Now, twenty-six years since the first banner ad ran on HotWired.com, the digital advertising industry has been revolutionized by the advent of programmatic technology. Unfortunately, there’s one significant caveat that comes with programmatic: bad ads. Publishers initially sought out programmatic to enhance revenue, but have now lost control over ad inventory and margins.
As modern users naturally associate page content and ad creative as part of the same unified experience, the meteoric rise and dominance of bad ads, specifically deceptive ads, has accelerated the need for publishers to crack down on these damaging ads.
What’s a bad ad?
A bad ad disrupts the user experience. It may contain offensive or inappropriate content and, at the far end of the spectrum, malicious code that hijacks a user’s browser and redirects them to questionable landing pages.
It’s imperative for publishers in an upended digital landscape to take control of their sites, their relationships with their audiences, and their capacity to protect their users from poor experiences and scams. To take action meaningfully on these issues, it’s crucial to understand what makes a bad or deceptive ad.
For starters, deceptive ads fall into three broad categories.
In one category, there is no correlation between the ad creative and the content of the landing page it leads to.
In the second, the ad leads to a landing page that is related to the ad creative, but the landing page content is low-quality — poorly-made or fraudulent products, misinformation, salacious content, etc.
In the third, the ad leads out to phishing scams, links to download malicious code, and other tactics meant to harm the user and enrich criminal enterprises.
GeoEdge separates the assault on user experience into three distinct categories: user security, ad quality and ad content quality.
Programmatic: An uncontrollable web
Bad ads are slipping through the programmatic net, and it’s a worry. Our research, surveying 88 industry professionals made up of publishers and advertisers, echoes this concern. In the programmatic market, bad actors can easily disguise themselves as legitimate buyers, and a single vulnerable ad slot presents an opportunity for an attack, launched directly upon the user and their device.
Increasingly, publishers and advertisers are encountering deceptive ads. Some of these ads spread fake news, presenting information that is false or misleading. In other cases, ads trick users into thinking they’re going to read more about a certain product or celebrity but link out to unrelated or scam sites.
For fraudsters in the ad ecosystem, bad ads are easy to deploy, and evading low-tech security is no challenge. For publishers, prevention is hard. And whenever one bad actor is identified and blocked, another will emerge to take advantage of the publisher’s same vulnerabilities.
These problems in programmatic are multiheaded, with every publisher facing two inescapable issues: user security and low ad quality. While this third-party ad serving system is necessary to fill ad inventory and to generate greater revenue, the flip side leads to user and brand harm, and sometimes ruin. Ultimately, a publisher’s credibility relies on its record for delivering value and relevance, which is true for the ads on the page as well as the page content.
Where do bad ads come from?
Bad ads enter the ecosystem at various points along the supply chain. They slither their way into users’ devices in a variety of ways, from direct-sold campaigns to indirectly sold ads from exchanges or networks.
As programmatic allows bad actors to maintain anonymity and have maximum reach, fraudsters hack or take advantage of a publisher’s site to distribute their ads across the web, enabling them to make a profit off of the installation of malware or conversions from their spam.
There’s a common misconception that higher CPMs act as a barrier to bad actors who aim to deploy harmful code or launch scams through publishers’ ad slots. In reality, sophisticated cybercriminals are more than willing to pay high CPMs. Of course, many fraudsters are able to meet their nefarious goals via lower-hanging fruit. When CPMs fall, malicious and deceitful entities have access to inventory that, under normal circumstances, would sell to deep-pocketed premium advertisers. So, by extension, low CPMs basically present an invitation to scammers, fraudsters and hackers.
Low fill also opens the door to bad actors. In a less crowded field of buyers, when publishers are selling less of their inventory overall than normal, publishers and ad platforms are eager to fill, even if the buyer is not familiar to them. Once bad actors gain entry to publisher inventory through legitimate demand channels, they’re able to go toe-to-toe in a programmatic auction with quality advertisers.
The average user knows nothing of the intermediaries on the chain and blames the publisher for the effects of bad ads. Premium publishers understand the responsibility that comes with being the last link of the chain, and they understand that most intermediaries simply don’t have the same incentive to keep their platforms clean of substandard ads.
Bad actors’ newfound ease of access to premium inventory, coupled with publishers’ scramble to fill in the face of reduced spending, increases security risks for publishers and their end users.
Malicious ads are the scourge of the digital ecosystem, among the worst fears of any publisher. Today, the task of malware protection goes far beyond the end-user.
The most dangerous attacks come from the least obvious sources: those that put the user at risk without even attacking a publisher’s entire site. All it takes is one unsecured ad slot for bad actors to deploy malicious code: auto-redirects, drive-by downloads, Trojan horses, ransomware, and more.
The most notorious form of malware is the auto-redirect, which makes up 48% of all malvertising events. Auto-redirects arrest the entire user experience and send the user spinning into bizarre territories that can feel impossible to escape, because hackers have designed the process of returning to the original site to be extremely confusing. As a result, users often accidentally install malware in desperate, disoriented attempts to leave the malicious page.
Redirects have a second, sinister form: the hidden redirect. As the name implies, this type of redirect does not affect the user experience and remains under the radar. The redirect operates from within an invisible iframe or image and, unbeknownst to the user, goes on its own delivery path. It’s most often a vehicle for click fraud, and at other times for attribution fraud and cookie stuffing.
The high probability that users will react is precisely why auto-redirects have taken the place of exploit kits as the most dominant web-based threat. In spite of high-profile ransomware attacks, software vendors have mostly risen to the challenges that exploit kits pose. Operating system vendors, browser makers, anti-virus systems, and ad verification tools have worked in concert to close critical vulnerabilities that allowed hackers to simply run an executable on a user’s machine and directly install malware. Even just the removal of Flash from Google Chrome and the nearly complete obsolescence of Internet Explorer went a long way to barricading easy avenues for malvertisers.
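As an added illustration (not GeoEdge's code and not part of the original article), here is a minimal static check a publisher could run over creative markup to flag the two redirect forms described above. The patterns, the `scan_creative` name and the sample creatives are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Script patterns that navigate the window without any user click.
FORCED_NAV = re.compile(
    r"\b(?:top|parent|self|window|document)\.location(?:\.href)?\s*=(?!=)"
    r"|\blocation\.(?:replace|assign)\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01](?:px)?\s*", re.I)  # a 0 or 1 pixel dimension

class CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag in ("iframe", "img"):
            # Invisible frame or image: hidden by CSS or sized 0/1 px both ways.
            # Ordinary tracking pixels match too, so this is a review flag.
            tiny = all(TINY.fullmatch(a.get(d, "")) for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(f"hidden-{tag}: {a.get('src', '')}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta-refresh: {a.get('content', '')}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script text that reassigns the location is an auto-redirect.
        if self._in_script and FORCED_NAV.search(data):
            self.findings.append("forced-navigation script")

def scan_creative(markup):
    scanner = CreativeScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample creatives (not real campaigns).
CLEAN = '<a href="https://advertiser.example/"><img src="banner.jpg" width="300" height="250"></a>'
SUSPECT = ('<iframe src="https://t.example/c" width="0" height="0"></iframe>'
           '<script>top.location.href = "https://landing.example/";</script>')
```

A static pass like this only sees what is written in the markup; redirects that are built at run time or loaded from external scripts need the creative to be rendered and observed, which is why the scanning steps later in this article call for continuous checks of live campaigns.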
Publisher accountability, credibility and punishment
When we talk about publishers’ liability here, we’re talking about responsibility and accountability in a legal sense. Publishers are legally liable for the ads they host on their sites. This liability extends to any landing pages their sites link out to, including landing pages linked to via the ads they host.
The FTC enforces truth-in-advertising laws. Further legal issues around IP infringement arise when the content, including ad creative, contains the image of a public figure who has not granted the right to use their likeness for this purpose. Scammy or misleading ads frequently use photos, without permission, of celebrities or other public figures in an attempt to give their ads the appearance of legitimacy or authority.
Some users who are understandably frustrated with these experiences install ad blockers: software that prevents ads, both good and intrusive, from appearing. When this happens, every publisher pays the price, as it means decreases in ad revenue. For legitimate advertisers who create relevant ads, ad blockers make it impossible to reach customers. To solve the issue of bad ads, industry-wide concerns led to the formation of the Coalition for Better Ads.
The Better Ads Standards are based on extensive user research conducted by the Coalition about which ad formats and ad experiences consumers think are the most annoying and disruptive. For some publishers, annoying ad experiences can be tempting because they often come with higher CPMs. But while you may think there is a short-term revenue gain, the Coalition’s research shows that, in the long run, damaging ads will cost you if users abandon your site or resort to ad blockers.
Unfortunately, publishers too often find out about malicious or low-quality issues too late, often by browsing the site themselves or by frustrated users notifying them personally, trashing them on social media, or downrating them in the app store.
While low-quality ads and disreputable advertisers may appear to be uncontrollable forces, taking control is indeed both the publisher’s prerogative and responsibility.
How to avoid bad ads?
No one is immune to bad ads. However, leveraging technology can help identify when bad ads are served and prevent fraudsters from continuously slipping through the programmatic net.
Publishers can implement these steps to secure and maintain high-quality UX on their sites.
For direct campaigns:
1. Scan all creative and landing pages from different geographic locations and use different target parameters before uploading them to your ad server.
2. Perform daily checks for compliance breaches in your advertising assets that have been previously approved. Continue this during their entire run within your inventory.
For third-party campaigns:
1. Constantly scan all live campaigns in real time, both the creative and the landing pages that are served within your inventory.
2. Ensure that your ad verification and security service will notify you in real time when malware or other malicious activities are detected within your inventory.
Facing bad ads now: What should you do
If you have bad ads showing on your site right now, the first step toward gaining control over ad behavior, ad content, and blocking malvertising is to identify their source by monitoring which advertisers are the root of the problem.
Publishers can take a more proactive stance in weeding out bad actors by notifying SSPs about low-quality, offensive or fraudulent ads and urging them to find the source and solve the problem. Providing SSPs with accurate information about those ads, in a constant and actionable manner, will enable them to block fraudsters.
Giving your partners concrete examples of where the ads were displayed and potentially what network they came from can help them settle the current chaos on your site sooner.
The fundamental question publishers have to ask themselves is whether their team’s resources are strong enough to deal with bad ads alone or if they need external support to stop bad ads from infiltrating their site.
Escaping Digital Quicksand With GeoEdge
GeoEdge blocks campaigns with malicious and bad ads at the per-impression level so that the user is never exposed to malicious ads, and automatically replaces blocked ads with clean and safe ads to ensure that publishers generate revenue from every impression.