Malvertising Is Maturing, And So Must Our Industry

Only the strong survive: This has long been an inspirational tenet for ad tech, but it also describes the industry’s insidious malvertising problem.

Better technology and broader awareness have mostly constrained the most conspicuous breed of malvertising – forced redirects – that plagued us five years ago. What’s left now is a new strain of attacks that are more diverse, more profitable and harder to detect: malicious clickbait, tech-support scams and malware-infected software downloads.

The solution lies in another cliché: strength in numbers. Actions by individual publishers and platforms simply cannot keep pace with the agility of bad actors. Collectively, however, the industry has the force of its technical prowess to maximize its protection.

From bad to worse

In the good old days, ubiquitous malvertising was driven by easy-to-exploit Flash and drive-by downloads. Now Flash has been deprecated, the ad industry is investing in security vendors, and browser security is maturing to better contain redirecting ad scripts. But the bad guys didn’t give up and switch to more honest pursuits just because drive-by downloads and forced redirects became less feasible. The smart ones found better, less conspicuous ways to compromise the ad tech infrastructure.

Today’s scammers use sophisticated cloaking techniques, disguising the real URL deep within the code of ad tags to sneak past automated ad scanning tech and manual QA. This cloaking also allows them to operate much more like legitimate advertisers and buy ad inventory on publisher sites, social media and in-app ad platforms.

These malvertisers then use speed and agility to their advantage, delivering malicious clickbait, tech support scams and malicious software downloads. The game has turned from Whac-A-Mole to cat and mouse.

Malicious clickbait is the most insidious of these new types of malvertising. A form of financial fraud, these cloaked investment scams have surged since 2019, when first reported by Confiant as FizzCore attacks. At one point, in 2021, they represented 90% of the attacks we detected.

Even recently, display ads were the primary vector for malvertising. Today, investment scams permeate every form of digital advertising – inside walled gardens; through in-app, native and video ads; and, of course, within display ads. And because users are often embarrassed to have fallen for these scams, much of the problem goes unreported.

A revenue-raiding scourge for ad tech

The result is a problem that appears quieter on the surface but is even more prolific – and much more damaging to users – than before. One in every 400 programmatic ads is malicious. And unlike tech-support scams and malicious software downloads, the impact of malicious clickbait is directly financial: The bad actors aren’t trying to infect a device or steal credentials. They are going straight for the user’s wallet.

The FTC estimates Americans lost over $1.7 billion to investment scams in 2021, and 2022 was expected to well outpace that loss. That money isn’t just being stolen from unwitting users; it is money that won’t get properly invested into legitimate financial vehicles. Financial damage at that scale not only hurts the reputation of the publisher seen serving those ads but destroys the trust between users and the financial industry. The FTC also reported the damage is severe enough that it’s attracting government attention. The UK, with its Online Safety Programme, is actively reviewing its regulatory framework of paid-for online ads to tackle “the evident lack of transparency and accountability across the whole supply chain.”

Unsurprisingly, cautious users are installing ad-blocking software, threatening the ad revenue stream of all ad tech by decreasing the number of ad impressions served. Between 2014 and 2019, ad blocker penetration rates in the US increased from 15.7% to 25.8%. That number includes 100% of the US Intelligence Community.

A collaborative solution

The seemingly obvious answer is supply-chain transparency, so platforms and publishers can nip malvertising campaigns in the bud. But the problem is that enough entities have decided transparency is a threat to their business model, and ad tech implements all of its transparency initiatives as one-way mirrors.

Modern malvertising preys on this lack of transparency. To overcome it, both sides of the industry must learn to act as partners. Initiatives like DemandChain Object, Buyers.json and client-side disclosures of Creative IDs (CRIDs), slow moving as they are, represent our best hope of concretizing the gains of the past five years before the malvertising game evolves again into something even worse.
