Table of Contents
- Mobile Malware Threats
- How Auto-Redirects Work
- Dangers of Malvertising
- The Cost of Malvertising for Publishers & Platforms
- Anti Malvertising: Techniques for Detecting Malware
- Preventing Malvertising
- Red Flags: Your Malvertising Protection Isn’t Effective
- Removing Malvertising
- Malvertising Protection: Solutions Beyond Security
We could call malvertising the bogeyman of digital media, except that unlike a bogeyman, malvertising is both scary and real.
Malvertising affects users around the globe every day — and its effects are often immediate and visceral. Malvertising is, to the broader public, the face of ad security and quality. More accurately, to those in the industry, malvertising is the face of the enemy of ad security and quality. Malvertising has been around for as long as digital advertising has, and malware has been around as long as it’s been possible to compromise the security of devices, programs, and platforms.
We’re here to explain what malvertising is, how it behaves, and how it can be prevented in today’s world. We’re here to underline the threats to users and to other digital businesses, to describe warning signs of malvertising before they become a serious problem, and to illuminate a path forward, where publishers can monetize their ad inventory and ad platforms can trade freely with their partners without the overhanging threat of malvertisers driving away their audiences and damaging their bottom line.
What is Malvertising
“Malvertising” simply means “malicious advertising.” More specifically, the term refers to digital ads that are either designed and deployed with explicitly malicious intent, or compromised by bad actors. There are many different forms of malvertising, categorized by the actions triggered when the malicious ad reaches the user’s screen, by the vector of attack, and by other factors. But the common element is the use of the ad creative, or any vulnerable point along the ad supply chain, to negatively affect the end user. When malvertising reaches its target user (the target may be broad, or as specific as the audience a typical legitimate ad campaign aims to reach), it deploys its payload. The payload is whatever malicious entity the ad delivers:
- A malicious script, engineered to execute an action whether or not the user interacts with the ad
- Malware: malicious software, placed on the user’s device without the user’s consent and with the intent to compromise the user’s browser or device
Malware vs. Malvertising
Malware and malvertising overlap with each other, but aren’t the same thing. Malvertising may contain malware, and it may direct the user to a landing page where they are prompted to download malicious software. A malicious script, by contrast, can trigger software already on the user’s device to perform an action. Some malvertising campaigns entice the user to take action on their own, with no additional software or scripts involved. And malware can reach a user’s device through points other than the ad slot, including the browser or a corrupted program or file. To the user, malvertising may appear frightening or annoying, or by contrast, the user might not even notice its effects. But malvertising isn’t just a bother — it’s a criminal enterprise. Malvertisers are commonly out for the user’s credit card or banking information, either to steal money from them or to sell that data to other criminals.
Malware slithers its way through advertising into users’ devices in a variety of ways – through everything from direct-sold campaigns to indirectly sold ads from exchanges or networks.
Where Does Malvertising Come From
Malvertising and the Advertising Ecosystem
Malvertising comes from third parties that, in one way or another, have access to a publisher’s ad slots and/or the creative that renders in them. Often a malvertiser will execute a media buy starting from the DSP, just like any legitimate advertiser. In other cases, the malvertiser will insert its payload via inventory reselling, or some other unsecured point in the supply chain. For the malvertiser, this is an efficient and scalable method of causing harm: there’s no need to take control of the publisher’s entire site or server, and typically there’s no need for the user to perform any action other than loading a web page. A malvertising campaign can have international reach, and can be targeted to particular geographic regions, demographics, or device types.
Malicious code in an ad creative will take the form of a URL. Ad scanning tools at points along the supply chain will scan the creative’s code for suspicious URLs, but malvertisers get past scanners by using cloaking — hiding their real URLs within code that looks legitimate (for example, resembling the URL of a legitimate company) or at least innocuous to a scanner or human QA. The cloaked URL slips past these relatively low-tech security measures and reaches the user’s screen undetected.
Malvertisers commonly take advantage of the opacity of the programmatic market. Between the DSP and the publisher sit any number of SSPs, ad exchanges and ad networks — a web of supply paths through which bad ads can pass. Accountability may be tricky among programmatic players: most users aren’t even aware of the existence of the intermediaries along the supply chain, so those intermediaries have little to lose in the PR game. And many criminal malvertising enterprises exist beyond the borders of their target users — out of local jurisdiction, and extremely difficult to prosecute.
Where Can Malware Hide?
- On a landing page
- In the delivery path
- Embedded in the creative
- Within a pixel
- Within a video
Malicious Ad Delivery
There are several paths malvertisers can pursue to reach their target user. Here are some of their options, which can execute in standard display, video or in-app environments:
- The payload will then be deployed when the ad loads on the page. The creative may appear to be “clean,” because the bad URL is cloaked and is only revealed when the page loads or the user clicks on the ad.
- A bad actor inserts harmful code into the supply path as the ad is being called.
- The user clicks on a malicious ad. A series of URLs are called to bring up the ad’s landing page. Malicious code may be inserted by any third party along that path.
- Just like any tracking pixel, a malicious pixel signals to the malvertiser that the user has interacted with the ad in a specific way — at which point the pixel triggers the payload.
How Malvertisers Set Up Malicious Campaigns
Step 1: Recon
Malvertisers evaluate consumer behavior and trends within various countries and first create attack blueprints including various creatives and landing pages that will best suit the targeted users.
Step 2: Probe
Much like traditional marketers, malvertisers test the effectiveness of their campaigns by first launching probing campaigns to gauge which campaigns prove most effective.
Step 3: Scale
Capitalizing on their short window of opportunity, once the malicious campaign reaches the target ROI, the attack is scaled to reach a wider range of users.
How a Malvertising Campaign Runs When it Starts at the Beginning of the Supply Chain and Evades Detection:
The campaign is submitted to the DSP and undergoes pre-flight review for ad quality issues and spec compliance.
Automated tools inspect the creative’s code for potential hazards.
The cloaked “bad URL” has successfully hidden the identity of the buyer and the nature of the campaign, and the campaign begins to progress along the supply chain.
The bad ad is designed to reveal its real URL to a human user, and to hide it in a non-human environment. Scanners are non-human environments. Ad platforms and other vendors fail to detect the bad code via simple scanning.
Because the real URL is cloaked, it fails to match against platforms’ and publishers’ lists of prohibited URLs (known bad actors and unwanted advertisers).
Impression & Payday
The ad reaches the user’s screen, where the payload is deployed directly to the user and their device.
Just as malvertising and malware are frequently conflated, so are malvertising and adware. Again, there’s a difference.
Malvertising takes advantage of normal digital ad distribution channels. Adware is software designed to render ads to the user. Sometimes adware is legitimate, and the user has consented to it — for example, as a way for a developer to monetize software that is otherwise free to the user. But sometimes adware is placed on the user’s device without the user’s consent. In either case, whether the developer has ill intent or their software is compromised, adware may contain malware.
Types of Malvertising
Malvertising itself, as we’ve said, takes many forms, through many vectors of attack. Here are some common forms of pre-click and post-click malvertising, and how they’re deployed:
- Takeover: Malicious code takes over the ad unit, expanding the creative to fill the screen, with no option to close the ad. The creative directs or links the user to a malicious landing page, the app store, or a phone number for a phishing scam.
- Exploit kit: With or without their consent, or full knowledge of its contents, the user downloads an exploit kit, which executes a malicious action on the user’s device or browser.
- Worm: A script written to copy itself and spread to other devices.
- Trojan: Software, sometimes downloaded willingly by the user, that creates a backdoor for bad actors to enter.
- Spyware: Software that sends data to the malvertiser about the user, who is not aware it’s on their device.
- Ransomware: The payload locks the user’s device or account, and prompts them to pay to unlock it.
- Scareware: The ad creative tells the user their device is at risk, and prompts them to download a malicious “solution.”
Examples of Malvertising
Beyond the general categories of malvertising, the digital media industry has seen several prominent and recurring malvertising campaigns in recent years. These campaigns have been detected by GeoEdge, whose security researchers quickly came to understand the campaigns’ behaviors and characteristics. Here are some pervasive, distinct malvertising campaigns GeoEdge has studied:
This attack redirects the user to a page that resembles a local or regional law enforcement site. The malicious code then takes over the browser, changing to a full-screen box with no exit option, and displays a message telling the user they owe a fine, and that paying the “fine” will unlock their browser.
This is a bitcoin-related cloaking scam. It fingerprints the user’s device and environment, including factors like time zone and IP. It will commonly show a sensationalistic or clickbait-style message in the creative, which can be served through server-side and client-side channels. When a non-targeted user clicks on the ad, they’ll be taken to a harmless site. When a targeted user clicks, they’ll be taken to a site for a cryptocurrency scam.
When this campaign first appears at the DSP level, it does not have its payload within. This allows it to bypass creative scanners, and sometimes a fake URL counterfeiting the URL of a legitimate advertiser also helps it pass. After several days, ad platforms are acclimated to the campaign’s presence, and at that point its ads are deployed with the malicious payload. Morphixx uses IP data to geotarget users, and to serve a personalized message in the creative and landing page (which is common practice in contemporary ad targeting, but previously less common in malvertising) claiming to be the user’s ISP, using the ISP’s branding and local language. The landing page prompts the user to complete a survey or sweepstakes, which are the means to extract personal information. Sometimes these landing pages will go so far as to include fake comments from fake users about the survey and the rewards they won.
Malvertising in Landing Pages
In many malvertising campaigns, the most harmful elements are not actually carried in the ad creative itself. Often, the creative will appear on the page to function like a normal ad, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. As such, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad.
How Do Malvertisers Evade Detection?
Cloaking hides both of these pieces — the creative the user sees, and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise: as it passes down the supply chain, the creative will appear to be harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate. When the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the insecure landing page.
The landing page may even appear legitimate to the user — counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company. This whole process is designed to take advantage of the user’s trust in the brand they think they’re interacting with, and in the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malware to the user’s device, or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.
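As an added example (not GeoEdge’s code or any real scanner’s), the following JavaScript shows the detection counterpart to the cloaking described here and in the campaign walk-through above: evaluate the same creative under several environment profiles and flag it when the landing URL changes with the viewer, or strays from the host declared at submission. The profile fields, the creative objects, their `resolveLanding` function and every hostname are constructed for this example.

```javascript
// Added example, not GeoEdge's code: a differential scan for cloaked creatives.
// The same creative is evaluated under several environment profiles; if the
// landing URL it resolves to depends on the profile, or differs from the URL
// declared at submission, the creative is flagged for review.

// Constructed environment profiles. "scanner" mimics a headless scanning tool;
// the other two look like real users. Field names are this example's own.
const PROFILES = {
  scanner: { webdriver: true,  touchPoints: 0, timezone: 'UTC',              screenWidth: 800 },
  desktop: { webdriver: false, touchPoints: 0, timezone: 'America/New_York', screenWidth: 1920 },
  mobile:  { webdriver: false, touchPoints: 5, timezone: 'Europe/Berlin',    screenWidth: 390 },
};

// Constructed sample creatives. resolveLanding(env) stands in for "run the
// creative's code in environment env and read the URL it links to". Hostnames
// are placeholders, not real campaign infrastructure.
const honestCreative = {
  id: 'creative-honest',
  declaredLanding: 'https://advertiser.example/landing',
  resolveLanding: () => 'https://advertiser.example/landing',
};
const cloakedCreative = {
  id: 'creative-cloaked',
  declaredLanding: 'https://advertiser.example/landing',
  // Shows the declared URL to anything that looks automated, the real one to humans.
  resolveLanding: (env) =>
    env.webdriver ? 'https://advertiser.example/landing' : 'https://scam.example/survey',
};

// Hostname of a URL, or null if the URL does not parse.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Evaluate one creative under every profile and report whether the landing
// URL is stable across viewers and whether it stays on the declared hostname.
function scanCreative(creative, profiles = PROFILES) {
  const outcomes = {};
  for (const [name, env] of Object.entries(profiles)) {
    outcomes[name] = creative.resolveLanding(env);
  }
  const distinctUrls = new Set(Object.values(outcomes));
  const declaredHost = hostOf(creative.declaredLanding);
  const offDeclaredHost = Object.values(outcomes).some((u) => hostOf(u) !== declaredHost);
  return {
    id: creative.id,
    outcomes,
    inconsistent: distinctUrls.size > 1,   // landing depends on who is looking
    offDeclaredHost,                       // some profile lands away from the declared host
    flagged: distinctUrls.size > 1 || offDeclaredHost,
  };
}

// Scan a batch of creatives and return the ids that need human review.
function creativesNeedingReview(creatives, profiles = PROFILES) {
  return creatives.filter((c) => scanCreative(c, profiles).flagged).map((c) => c.id);
}
```

The point of the profile set is the one the guide makes: a scan that only ever looks like a scanner sees the declared URL every time and reports the cloaked creative as clean, so `scanCreative(cloakedCreative, { scanner: PROFILES.scanner })` is not flagged while the full profile set is. Checking against the declared landing host catches a second case, a creative that is consistent across viewers but lands somewhere other than where the buyer said it would.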
Trends in Malvertising: Fake Ads
Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Whac-A-Mole: whenever they come to understand one campaign, bad actors confuse them by deploying new tactics through new vectors of attack. Publishers and platforms rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020, the industry saw a dramatic increase in attacks that totally evaded ad scanners, because these campaigns use no malicious code in the creative at all; instead, the creative plays on the user’s psychology and engagement with page content.
Examples of Fake Ads
The strategy is to entice the user to click on an ad, where they’re led to an unsafe or untrustworthy landing page. With the COVID pandemic keeping millions of people at home and extremely online, the industry saw a rapid uptick in ads featuring:
Misrepresented Medical Equipment
This includes ads for subpar face masks, COVID tests/treatments that don’t even exist, treatments and equipment that aren’t government-approved for medical use, and products that don’t resemble the images used to advertise them.
Some bad actors sold hard-to-find medical equipment at predatory prices, a tactic premium publishers generally don’t want their advertisers to employ.
Tabloid-Style Celebrity Images
These include classic clickbait “celebrities in peril” headlines (“You won’t believe what happened to…”) and ads suggesting falsely that a celebrity has endorsed the product.
In an environment where users are online for much of the day and also on edge, waiting for solutions to COVID-related issues, these fake ads are especially effective and dangerous. To combat them, publishers and platforms need to be able to inspect landing page content.
Mobile Malware Threats
The small screen offers particular opportunities for malvertisers. Users on mobile are often in a hurry, looking for a quick solution, so they have little patience for interruptions. Small screens with sensitive touch response make erroneous clicks on ads nearly inevitable. Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms: if an ad platform is paid on a CPI (cost per install) basis, and a developer relies on that platform to distribute ads that drive up downloads of the app, then the platform is essentially incentivized to run more ads from buyers it is not yet familiar with. This makes it easier for bad actors to slip their campaigns through.
Auto-redirects affect both mobile and desktop, but especially mobile. GeoEdge research found 72% of all redirects occurred on mobile.
How Auto-Redirects Work
An auto-redirect can send a user directly to the app store for the same reason a user can easily click through from, say, a browser or an email, to content in an app that’s already on their device. (Think of clicking through a link to see particular content in Twitter, LinkedIn, or your health provider’s app containing COVID test results.) The malicious redirect, however, will commonly no longer work after the first time it’s launched, making it challenging for publishers to trace and troubleshoot manually.
Placing Malicious Code
The bad actor will place malicious code in the ad creative either when the ad is called, or post-click.
Not Detecting in Real-Time
Because of when and where the bad code is inserted (that is, while it’s en route to the user), the ad platform would not have been able to detect it — at least, not without a real-time solution for detecting and blocking bad ads.
When the user opens a site or app, the bad ad will take over the screen. From there, it might direct the user to the app store to download an unwanted app. Or, it might show a message saying the user has won a gift card, or been invited to take part in a survey, or been exposed to a system risk that can only be fixed by clicking through.
Phishing Scam / Prompt
If the user clicks through, they will be directed to a phishing scam or a prompt (obfuscated or not) to download malware.
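As an added example (not GeoEdge’s code), here is a JavaScript audit of the iframe sandbox policy on a publisher page, which is the browser-level control that decides whether an ad loaded in a frame can redirect the page without a user gesture. The sandbox tokens are standard HTML; the sample page, its slot ids and hostnames, and the verdict names are constructed for this example.

```javascript
// Added example, not GeoEdge's code: auditing the sandbox policy of ad iframes
// on a publisher page. Content inside a sandboxed iframe can only navigate the
// embedding page if the sandbox attribute grants it, so the attribute decides
// whether an ad can force a redirect with no user gesture.

// Standard HTML sandbox tokens that permit navigating the top-level page.
const UNCONDITIONAL_TOP_NAV = new Set([
  'allow-top-navigation',                     // any script in the frame may redirect the page
  'allow-top-navigation-to-custom-protocols', // may send the page to e.g. an app-store scheme
]);
const GESTURE_TOP_NAV = 'allow-top-navigation-by-user-activation'; // only inside a user gesture

// A reasonable policy for a third-party ad slot: scripts run, clicks can open
// the landing page, but the frame cannot redirect the page on its own.
const RECOMMENDED_SANDBOX =
  'allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation';

// Classify one sandbox attribute value (null means the attribute is absent).
function classifySandbox(sandboxAttr) {
  if (sandboxAttr === null) return 'unsandboxed'; // no restrictions at all
  const tokens = new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
  for (const t of tokens) {
    if (UNCONDITIONAL_TOP_NAV.has(t)) return 'auto-redirect-possible';
  }
  if (tokens.has(GESTURE_TOP_NAV)) return 'user-gesture-only'; // redirect needs a click or tap
  return 'top-navigation-blocked';
}

// Walk the <iframe> tags in a page and classify each one. The regex is enough
// for the constructed sample below; real pages should go through an HTML parser.
function auditAdFrames(html) {
  const findings = [];
  const frameRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = frameRe.exec(html)) !== null) {
    const attrs = m[1];
    const idMatch = /(?:^|\s)id\s*=\s*["']([^"']*)["']/i.exec(attrs);
    // Bare `sandbox` (no value) is valid and means "apply every restriction".
    const sbMatch = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?(?=\s|$)/i.exec(attrs);
    const sandbox = sbMatch ? (sbMatch[1] || sbMatch[2] || '') : null;
    findings.push({ id: idMatch ? idMatch[1] : null, sandbox, verdict: classifySandbox(sandbox) });
  }
  return findings;
}

// Constructed sample page with four ad slots, from unrestricted to fully locked down.
const SAMPLE_PAGE = `
<div class="ads">
  <iframe id="slot-a" src="https://ads.example/tag?slot=a"></iframe>
  <iframe id="slot-b" sandbox="allow-scripts allow-top-navigation" src="https://ads.example/tag?slot=b"></iframe>
  <iframe id="slot-c" sandbox="${RECOMMENDED_SANDBOX}" src="https://ads.example/tag?slot=c"></iframe>
  <iframe id="slot-d" sandbox src="https://ads.example/tag?slot=d"></iframe>
</div>`;

// Ids of frames whose policy still lets an ad redirect the page without a gesture.
function framesAllowingAutoRedirect(html) {
  return auditAdFrames(html)
    .filter((f) => f.verdict === 'unsandboxed' || f.verdict === 'auto-redirect-possible')
    .map((f) => f.id);
}
```

Two caveats apply. The sandbox governs only what runs inside that frame; an ad tag injected directly into the page’s own scripting context is not constrained by it, which is one reason real-time blocking of the creative itself is still needed. And `allow-same-origin` should not be combined with `allow-scripts` on a frame whose document is same-origin with the page, since such a frame can reach up and remove its own sandbox.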
Dangers of Malvertising
The most immediate and damaging effects of malvertising are effects on the user. At best, malvertising is annoying and disruptive. For example, to make an auto-redirect on mobile disappear, the user would most likely need to turn off their phone, delaying their ability to access important information on the go. Or, unwanted pop-ups and pop-unders can slow down or temporarily freeze a user’s browser. Let’s not forget spyware and other malware that runs totally undetected on a user’s device — the user could see reduced battery life or a slower-running system without understanding the source of the issue.
At worst, when the malvertiser is actually successful in their attempts to deceive and defraud, the user is effectively robbed. If they are convinced to pay money, or to share personal information such as a Social Security number or banking details, pursuing those bad actors for criminal activity could range anywhere from prohibitive to impossible. Prosecuting malvertisers and overseas scammers is arduous and requires the participation of multiple law enforcement divisions. And as we’ve also said, malvertisers commonly sell the user data they’ve obtained to other criminals. The affected user could easily be robbed again, by an even more distant entity.
Malvertising can discourage users from trusting not only the site where they had been attacked, but from trusting digital media in general. In an era when many premium publishers feel the need to encourage users to trust and be well-informed by their content, and to push hard against the effects of misinformation, the appearance of malvertising on their site sets back a publisher’s efforts. Even when the user is not attacked with a redirect or enticed to click through to a bad landing page, the mere appearance of suspicious or salacious ads can chip away at their trust.
The GeoEdge team estimates that malicious activities cost industry stakeholders, including publishers, upwards of $1B million annually, including identification, documentation, and remediation.
The Cost of Malvertising for Publishers & Platforms
Malvertising can cost publishers and platforms in the moment and into the future, in time and resources spent cleaning up bad ads, and in loss of potential revenue. When a malvertising attack hits its site or platform, a business needs to act swiftly, in order to protect its users from harm and/or reassure its partners of its high standards and professionalism. The process of tracing the source of a bad ad — including communicating with demand sources and other supply-chain partners — is time-consuming and exacting, and it takes digital professionals away from the projects that help move the business forward. Meanwhile, troubleshooting by turning demand partners on and off leaves revenue on the table.
As users take matters in their own hands and begin installing ad blocking software, they chip away at the publisher’s ability to monetize their sessions. And the effects are permanent, for the lifetime of their relationship with the site (and any site). Ad blocking software is a real threat to publishers’ livelihoods — by some estimates, it costs publishers globally anywhere from $16 billion to $78 billion per year.
How Malvertising Affects Revenue
When users choose to avoid a site because they believe it’s unsafe or the publisher doesn’t value their engagement, there’s a ripple effect on the business’s bottom line. The publisher loses the ability to monetize the lifetime value of that user. Having a reputation for hosting bad ads can not only decrease traffic for a publisher, but also harm any publisher’s or platform’s efforts to solidify relationships with business partners. Publishers will choose to de-prioritize or stop working with platforms known for hosting bad ads, and so will quality advertisers.
Malvertising incidents can easily lead users to download ad blockers. Aside from the fact that these ad blockers prevent publishers from monetizing users’ sessions, some ad blocking software makes for a worse user experience. The software may slow down page load — and some ad blockers don’t even block all ads, but allow ads from buyers who have paid the software developer to be whitelisted. And some of those ads could still contain malvertising.
Diminished traffic and reputation drive down CPMs, and open the door to new ad quality issues from malicious or low-quality advertisers to whom higher CPMs would be a barrier to entry.
Anti Malvertising: Techniques for Detecting Malware
Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it off your site and platform, the process can be daunting. Homegrown or low-tech processes can be heavily manual, error-prone, and reactive rather than proactive. For many publishers who choose to handle malvertising outbreaks on their own, the first sign that their site is affected will come from users, reaching out via email or social media. An attack sets off a mad dash to remove the bad ads from the site and trace them back to their demand sources, which is especially frantic when the attack comes after business hours or on weekends, as is often the case. So how do anti-malvertising researchers detect malvertising?
Publishers and ad platforms use any combination of common preventative methods to stop malvertising before it can affect users, including:
- Blocklists: URLs and domains used by undesirable advertisers — including bad actors in the ad ecosystem — should be proactively blocked. However, blocklists only work well at stopping known bad actors, not newly emerging threats. Also, bad actors can evade blocklists by frequently changing the URLs they use.
- Real-time protection: Because malvertising campaigns evolve and spread so quickly, real-time protection is the most comprehensive and fail-safe protection. A well-established real-time solution, like GeoEdge’s, will be able to detect patterns in creative code that resemble already-known malvertising code — thereby allowing the publisher or platform to stop and inspect a new potential threat before it’s trending. Automated QA also speeds up in-house workflow, and allows publisher and platform teams to focus on more strategic monetization efforts.
- Manual review: Manual review may be time-consuming, but it’s still an important part of malvertising prevention. There is always a place for human insights drawn from an understanding of the full context in which the user will be seeing the ad.
- Creative scanning: All legitimate entities along the ad chain should scan creatives for potential hazards — all stakeholders need to contribute to a safe and transparent marketplace. However, scanning is a fairly basic security measure, and it looks at only a sample of all the ads coming through. Even without cloaking — which is designed to evade scanners — bad ads could easily pass.
- Partner vetting: Understanding your prospective ad partners’ history of managing malvertising threats (or failing to do so) can help you make the right decisions, with the right level of risk, for your business. Talk with your industry peers about their experiences with your prospective partners as well.
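An added JavaScript example (not GeoEdge’s code) of the blocklist method above. It matches landing URLs by registrable domain rather than by exact string, so rotating hostnames and brand-lookalike subdomains under a known-bad domain are caught, while a domain never seen before still passes, which is exactly the limit described above. The blocked and approved domains, the hostnames in the checks and the simplified public-suffix table are all constructed.

```javascript
// Added example, not GeoEdge's code: matching landing URLs against a blocklist
// by registrable domain rather than by exact string.

// Constructed blocklist of registrable domains. Placeholders under reserved
// TLDs, not real indicators.
const BLOCKED_DOMAINS = new Set(['scam.example', 'badactor.test']);
// Constructed allowlist of advertisers the publisher has approved.
const APPROVED_ADVERTISERS = new Set(['legit-brand.example']);

// Registrable domain (eTLD+1). This toy version knows only a few multi-label
// public suffixes; a production check should consult the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Parse the URL and reduce it to its registrable domain; null if unparsable.
function landingDomain(url) {
  try { return registrableDomain(new URL(url).hostname); } catch (e) { return null; }
}

// Fail closed: an unparsable landing URL is treated as blocked.
function isBlocked(url, blocklist = BLOCKED_DOMAINS) {
  const domain = landingDomain(url);
  return domain === null || blocklist.has(domain);
}

// A creative is only trusted as "from an approved advertiser" if its landing
// page really sits on the approved domain, not merely contains its name.
function isApprovedAdvertiser(url, allowlist = APPROVED_ADVERTISERS) {
  const domain = landingDomain(url);
  return domain !== null && allowlist.has(domain);
}

// The naive check a hand-rolled QA script might use, kept here for contrast:
// a substring test is satisfied by any URL that merely mentions the brand.
function naiveContainsApprovedName(url, allowlist = APPROVED_ADVERTISERS) {
  return [...allowlist].some((name) => url.includes(name));
}
```

The contrast case is a URL such as `https://legit-brand.example.scam.example/login`: the substring check accepts it because the approved brand name appears in it, while the registrable-domain check resolves it to `scam.example` and blocks it. A brand-new domain that appears on no list passes both checks, which is why the guide pairs blocklists with real-time inspection.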
Red Flags Indicating Your Malvertising Protection Isn’t Effective
The old adage “You don’t expect it to happen until it happens to you” feels familiar to many publishers and ad platforms. It’s common enough to believe that because you’ve never been hit by a malvertising attack, your existing security efforts must be sufficient. Naturally, being under attack changes that attitude quickly, and calls for enhanced security just as quickly. Here are some signs that your site or platform’s security might be impacted by malvertising, before the problem becomes grave:
Sudden increase in CTR on display ads
CTR in the 2020s is generally low — but clickbait-style “fake ads” favored by malvertisers today have unusually high CTR. This ostensibly positive development might actually indicate your site is under attack and your users are being duped.
In-banner video on the site or platform
This is not necessarily a sign that you’re currently under attack, but it’s a good indicator that one or more of your demand partners has been compromised, or is dropping the QA ball. Tell your demand partners if you’re seeing IBV, and ask for details about their security measures.
Negative social media mentions
When a user wants to complain to a company, it’s often faster and more convenient for them to do so on Twitter, Facebook or a customer review site than it is to email the company. A publisher or customer support team must remain vigilant and search for mentions of the company’s name.
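As an added example (not GeoEdge’s code), this JavaScript turns the first red flag above, a sudden CTR increase, into a check over a daily creative report. The report rows, creative ids and thresholds are constructed; the baseline is the median creative CTR so that one runaway creative does not pull the baseline up with it.

```javascript
// Added example, not GeoEdge's code: flagging creatives whose click-through
// rate is far above the rest of the site.
// Constructed report rows: date, creative id, impressions, clicks.
const SAMPLE_REPORT = `
2024-03-01,crt-101,50000,60
2024-03-01,crt-102,42000,55
2024-03-01,crt-103,38000,40
2024-03-02,crt-101,51000,58
2024-03-02,crt-102,40000,50
2024-03-02,crt-103,39000,45
2024-03-03,crt-101,52000,61
2024-03-03,crt-102,41000,52
2024-03-03,crt-204,8000,640
`;

function parseReport(text) {
  return text.trim().split('\n').map((line) => {
    const [date, creativeId, impressions, clicks] = line.split(',').map((s) => s.trim());
    return { date, creativeId, impressions: Number(impressions), clicks: Number(clicks) };
  });
}

// Pool impressions and clicks per creative across the report window.
function ctrByCreative(rows) {
  const totals = new Map();
  for (const r of rows) {
    const t = totals.get(r.creativeId) || { impressions: 0, clicks: 0 };
    t.impressions += r.impressions;
    t.clicks += r.clicks;
    totals.set(r.creativeId, t);
  }
  return [...totals].map(([creativeId, t]) => ({
    creativeId, impressions: t.impressions, clicks: t.clicks, ctr: t.clicks / t.impressions,
  }));
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Flag creatives whose CTR exceeds `multiplier` times the median creative CTR.
// Creatives below `minImpressions` are skipped: a handful of clicks on a tiny
// sample is not evidence of anything.
function ctrAnomalies(rows, { multiplier = 5, minImpressions = 1000 } = {}) {
  const stats = ctrByCreative(rows).filter((c) => c.impressions >= minImpressions);
  if (stats.length === 0) return { baseline: 0, flagged: [] };
  const baseline = median(stats.map((c) => c.ctr));
  const flagged = stats
    .filter((c) => c.ctr > baseline * multiplier)
    .map((c) => ({ ...c, ratio: c.ctr / baseline }));
  return { baseline, flagged };
}
```

On the constructed report the three established creatives sit near a 0.12% CTR while `crt-204` runs at 8%, roughly sixty-five times the median, and is the only one flagged. A flag here is an investigation trigger rather than a verdict: the next step is to pull that creative and its landing page for review.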
You can mitigate rising malvertising threats by regularly communicating with your demand partners, and understanding what threats they and their partners have seen.
In the event of a serious attack, consider partnering with an ad quality vendor that can be integrated and start blocking bad ads quickly, as GeoEdge can.
Malvertising Protection: Solutions Beyond Security
Seeing as malvertising is so complicated that even a guide such as this demands such a broad and wide-ranging explanation, it makes sense that ad security and quality is a thriving subset of the digital ad industry. The rapid spread of auto-redirects alone spawned a cottage industry of solutions aimed specifically at stopping redirects. But in choosing an ad quality partner, it’s deeply important to work with a partner that has shown success in combating a wide range of ad security and quality issues, not just the malvertising trend du jour. GeoEdge is that seasoned, comprehensive partner publishers and platforms can rely on for the long run. In vetting a partner to help prevent malvertising and a wide variety of other security and quality threats, ask whether your potential partner has these characteristics:
- The threat of malvertising is too great to a digital company’s users, partners and overall business to manage it after the fact — and today’s malvertisers are too wily for anything other than real-time blocking to suffice.
- Malvertising is truly the tip of the iceberg, and a real ad quality partner addresses less-obvious threats to users, as well as the concerns advertisers have about the environments where their ads appear.
- Automation allows your in-house teams to focus on growing your ad-related business, not just maintaining the business you have.
- Don’t make the mistake of focusing on one vector of attack, at the expense of the next vector malvertisers might favor.
- For brand safety, for good user experience, and to maintain users’ trust in a publisher’s site, ad content and page content must be aligned. Among publishers, 91% believe heavy-handed and overly broad blocklists hurt their overall revenue. More control over categorization allows in more of the right ads for the right environment.
- When GeoEdge blocks an ad, it inserts a clean ad the publisher has approved in advance, so the user’s session will still be monetized fully.
- Look for a partner who has persevered through several waves of malvertising trends, and has shown a positive track record throughout. A trustworthy partner should have deep experience and a commitment to continued research and product development.
- An ad quality partner must deliver not just technology, but human response and understanding. Look for customer service that responds rapidly and internalizes the needs and desires of your business.
GeoEdge is unique among ad security and quality vendors in that it embodies and enacts all of these characteristics, and serves as a committed partner to your business rather than simply a vendor. True ad quality partnership transcends malvertising and malware, and addresses the countless subtleties and unseen threats in digital media. Reach out to the GeoEdge team today to learn what we can do together to detect and stop malvertising — and any other ad quality and security issues affecting your business, users, customers, clients and partners.