Why Malicious Cloned Sites Are Publishers’ Greatest Threat

With the seasonal peak in malvertising approaching, publishers are facing an onslaught of deceptive ads leading to malicious cloned sites, making these sites the greatest threat facing publishers today.

Malvertisers have numerous methods for trying to get their hands on cash, and the method on the rise among them is serving fake or cloned websites. And as November nears, 89% of publishers serve deceptive ads, exposing average users to around one malicious site a day. Of the 89% of publishers serving deceptive ads, 42% are facing user complaints, while 20% are forced to contend with a loss in revenue or users.

Malicious Content: A New Frontier

For years, we’ve been warned against malicious code hidden in the ad creative, ready to deploy without the user’s knowledge. Now, in this latest wave of attacks, users are lured to a dangerous landing page by willingly clicking on a deceptive ad. See image below.


Once on that page, the user is hit with a phishing scam, a fraudulent product or service offer, or an enticing deceptive prompt to download malware.

Curious why deceptive content now accounts for over 50% of all malicious advertising today?

Malicious advertisers are investing in marketing and creating deceptive sites and personally targeted content because it’s six times more effective than auto-redirect ads. And with the US presidential elections approaching, GeoEdge’s security researchers expect a drastic increase in the number of cloned news websites over the next month.

With the average user seeing around 5,000 online ads daily, and one in 5,000 ads leading to a malicious cloned site, most users are exposed to a malicious cloned site every day. So how did we get here?

As CPMs Fell, So Did Publishers’ Defenses

As publishers’ CPMs have fallen across digital properties, malicious and deceitful entities gained access to inventory that under normal circumstances would sell to deep-pocketed premium advertisers.

Low fill has also opened the door to bad actors: in a less crowded field of buyers, when publishers are selling less of their inventory overall than normal, publishers and ad platforms are eager to fill, even if the buyer is not familiar to them. Once bad actors gain entry to publisher inventory through legitimate demand channels, they’re able to go toe-to-toe in a programmatic auction with quality advertisers.

Lifting the Curtain on Cloaking  

Malvertisers have also gained access to publishers’ inventory by cloaking their ads to fool scanning technology. Typically, malvertisers build an ad creative with corresponding landing pages that appear legit, which is the content the ad scanner “sees” when it looks at the ad tag. In reality, the real URLs for the creative and landing page have been cloaked within the code.

Cloaking uses layers of deception designed to evade creative scanning technology, and it is too complicated to be routinely detected manually. After the last scan, the code swaps in the malicious creative, along with the hidden URL that opens when the user clicks, as the publisher’s page loads.

These ads typically show a celebrity’s name or a deceptive product or service description — and the landing page keeps up the ruse. See the example below.




Cloned Sites: Deceptive Tactics 

Through the use of salacious ad content, malvertisers lure unsuspecting victims to visit the clone site. GeoEdge’s security team revealed that deceptive content accounts for over 50% of all malicious advertising, with deceptive ads redirecting users to counterfeit or cloned landing pages.

And as the name suggests, cybercriminals use a ‘clone’ site, which mimics the design and borrows the prestige and branding of well-known sites. So how convincing are cloned sites? The clone site often looks identical to the original one, barring a minimal change in the URL, or web address. See the example below. 


Once on the cloned site, users mistakenly believe they are on legitimate sites where they are often served ads promoting counterfeit products or cryptocurrency schemes.

Attack of the Clones 

Nearly any website can be copied, but retail shopping sites, travel booking sites, and banks are the chosen favorites among cybercriminals. Ultimately, cloned media websites enable malicious marketers to benefit from the content’s fake legitimacy next to which their ads appear.

2020 proved that no publisher, regardless of size or prestige, is immune to cloned sites. This year, Forbes, Today, BBC, as well as both HSBC and Paragon Bank, were all victims of cloned sites, translating to real financial losses and the spread of fake news.

See examples below.


At first glance, these sites look legit, and may even have a domain that’s quite similar to the original site. And the mimicked design didn’t cost much to replicate either: Photon Research revealed that a template for a cloned site for some of the biggest online brands starts at $2-3, a cloned e-commerce site page will cost $20.43, and a cloned banking site page sits at $67.91.

So how much does falling victim to a deceptive scam cost?

Deceptive Ads Put Publishers, Advertisers, Users At Risk

Deceptive ads and deceptive sites pose a significant risk to the security of the user’s devices, personal information and wallet. According to Adi Zlotkin, GeoEdge’s VP Data and Security, “In the past, if someone wanted to steal your money, they had to steal your wallet or rob a bank – and people knew pretty quickly that they had been robbed.

With online identity theft, malicious actors can access credit card information for hours, days, even weeks and months without people knowing that they’ve been ‘robbed’. And it can happen after simply clicking on a malicious link and providing information to what seems like a trusting partner. This requires greater vigilance on the part of the financial services industry as well as extensive and continuous education for users, particularly those who are older and/or newer to digital finance.

Adi mentioned, “The countries which have been most negatively impacted are also the countries with the highest incomes because there simply is more money to steal. These countries include Japan, Australia, New Zealand, the United States and Canada, the UK, France, Netherlands, Belgium, Germany, Switzerland, Austria, Italy, Spain, Portugal, and the Scandinavian countries. These countries tend to be more advanced in their use of the Internet, too.

Now, we’re starting to see more attacks in other high-income countries including the Gulf states in the Middle East, as well as in emerging markets in South America, Asia, and Eastern Europe.”

Maintaining Ad Quality Amidst Chaos

In today’s complex digital media reality, publishers cannot merely take a defensive and reactive stance on ad security and quality.

When thrown to malicious sites, users will conclude the publisher hosting the deceptive ad has condoned that ad, its buyer, and its buyer’s landing page. They will then avoid the site that led them down this path, depriving the publisher of its ability to monetize future sessions.

Publishers must act aggressively and proactively. They must take the fight to the bad actors’ landing pages. And the industry has the tools to do so safely and effectively.

Cloned Sites: Where to Go Next?

The research shows that nearly half (49%) of publishers often, or even very often, inadvertently block non-deceptive ads as they’re racing to keep out bad actors. There’s clearly a need for publishers to fine-tune tactics for blocking deceptive ads, with approaches including keywords, phrases and even blocking certain verticals (or using all three).

Deceptive landing pages, hiding behind tantalizing ads, should be a top security concern for any legitimate, quality publisher with an engaged audience. But bad landing pages can be detected — allowing the creative to be blocked before the page loads — using existing technology. However, that technology must be sophisticated enough to analyze the landing page and the creative in real-time.

This needs to happen before it can reach the user, harm them, and deter them from returning to, and monetizing, the publisher’s site.

A New Front: Cyber Social Engineering 

“In today’s world, where cyber meets social engineering, malicious advertisers have raised their game, adding the marketing sophistication of a trained CMO as they lure unsuspecting users into their malvertising scams,” said Amnon Siev, CEO, GeoEdge. “That’s why we’ve upgraded our real-time advanced malware detection technology offering to include the ability to block any ads leading to cloned websites as a way to keep our publishing partners and their users safe and free of fake news.”

To address the shift to content-driven malvertising, GeoEdge stands as the first ad security solution to offer publishers and platforms a way to block serving any ad leading to a landing page from a malicious cloned website in real-time. By blocking these ads leading to cloned websites, GeoEdge eliminates the threat of malicious ad attacks before a user is exposed to the ad.

How to Limit Vulnerabilities: Focus on the Long-term

For publishers, this scenario underscores the security and QA importance of inspecting not only the ad creative but the landing page it leads to. To keep users safe long-term, publishers need a closer analysis of what awaits the user after the click. If you can recognize a fraudulent or otherwise unsafe landing page, you can flag the entire creative itself as a potential risk before users are ever harmed.
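One way to screen landing-page URLs for the “minimal change in the URL” that separates a clone from the original, as an added example (not GeoEdge’s code or detection method). It assumes a constructed brand list on reserved `.example` domains and a last-two-labels shortcut for the registrable domain; `classify_landing_url`, `skeleton` and `edit_distance` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed brand list (assumption); a publisher would load its own.
PROTECTED = ("dailyherald.example", "firstbank.example")
# Common visual substitutions folded into one "skeleton" form.
FOLD = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def skeleton(name):
    for src, dst in FOLD:
        name = name.replace(src, dst)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_landing_url(url, max_distance=2):
    """Return (verdict, matched_brand) for an ad's landing-page URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("unparseable", None)
    # Simplification: last two labels. Real code needs the Public Suffix List.
    registrable = ".".join(host.split(".")[-2:])
    if registrable in PROTECTED:
        return ("legitimate", registrable)
    for brand in PROTECTED:
        # Brand name used as the leading labels of an unrelated domain.
        if "." + brand + "." in "." + host:
            return ("brand-in-subdomain", brand)
        if skeleton(registrable) == skeleton(brand):
            return ("homoglyph", brand)
        if edit_distance(skeleton(registrable), skeleton(brand)) <= max_distance:
            return ("near-miss", brand)
    return ("unrelated", None)

# Constructed landing URLs on reserved TLDs, as an ad scanner might log them.
SAMPLES = ["https://www.dailyherald.example/world", "https://dai1yherald.example/offer",
           "https://dailyherrald.example/offer", "https://shoes.example/sale",
           "http://dailyherald.example.login-check.test/"]
VERDICTS = {url: classify_landing_url(url)[0] for url in SAMPLES}
if __name__ == "__main__":
    for url, verdict in VERDICTS.items():
        print(verdict, url)
```

Short brand names sit within a small edit distance of unrelated legitimate domains, so a `near-miss` verdict is better used to route a creative to review than to block it outright.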

Alisha is a Technology Writer and Marketing Manager at GeoEdge. Her writing focuses on current events in the AdTech ecosystem and cyberattacks served through the digital advertising supply chain. You can find Alisha on LinkedIn to discuss brand building and happenings in AdTech.
