One in every 250 ad impressions is still problematic, research suggests

Advertising networks are increasingly aware of malvertising

Malvertising is a thorn in the side of legitimate publishers that rely on ads to generate revenue online.

Malvertising involves the abuse of online advertising to spread malware. This typically involves injecting malicious code or malware-laden advertisements into legitimate online advertising networks.

Malicious adverts served through advertising networks can end up being displayed on legitimate websites through pop-ups, drive-by downloads, or redirects to exploit kits. Visitors are diverted to fraudulent domains, phishing pages, and malware payloads as a result of this cybercrime tactic.

The New York Times, the London Stock Exchange, Forbes, The Onion, and The Daily Mail have all fallen prey to malvertising campaigns in the past.

Cheq, an online ad verification specialist, estimates that marketers will lose $23 billion this year in online ad spending because of fraud. However, advertising networks are increasingly aware of the problem and are attempting to filter out bad ads.

But there’s still more work to be done in order to protect the legitimate advertising ecosystem, according to a new study released on Tuesday by media and publisher protection specialist Confiant.

The Demand Quality Report analyzed a sample of 120 billion ad impressions in Q3 of 2019 and found that malicious adverts, in-banner video, and low-quality advertising continue to plague the industry.

Malicious advert volumes also dropped to 0.15% of overall ad impressions, in comparison to 0.25% in Q2 2019.

This does show progress, but according to Confiant, “one in every 250 impressions was [still] marred by a serious security or quality issue” – a rate that equates to four billion problematic impressions a month based on an average of one trillion ads being served online in the same timeframe.

Slipping past detection

Nearly every ad network improved their detection rates over the quarter, with one surprising exception: Google Ad Exchange.

In previous Confiant reports, the tech giant was the best performer and malicious ad impressions reached no further than 0.02%. That being said, in Q2, violation rates increased by 320% to 0.08%.

“Still, they remain a top performer, with their violation rate coming in at 0.08% vs. 0.15% for all impressions monitored,” the report notes.

There are four “highly sophisticated threat groups” that are responsible for the majority of malvertising attacks in Q3, Confiant claims. These threat actors are known as Scamclub, RunPMK, eGobbler, and Zirconium.

Scamclub uses a “spray and pray” technique, bombarding ad networks with hundreds of malicious ads on a daily basis designed with slight variations and basic obfuscation in the hopes of a small percentage making it past security checks.

eGobbler enjoys exploiting obscure browser vulnerabilities to bypass protections against pop-ups and forced redirects, whereas RunPMK focuses on mobile traffic and attempts to abuse Google Display and Video 360 (DV360).

Zirconium is the most advanced, utilizing browser fingerprinting techniques to target desktop browser sessions and sophisticated JavaScript-based obfuscation.

While bad ad impressions are on the decline, the company notes that in Q3 2018, there was a similar downturn – only for malicious impressions to rocket in Q4.

Confiant anticipates that history will repeat itself this year as fraudsters take advantage of reduced staff levels at ad networks over the holidays.

“Publishers have it tough because with programmatic advertising they usually have little visibility into the true sources of the demand running on their sites,” Eliya Stein, Confiant security engineer, told The Daily Swig.

“Apart from security measures like working with an anti-malvertising vendor, sandboxed iframes, and a strong Content Security Policy, it's important that publishers form relationships with platforms that they can have a quick feedback loop with when issues surface.”
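
A coarse audit of the two publisher-side controls Stein names, sandboxed iframes and Content Security Policy, checked against the pop-up and forced-redirect behaviour described above. This is an added example, not code from Confiant or The Daily Swig; the function names, finding labels, sample attribute strings and the `ads.example` host are constructed for illustration, and the CSP check does not model `'strict-dynamic'`.

```javascript
// Added example: coarse audit of an ad slot's iframe sandbox attribute and a page CSP.
// All sample values below are constructed; ads.example is a placeholder host.

// sandbox === null models an <iframe> with no sandbox attribute (no restrictions).
function auditSandbox(sandbox) {
  if (sandbox === null) return ["no-sandbox"];
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  // Lets the ad navigate the publisher's top-level page without a user click.
  if (tokens.has("allow-top-navigation")) findings.push("forced-redirect");
  if (tokens.has("allow-popups")) findings.push("popups");
  // Windows opened by the ad would not inherit the sandbox.
  if (tokens.has("allow-popups-to-escape-sandbox")) findings.push("popup-escapes-sandbox");
  return findings;
}

// Parse a CSP header into directive -> lowercased source list (first duplicate wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const fallback = policy.get("default-src");
  const scripts = policy.get("script-src") ?? fallback;
  const frames = policy.get("frame-src") ?? policy.get("child-src") ?? fallback;
  const pinned = (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s);
  if (!scripts) findings.push("script-src-missing");
  else {
    if (scripts.includes("*")) findings.push("script-src-wildcard");
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
    if (scripts.includes("'unsafe-inline'") && !scripts.some(pinned)) findings.push("script-src-unsafe-inline");
  }
  if (!frames) findings.push("frame-src-missing");
  else if (frames.includes("*")) findings.push("frame-src-wildcard");
  return findings;
}

const weakSlot = "allow-scripts allow-popups allow-top-navigation";
const hardenedSlot = "allow-scripts allow-top-navigation-by-user-activation";
const weakCsp = "default-src 'self'; script-src * 'unsafe-inline'";
const hardenedCsp = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-src https://ads.example";
console.log(auditSandbox(weakSlot), auditSandbox(hardenedSlot));
console.log(auditCsp(weakCsp), auditCsp(hardenedCsp));
```

An empty findings list means only that none of these specific weaknesses were found; it says nothing about the ad creative itself.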
