The battle against malvertising

What do you do when faced with a malvertising campaign?
16 February 2023

Your network is your forcefield against all attack – including malvertising.


In Part 1 of this article, we spoke to Ricardo Villadiego, CEO of network security specialists Lumu, about the evolving threat of malvertising – digital advertising agencies run by cybercriminals for the express purpose of putting malware in otherwise unsuspected advertisements on other people’s perfectly legitimate websites.

After a few positive affirmations and a calming beverage, we returned to Ricardo to ask one crucial question.

What’s next?

THQ:

In Part 1, you said that every action bred a reaction, and that malvertising had evolved as a response to attempts to stop cybercriminals buying perfectly legal ads and weaponizing them.

If every action has a reaction, what do companies need to do now? What’s the response that needs to happen? What’s the next move?

RV:

I think there are two things that the companies have to do, and they have to be decisive in both of them. Number one is a training issue. Companies need to elevate the skillset of their employees when it comes to identifying campaigns. When each of us is small, we’re taught about crossing the street – you don’t just cross, you look both ways to ensure it’s safe.

In cyberspace, those signs of risk don’t exist in quite such an obvious way, but we need to intentionally create those same habits of caution and skepticism. In our company, we use the idea that every click an employee makes is either defending the company, or exposing the company to a risk. So we need to be stronger in our intention to make sure our employees are able to identify those campaigns, building that habit of stopping to see if this thing could expose their organization to a risk or not. That’s number one, making sure that the human element of companies is able to better defend the organization.

Get that right and it’s going to amplify the power of the cybersecurity teams within those organizations.

And number two, companies have to have the right capabilities. The capabilities that help you to identify when one of those humans mistakenly clicks on one of those ads, and act decisively to block those contacts within your network if and when they do.

Continuous compromise assessment is a technology that helps companies to implement that layer of protection, that layer of visibility that helps to identify when someone clicks something that puts the company at risk. And if they click something like that, it helps to engage a response that stops the potentially catastrophic effect that could result.

Spotting invisible signs?

THQ:

Hang on. You just said that in cyberspace, the signs that there’s a 16-wheeler truck of malware about to crash into your business simply aren’t there. So how can companies train their staff to spot the signs?

RV:

There’s trust – but then there’s verification. You train your people, you help them build a habit of cyberskepticism, to identify when they are potentially exposing the organization. But you don’t just trust that, you verify through the continuous compromise assessment system, and if they are mistakenly clicking on dangerous things, there’s a system in place to stop the threat becoming a catastrophe.

There are things companies can control, and things they can’t. You can’t control if any dark advertising network has put ads on your site. You can control your readiness to deal with it, at both the human and systemic level.

THQ:

2023 is what’s being charitably described as a “challenging economic environment.” Tech companies of all sizes are jettisoning staff left, right and center – up to 20% of their workforce in cases like Yahoo. Plus they already have to protect against all the digital dangers of which they’re aware. How do you make the case to them that they have to train their staff to spot malvertising too?

RV:

It’s not really something that can be ignored. Cyberthreats will continue to evolve. And traditionally, we’ve seen that in economies where there’s a recession, cybercrime thrives. So while I know times are hard in the tech sector, I think cutting budgets in your cyberprotection regime is a bad decision. Ultimately, a recession means there’ll be fewer companies at the end because economic factors will prey on some, and cybercrime will take out other businesses. That means a smaller number of targets for the same – or more – cybercriminals, because they don’t work in an economy that ever recedes.

Do you want to take the risk of being one of those targets without adequate security?

THQ:

Ah, the “fit a burglar alarm” argument? At least if you haven’t cut your cybersecurity budget you make it harder for the criminals, and they might go “next door”?

The heavy toolbag of cybersecurity.

RV:

Exactly that, yes.

But there are things to say on cybersecurity, too. We’ve fallen into a mindset in cybersecurity where for each new threat, we get a new solution. A new specific solution to deal with this specific new threat.

THQ:

The patching mindset? This is something that endangers me, here’s a solution to this thing, apply it quickly and on we go – rather than a system-wide appreciation of threat vectors, so to speak?

RV:

Exactly. And that’s understandable, because of the speed and pressure on InfoSec teams – they frequently don’t have the time or can’t raise the budget for a holistic approach to cybersecurity, so the “patching” mindset, where you get a new tool for every problem, solves today’s problem today.

But pretty soon, that means you have a whole bag full of tools, each of which does something very specific – and is therefore useless when the next threat comes along.

It’s unsustainable. So what companies should do is take decisive action about what capabilities they need to detect today’s threats – and the threats of tomorrow.

Check the network.

And what is the common denominator across all those threats? It’s the fact that they have to utilize the network to be a successful threat. Companies have to use systems that help them agnostically identify the state of compromise of their networks.

Do that, and it may be the last cybersecurity tool that they need to buy.

Get that layered visibility to identify when something’s going bad on the internet, and you construct more return on investment than the bagful of cybersecurity controls that you currently have.

Typically, a company has a firewall, right? In modern institutions, they’ll have a SASE deployment and endpoint security technology and an anti-spam technology. Those are the primary controls that a company has. Now the question is how are you using that layer of visibility to implement those controls?

The work we do helps companies to put those controls in the perfect synchronicity to deal with the threats the company is facing today, and the threats it’s going to face in the future, because at the end of the day, those are the three main vectors that you have to use to stop those attacks.

The ultimate cybersecurity answer?

Build an architecture that is capable of detecting and preventing all the threats that may affect your organization, in which the common denominator is the use of the network.

That, and well-trained, cyberskeptical staff, is how you ensure you’re as safe as you can be, not just from malvertising – but from the next threat, and the threat after that. And while it may seem at the start like you’re throwing good money after bad, by replacing the patchwork culture of a tool for every problem with a holistic approach that focuses on the common point of all threats, you vastly increase your return on investment, and your safety, over time.
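The network-level loop Ricardo describes twice above, once as continuous compromise assessment (spot the moment an employee's click reaches adversary infrastructure, then block that contact) and once as using network visibility to drive the firewall, SASE and endpoint controls, can be sketched in a few dozen lines. The block below is an editor's example added to this article; it is not Lumu's product, nor code from the interview. It assumes two hypothetical log formats (a DNS resolver log and a web proxy log), a constructed indicator list, and a made-up `deny <host>` rule syntax; every domain, IP address and log line is a constructed placeholder.

```python
"""Editor's example (not Lumu's code): minimal network-level compromise assessment.
Reads two constructed egress log sources, flags contacts with destinations on an
indicator list, and emits the affected internal hosts plus a denylist for the
perimeter controls. All domains, addresses and log lines are placeholders."""
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed indicator list: domains a threat-intel feed would tag as
# malvertising infrastructure. Placeholders under .invalid, not real IoCs.
MALICIOUS_DOMAINS = {
    "ads.example-malvertiser.invalid",
    "cdn-tracker.invalid",
}

# Constructed sample logs in two hypothetical formats:
#   DNS:   <timestamp> <client-ip> query <type> <name>
#   Proxy: <timestamp> <client-ip> <method> <url> <status>
DNS_LOG = """\
2023-02-16T09:12:03Z 10.0.4.21 query A ads.example-malvertiser.invalid
2023-02-16T09:12:05Z 10.0.4.21 query A www.news-site.invalid
2023-02-16T09:14:40Z 10.0.7.9 query A static.cdn-tracker.invalid
2023-02-16T09:14:41Z 10.0.7.9 query A notcdn-tracker.invalid
"""
PROXY_LOG = """\
2023-02-16T09:12:04Z 10.0.4.21 GET https://ads.example-malvertiser.invalid/land?c=1 200
2023-02-16T09:15:01Z 10.0.2.3 GET https://www.news-site.invalid/article 200
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) \d+$")


@dataclass(frozen=True)
class Contact:
    """One outbound contact observed on the network."""
    when: datetime
    source_ip: str
    destination: str   # hostname, lower-case, no trailing dot
    via: str           # "dns" or "proxy"


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _norm(host):
    return host.lower().rstrip(".")


def parse_dns(log):
    """Turn DNS resolver lines into Contact records; malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m:
            out.append(Contact(_ts(m[1]), m[2], _norm(m[3]), "dns"))
    return out


def parse_proxy(log):
    """Turn proxy lines into Contact records, keyed on the URL's host."""
    out = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        host = urlsplit(m[3]).hostname if m else None
        if host:
            out.append(Contact(_ts(m[1]), m[2], _norm(host), "proxy"))
    return out


def is_flagged(host, indicators=MALICIOUS_DOMAINS):
    """True if host is a flagged domain or a subdomain of one. Matching on the
    label boundary ('.' + domain) avoids false positives on look-alikes such
    as notcdn-tracker.invalid."""
    host = _norm(host)
    return any(host == d or host.endswith("." + d) for d in indicators)


def assess(contacts, indicators=MALICIOUS_DOMAINS):
    """Returns (affected, denylist). affected maps each internal IP that reached
    flagged infrastructure to its earliest such Contact, so the responder sees
    which source (DNS or proxy) caught it first; denylist is what to block."""
    affected, denylist = {}, set()
    for c in sorted(contacts, key=lambda c: c.when):
        if is_flagged(c.destination, indicators):
            affected.setdefault(c.source_ip, c)
            denylist.add(c.destination)
    return affected, denylist


def deny_rules(denylist):
    """Render the denylist as 'deny <host>' lines (hypothetical syntax; adapt to
    the real DNS sinkhole or proxy denylist format)."""
    return [f"deny {d}" for d in sorted(denylist)]


if __name__ == "__main__":
    found, block = assess(parse_dns(DNS_LOG) + parse_proxy(PROXY_LOG))
    for ip, c in found.items():
        print(f"{ip} contacted {c.destination} via {c.via} at {c.when:%H:%M:%S}")
    print("\n".join(deny_rules(block)))
```

Two design points carry the article's argument: the assessment is agnostic about which control saw the traffic (a DNS query and a proxy request are normalised into the same record), and the output is both a people-facing list (which host needs attention) and a control-facing one (what the firewall or sinkhole should deny), which is the "visibility drives the existing controls" idea rather than another single-purpose tool.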