Malvertising is the term that describes taking advertising that appears on legitimate web sites and turning it into weapons.
In almost all cases, the web sites involved have no knowledge of what is going on. Web sites buy ads from large ad networks such as Google and AOL. Those ad networks sign up advertisers so that when you open a web site, based on the information that they have collected about you, they will show you an ad for cooking shows or rock climbing. It used to be that these ads were just pictures, but since people were ignoring those ads, they now have amazing amounts of animation, timers and all kinds of things. That means that these ads are really programs that are dynamically downloaded to your computer and executed without your permission or even requesting it.
Either the ads entice you to click on them and when you do, they install the malware or they figure out how to use a vulnerability in your system to get loaded just by displaying the ad. That second type is the really scary one because all you need to do is go to Fox News, for example, to get infected. And, it is not Fox’s fault because they don’t even know what ad you are seeing.
As software vendors patch vulnerabilities, the malvertisers get less automatic infections, so they have to get you to innocently click on the ad. This is why they have resorted to video malvertising. Maybe the video advertises something in the news (for example, today, it could be the Paris attacks). Or maybe it uses humor. In any case, the objective is to get you to click on it so that they can infect your computer or phone.
One popular way to deliver these infected ads is through Adobe Flash, which is why I have disabled it by default. Yes, that means that a few web sites don’t work, but mostly it means that my web pages actually load faster. This is not a cure-all, but it helps. The other thing that users can do is use an ad blocker to, again, reduce the pool of potential ads that could possibly infect you.
Neither of these methods or even the two together are 100% effective, but they definitely improve your odds.
Of course, the last thing in the world that advertisers want is for you to block their ads, so they are working, very hard, at discovering the malicious ads before you do. But, like all malware, it is a cat and mouse game.
One example I just saw was malware that ONLY attacks if it thinks you are a government employee (since ads are now programs, it can check things before it runs – which makes it harder to detect). In this case, the malware only fires if you are running Windows XP and an old version of Microsoft Internet Explorer (unfortunately, there is a strong correlation between running old, unsupported software and working for the government. Sadly.) So, if the ad network tests the ad on Windows 10 and Chrome or a Mac with Safari, the malware doesn’t attack and they don’t find it. Which means that the ad networks have to be very clever attempting to detect the malware.
But sometimes the bad guys win. On October 29th, for about 12 hours, for example, about 3,000 web sites served up a video ad that told visitors that they needed to update Safari. If the visitor got sucked in and clicked on the ad, they were infected with a backdoor trojan that gives the attacker control of their computer. Forever.
Unfortunately, this is not going to end any time soon and ads seem to be pretty effective at delivering malware. And, there is no easy answer to the problem. But, being aware and doing some of what I suggested above helps.