Malvertising: Defined Explained & Explored

Malvertising affects users around the globe every day — and its effects are often immediate and visceral. Malvertising is, to the broader public, the face of ad security and quality. More accurately, to those in the industry, malvertising is the face of the enemy of ad security and quality. Malvertising has been around for as long as digital advertising has, and malware has been around as long as it’s been possible to compromise the security of devices, programs, and platforms.

We’re here to explain what malvertising is, how it behaves, and how it can be prevented in today’s world. We’re here to underline the threats to users and to other digital businesses, to describe warning signs of malvertising before they become a serious problem, and to illuminate a path forward, where publishers can monetize their ad inventory and ad platforms can trade freely with their partners without the overhanging threat of malvertisers driving away their audiences and damaging their bottom line.

“Malvertising” simply means “malicious advertising.” More specifically, the term “malvertising” refers to digital ads that are either designed and deployed with explicitly malicious intent, or compromised by bad actors. There are many different forms of malvertising categorized by the various actions triggered when the malicious ad reaches the user’s screen, by the vector of attack, and by other factors. But the common element is the use of the ad creative, or any vulnerable points along the ad supply chain, to negatively affect the end user. When malvertising reaches its target user, which could be a broad target, or a target as specific as a typical legitimate ad campaign will aim to reach — it deploys its payload. The payload is whatever malicious entity the ad delivers.

Malware and malvertising overlap with each other, but aren’t the same thing. Malvertising may contain malware, and it may direct the user to a landing page where they are prompted to download malicious software. A malicious script, by contrast, can trigger software already on the user’s device to perform an action. Some malvertising campaigns entice the user to take action on their own, with no additional software or scripts involved. And malware can reach a user’s device through points other than the ad slot, including the browser or a corrupted program or file. To the user, malvertising may appear frightening or annoying, or by contrast, the user might not even notice its effects. But malvertising isn’t just a bother — it’s a criminal enterprise. Malvertisers are commonly out for the user’s credit card or banking information, either to steal money from them or to sell that data to other criminals.

Malvertising comes from third parties that, in one way or another, have access to a publisher’s ad slots and/or the creative that renders in them. Often a malvertiser will execute a media buy starting from the DSP, just like any legitimate advertiser. In other cases, the malvertiser will insert its payload via inventory reselling, or some other unsecured point in the supply chain. For the malvertiser, this is an efficient and scalable method of causing harm. There’s no need to take control over the publisher’s entire site or server, and typically there’s no need for the user to perform any action other than loading a web page. A malvertising campaign can have international reach, and can be targeted to particular geographic regions, demographics, or device types. Malicious code in an ad creative will take the form of a URL. Ad scanning tools at points along the supply chain will scan the creative’s code for suspicious URLs, but malvertisers get past scanners by using cloaking — hiding their real URLs within code that looks legitimate (for example, resembling the URL of a legitimate company) or at least innocuous to a scanner or human QA. The cloaked URL slips past these relatively low-tech security measures and reaches the user’s screen undetected. Malvertisers commonly take advantage of opacity of the programmatic market. Between the DSP and the publisher sit any number of SSPs, ad exchanges and ad networks — a web of supply paths where bad ads can pass. Accountability may be tricky among programmatic players — most users aren’t even aware of the existence of the intermediaries along the supply chain, so those intermediaries have little to lose in the PR game. And many criminal malvertising enterprises exist beyond the borders of their target users — out of local jurisdiction, and extremely difficult to prosecute. Where Can Malware Hide?

There are several paths malvertisers can pursue to reach their target user. Here are some of their options, which can execute in standard display, video or in-app environments:

Malvertisers evaluate consumer behavior and trends within various countries and first create attack blueprints including various creatives and landing pages that will best suit the targeted users.

Much like traditional marketers, malvertisers test the effective-ness of their campaigns by first launching probing campaigns to gauge which campaigns prove most effective.

Capitalizing on their short window of opportunity, once the malicious campaign reaches the target ROI, the attack is scaled to reach a wider range of users.

Malvertising takes advantage of normal digital ad distribution channels. Adware is software designed to render ads to the user. Sometimes adware is legitimate, and the user has consented to it — for example, as a way for a developer to monetize software that is otherwise free to the user. But sometimes adware is placed on the user’s device without the user’s consent. In either case, whether the developer has ill intent or their software is compromised, adware may contain malware. Malvertising itself, as we’ve said, takes many forms, through many vectors of attack. Here are some common forms of pre-click and post-click malvertising, and how they’re deployed:

Beyond the general categories of malvertising, the digital media industry has seen several prominent and recurring malvertising campaigns in recent years. These campaigns have been detected by GeoEdge, whose security researchers quickly came to understand the campaigns’ behaviors and characteristics. Here are some pervasive, distinct malvertising campaigns GeoEdge has studied:

In many malvertising campaigns, the most harmful elements are not actually carried in the ad creative itself. Often, the creative will appear on the page to function like a normal ad, and only when the user clicks through will they land on a page that contains malware or a setup for a scam. As such, anti-malvertising efforts need to inspect not only the ad creative, but the landing page behind the ad.

How Do Malvertisers Evade Detection?

Cloaking hides both of these pieces — the creative the user sees, and the landing page it leads to. The malvertiser will launch a campaign using ad creative in disguise — as it passes down the supply chain, the creative will appear to be harmless and legitimate at first glance. Scanning will reveal a landing page URL that also appears to be legitimate. When the ad reaches a human environment, its code will automatically swap that false creative for the real creative the malvertiser wants the user to see. The code will also make the real, malicious URL interactive for the user, so it links to the unsecure landing page. The landing page may even appear legitimate to the user — counterfeiting the design and branding of a premium publication or brand, and/or with a URL that appears to represent a well-known company. This whole process is designed to take advantage of the user’s trust in the brand they think they’re interacting with, and the publisher that hosted the ad. But the malicious landing page will, with or without the user purposefully initiating a download, deliver malware to the user’s device; or prompt the user to begin communicating directly with the malvertiser, who will try to extract personal information or money from the user.

Malvertising has historically been challenging for publishers and platforms to combat because of the technical sophistication of malvertisers. Digital professionals often speak of malvertising prevention as a game of Wac-a-Mole because whenever they come to understand one campaign, bad actors confuse them by deploying new tactics through new vectors of attack. Publishers and platforms rarely have the resources to keep up with new attacks on their own, and need assistance from an ad quality vendor, whose technology is advanced enough to continually block even brand-new malvertising attacks. In 2020, the industry saw a dramatic increase in attacks that totally evaded ad scanners — because the creative in these campaigns doesn’t use malicious code, but instead uses a creative that plays with the user’s psychology and engagement with page content.

Examples of Fake Ads

The strategy is to entice the user to click on an ad, where they’re led to an unsafe or untrustworthy landing page. With the COVID pandemic keeping millions of people at home and extremely online, the industry saw a rapid uptick in ads featuring:

The small screen offers particular opportunities for malvertisers. Users on mobile are often in a hurry, looking for a quick solution, so they have little patience for interruptions. Small screens with delicate response make erroneous clicks on ads a nearly inevitable phenomenon. Unfortunately, there is sometimes a symbiotic relationship between app developers and ad platforms: If an ad platform is paid on a CPI (cost per install) basis, and if a developer relies on that platform to distribute ads to drive up downloads of the app, then the platform is essentially incentivized to run more ads from buyers they’re not necessarily familiar with yet. This makes it easier for bad actors to slip their campaigns through.

Auto-redirects affect both mobile and desktop, but especially mobile. GeoEdge research found 72% of all redirects occurred on mobile.

An auto-redirect can send a user directly to the app store for the same reason a user can easily click through from, say, a browser or an email, to content in an app that’s already on their device. (Think of clicking through a link to see particular content in Twitter, LinkedIn, or your health provider’s app containing COVID test results.) The malicious redirect, however, will commonly no longer work after the first time it’s launched, making it challenging for publishers to trace and troubleshoot manually.

The most immediate and damaging effects of malvertising are effects on the user. At best, malvertising is annoying and disruptive. For example, to make an auto-redirect on mobile disappear, the user would most likely need to turn off their phone, delaying their ability to access important information on the go. Or, unwanted pop-ups and pop-unders can slow down or temporarily freeze a user’s browser. Let’s not forget spyware and other malware that runs totally undetected on a user’s device — the user could see reduced battery life or a slower-running system without understanding the source of the issue. At worst, when the malvertiser is actually successful in their attempts to deceive and defraud, the user is effectively robbed. If they are convinced to pay money, or to share personal information such as a Social Security number or banking details, pursuing those bad actors for criminal activity could range anywhere from prohibitive to impossible. Prosecuting malvertisers and overseas scammers is arduous and requires the participation of multiple law enforcement divisions. And as we’ve also said, malvertisers commonly sell the user data they’ve obtained to other criminals. The affected user could easily be robbed again, by an even more distant entity. Malvertising can discourage users from trusting not only the site where they had been attacked, but from trusting digital media in general. In an era when many premium publishers feel the need to encourage users to trust and be well-informed by their content, and to push hard against the effects of misinformation, the appearance of malvertising on their site sets back a publisher’s efforts. Even when the user is not attacked with a redirect or enticed to click through to a bad landing page, the mere appearance of suspicious or salacious ads can chip away at their trust.

The GeoEdge team estimates that malicious activities cost industry stakeholders publishers upwards of $1B million annually, including identification, documentation,and remediation

Malvertising can cost publishers and platforms in the moment and into the future, in time and resources spent cleaning up bad ads, and in loss of potential revenue. When a malvertising attack hits its site or platform, a business needs to act swiftly, in order to protect its users from harm, and/or reassure its partners of its high standards and professionalism. The process of tracing the source of bad ad — including communicating with demand sources and other supply-chain partners — is time-consuming and exacting, and it takes digital professionals away from the projects that help move the business forward. Meanwhile, troubleshooting by turning demand partners on and off leaves revenue on the table.

Ad Blockers

As users take matters in their own hands and begin installing ad-blocking software, they chip away at the publisher’s ability to monetize their sessions. And the effects are permanent, for the lifetime of their relationship with the site (and any site). Ad-blocking software is a real threat to publishers’ livelihoods — by some estimates, it costs publishers globally anywhere from $16 billion to $78 billion per year.

How Malvertising Affects Revenue

When users choose to avoid a site because they believe it’s unsafe or the publisher doesn’t value their engagement, there’s a ripple effect on the business’s bottom line. The publisher loses the ability to monetize the lifetime value of that user. Having a reputation for hosting bad ads can not only decrease traffic for a publisher but also harm any publisher’s or platform’s efforts to solidify relationships with business partners. Publishers will choose to de-prioritize or not work with platforms known for hosting bad ads, and quality advertisers. Malvertising incidents can easily lead users to download ad blockers. Aside from the fact that these ad blockers prevent publishers from monetizing users’ sessions, some ad blocking software makes for a worse user experience. The software may slow down page load — and some ad blockers don’t even block all ads, but allow ads from buyers who have paid the software developer to be whitelisted. And some of those ads could still contain malvertising. Diminished traffic and reputation drive down CPMs and opens the door to new ad quality issues from malicious or low-quality advertisers to whom higher CPMs would be a barrier to entry.

Without the aid of trustworthy, high-tech solutions for detecting malvertising or malware and keeping it from your site and platform, the process can be daunting. Homegrown or low-tech processes can be heavily manual, error-prone, and reactive rather than proactive. For many publishers who choose to handle malvertising outbreaks on their own, the first sign they see of their site being affected will be from users, reaching out via email or social media. And frequently, malvertising attacks occur after business hours or on weekends. An attack can set off a mad dash to remove the bad ads from the site and try to trace them back to their demand sources — especially frantic when an attack comes during nights or weekends, as is often the case. So how do anti-malvertising researchers detect malvertising?

Curious how the pros do it?

Publishers and ad platforms use any combination of common preventative methods to stop malvertising before it can affect users including:

The old adage “You don’t expect it to happen until it happens to you” feels familiar to many publishers and ad platforms. It’s common enough to believe that because you’ve never been hit by a malvertising attack, your existing security efforts must be sufficient. Naturally, being under attack changes that attitude quickly, and calls for enhanced security just as quickly. Here are some signs that your site or platform’s security might be impacted by malvertising before the problem becomes grave:

CTR in the 2020s is generally low — but clickbait-style “fake ads” favored by malvertisers today have unusually high CTR. This ostensibly positive development might actually indicate your site is under attack and your users are being duped.

This is not necessarily a sign that you’re currently under attack, but it’s a good indicator that one or more of your demand partners has been compromised, or is dropping the QA ball. Tell your demand partners if you’re seeing IBV, and ask for details about their security measures.

When a user wants to complain to a company, it’s often faster and more convenient for them to do so on Twitter, Facebook or a customer review site than it is to email the company. A publisher or customer support team must remain vigilant and search for mentions of the company’s name.

You can mitigate rising malvertising threats by regularly communicating with your demand partners, and understanding what threats they and their partners have seen.

In the event of a serious attack, consider partnering with an ad quality vendor that can be integrated and start blocking bad ads quickly, as GeoEdge can.

ISeeing as malvertising is so complicated that even guide such as this demands such a broad and wide-ranging explanation, it makes sense ad security and quality is a thriving subset of the digital ad industry. The rapid spread of auto-redirects alone spawned a cottage industry of solutions aimed specifically at stopping redirects. But in choosing an ad quality partner, it’s deeply important to work with a partner that has shown success in combating a wide range of ad security and quality issues, not just the malvertising trend du jour. GeoEdge is that seasoned, comprehensive partner publishers and platforms can rely on for the long run. In vetting a partner to help prevent malvertising and a wide variety of other security and quality threats, ask whether your potential partner has these characteristics:

GeoEdge is unique among ad security and quality vendors in that it embodies and enacts all of these characteristics, and serves as a committed partner to your business rather than simply a vendor. True ad quality partnership transcends malvertising and malware and addresses the countless subtleties and unseen threats in digital media. Reach out to the GeoEdge team today to learn what we can do together to detect and stop malvertising — and any other ad quality and security issues affecting your business, users, customers, clients and partners.