What is malvertising?

Banner ads, sidebars, and pop-ups are everywhere online, from mainstream news sites to video streaming platforms. While most are simply colorful distractions, some are malvertising ads designed to infect your device with malware. In this article, learn what malvertising is, how it works, and how to prevent it.

Malvertising definition

Malvertising is malicious advertising that criminals use to steal data or install malware onto their victims’ devices. The attack can take different forms, but they all use online advertising as a way to snag the target.

Don’t assume an ad is safe because you trust the hosting site. Malvertising has been found on many “safe” sites, from streaming platforms like Spotify to major online news outlets, including The New York Times and The Atlantic.

How does malvertising work?

Malvertising involves placing malicious code in ads on both legitimate and scam websites. When users click these ads, the malware activates and can potentially infect their devices.

First, a cybercriminal creates an advertisement containing malicious code and places it on a legitimate website they have hacked or a spoofed version of a well-known site. The simplest trigger is user interaction, such as clicking on the ad (post-click malvertising).

However, it’s a common misconception that malicious ads only pose a risk if clicked on. Advanced malvertising can bypass some ad blockers or automatically initiate malware downloads simply by loading a webpage with the malicious ad, especially if your browser lacks security updates (pre-click malvertising). This malvertising attack, known as a drive-by download attack, is becoming increasingly difficult to guard against.

Once executed, the malicious code scans the device for vulnerabilities, such as outdated software, unpatched browsers, or vulnerable plugins. The malware exploits these weaknesses to gain unauthorized access to the device.

After breaching the device, the malware deploys its payload, which can include ransomware, spyware, bots, and computer viruses. This payload then performs malicious activity as programmed — stealing sensitive data, encrypting files for ransom, or incorporating the device into a botnet.
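An added example, not part of the original article: a heuristic that looks for the pre-click, drive-by pattern described above in web proxy logs, where an executable arrives through third-party hosts within seconds of a page load. The log format, field names, time threshold, and `.example` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed proxy-log records (not real traffic); every host uses the reserved .example TLD.
SAMPLE_LOG = [
    {"ts": 100.0, "url": "https://news.example/story", "referrer": "", "ctype": "text/html"},
    {"ts": 100.4, "url": "https://ads.example/slot?id=7", "referrer": "https://news.example/story", "ctype": "text/html"},
    {"ts": 100.9, "url": "https://cdn-track.example/r", "referrer": "https://ads.example/slot?id=7", "ctype": "text/html"},
    {"ts": 101.3, "url": "https://files.example/update.exe", "referrer": "https://cdn-track.example/r", "ctype": "application/x-msdownload"},
    # A user-initiated download from the same site the user was browsing.
    {"ts": 400.0, "url": "https://vendor.example/downloads", "referrer": "", "ctype": "text/html"},
    {"ts": 460.0, "url": "https://vendor.example/tool.exe", "referrer": "https://vendor.example/downloads", "ctype": "application/x-msdownload"},
]

EXECUTABLE_TYPES = {"application/x-msdownload", "application/vnd.microsoft.portable-executable"}
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".dmg")


def is_executable(rec):
    """True when the response looks like a program, by content type or file extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTS)


def referrer_chain(records, rec):
    """Follow Referer values back to the page the user opened; returns oldest request first."""
    by_url = {r["url"]: r for r in records if r["ts"] <= rec["ts"]}
    chain, seen = [rec], {rec["url"]}
    while True:
        parent = by_url.get(chain[-1]["referrer"])
        if parent is None or parent["url"] in seen:  # start of chain, or a referrer loop
            break
        chain.append(parent)
        seen.add(parent["url"])
    return chain[::-1]


def flag_drive_by(records, max_seconds=5.0):
    """Flag executables fetched via third-party hops shortly after the originating page load."""
    findings = []
    for rec in filter(is_executable, records):
        chain = referrer_chain(records, rec)
        hosts = [urlparse(r["url"]).hostname for r in chain]
        intermediaries = set(hosts[1:-1]) - {hosts[0]}
        elapsed = rec["ts"] - chain[0]["ts"]
        # Heuristic: different final host, at least one third-party hop, no time for a click.
        if hosts[-1] != hosts[0] and intermediaries and elapsed <= max_seconds:
            findings.append((rec["url"], hosts, round(elapsed, 1)))
    return findings
```

A hit is a lead for investigation rather than proof of infection, since the timing threshold is only a stand-in for "no user interaction."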

Malvertising vs. ad malware: What’s the difference?

| | Malvertising | Ad malware |
| --- | --- | --- |
| Origin | Malicious ads. | Advertising software. |
| Nature | Inherently malicious. | Intrusive but not inherently damaging. |
| Function | Spreads malware through online ads. | Tracks user web activity to display targeted ads. |
| Method | Attacks the system through infected ads. | Displays unwanted ads but doesn’t aim to compromise system security. |
| Implication | Directly affects user security and system integrity. | Raises concerns about data privacy. |

Unlike malvertising, which attacks through infected ads, adware is software that tracks a user’s web activity to show targeted ads. While all malvertising is inherently malicious, adware often comes with legitimate software.

Although adware raises concerns about data privacy, it’s not considered as dangerous as some of the most common types of malware like Trojans or worms. It does not let cybercriminals control your device’s system or alter, steal, or delete data.

Therefore, although they are often confused, malvertising and adware are distinctly different terms with different origins, nature, functions, ways of operating, and implications.

Examples of malvertising

The following examples of malvertising illustrate the diverse scenarios and techniques hackers use to carry out these cyberattacks.

Fake software updates

Malicious ads may mimic legitimate update prompts from popular software, urging users to update. When clicked, these ads download malware instead of a genuine update. Such campaigns are especially effective on adult or video streaming websites because they can tempt users to download the application to access the desired content.

Redirects to malicious sites

Clicking an ad can redirect a user to a malicious website. This site might then deceive them into providing sensitive information or automatically download malware onto their device. This exact scenario occurred with the cybersecurity brand NordVPN. According to NordVPN representative Laura Tyrylytė, the NordVPN brand was used in a malvertising campaign in 2020. The website that attempted to launch a virus through a malicious software program was taken down.

Exploit kits

Some malvertising directly leads users to websites that host exploit kits. These kits scan for vulnerabilities in the user’s system and install malware without any user interaction. An example of this is the Angler Exploit Kit attack. It automatically redirected visitors to a malicious website where the kit exploited vulnerabilities in common web extensions like Adobe Flash.

Phishing attempts

These ads may resemble bank warnings or government communications. A notable example is the ZeuS Panda Banker campaign. This campaign used malvertising to direct users to phishing sites that mimicked the login pages of banks and other financial institutions. Once on these fake sites, users were prompted to enter their login details, which attackers could later exploit.


Cryptojacking

Cryptojacking is the unauthorized use of someone’s device to mine cryptocurrency. A notable example of malvertising involving cryptojacking is the Coinhive incident. Initially, Coinhive offered a legitimate service that allowed website owners to monetize traffic by using visitors’ devices to mine cryptocurrency as an alternative to showing ads.

However, cybercriminals started embedding the Coinhive mining script into ads, covertly transforming unsuspecting users’ computers into cryptocurrency mining machines without their knowledge.


Scareware

Like tech support scams, scareware begins by falsely claiming that your Mac or Windows device is infected. These scareware ads allege that your device has a virus and prompt you to urgently download software to remove it, which, in reality, is malware.

How to spot malvertising

Malicious ads can seamlessly integrate into legitimate websites, mimicking the appearance and behavior of standard ads. This camouflaging makes malvertising particularly deceptive and difficult to spot. However, you can distinguish these malicious ads by looking at telltale signs of malvertising:

  • Pop-up ads that urge you to click to win a prize
  • Ads that ask for personal or financial information
  • Ads that promise deals that are too good to be true
  • Ads with low-quality graphics and misspelled words
  • Ads that trigger system alerts
  • Ads that initiate downloads without your consent
  • Ads that do not match your recent search history

How do you remove malware caused by malvertising?

Follow these steps to remove existing malvertising threats and restore your device:

  • Run a full system scan. This can detect and remove any malware that might have been installed through malvertising.
  • Remove suspicious applications. Check your installed application list and remove any unknown or suspicious apps.
  • Reset your browser. If you suspect your browser has been compromised by malvertising, reset it to its default settings.
  • Clear the browser cache and cookies. Malvertising can leave harmful scripts in your browser cache and cookies, so clear them regularly.

How to avoid and prevent malvertising

Unfortunately, no surefire methods exist to avoid malvertising. Some pre-click malicious adverts can bypass ad-blocking software, so effective prevention requires a multifaceted strategy.

  • Use an ad blocker. While it may not be 100% effective, an ad blocker can still significantly reduce your risks. NordVPN’s Threat Protection feature, which comes with an ad blocker, also includes a malware blocker that blocks dangerous sites, removes annoying ads, and scans files during downloads to prevent malware attacks.
  • Install antivirus software. It’s a smart move if you use the internet regularly because it can limit the damage caused by malvertising. Keep your device protected by updating the software as often as possible.
  • Use a link checker. As a free alternative to our Threat Protection feature, consider using a link checker that scans any URL you wish to visit. This tool can help detect malware, phishing attacks, botnets, and fake websites.
  • Stay up-to-date. An exploit kit scans your device for vulnerabilities and often targets outdated software. Therefore, keeping your system up-to-date is crucial. Although you may be tempted to click “remind me later,” installing security updates as soon as they become available is the best practice.
  • Turn off auto-play. Go to your browser settings and turn off the autoplay function. This action will neutralize any content that relies on video plugins. It’s a simple way to prevent drive-by downloads and limit your exposure.
  • Be skeptical. Most malvertising still happens post-click, so you can avoid the threat by not engaging with the adverts at all. Always stop and think before following links or responding to aggressively promoted content. Malicious adverts often employ urgent messaging, but you should take your time and exercise caution.
