On Saturday, March 19, major news websites such as The New York Times, BBC and Newsweek began serving visitors malware for the duration of the weekend. The malware didn’t come from the pages themselves; instead, the advertisements served on these sites were remotely hijacked. This deceptive type of malware is called malvertising — a combination of the words malicious and advertising — and it’s been a major, growing issue for most of this decade.

What does malvertising do?

This phenomenon involves hackers injecting false advertisements onto web pages, creating a malvertisement. If you’re on a site with malvertisements, you may have encountered an ad saying something like “Your PC is INFECTED!” on a site that wasn’t necessarily shady. The point is to get you to click on the ad so you’ll install malware on your device. In other instances, malvertising doesn’t change an ad’s appearance, but the code within the ad contains malware. This usually triggers a pop-up that will install the malware on your computer when you click on the ad. In still other instances, you don’t even need to click on the ad or see a pop-up for the malware to download to your machine. The malware could be anything, from a Trojan virus to ransomware, as was the case in this latest round.

Because ads are managed by third parties, it’s extremely difficult for a website’s staff to tell when its ads have been hijacked. In addition, these distant parties are often far removed from knowing the details regarding which ads are placed where and when they’re active. This usually makes it rather easy for scammers to manipulate ads without anyone noticing until it’s too late. Unfortunately for visitors, this means there are no dead giveaways to help identify when malvertisements are on a page, especially modern variations of malvertisements, which keep the ad content the same but secretly install malware by simply being on your screen.

What can you do about it?

The Internet has so many vulnerabilities that it’s frustrating to use at times. But aside from leaving the Internet entirely, what can you do? We detailed five ways to protect yourself from malvertising.

1. Consider disabling plugins. Everyone has talked at length about Adobe Flash’s security issues that make the plugin vulnerable to hackers. While the safest way to avoid such vulnerabilities is to abandon the plugin, complete disuse may not be realistic because a lot of major sites still use Flash — not just for advertisements, but for lots of things. Hulu, for example, still uses Flash to display videos. Although Flash gets a lot of heat, it isn’t the only culprit. Older versions of Microsoft Silverlight, one of the video player options on sites like Netflix and Amazon Video, were also vulnerable, as well as other multimedia software.

You don’t have to avoid these multimedia plugins altogether, but you should definitely limit their ability to run. Most modern browsers like Chrome or Firefox will allow you to determine when a plugin can open. By activating this feature, any time a page has to load a plugin, you’ll be asked if you want to run it. If you’re on a site like Hulu, it might make sense to let Flash run. But if you’re on a site that doesn’t primarily have videos, it might make sense to keep Flash inactive. It comes down to assessing the need for the plugin. It should be noted that the newest versions of Firefox usually disable vulnerable plugins by default.

2. Enlist the help of pop-up or ad blockers. Pop-up or ad blockers are controversial because most Internet content is funded through advertising. That said, not all ads are vulnerable, just ones not using current HTML5 support. The rule of thumb most people who enlist the help of pop-up blockers follow is blocking ads for most sites, while allowing them for sites they trust or want to support. It’s important to keep in mind that if the site is hijacked in some other way not involving ads, this protection is useless. Pop-up blockers might be even more useful for mobile devices, because in some cases mobile browsers and Internet security software don’t have the more robust features that their desktop counterparts do.

3. Anti-exploit services. Anti-exploit software monitors your computer for activity that resembles features commonly associated with drive-by malware installation, like malvertisements. Some Internet security software, like Kaspersky, has anti-exploit features to protect you from malvertisements, but not all do. If your security program doesn’t offer any anti-exploit protections, you can invest in a standalone service. There aren’t many to choose from, but popular brands like Microsoft and Malwarebytes make programs capable of protecting your device.

4. Keep your plugins, browsers and operating systems up to date. If you need to use a plugin, make sure it’s up to date. Older versions of plugins will definitely have vulnerabilities that have already been exploited and are known by hackers and scammers. The same goes for your browser and operating system. Since advertisements are capable of reporting geolocation and device data to ad networks, hackers can use this info to make particular malvertisements that target users with older, more vulnerable browsers and systems. Read this blog post to learn more about why updating your technology is essential to security.
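The rule of thumb from tip 2, as an added JavaScript example (not code from this article or from any ad blocker): block requests to ad hosts everywhere except on sites you have chosen to trust. The hostnames, the `policy` lists and the `decide` function are constructed for illustration; the sample requests show both gaps the tip implies, namely that ads on a trusted site still load and that a first-party script is never examined.

```javascript
// Constructed policy: one trusted site and two hypothetical ad-serving hosts
// of the kind a blocker's filter list would contain.
const policy = {
  trustedSites: ["news.example.org"],
  adHosts: ["ads.adnetwork.example", "cdn.adexchange.example"],
};

// True when host equals domain or is a subdomain of it. Matching on a label
// boundary keeps "badnews.example.org" from passing as "news.example.org".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what to do with one request made while rendering pageUrl.
function decide(pageUrl, requestUrl, p = policy) {
  const page = new URL(pageUrl).hostname.toLowerCase();
  const req = new URL(requestUrl).hostname.toLowerCase();
  const isAd = p.adHosts.some((d) => hostMatches(req, d));
  if (!isAd) return { action: "allow", reason: "not an ad host" };
  const trusted = p.trustedSites.some((d) => hostMatches(page, d));
  return trusted
    ? { action: "allow", reason: "ad on trusted site" }
    : { action: "block", reason: "ad on untrusted site" };
}

// Constructed sample requests: [page being viewed, resource being loaded].
const samples = [
  // Untrusted site: the ad request is blocked.
  ["https://blog.example.com/post", "https://ads.adnetwork.example/banner.js"],
  // Trusted site: the ad loads, including a hijacked one.
  ["https://www.news.example.org/", "https://cdn.adexchange.example/slot.js"],
  // Lookalike of the trusted site: not on the allowlist, so blocked.
  ["https://badnews.example.org/", "https://ads.adnetwork.example/banner.js"],
  // First-party script on an untrusted site: the blocker never looks at it,
  // which is the "hijacked in some other way" case from tip 2.
  ["https://blog.example.com/post", "https://blog.example.com/app.js"],
];

function runSamples() {
  return samples.map(([page, req]) => decide(page, req).action);
}

console.log(runSamples().join(", "));
```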

If you want more information on how to handle malware and computer security threats, keep up with our technology blog. And if you’re in the market for security software to protect you while you search the web, make sure to check out our Internet security software reviews.