by Adi Bleih

Underground chatter about malvertising is on the rise

Deep and dark web posts discussing malvertising and soliciting malvertising services are on pace to rise 68% this year compared with last.

In a malvertising attack, a threat actor deploys an ad via a legitimate online advertising network, such as Google or Bing. The ad lures the victim to a malicious website (possibly impersonating a legitimate site or service), which then tricks the user into downloading malware or revealing sensitive data. 

This tactic has become one of the most popular methods to deliver malware. According to Securelist, the abuse of Google Ads--specifically sponsored search results listings--to spread malware has increased significantly in recent years.

In parallel, underground chatter discussing malvertising or transacting malvertising services has increased in recent years. Based on Q1 numbers, 2023 is on pace to culminate with over 2,700 malvertising-related posts, a 68% rise over 2022.

Underground posts related to malvertisingFigure 1: Number of posts that discuss malvertising services on underground forums

With malvertising on the rise, it is our understanding that the deep and dark web provide a growing venue for actors to buy and sell malvertising services as well as exchange TTPs and ideas.

Malvertising services generally involve the service provider posting ads to channel traffic to a landing page of the customer’s choice. Let’s take a closer look at actors selling and seeking malvertising services on the underground:

Services Providers

Threat actors advertise traffic direction services on underground forums (see figures 2, 3, and 4) or by commenting on posts from members seeking such services (see figure 5). While terms and conditions are generally discussed in private chats, actors occasionally reveal operational details. In the post below, the actor advertises fake shops and claims that partnerships will be lucrative.

ads looking for paiement gateways processorsFigure 2: A threat actor searches for partners, offering traffic from malicious campaigns.

As shown in the example below, service providers often provide multiple services, offering Google Ads malvertising services and fake bank accounts (“Fake BA”). 

google ads traffic fake BA+ cryptoFigure 3: A threat actor offers black hat services for Google ads

google ads traffic for fake BA google ads traffic for fake BAFigure 4: A threat actor offers black hat services for Google ads

In the following example, a service provider commented on a public post. In some instances, service providers also leave their contact information.

i'm looking for google ads on bank fakeFigure 5: A service provider leaves a comment for another threat actor searching for malvertising services

Service consumers

While a high percentage of cybercriminals have enough knowledge of software engineering to build malicious websites and applications, many lack specific malvertising expertise or knowledge of black hat SEO to direct online traffic to malicious content. Therefore, threat actors search for short- and long-term partnerships with malvertising service providers.

team requires google ads traffickerFigure 6:  A team searches for a Google ads trafficker 

looking for google and fb adsFigure 7: An actor searches for Google and Facebook fake ads services

an actor searches for a Facebook ads services for his fake bank accountFigure 8: An actor searches for a Facebook ads service for his fake bank account

an actor searches for a yahoo fake ads serviceFigure 9: An actor searches for a Yahoo fake ads service

In other cases, threat actors specializing in fake ads and creating traffic seek partners who can provide content, such as phishing and scam pages.

a team seeks ad publishing servicesFigure 10: A team seeks ad publishing services


Online advertising fuels the business models of some of the world’s largest companies, which invest heavily in ensuring that their users maximize ad views. As a result, it’s no surprise that attackers seek to piggyback on these networks for malicious purposes. Without a doubt, ads directing traffic to malicious websites damage the integrity of legitimate ads and can deter viewers from clicking through.

To preserve the value and integrity of online advertising, it’s in the best interest of ad platforms to monitor underground trends and TTPs related to malvertising. Doing so will enable them to take stronger measures to detect and prevent malvertising, ensuring that their users will feel safe viewing and clicking on credible advertisements.

You may also like


January 05, 2024

2023’s Most Significant Cyber Events as Reported in Cybersixgill’s Beyond the Headlines

Read more
Black Hat Recap-Thumbnail

August 16, 2023

How Artificial Intelligence Can Empower Security Teams Cybersixgill's Review of Black Hat USA 2023

Read more
Building up your defenses when the barriers to cybercrime come down

May 05, 2023

Building up your defenses when the barriers to cybercrime come down

Read more