AgriLife Information Technology

Malvertising Attacks

What is a malvertising attack?

A malvertising attack occurs when a legitimate website you are visiting loads a malicious piece of code embedded in an advertisement. Typically, the attack tries to trick the user into performing an action that the bad actors need in order to gain control of the device.

How do malvertising attacks work?

Many legitimate websites, especially those that rely on advertising revenue, display advertising sections such as the example above.
  1. Malicious groups craft a convincing ad, inject malicious code, and pay an advertising network to display their new evil ad on websites
  2. When the evil ad loads on a website, it triggers the malicious code; there is no need to click on the ad
  3. This executes a Fake Anti-Virus scan pop-up or attempts to install malware
  4. Pop-ups encourage users to contact these false experts to fix issues by granting them remote access to their computer

What does an attack look like?

While navigating a legitimate website:

  1. A warning appears alerting you that your device is infected
  2. A scan appears to run, then tells you to contact Microsoft at a phone number that is not a legitimate Microsoft phone number

Don’t be fooled: the malicious party will impersonate Microsoft with an impressive amount of branding, as shown in the example below.

Above is an example of malvertising that loads a common Fake Anti-Virus/Fake Support pop-up

What should you not do?

  2. Do not make contact on the phone
  3. Do not click on any of the links or buttons on the pop-up pages to stop or cancel the false scanning activity

What should you do?

  1. You can use these keyboard shortcuts to close your web browser (Google Chrome, Firefox, Safari, Edge, etc.):
    • On Windows devices: Alt + F4
    • On Mac devices: Command + Q
  2. Contact AgriLife IT to verify that malicious code has not compromised your web browser or computer system
  3. Take a look at your Sophos Anti-Virus panel for any Alerts

Note: If you are in the College of Agriculture & Life Sciences, you can perform the same action for the anti-virus product on your system.

Sophos is AgriLife’s Anti-Virus solution.
If Sophos detects any malicious activity or malware, AgriLife IT will also receive a notification of the activity, and will contact you to follow up.

Why is this getting through to me?

Great question!

It is extremely difficult to stop this kind of attempt entirely for several reasons:

  • Legitimate advertising networks inadvertently publish these evil ads on legitimate websites
  • The same ads do not always load on the same websites
  • Malicious groups register websites to host their Fake Support/Fake Anti-Virus websites daily
  • These sites are only added to blocked lists and taken down when discovered and reported by experts

Fortunately, having a comprehensive Anti-Virus program such as Sophos renders this type of attack more of a nuisance by blocking any malicious activity and malware.

Only the pop-ups urging users to contact the false experts remain.

If you ever have any doubts or suspicions about an ad or pop-up on your computer, please contact AgriLife IT.