DNSSecurity

Protect Against Malvertising with an Active Security Strategy

If you pay attention to the world of security you’ve probably heard about the upswing in a type of attack known as Malvertising.

Last updated: September 15, 2025

An avatar of the author
BlueCat
Abstract blue skull formed from streaming code, symbolizing cyber threats from malvertising attacks
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article explains the growing threat of malvertising—corrupted ads inserted into trusted websites that redirect users to malware hosting sites—and highlights why passive reliance on external parties is insufficient to stop it. It recommends that IT leaders proactively block DNS queries for newly created or low-reputation domains by default, restrict network devices to only the external resources they require, and maintain comprehensive visibility into device behavior to detect early signs of compromise. Implementing these DNS-based controls, least-privilege network access, and robust monitoring reduces operational risk and improves detection and response to malvertising-driven intrusions.

What is malvertising and why is it harder to stop than traditional phishing or spam?

Malvertising is the insertion of corrupted advertisements into legitimate websites that appear as normal ads; when users click them they are redirected to sites that deliver malware such as ransomware or bot clients. It is harder to stop than traditional phishing or spam because ads are highly distributed across the Internet and often served via trusted domains and ad networks, making reliance on external parties like Google, ad vendors, or industry groups ineffective. The attack leverages common web ad delivery patterns and trusted channels, so organizations must take proactive internal measures rather than depend solely on external remediation.

What DNS-based controls does the article recommend to reduce malvertising risk?

The article advises paying attention to the types of domains devices request and disallowing DNS queries to newly created domains or those with low reputational scores by default, only allowing exceptions after careful analysis. This approach focuses on preventing connections to suspicious or unproven domains at the DNS layer, reducing the chance that an ad click will reach a malicious host. Such DNS controls form a preventative layer that complements device access restrictions and visibility measures to lower the likelihood of successful malvertising-driven infections.

How should organizations limit device access and why is visibility important?

Organizations should ensure that only devices needing external resource access have it and implement least-privilege rules so devices like IP security cameras can only reach the specific services required (for example, not general-purpose sites like eBay). Limiting unnecessary external access reduces the attack surface and opportunities for malvertisements to affect nonessential devices. Visibility into all devices’ network actions is critical because it enables detection of behavioral changes that may indicate compromise, and early detection substantially improves the chances of effective response and mitigation.

If you pay attention to the world of security you’ve probably heard about the upswing in a type of attack known as Malvertising. Data Breach Today and Dark Reading recently featured articles on the subject. If you haven’t heard of it, Malvertising is the practice of inserting corrupted advertisements into trusted web sites, making them look just like any other ad that you may be enticed to click on.  If you do click, you are redirected to a hosting site that will deliver some type of malware directly to your device, which could be ransomware, a bot client, traditional virus, or anything that would be of use for the attacker.  Stopping this type of attack is more difficult than blocking traditional spam or email phishing attacks since the highly distributed nature of the Internet makes connections via advertisements to little-known or trusted domains very common.

Passive reliance on external parties such Google, ad vendors and agencies, industry groups, or government bodies isn’t the answer to solving this challenge. Malvertising isn’t going away. IT leaders need a solid strategy to deal with it by proactively identifying and blocking malicious ads as soon as they hit your network.

So what can you do?  Perhaps the most significant impact a security team can have on this problem is to start paying attention to the types of domains being accessed by all the devices on the networks.  DNS queries related to newly created domains, or those with low reputational scores should be disallowed by default, with exceptions made only after careful analysis.  The next action should be to ensure that only devices on your network that actually need access to external resources have that access.  For example, your IP-based security cameras probably don’t need to access an ad linked to eBay.  Those devices should be limited to accessing the resources they need to do their job and nothing more.  Finally, while you may not be able to prevent people from clicking on Malvertisements you should at least have the visibility into the actions of all devices on your network so that you can see when those devices start to exhibit changes in their behavior that may indicate some sort of compromise.  Visibility is the foundation of detection, and early detection has become the key to success in the new world of security.

To find out more about proactively protecting your enterprise from a range of security threats, click here.

Published in:

DNSSecurity

Published on: November 4, 2016

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM
Blog

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat
Blog

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more
Stacked colorful wooden directional arrows on a post by a calm seaside with distant hills and blue sky
Blog

Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)

Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.

Read more