BAD ADS, DEFINED
WHAT IS MALVERTISING?
Unlike ad fraud, which compromises the quality of web traffic through fake users and bots, malvertising compromises the safety and quality of digital ads—using them to spread malware or phishing campaigns. While ad fraud mainly affects advertisers, malvertising targets publishers and users with tactics like forced redirects that trick users into installing malware onto their computers. That’s not only bad for a user’s experience—it’s bad for business, too.
Short for malicious advertising. When cybercriminals sneak malicious code into real advertisements, creating bad ads with a nefarious purpose.
Short for advertising technology. An umbrella term for the software and tools that help brands and agencies target, deliver, and analyze their digital advertising efforts. These can include supply-side platforms (SSP), demand-side platforms (DSP), data management platforms, ad networks, exchanges, and more.
Disruptive Ad Behaviors
Pop-ups, auto audio, in-display video, and other annoying ads that interrupt the user experience and skyrocket bounce rates.
Ads with a large file size that slow your site, tank performance, leading to lost users and lost revenues.
Consent Management Platform (CMP)
CMPs request and track users data privacy consent to help with GDPR, CCPA, and other data privacy regulations. CMPs allow websites to inform visitors about the types of data they want to collect and ask users for consent for specific processing purposes.
A technique attackers use to force visitors onto an unknown site where they may be infected with malware or shown a fake ad that collects personal information. Redirects can happen through a link, a disruptive pop-up ad, or a webpage overloaded with display ads.
A type of online scam where a criminal diguises themselves as a legitimate and trusted advertiser in order to steal sensitive information from the user.
A clever way to hide malicious activity from security tools. Cloaked ads use fake ad creatives and landing pages to diguise the scam and bypass detection showing a different ad experience to ad quality scanners than to real viewers.
People/groups who use technology to create malicious advertisements with the purpose of stealing sensitive company information or personal data for their own profit.
Criminals, scammers, fraudsters, threat actors, and unscrupulous advertising companies that anonymously send bad ads out into the advertising ecosystem.
A general term for computer programs that hackers use to wreak havoc and gain access to sensitive information. The three main types of malware are viruses, worms, and trojans.
The process of compressing or "stuffing," one or more normal size ads into a single 1x1 pixel frame on a publisher's site. The ad becomes virtually invisible to the user but still triggers an impression with every visitor that lands on the site.
Misleading, false or fraudulent messaging in advertising designed to steal money, personal information or both from victims.
High-risk Ad Platforms (HRAPs)
Ad platforms that are notorious for delivering high-risk ad creatives and are the preferred vector for malicious actors. While HRAPs offer some safe demand, their high rates of malicious ads make it a wise decision for most publishers to block them.
AKA malicious cryptomining. When cybercriminals hack into someone's business or personal computer, laptop, or mobile device and use its power and resources to mine for cryptocurrencies or steal cryptocurrency wallets owned by unsuspecting victims. The code is easy to deploy, runs in the background, and is difficult to detect.
Fake Software Updates
A type of "drive-by download" used to trick site visitors into downloading malware that gives the attacker remote access to their device.
Fake Ad Servers
When Hackers breach outdated servers and append malicious code to existing ads. This type of attack Confiant uncovered and labeled "Tag Barnacle" because the malicious code is attached to a previously valid Revive Ad server.
Unsafe Click Trackers
AKA: Hyperlink Auditing is an HTML standard that can be used to track clicks on web site links. This is done by creating special links that ping back to a specified URL when they are clicked on. It can be used to illegally track personal information.
When malvertisers layer multiple ads on top of one other, but only the top ad is visible. When the user clicks on the top ad, a click is registered for all the ads in the stack and advertisers end up paying for all those false ad impressions and clicks.
A type of toolkit cybercriminals use to distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash®, Java®, Microsoft Silverlight®.
A form of cookieless tracking that users can’t easily discover or opt-out of. It involves creating a unique fingerprint of a user’s computing device based on the myriad characteristics that differ from one computer to another (screen resolution, operating system, fonts installed, etc).
Auto-play audio ads that play as soon as the page or ad loads. These are usually considered disruptive, can contain inappropriate language, and can cause slow load times.
Auto-play video ads that play as soon as the page or ad loads. These are usually considered disruptive, can contain inappropriate imagery, language, and can cause slow load times.
When bad actors sneak multiple, high-cost video ads into low-cost banner ad placements. The scammer secures a low cost placement, poses as the publisher who was auctioning the ad space, joins a different exchange, and offers a higher-value video opportunity. Then they accept multiple bids for the same slot, stack the videos on top of each other, and place a static display ad on top. The publisher thinks they got what they asked for and serves the ad. The user triggers impressions for all the ads. And the scammer pockets the difference between what they paid for the banner ad and what the video placements paid.
A disruptive, graphical user interface (GUI) display area, usually a small window or Ad, that suddenly appears ("pops up") in the foreground of the visual interface. Some authors of pop-up advertising create on-screen buttons or controls that look similar to a "close" or "cancel" option. When the user chooses one of these "simulated cancel" options, the button performs an unexpected or unauthorized action (such as opening a new pop-up, or downloading an unwanted file on the user's system.
Brands whose ads may be offensive, competitive, or inappropriate for a specific publisher's site or audience based on their consent (or age).
Categories or types of ads that may be offensive, competitive, or inappropriate based on publisher's choices, or audience based on their consent (or age).
A pop-up graphical control element in the form of a small window that communicates information to the user and prompts them for a response. These can be inserted in bad ads to force the user to complete the on-screen action. Any response can install malware or initiate an unwanted software program.
Flash Cookies (LSO)
AKA: Local Shared Object (LSO), Zombie Cookies, or commonly called a Flash cookie (due to its similarity with an HTTP cookie), is a piece of data that websites that use Adobe Flash may store on a user's computer. They store information about the websites you visit and can persist even after you opt-out of behavioral ad tracking or delete HTML cookies.
Geo Location Requests
Uses geotargeting (provided by mobile service providers) to pinpoint potential customers and supply them with ad content relatable to them. This is a form of tracking and can violate the privacy consent of users who have not opted-in to tracking.
Public service announcement ads or other non-revenue producing ads. Often these are used to replace any empty ad space that still exists when the page is served - often these are used to replace bad ads that were removed if the ad impression space was not re-sold.
Ads that use misleading language or imagery to garner clicks or sell products and services of dubious quality.
Advertiser Blocked Ads
Ads that act as a placeholder when a brand-safety blocklist prohibits the original ad from displaying. While not appropriate for the original advertiser, a different advertiser might be interested in inventory.
When there is a mismatch between the tracking behavior of an ad and the consent given (or not given) by a user. User consent is required to fulfill regulatory requirements (GDPR, CCPA, etc).
Any unusual (or unexpected) activity by a person or entity that flouts accepted norms of behavior, rules or regulations.
Cross Site Request Forgery (CSRF)
AKA: XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user.
A type of paid media where the ad experience follows the natural form and function of the User Experience, so that it looks like a trusted part of the content. The user can be lured into clicking on Malvertising that utilizes Native Ads because it looks like trusted content.
Software that integrates with users' Internet browser and interacts with browser functionality automatically.
Rogue Browser Extensions
Server software that integrates with users' Internet browser to add malware, expose private information, control or manipulate the browser for criminal, malicious or subversive purposes.
A digital marketplace that enables advertisers and publishers to buy and sell advertising space.
Supply-Side Platform (SSP)
AKA: Sell-Side Platform, is software used to sell advertising in an automated fashion. SSPs are most often used by online publishers to help them sell display, video and mobile ads.A
Demand Side Platform (DSP)
Server software that is used to purchase advertising impressions (viewable online Ad space) as cost effectively and efficiently as possible.
AKA: Invalid Traffic (IVT) is any attempt to defraud digital advertising networks for financial gain, for criminal purposes or to steal personal information. Most often Ad Fraud is perpetrated through the use of a software Bot, that masquerades as a human to cause the fraud on the digital Ad network.
A link (or button) that is designed to attract attention and to entice users to click that link and read, view, or listen to the linked piece of online content, being typically deceptive, sensationalized, or otherwise misleading, but may also contain malware. Often, the clickbait headline and content is of a sensational, provocative or controversial nature. These types of headlines, along with eye-catching images and social media sharing and commenting are all common elements of clickbait.
"The use of automated software to purchase digital advertising, as opposed to the traditional process that involves RFPs, human negotiations and manual insertion orders. The process uses software programmed to fulfill the buy or sell transactions. "
Not the Elite 8 you want to play against. These are the most prominent malvertising threats that Confiant has detected to date. These nasties have made a name for themselves for a variety of reasons—but we’re onto them all.
Fully licensed to operate as investment brokers across Europe, these companies accumulate victims’ complaints and regulatory friction for their unsavory practices.
Zirconium is notable for their persistence, technical prowess, and ability to adapt in a changing environment.
DCCBoost campaigns consistently include interesting malvertising innovations from a technical standpoint.
The campaigns have a huge presence in Native advertising and often sneak onto publisher sites via lesser known platforms.
eGobbler is a sophisticated attacker that has been observed to exploit sandbox bypasses in both Chrome and Webkit in order to maximize the impact of their campaigns.
Bitcoin Scam landing pages usually present outlandish investment opportunities that are backed by fake celebrity endorsements. Many of these scams are perpetuated at scale by large malvertising groups with big budgets and complex cloaking infrastructure. It is a sub category of Investment Scams.