox
4. Click-to-Play Media
If any media plugins are present, set them to click-to-play so they don’t auto-execute.
5. Browser Sandboxing
All modern browsers sandbox tabs. Additionally:
- Windows Sandbox: run suspicious links in a disposable VM
- Firejail (Linux): sandbox individual browser processes
- HitmanPro.Alert: blocks browser exploit techniques
6. DNS Filtering
Block known malvertising domains at DNS level:
- NextDNS with “Malware domains” blocklists enabled
- Pi-hole with malware blocklists
- Cloudflare 1.1.1.2 (malware-blocking variant)
7. Verify Software Downloads
When downloading software:
- Only download from the official developer’s website (not ads, not mirrors)
- Check the URL carefully — googlevids[.]com is not Google
- Verify file hashes when available
- Check VirusTotal for any downloaded executable before running
Recognizing Fake Download Ads
Google Search malvertising red flags:
- Ad label at the top of results
- URL doesn’t match expected domain (teamviewer-download[.]net vs teamviewer.com)
- Landing page design is slightly off (wrong logo, minor typos)
When searching for software to download, scroll past ads to the actual search results and navigate to the official website directly.
For Organizations
Enterprise defenses against malvertising:
- Web proxies with SSL inspection: inspect ad content before it reaches endpoints
- DNS security (Cisco Umbrella, Infoblox): block malvertising domains in real-time
- Endpoint security with browser protection layer
- Training: teach employees to always go directly to vendor sites, not click ads
The most impactful individual action: install uBlock Origin. It eliminates the entire ad-based attack surface in one step.