Key takeaways
Malvertising exploits trusted ad networks
Cybercriminals use legitimate-looking ads to deliver malware and scams.
Strong ad vetting and monitoring are essential
Regular checks reduce exposure to malicious campaigns.
Employee awareness strengthens first-line defense
Training helps spot suspicious ads before damage occurs.
As part of October’s Cyber Security Awareness month, we consider the guidance issued by the National Cyber Security Centre (NCSC) for brands to help advertising partners counter malvertising. The purpose of the NCSC’s advice is to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud.
What is malvertising?
Malvertising is the term for criminally controlled advertisements within Internet-connected programs, usually web browsers, which intentionally harm people and businesses with all manner of malware, potentially unwanted programs and assorted scams. It uses what looks like legitimate online advertising to distribute malware and other threats with little or no user interaction required. Malvertising can appear in any advertisement on any site, and it typically delivers a tiny piece of code that redirects the browser to criminal command and control servers beyond the site operator's control. Those servers profile the visiting computer, including its location and the software installed on it, and then decide which payload is likely to be most damaging to send.
With the ever increasing use of digital advertising, following the guidance issued by the NCSC can help mitigate the risk of cyber fraud and make UK cyberspace a safer place.
The guidance includes the following principles and recommendations for digital advertising businesses:
Put in place strong know your customer (KYC) checks and continuously monitor customers and adverts to identify suspicious behaviour, such as activity in regions known for money laundering and other financial crimes. As in other regulated businesses (including law firms), KYC makes it harder for malicious actors to use digital advertising services, and therefore to run their campaigns alongside your own.
Employ strong cyber security practices. Providers should be able to explain how they ensure security in their adtech tools, such as ad servers, and how they protect the integrity of code and information passed through the advertising supply chain. Another issue that can be dealt with via contractual provisions is the sub-contracting or outsourcing of services, such as ad serving or the serving of third-party code, so that there is a requirement for sufficient due diligence to ensure any sub-contractors meet equally high security standards.
Only use data from reputable sources. It is important to ensure that customers' personal data is processed lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR).
Implement industry standards such as the TAG Certified Against Fraud programme and the IAB UK Gold Standard. Independent industry-recognised certifications, such as those offered by TAG or IAB UK, provide a comprehensive baseline of good practice.
Deploy effective malvertising detection and removal services. Providers should be able to explain how they handle malvertising detection and removal and whether this covers "cloaking", where an advert shows benign content to the network's reviewers and scanners while its harmful nature or true destination is hidden and revealed only to real users.
Maintain processes to share threat intelligence with others in the digital advertising supply chain and to receive reports of malicious or suspicious activity.
Advertisers may consider requiring their digital advertising suppliers to commit contractually to requirements that reflect these principles, and to include provisions for compensation for any losses where those contractual requirements are breached.
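As an added illustration of the cloaking problem raised under the detection and removal principle, and of the fingerprinting described in the "What is malvertising?" section, the following Python example is constructed for this page and is not the NCSC's, nor any ad network's, code. It simulates an ad creative whose landing server profiles the visitor (user agent, source IP range, referer) and serves a harmless destination to anything that looks like a scanner, while sending real users elsewhere. The detection side probes the same creative from more than one client profile and flags a creative whose destinations diverge or leave the advertiser's declared domain list. All hosts, IP ranges and user-agent strings are hypothetical placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set
from urllib.parse import urlparse

# Constructed example: a cloaking ad creative. If the request looks like an
# ad-network scanner it returns the benign landing page; if it looks like a
# real victim it returns a redirect to a criminal server. Nothing here
# contacts the network; it only models the decision logic.
SCANNER_USER_AGENTS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl/")
# Hypothetical "datacenter" range (TEST-NET-3) standing in for a cloud provider block.
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

BENIGN_LANDING = "https://shop.example.com/sale"               # advertiser's real site
CRIMINAL_LANDING = "https://update-check.example.net/dl?id=7"   # hypothetical dropper host


@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    client_ip: str
    referer: Optional[str]


def looks_like_scanner(profile: ClientProfile) -> bool:
    """The cloaker's fingerprint check: automation UA, datacenter IP or missing referer."""
    if any(tag in profile.user_agent for tag in SCANNER_USER_AGENTS):
        return True
    ip = ipaddress.ip_address(profile.client_ip)
    if any(ip in net for net in DATACENTER_RANGES):
        return True
    # Real ad clicks arrive with a publisher referer; direct probes usually do not.
    return profile.referer is None


def cloaked_landing(profile: ClientProfile) -> str:
    """Simulated cloaking server: benign destination for scanners, malicious for users."""
    return BENIGN_LANDING if looks_like_scanner(profile) else CRIMINAL_LANDING


# Detection side: probe the creative from several vantage points and compare.
def probe_destinations(fetch: Callable[[ClientProfile], str],
                       profiles: Iterable[ClientProfile]) -> Dict[str, str]:
    return {p.name: fetch(p) for p in profiles}


def detect_cloaking(destinations: Dict[str, str], allowed_hosts: Set[str]) -> dict:
    """Flag a creative whose landing host differs between profiles or leaves the allow-list."""
    hosts = {name: urlparse(url).hostname for name, url in destinations.items()}
    divergent = len(set(hosts.values())) > 1
    off_allowlist = {name: host for name, host in hosts.items() if host not in allowed_hosts}
    return {
        "divergent": divergent,
        "off_allowlist": off_allowlist,
        "flag": divergent or bool(off_allowlist),
    }


# Constructed client profiles: one that looks like a network scanner, one that
# looks like a residential user arriving from a publisher page.
PROFILES = [
    ClientProfile("network-scanner", "Mozilla/5.0 HeadlessChrome/120",
                  "203.0.113.10", None),
    ClientProfile("residential-user", "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
                  "198.51.100.23", "https://news.example.org/article"),
]

if __name__ == "__main__":
    found = probe_destinations(cloaked_landing, PROFILES)
    print(found)
    print(detect_cloaking(found, {"shop.example.com"}))
```

The point a practitioner should take from this is in the second assertion: a scanner that only ever probes from its own datacenter addresses with an automation user agent sees the benign page every time and reports the creative as clean. Asking a provider whether its detection covers cloaking means asking whether it probes from realistic, varied vantage points and compares the results, not just whether it scans at all.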
The NCSC guidance was issued in November 2024 and not all advertisers may be aware of it. It sets out detailed measures that advertisers should expect their digital advertising partners to implement in order to reduce the risk of malvertising and the potential harm to customers.