GeoEdge Researchers Uncover Malicious Auto-Redirect Attack

This newly discovered auto-redirect attack marks the continued escalation of malvertising techniques, like steganography and WebRTC attacks, which go undetected by traditional blacklisting, the most frequently used method to block malicious ads.


This is the result of the abuse of sandboxed iFrames, which were developed to provide safe communications between the publisher’s content and the advertiser.

For serving video ads, marketers and agencies have embraced the VPAID (Video Player Ad-serving Interface Definition) ad format which enables interactivity (like geo-targeting ads and enabling clicking through for more info) and better ad tracking metrics like clicks, ad viewability, and completion rates.

The challenge of VPAID has been the latency on apps, OTT and the mobile web.

Add to this a new challenge: Malvertising.

Security researchers at ad security and verification provider GeoEdge uncovered a new form of auto-redirect malvertising which is hidden in the code of programmatically served VPAID video ads within the sandboxed iFrames distributed via global media platform Teads.

Auto-redirects are those annoying ads that redirect our phone screen or browser to a warning about a fake virus or another scam, an app we didn’t ask for, a prize we’ll get for just clicking or a scam for phishing personal data.

The challenge in discovering these malicious auto-redirect ads is the fact that the tag for redirecting the ad is hidden or encoded in the sandboxed cross-origin iFrame, making it impossible for them to be found via blacklisting, the most common way for blocking malicious ads.

In these cases, the GeoEdge research team had to decode the specific tag in order to uncover the malicious auto-redirect ads. With programmatic advertising involving many different players, the task of decoding each tag as it passes through the programmatic chain is daunting.
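The gap between raw-string blacklisting and inspection after decoding, as an added example (not GeoEdge's code or tooling). The tag, the blocklisted domain, the two encoding layers and all function names are constructed assumptions.

```javascript
// Added example: constructed data, hypothetical names throughout.
const BLOCKLIST = ["scam-landing.example"]; // constructed blocklisted domain

// Constructed ad tag: the landing URL is base64-encoded, then percent-encoded.
const hiddenUrl = "https://scam-landing.example/prize";
const b64 = Buffer.from(hiddenUrl).toString("base64");
const SAMPLE_TAG = `<script>var d="${encodeURIComponent(b64)}";</script>`;

// Try to decode one candidate token; return null if it is not encoded text.
function decodeOnce(token) {
  if (/%[0-9a-f]{2}/i.test(token)) {
    try { return decodeURIComponent(token); } catch (e) { return null; }
  }
  if (/^[A-Za-z0-9+/]{16,}={0,2}$/.test(token) && token.length % 4 === 0) {
    const out = Buffer.from(token, "base64").toString("utf8");
    // Accept only printable results, so random identifiers are not "decoded".
    return /^[\x20-\x7e]+$/.test(out) ? out : null;
  }
  return null;
}

// Peel encoding layers off every quoted string in the tag, up to maxDepth.
function decodedLayers(tag, maxDepth = 4) {
  const found = [];
  let queue = [...tag.matchAll(/["']([^"']{8,})["']/g)].map(m => m[1]);
  for (let depth = 0; depth < maxDepth && queue.length; depth++) {
    const next = [];
    for (const tok of queue) {
      const dec = decodeOnce(tok);
      if (dec !== null && dec !== tok) { found.push(dec); next.push(dec); }
    }
    queue = next;
  }
  return found;
}

// Compare a raw-string blocklist match with a match after decoding.
function scanTag(tag, blocklist = BLOCKLIST) {
  const hit = s => blocklist.find(d => s.toLowerCase().includes(d)) || null;
  const rawHit = hit(tag);
  const decodedHit = decodedLayers(tag).map(hit).find(Boolean) || null;
  return { rawHit, decodedHit };
}

console.log(scanTag(SAMPLE_TAG));
```

The raw match misses the constructed tag while the decoded match flags it, which is why each hop in the programmatic chain that re-encodes a tag adds another layer a scanner has to peel.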


Sandboxed iFrames were developed to insert an ad’s content into a container, creating a barrier which “sandboxes” the ad, providing secure communications between the advertiser and publisher while reducing the likelihood of bugs, interference or data leaks.


But what secures the advertiser now also provides security for malicious advertisers.

The technology is supposed to offer consumers greater protection while providing publishers with greater ad control, more efficient, standardized and bug-free ad serving and greater data security, and to facilitate a better and easier-to-implement experience for marketers and agencies.

Sandboxed iFrames provide a dedicated space for the ad network/exchange to insert the encoded ad code within an iFrame (Inline Frame) on the publisher’s web page/app. Thanks to this technology, the iFrame can present ads coded in JavaScript without exposing any user or other data.

But in this case, the iFrame, or cross-origin frame, also enables malvertisers to serve malicious auto-redirect ads, which were delivered encoded within the iFrame.

“In the last year, we’ve seen an escalation in the sophistication of malvertising attacks, including steganography, where malicious ads are hidden inside an image, and WebRTC malvertising attacks occurring via ads served through programmatic exchanges, predominantly through header bidding,” said Adi Zlotkin, Security Research Team Leader, GeoEdge. “This escalation is forcing publishers and marketers to go beyond blacklisting in order to fight malicious advertisers and offer users, marketers, and agencies a safe and malware-free experience.”

The last year has also seen an increase in malicious ads served via video, which were unheard of until two years ago. “Though malicious video ads are still below one percent of all malware, we’re expecting that number to increase significantly in the coming years,” added GeoEdge’s Security Research Team Leader Adi Zlotkin.


Eighteen months ago, GeoEdge research forecast that auto-redirect ads would cause publishers and marketers $1.13 billion in damages in 2018, which was accurate. By 2020, GeoEdge predicts that auto-redirect malicious ads will cause publishers and advertisers $1.3 billion in damages.


GeoEdge enables the supply side of the digital ad ecosystem to focus on publishing, instead of worrying about malvertising attacks.

The company handles malicious and unsafe advertising so that publishers, app developers, and other supply-side clients can focus on optimizing their advertiser campaigns and use the time saved to build better and more effective relations with their clients.

GeoEdge has enabled clients to achieve a 90-95% reduction in complaints through the elimination of offensive and malicious ads, and to gain full transparency and visibility of their entire ad inventory, beyond the blocked malicious ads, facilitating improved management of each partner’s brand safety needs.



Michal is an experienced and versatile customer marketer, passionate about understanding people and building awareness about how our products/services satisfy their business needs. You can find her on Linkedin to discuss her approach to strengthening client relationships.
