Malvertising in Native Ads

The popularity of native ads continuous to grow, with increasingly more publishers accepting the well-liked format.

In fact, native ad adoption is expected to reach 41% in 2017. But while publishers are aware of the benefits of the ad format – they are less aware of its risks and the high costs associated with bad native ads, especially those containing malware. Here we will dive into what native ads are and look at those risks.

Native Ads 101

So, native advertising – by definition is: “a type of advertising that matches the form and function of the platform upon which it appears”.

In general, it would mean that the user’s experience will be natural, clean, and not intrusive.

Today, there are 6 main units in native advertising

• Social in-stream units • Paid search units • Recommendation widgets • Promoted listings • In-ad units • Custom units


Social In-Stream Units

These can be found in Twitter’s Promoted Tweets and Facebook’s Sponsored Posts. They merge seamlessly into the feed and can only be identified by the word “promoted” or “sponsored” next to the ad.

Paid Search Units

This type of native ad applies to search results, such as the ones that we see on Google, Bing, Yahoo, etc. They are all actually paid advertisements marked as “ads” allowing the user to understand that they are indeed paid Native search units, and not a regular generic search engine result.


Recommendation Widgets

These usually appear at the bottom of a web page, under the heading “From around the web” or “You may also like…”. These ads are usually driven by third-party publishing platforms. Widgets usually promote a list of related articles – so that the ad (whether image or textual) merges nicely with the regular content of the page.


Promoted Listings

This kind of ad can be found on eBay, Amazon, FourSquare, etc, showing promoted product listings on shopping sites.


In-Ad Units

An in-ad is a standard IAB container that holds contextually relevant content and relevant links to an offsite page. These are used today by Federated Media, Martini Media, and more.


Custom Units

A custom embedded ad located within a product, with specific unique measurements. These could be within a website or app. These are used today by Spotify, Pandora, Hearst, Tumblr and many more.


Technical Implementation

Now that we know which units to use & we applied all ethical aspects to our ads, We need to know how the technical implementation works.

There are three main types of Native platforms
Closed Platforms

Here brands promote their own content (or branded content) on their own websites. The risks here are minor and as in any closed environment, the control is high.


Open Platforms

The content of native ads comes from outside the particular website or app and is distributed over multiple sites by a third-party vendor. There are many risks with these platforms and having one might create many unknown risks due to the ads or the final landing pages presented to the users.


Hybrid Platforms

The native ad content of the hybrid platform is applied in a programmatic manner, where advertisers can bid on the inventory via Direct Sales or Real-Time Bidding.

The  3 options above show us that there is indeed a risk when planning to work with Native ads.


Now switching gears to the Open & Hybrid options – as they have the most high-risk issues.


Lack of Publisher Control

Since publishers relinquish control in Open and Hybrid platforms, these present the highest risk. • In these platforms, the ad unit is powered by a script that’s generated to handle all the targeting parameters. The publisher has no control over these parameters, which may affect the ad presented to the user.

• All of the data that applies to the related content is hosted on servers that belong to the publishing platform’s ad servers.

• Much of the content that is seen is actually hosted by content recommendation engines, which again does not allow any control by the publisher.

• With full Real-Time Bidding (now entering Native), the Open and Hybrid platforms do not allow any publisher control.


Despite all these problems, there are still many positive reasons to employ Open and Hybrid platforms: you get ads that are targeted to your users, the RTB and Programmatic methods used enable high revenues for the publisher, etc. But with all the benefits – the publisher is still releasing control, and this may result in serious risk issues.


Security Threats from Native Ads

Today, most security threats from native ads are post-click (the action/activity taking part right after the user is clicking on the ad).


Let’s review the risks we see today 
Delivery Path Corruption

With Delivery Path Corruption the click URL, which indicates the redirect that the user will go through, is changed to affect the endpoint. The user will then see a totally different end location and totally different Landing Page.

Landing Page Hijacking

In Landing Page High-Jacking cyber-criminals use automated tools to discover third-party Landing Pages in Native ad campaigns. They then physically infect these Landing Pages with a virus. The users will later visit these infected Landing Pages.


Manipulated Attacks 

The attacker builds a legitimate campaign and presents it to a Content Recommendation Engine. The campaign is checked, reviewed, and approved by the Native platform. It goes live and runs on publisher sites. But after a couple of days, the attacker activates the malicious code, and from that point on, every user is infected.


These infections could be:
Phishing attempts • Drive-by downloads • Trojan horses • Ransomware


Targeted Attacks

Similar to a Manipulated Attack, but more sophisticated, is the Targeted Attack.

Here, the same method is applied, but the attacker targets only specific users. These users may be specified by IP, geo-location, browser type, or other criteria.

For example, users seeing a specific Native campaign via the Chrome browser in France would have no problems, while users from Canada using Firefox, that saw the exact same campaign, would be targeted based on their geographical location and browser.

This is simply a more dynamic way to attack specific users.



GeoEdge and Native Ads
GeoEdge offers comprehensive malware protection for native ads. We scan ads or codes in order to identify any malicious activity in Native Ads – whether they be dynamic security threats or softer threats impacting the user experience.

Speak to us about protecting your sites and users from native ads, and be sure to sign up for our next webinar, “Optimizing Video Ads for Better User Experience.”

Eliana is a marketing strategist with a passion for technology and storytelling. Eliana’s work has been featured in places like Slashdot, the RSA conference, and Facebook’s PyTorch publications. You can find more about Eliana on Linkedin.

Malvertising, the practice of sprinkling malicious code into legitimate-looking ads is growing more sophisticated. GeoEdge’s holistic ad quality solution has you covered.


450+ Publishers & Platforms