How to Stop Forced Auto Redirect Advertising
Everyone gets auto-redirects. No one has to.
Some call them auto-redirects, others call them forced redirect ads. But no matter what you call them, every publisher and ad platform knows that they’re bad news.
Forced redirect ads aren’t new—they have plagued the online ad ecosystem for years. In 2020 redirects accounted for 48% of all malvertising. Beginning in 2018 and accelerating through 2020, a series of high-profile attacks by bad actors made forced redirect ads the ad tech industry’s most talked-about ad security and advertising issue.
In recent years, redirect attacks have also become more targeted, turning their attention on premium publishers and more engaged and affluent audiences. 72% of all forced redirects happen on mobile media, and 57% of all redirects happen specifically on iOS.
How forced auto redirect ads work?
Force redirected ads hide code in the ad pixels itself, giving scammers access even if the user doesn’t click the ad.
Forced redirect ads pull users into a maze of fraud that has a negative impact on the user experience and publishers reputation. That’s because unlike in other types of malicious ads, in the redirection method the code is hidden in the ad itself, not on a landing page or external website. Therefore, as soon as the ad request is made, the viewer is vulnerable.
It works like this. A user opens a publisher’s web page in a browser window. Pop-ups appear that cover the web page content or the majority of the screen on a phone. The message in the pop-ups is usually urgent, for example, notifying the user that their phone or computer has been infected with a virus or malware. In other cases, the pop-up notifies the user that they have won a prize or free gift card through a contest or promotion deal, or that the user’s device or browser must be updated.
There’s no clear way to close the pop-up, and of course, the message is misleading—it’s actually redirecting the user to another webpage and forcing users into the funnel of the scam. Even if the victim tries to refresh the page and doesn’t click on the malicious ad, malicious code is automatically deployed through the unsecured ad units. Publishers are also directly impacted. Since the user is redirected to another web page, the publisher loses the chance to earn ad revenue from the ad unit on the page.
Risks of forced auto-redirect ads
This type of malicious ad has painful repercussions for advertisers, SSPs, publishers, and users.
Can you get malware from redirects? What are malicious ad redirects?
For users, being forcibly redirected to another webpage is annoying. However, when a user experiences redirecting on a website, the damage goes beyond annoyance. Over 95% of redirect ads lead to scams run by sophisticated fraudsters and bad actors that have carefully evaded digital security technology used by web publishers. Fraudsters launch redirect ads to access personal information, scam users out of money, deploy malicious code onto users’ devices, or defraud advertisers, marketers, and agencies.
Sometimes the redirect brings the user to shady partner sites advertising pharmaceuticals, dietary supplements, dating services, trading services, or adult media, where they are prompted to provide access to their personal information. Sometimes the redirect is a Trojan horse attack that prompts the user to download a program that is infected with malware that gives the bad actor access to their personal or financial details. Sometimes the redirect brings the user to partner sites advertising pharmaceuticals, dietary supplements, dating services, trading services, or adult media from shady advertisers.
Losing users on the website
For publishers, forced redirect ads mean a loss of traffic to their website and the loss of revenue that could been earned from a safe ad. Not to mention, publishers lose money every time a malicious redirect occurs because redirect ads cause visitors to spend less time on their site. In fact, industry research estimates that publishers lose $210 million dollars per year to redirects, either from users abandoning sessions, never reaching their site, hitting refresh on their browser, or choosing not to return to the site after a bad experience.
Forced redirects impact a publisher’s reputation as well. It’s a terrible user experience, so when it happens to users, they don’t return to the page or site, canceling subscriptions or opting for a competitor.
How to stop forced auto redirect ads?
To stop forced redirect ads, you need a solution that detects them using a combination of blocklists and behavioral detection methods that identify tactics like fingerprinting, code similarities, and steganography.
Detect forced redirect ads
Redirects are a code, so if you could find that code, you could find the redirect ads. But it isn’t always that simple—scammers often hide the code using sophisticated encryption tactics that make it impossible for many scans to detect it.
For example, like with cloaking, scammers often start by showing the ad creative without redirection and only activate the code after the SSPs and DSPs approve the ad. In addition, redirect ads are often only activated for users who meet certain criteria and structured so that users are redirected to different sites according to different events, making the scam harder to detect in a standard scan. They also create conditions for the attack. They often attack devices when they’re on a mobile network because if a user’s on the move, they’re less likely to notice the warning signs.
The scammers know that publishers and their ad quality partners are looking for them, and they go to great lengths to avoid detection. Scammers utilize sophisticated methods to disguise themselves as legitimate advertisers in order to get around various security mechanisms that publishers deploy.
Many utilize a method called obfuscation that mixes up malicious code and makes it look like gibberish so it can’t be identified. Scammers usually conduct obfuscation in layers, so even if one layer is detected in a scan, there are additional layers that continue to hide the redirection. In other cases, they use a method called steganography, which hides the malicious code in a single pixel that makes it difficult, if not impossible, for ad blockers and other mechanisms to detect.
Since the redirect doesn’t occur in every instance in the same way, blocklists aren’t enough to detect them. Blocklists need to be combined with behavioural detection methods that identify tactics like fingerprinting, code similarities, and steganography in order to accurately and consistently detect redirect ads.
How to block redirect ads
The best time to fight forced redirects is before they happen. Publishers have tried to prevent redirects by raising or lowering price floors, implementing inefficient DIY solutions, and asking their ops teams to manually track down the source of redirects that appear in their ad units. These solutions are slow, resource-heavy, and ultimately ineffective. Publishers need real-time solutions for their web sites that allow them to maximize revenue for every ad request while still blocking redirect ads.
GeoEdge’s cutting-edge technology monitors the programmatic ad ecosystem for ad security and quality issues, including redirection attacks. Not only does it block previously known issues before they reach publishers’ web sites, but it also uses machine learning to detect and block new threats in real time.
GeoEdge’s real-time blocking of bad ads takes you beyond redirects, and addresses the spectrum of digital security threats. GeoEdge leads the charge for ad quality assurance, detecting and blocking latent, and explicit creative.No other company provides these comprehensive security and quality tools. With GeoEdge protection, you can begin perfecting the overall performance of your sites, growing your audience, deepening engagement, and earning more revenue.
Everyone gets auto-redirects. No one has to. Talk with GeoEdge’s acclaimed support team about how we together can stop redirects before they happen… and so much more.
Maximize Your Profits By
Eliminating Bad Offensive Malicious Redirect Ads
What our clients say
Chief Technology Officer I Evolve Media