Push Ads: A New Attack Vector Plaguing Users
There’s no denying that Push Ads have taken over the digital advertising ecosystem. But will they continue to steadily rise in popularity? We say YES!
Unfortunately, as push ads grow in popularity, so too does the threat to publishers’ end-users.
As publishers develop new innovative methods of engagement, cybercriminals trail closely behind with plans to exploit these innovations.
Push Notifications vs. Push Ads Notifications
Simply put, push ads are a new type of native ad format.
Push advertising delivers ads to users’ desktop or mobile devices in a form resembling usual push notifications. It’s highly-engaging nature has lead to its growing popularity in the digital advertising world.
Image: Voluum
There are two types of push ads: mobile and web browser
Because this ad format resembles SMS notifications, push ads are more familiar and natural to users, especially on mobile.
In its benign use, push ads are served by legitimate publishers and advertisers- to send out relevant offers or updates. In it’s more sinister use, cybercriminals leverage the new format to send out malicious bait.
So, how do malicious actors serve unsolicited advertisements and encourage users to download malicious software?
Heres Where it Gets Dirty
Malicious ads often use social engineering tactics to trick users into downloading unwanted software, purchasing fake products and services, or giving up valuable personal information
What is social engineering?
Social engineering is the manipulation of human emotion to serve the purpose of a malicious actor. The term describes the wide range of malicious activities that use psychological manipulation to trick users into making security mistakes.
Social engineering attacks like these occur when users believe they are downloading or accessing a legitimate service.
The most commonly targeted psychological traits include carelessness, curiosity, and desire.
What makes social engineering especially dangerous is the fact that it relies on human error rather than software vulnerabilities.
The Malicious Push
Wondering exactly how users are baited?
Cybercriminals deploy ads about ‘news’, cash prizes and rewards to advertisements for goods and services, and beyond.
The purpose is not always for users to be convinced by the ads, but often for cybercriminals to exploit a pay-per-view payment program.
If they can also manage to steal some data while they’re at it, all the better.
This distinct social engineering attack tries to trick users into subscribing to its push notifications so that they can send unwanted advertisements directly to users’ devices. On mobile and desktop, these malicious attacks feature browser hijacking and full-screen hijacking.
When a user clicks somewhere on the page other than the buttons to allow or block a push notification this causes the browser to switch to full screen mode.
Suddenly users wind up in a loop of push notifications, that prevents the user from doing anything else, with the only escape being consenting to receive the push notification.
These campaigns flood users with malvertising, by bouncing users to scam sites, including the forced download of malware, or similar vicious threats.
As malvertising grows bolder, publishers must step up their defense.
Malvertising is a lucrative business for criminals all over the world which allows them to profit off a publishers reputation, inventory, and traffic.
If you’re thinking, I’m a small publisher, why would they care about me?
Well, malvertisers target smaller publishers banking on the presumption that smaller publishers lack resources to mount a full defense.
Meanwhile, premium publishers are targeted because of their highly engaged, highly valuable audiences.
The Simple Solution?
Ad Verification.
An essential first step towards revenue optimization includes implementing verification technology that screens out security and quality risks well in advance, helping to take the fear out of fill.
While push ads are a popular way for publishers to engage their readers, publishers must recognize the growing risk and take the necessary steps to ensure that their users are protected. That includes implementing verification technology to ensure only quality ads are served.
GeoEdge specializes in automating security and quality assurance.
The real-time blocking solution specializes in blocking a range of bad ads, including latent, non-compliant, or otherwise performance-damaging ad creatives.