Malvertising: How It Ruins a User’s Day, and Destroys Their Trust in Digital Advertising

It’s Saturday morning. You have just brewed your first (or second, or even third, no judgments here) cup of coffee, and now you’re lounging on the sofa, checking the local news on your phone. You encounter an ad on the page and suddenly, through no action of your own, you are forcefully redirected through a series of websites at rapid-fire speed, finally landing on a page offering you a $1,000 Amazon gift voucher, as long as you provide them some details, of course.

Alternatively, you may have just arrived at your favorite cafe after a tough day at work, ordered your beverage of choice, sat down at your favorite spot, and broke out your laptop to check out the latest article on your favorite fansite (movies, fashion, West Highland Terrier appreciation, again, no judgments) when an ad catches your eye. You click on it, and suddenly a new page pops up with a massive WARNING: your system has been infected with multiple viruses and you have 30 seconds to call tech support before your entire system is compromised beyond all repair.

Regardless of the setting, device, or website, in both scenarios, you’ve just been the victim of demand-side ad fraud, also known as malvertising.

A Brief History of Malvertising

Malicious advertising (Malvertising) occurs when threat actors inject malicious code into digital ads, often through third-party javascript exploits. Once their dangerous payload has been hidden within a seemingly legitimate looking advertisement, these same threat actors will often pose as real advertisers to get the bad ads distributed via legitimate ad networks to the users of the very website spend lots of their digital time each and every day, leaving thousands of users exposed to, and at risk of falling victim to various attack methods, like exploit kits, ransomware, or forced redirects to sweepstakes scams to name a few.

Malvertising isn’t a new problem by any stretch. The first recorded example of an attack, according to Wikipedia, took place between 2007/08 when a malware loaded ad affected a number of major publishers at the time, MySpace among them. In the decade-plus since that first attack, a number of major sites – including the New York Times, BBC, Forbes, The Onion, and even the NFL – have unwittingly displayed malicious attacks targeting their own users, usually with profit as the driving motive.

Threat actors follow the money, and there’s a lot of money in digital advertising, particularly with the explosion of programmatic, where everything is ramped up, making the process highly exploitable, and making it difficult for publishers to have real visibility as to where the demand they are running is really coming from.

Read More: Thinking Back and Looking Ahead at the Programmatic Ecosystem – Brand Safety is No Longer a Pipe Dream

A Fragile Digital Trust

Frequently within the digital ad ecosystem, discussions about trust and transparency focus on supply-side fraud, otherwise known as invalid traffic. Advertisers long ago began demanding that publishers guarantee the clicks they pay for are from real, live humans rather than bots, or the results of schemes like ad stacking or cookie stuffing. The fraud happening on the demand-side, though, requires a similar conversation, both between ad platforms serving ads and publishers displaying them, but it’s also key to talk about the impact on user trust.

Great content is what draws visitors to publisher sites. Once a user has stumbled upon a site that consistently delivers engaging content, they keep coming back. Publisher sites require high-quality user traffic to keep advertising revenue coming in, and that revenue, in turn, drives their ability to create regular, unique content. There is undoubtedly a very interconnected relationship between the advertiser/ad platforms serving the ads, the publishers running them, and the visitors who view them whilst spending time on their favorite sites. This relationship is fragile and can be completely destroyed when a malicious attack occurs.

The digital advertising ecosystem is quick to bemoan the use of ad blockers by users, as they view this as a breach of the unspoken contract they have with users because ad revenue from clicks keeps sites running and creating. Ad blockers hurt revenue streams, making it harder for publishers to keep users engaged. And, while they do help to protect a user from harmful attacks, they aren’t perfect and can be bypassed by creative, determined cybercriminals. However, when observed from the point of view of a user who was forcefully redirected to a phishing page designed to collect their personal or financial details, or fallen victim to ransomware because of a bad ad running on their favorite site, it’s difficult to blame them for wanting to keep themselves protected.

Read More: Ad Fraud: The New Way to Launder Money

How to Take Back Control & Keep Users Safe

When asked why they employ ad blockers when browsing websites, users often cite ads containing viruses or bugs as a major driver, however, they also state their willingness to engage with relevant digital ads when it is safe to do so. For publishers who — perhaps unfairly – bear the ultimate burden of keeping their visitors safe, there are steps that can be taken to take back control in the fight against malicious ads and keep visitors safely engaged with great content.

Understanding your demand is a crucial first step. Identifying where the demand is coming from, and which partners operating on your domain can be trusted to work proactively to keep that demand threat free. Many ad platforms have made great strides to tackle the issue, and are proactively working to filter out bad ads before they reach their publisher’s sites. Strong, transparent relationships between publishers and platforms, allows for open communication when issues occur, making it all the more likely they can be snuffed out before putting a user in danger.

Finding a dedicated digital ad security partner that can work with you to monitor, detect, and prevent malicious ads before users have a chance to view them is the most effective way to tackle the problem. But when looking at a security provider, it’s important to take a detailed look at their approach to eliminating digital risk inside. Your provider should offer a comprehensive, multi-pronged approach that provides for analysis at the preflight stage, followed by frequent, daily scanning during the campaigns active lifecycle for detections based on modern, first-party threat data, rather than solely relying on third-party historical data.

Know what you are buying. Some security providers rely heavily on “real-time” malware blockers as an easy solution to a complex, ever-evolving problem. While these blockers can be a great last line of defense style tool in your overall compliance framework, they are based on a cache system, meaning they can only block threats they’ve previously encountered. Anything new (and if there’s one thing we can say for threat actors, they are always updating and innovating their attack methods) will slip through the cracks, putting users at risk. Today’s modern threats require a solution with a crawler powered by modern browser technology in order to properly identify and contain them.

There is no silver bullet for ending the problem of malvertising. It requires diligence to actively monitor creatives to ensure compliance, partners willing to work together in order to act against threats when they arise, and a desire to ensure that user security and experience are always a top priority. Keep your users safe, and they’ll keep their faith in you.

Read More: What’s Up, Doc?: How Digital Technologies and AI Are Changing Healthcare