Top tips to avoid being a victim of ‘malvertising’

New artificial intelligence (AI) technologies allow companies to personalise their marketing campaigns and segment audiences more effectively, and also to create increasingly eye-catching and dynamic online advertising.


The benefits are clear from a productivity and personalisation perspective for both brands and ad agencies, but there is a darker side to this business transformation. AI technologies are potentially opening the door to cybercriminals through what is known as ‘malvertising’. This is where malware is embedded into videos, banners, and other forms of digital advertising.

According to a recent Menlo Security survey, one in three UK consumers now believe that the majority of ads on websites and social media are generated by AI. 

If such ads are clicked on, users are either directed to a malicious website created using social engineering or spoofing tactics, or the malicious code will instal malware on a user’s device. If malware does reach the endpoint, it can cause havoc; adversaries can steal, delete or leak data, corrupt files, redirect internet traffic, monitor user activity, and more.

We are expecting to see a rise in fake ads like these, driven by cybercriminals able to access a combination of AI image generators, like Midjourney and DALL-E, and AI tools like ChatGPT to develop increasingly convincing campaigns. Right now, it makes sense for them to take advantage of the unwary as awareness of malvertising remains low.

While 70% of our survey respondents admitted that they click on online ads “to some extent”, the same percentage said they were not aware of the fact that their devices could be infected with malware by simply clicking on a brand logo. Yet around three-quarters recognised that they could be infected by malware hidden in an email link (known as phishing). 

It seems that many are not aware they can be infected by clicking on social media ads or pop-ups and banners. This lack of awareness is a concern and a risk, particularly given how challenging it can be for users and publishers alike to tell genuine ads from malicious ones when both reach audiences through legitimate advertising networks.

Even the most credible websites are not immune. In a recent study, we found that the top three brands impersonated by cybercriminals attempting to steal personal or confidential data were Microsoft, Facebook and Amazon. 

With current estimates suggesting that around one in 100 online ads is malicious – a figure expected to rise – how can people spot and avoid malvertising when online?

Here are five top tips:

Always check URLs before clicking

By hovering your mouse over an advert until the URL appears, you can check it properly before proceeding to click, looking to confirm that cybercriminals have not replaced certain characters to trick the eye.
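The character check in this tip can also be automated. The following Python code is an added example, not part of the original article: it flags ad destination hostnames that imitate a known brand through swapped characters, hidden non-ASCII letters, or the brand name used as a subdomain (a step beyond the tip itself). The brand domain list, the look-alike table and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains chosen for this example, for the brands the article names as most impersonated.
KNOWN_BRANDS = ("microsoft.com", "facebook.com", "amazon.com")

# Common ASCII look-alike substitutions (constructed list, not exhaustive).
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def skeleton(domain):
    """Reduce an ASCII domain to roughly what the eye reads at a glance."""
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain

def registered_domain(host):
    # Naive last-two-labels rule; a production tool would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def check_ad_url(url):
    """Classify an ad's destination URL as 'ok', 'suspicious: ...' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        # Decode punycode labels (xn--...) so hidden non-ASCII letters become visible.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains non-ASCII characters, or is malformed
    domain = registered_domain(host)
    if domain in KNOWN_BRANDS:
        return "ok"
    if not domain.isascii():
        return "suspicious: non-ASCII characters in " + domain
    if skeleton(domain) in KNOWN_BRANDS:
        return "suspicious: look-alike of " + skeleton(domain)
    for brand in KNOWN_BRANDS:
        if ("." + brand + ".") in ("." + host):
            return "suspicious: " + brand + " used as a subdomain of " + domain
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs; none are taken from a real campaign.
    samples = [
        "https://www.amazon.com/deal",
        "https://amaz0n.com/deal",
        "http://login.rnicrosoft.com/",
        "https://\u0430mazon.com/",  # first letter is Cyrillic, not Latin
        "https://amazon.com.example.net/offer",
    ]
    for url in samples:
        print(check_ad_url(url), "<-", url.encode("unicode_escape").decode())
```

An "unknown" result only means the hostname does not imitate one of the listed brands; it says nothing about whether the destination is safe.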

Confirm the brand logo looks genuine

When copied, a logo can appear stretched, squashed or pixelated, or its background colour can look odd. These are signs that an ad is not legitimate.

Consider what the advert is asking you to do

Malicious actors don’t care about measuring impressions like marketers do, meaning malvertising campaigns usually have a call to action, such as ‘click here’. These should be treated with caution.

Be cautious, no matter how credible the website

While credible sites may have a higher vetting process for adverts, they are not immune to malvertising. The same rules apply – always be cautious when clicking on ads. 

Beware of redirections

Be aware that the more ads you click on, the higher your chance of encountering malware. Each ad click will likely bring you to a website with less stringent vetting procedures than the last. You’re only 3-7 clicks away from malware online!

With the threat of malicious ads likely to increase, it is more important than ever to be cautious. By following these tips, you are better placed to avoid malvertising attacks. 

Tom McVey