As publishers recognize the true cost of malvertising, recent cases highlight the damage

And it should, according to experts, as approximately $1 billion revenue was lost last year. Even so, publishers are often missing the evidence. Only when an aggregate of data ultimately tells them they’re losing traffic do they take notice, and those moments are becoming more frequent.

“One thing that publishers are very much aware of is the redirect, when the page gets hijacked, the user journey on the page is interrupted, and they’re sent to some scam or to some malware,” said Jerome Dangu, co-founder and CTO of Confiant, a company that works with publishers and brands to deter and mitigate malvertisers. “For publishers, it’s terrible, because they lost that user for that session, and maybe the user will not come back because they don’t trust that the site is safe. 

“And then there are [more complex] cycles in security as attackers iterate,” Dangu continued, “and they’re pushing the limits of what can be done to continue to exploit an environment.”

Malvertising is an increasingly sophisticated threat

Malvertising attacks are becoming more sophisticated, moving away from simple redirects to a more complex pathway that involves malicious clickbait. For example, some ads target older people with offers featuring celebrities such as Paul McCartney and Mel Gibson.

With a click, recipients are redirected to a fake Bitcoin opportunity, which connects them to a call center, typically in Eastern Europe. The unsuspecting victim is set up with a fake portal that shows their bitcoin investment doing well, and so the victim is coaxed into “investing” more money. They are, of course, being scammed out of every cent they spend.

“In the UK, just two weeks ago, we found 20 million ads like this on our publisher clients’ sites,” said Dangu. 

Some celebrities have filed or threatened to file lawsuits against malicious advertising agencies. But it’s not clear if these lawsuits are discouraging advertisers from using a familiar face to propagate convincing Bitcoin scams.

Other cases, globally, include bad actors in China, where malvertisers have leveraged Javascript to create a notification that appears on victims’ mobile devices, usually a convincing carrier-branded scam. The interface convinces the victim that they have won a smartphone, prompting them to input their payment information and resulting in a data-theft transaction.

In some cases, scammers leverage client-side fingerprinting to inspect the user’s environment in real time and evade quality controls. They lure users onto a cloaked landing page that may look innocuous — if simple or slightly pointless — and then gathers information to send back to their malicious server. The scammer scrutinizes the collected data and decides what to do next. As time has progressed, the fake ads have gotten more sophisticated, too, mimicking blog and platform-specific social-media ads with increasing polish.

A problem rooted in organized crime

Publishers and brands may not realize that the traffic they lose only harms their revenue — and reputation — it often contributes to international criminal enterprises.

The malvertising ecosystem is believed to be connected to the funding of organized crime rings — often in Eastern Europe. For example, scam-generated revenue has been shown to flow to a crime syndicate headed by a man known by his nickname “The Wolf of Kiev.”

“It’s an economy,” Dangu said. “The people that do these attacks are businesses. And they’re very professional, well organized and they work together. And they collaborate with affiliate networks that are essentially promoting malicious offers. You could think of it like this: I’m a source of traffic, I have traffic to sell, and I have a payload to deliver to victims. So, I sell inventory in these ad networks, which allows me to interact and transact.”

What publishers and brands can do about malvertising

Dangu emphasized that turning a blind eye to protect revenue can have serious consequences. The response that can stem the flow? Turning off malvertising spigots when publishers find them.

“You can have the whole 98% of the ecosystem that has strong rules and typically if you find malvertising incidents and your analysis identifies a buyer, that buyer has to be removed and blocked,” Dangu said. “If the platform is not willing to do that, because they’re protective of their revenue, then they are complicit in the malvertising that’s happening on that platform. We’re continuing to see these kinds of half-hearted efforts.”

Steps that will bring publishers closer to a whole-hearted response include questions like the following, each a step toward diligence when looking at partners that can help detect and prevent malvertising.

• Can the security partner pivot as malvertisers shift from redirects to more sophisticated attacks and tactics?
• Is the solution simple to use, or will the publisher need to invest time and money in training their team?
• Can the publisher’s team gain immediate insights into the source of issues and the relative performance of different SSPs?
• Ad quality and security go hand-in-hand: What protections does the vendor provide for quality issues such as undesired video or audio, heavy ads and non-monetizing ads?

The first step in successfully combating a problem is acknowledging that one exists. As brands and publishers take a proactive approach to malvertising, including vetting partners and focusing new attention on supply, they are helping to break the cycle that devalues their properties, funnels audiences away from their pages and sends money to criminals around the world.