Hacking America

Beware of malicious ads that can harm computers without a click

Can an ad hack your computer?
Can an ad hack your computer?

You've been told repeatedly not to click on suspicious links, to prevent your computer from being infected with malware and viruses. But there's a threat you've probably never heard of that can infect your computer—even without a single click. And lawmakers are taking notice.

Experts told CNBC that advertisements on sites can be used by cybercriminals to take over your computer, steal your identity or access your online bank account. Websites are working to stop the problem, but these aggressive ads still slip by with damaging code. This kind of malicious adknown as malvertisementscontain malware or embedded viruses, which can infect computers without a single click.

"We estimate that last year over 12.4 billion malicious ad impressions were served," said Craig Spiezle, executive director and president of Online Trust Alliance, a nonprofit that educates businesses and consumers on security and privacy issues.

Such ad impressions can compromise your computer if your browser has insecure privacy settings, said Curt Wilson, a senior research analyst at cybersecurity company Arbor Networks.

Spiezle testified at a May 15 Senate hearing on malvertising. He told the Senate subcommittee on investigations that malicious ads increased 225 percent between 2012 and 2013, though some tech companies disputed the increase.

Read MoreMistakes businesses are still making in cyberspace

Malvertisements on big sites

During the hearing, lawmakers cited recent examples of malicious ads reaching consumers. Spiezle said many large companies have faced malvertising attacks.

"In February of this year, an engineer at a security firm discovered that advertisements on YouTube served by Google's ad network delivered malware to visitor's computers. … That virus was designed to break into consumers' bank accounts and transfer funds to cybercriminals," said Sen. John McCain, R-Ariz.

YouTube is owned by Google. And in a statement sent by e-mail, a Google spokesman said, "In February, we detected ads on YouTube that violated our advertising policies. We have zero tolerance for these incidents and our teams quickly took the appropriate actions to resolve this issue."

And according to Google's blog, Google removed 350 million bad ads in 2013, including disabling ads from more than 400,000 websites that were hiding malware.

In written testimony, Yahoo said it "has built a highly sophisticated ad quality pipeline to weed out advertising that does not meet our content, privacy or security standards."

Read MoreLessons from Target's data breach fumble

Cybercriminal tactics

Smeel Photography | E+ | Getty Images

According to lawmakers, many of the malvertising attacks can be traced to international cybercriminals, including those in Russia.

"When law enforcement raided the hideout of a Russian cybercriminal network, they found calendars marked extensively with U.S. federal holidays and three-day weekends," McCain said. "These cybercriminals were not planning Fourth of July picnics, of course, they were planning to initiate malware attacks when security staffing at the ad networks would be at their lowest."

Last holiday season, cybercriminals were able to put malicious ads on Yahoo. McCain said the ads were designed to seize user's computers to mine for the digital currency bitcoin, which requires large amounts of computer power.

"In just one day, in just one hour, 300,000 users were exposed to a malicious ad of which 9 percent or 27,000 users were compromised," Spiezle said about the Yahoo incident.

In a statement e-mailed to CNBC, a Yahoo spokeswoman said the ad targeted I.P. addresses in the European Union. "Since then we have expanded our testing program to include greater geographic and technological diversity and mitigate this kind of spoofing," she said.

Read MoreHacker starts hedge fund targeting vulnerable companies

The growing complexity of ad networks

One reason for malvertisements is that Web ad networks have gotten more complex. A single ad can go through as many as six intermediaries before reaching websites it appears on, according to Spiezle.

"You have this very complex ecosystem and it was designed to be very efficient, which it is. It's designed to help provide very relevant advertising for the consumer, which it achieves, but also in all the benefits, it's opened its door to be an easy way for cybercriminals to compromise," Spiezle said.

Read MoreInternet ad spend up 32% as old media takes a hit

Protect yourself from malvertising

What bosses don't know about cybersecurity
What bosses don't know about cybersecurity

To help fight the problem, the industry has established TrustinAds.org. The group, started on May 8, offers consumers information on how to report malicious ads.

You can also file complaints with the Federal Trade Commission at ftc.gov/complaint. The FTC has brought legal actions for malvertising.

To protect yourself ahead of time, experts advise installing browser and operating system updates. These patches often contain critical updates that can stop the malware hidden in ads.

In addition, be sure to check your browser's privacy settings. If you automatically accept all cookies, you could be at risk.

Finally, make sure your antivirus and antimalware software is up to date. This software can find the malware before it has a chance to do damage.

Read MoreCybercriminals' new target? Your medical records

By CNBC's Jennifer Schlesinger.

For more CNBC coverage of cybersecurity, visit HackingAmerica.cnbc.com.