Malvertising & Ad Quality in Q3 of 2020

Improve your user experience, user trust, & prevent revenue disruption by knowing what's happening within the programmatic ecosystem with our Demand Quality Report. 

 

 


Introduction

To compile the research contained in this report, Confiant analyzed a normalized sample of more than 135 billion programmatic advertising impressions from July 1 to September 30, 2020, from over 40,000 websites and apps. The data was captured by Confiant’s real-time creative verification solution, which allows us to measure ad security and quality on live impressions (not sandbox scans) across devices and channels.

Industry View


How did the industry fare in Q3 2020?

The global Security violation rate declined significantly from Q2 to Q3, driven by continued improvements at a number of larger SSPs. Conversely, the Quality violation rate increased by more than a third.


Q3 Violation Rates by Country

The rate of Security issues in the U.S. exceeded that of all European countries except Spain. Quality issues also tended to be more prevalent in the U.S. 


Violation Rates by Header Bidding Framework


 

SSP Rankings


Security Violation Rate by SSP

SSP-F was the worst performer by a significant margin, with a security violation rate over 50x the best-performing SSP. SSPs K, H, and L also struggled with security issues. All other SSPs performed at the level of the overall industry or better. 


Daily Maximum Malicious Rate by SSP

When under sustained attack, even the best performing SSPs had days where 1 in 25 impressions was a security violation, putting publishers and users at considerable risk.


Quality Violation Rate by SSP


 

Major Threat Groups Active in Q3


Nephos7

This relatively new attacker has been buying large volumes of traffic since Q4 2019 to execute forced redirects to carrier-branded scams. The primary mode of operation for Nephos7 is to churn and burn dozens of CDN subdomains, sometimes for a single push. They leverage well-known CDN providers in order to avoid registering multiple domains.

This is a common tactic used by malvertisers who try to fly under the radar, but Nephos7 relies on it quite heavily.

We believe there to be a close relationship between Nephos7 and eGobbler based on certain shared tactics, techniques, and timing.
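A defender-side sketch of spotting the CDN subdomain churn described above, as an added example that is not Confiant's detection logic: it flags any buyer whose creatives load many distinct subdomains under one shared CDN parent within a short window. The log layout, the buyer seat ids, the placeholder suffixes (`cdn-provider.example`, `edge-host.example`), the threshold and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shared-CDN parent suffixes (placeholders, not real providers).
CDN_SUFFIXES = ("cdn-provider.example", "edge-host.example")

def _t(minutes):
    """Constructed timestamp: a fixed start time plus an offset in minutes."""
    return (datetime(2020, 9, 5, 12, 0) + timedelta(minutes=minutes)).isoformat()

# Constructed sample log: (ISO timestamp, buyer seat id, hostname the creative loaded).
SAMPLE_LOG = (
    # seat-A: 12 throwaway subdomains inside one hour (the churn pattern)
    [(_t(5 * i), "seat-A", f"d{i:02d}x.cdn-provider.example") for i in range(12)]
    # seat-B: one stable CDN hostname reused many times (ordinary asset hosting)
    + [(_t(3 * i), "seat-B", "assets.cdn-provider.example") for i in range(40)]
    # seat-C: 12 subdomains, but one per day, so never many within one window
    + [(_t(1440 * i), "seat-C", f"v{i}.edge-host.example") for i in range(12)]
    # seat-D: many hostnames that are not under a listed CDN suffix
    + [(_t(i), "seat-D", f"h{i}.advertiser.example") for i in range(12)]
)

def cdn_parent(host):
    """Return the CDN suffix that host is a subdomain of, or None."""
    host = host.lower().rstrip(".")
    for suffix in CDN_SUFFIXES:
        if host.endswith("." + suffix):
            return suffix
    return None

def find_churn(log, min_hosts=10, window=timedelta(hours=6)):
    """Map (seat, cdn suffix) -> peak distinct subdomains seen inside any window."""
    seen = defaultdict(list)  # (seat, cdn suffix) -> [(time, host), ...]
    for ts, seat, host in log:
        parent = cdn_parent(host)
        if parent:
            seen[(seat, parent)].append((datetime.fromisoformat(ts), host.lower()))
    flagged = {}
    for key, events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[key] = max(flagged.get(key, 0), len(hosts))
    return flagged
```

A hit only says that one buyer rotated hostnames quickly under a shared parent; it is a triage signal for reviewing the creative, not an attribution to any group.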

eGobbler

eGobbler runs their campaigns in big waves that usually gravitate around the weekends. Lately, the majority of their activity has been centered around European countries, where they deliver disruptive, highly targeted carrier-branded scams.

This is a sophisticated attacker that has been observed to exploit sandbox bypasses in both Chrome and WebKit in order to maximize the impact of their campaigns.


Yosec

Yosec is a threat actor that pushes fake Flash drive-by downloads and tech support scams via forced redirection. 

The bulk of their activity targets Mac devices, particularly the Safari browser. 

Yosec malvertising activities are characterized by short, targeted bursts, but at times we have observed them ramp up to large volumes over the course of several hours.


Definitions

Security Violations

Attempts to compromise the user through the use of malicious ads, trickery, and other techniques. Top issues include: 

  • Mobile redirects
  • Criminal scams
  • Fake ad servers
  • Fake software updates
  • High-Risk Ad Platforms (HRAPs)

Malicious Ads

A creative that includes (often obfuscated) JavaScript that spawns a forced redirect or loads a secondary payload for malicious purposes. Most malicious ads exist to force users to interact with phishing scams, but some infect the user’s device to propagate botnets and other nefarious activities.

High-Risk Ad Platforms (HRAPs)

Ad platforms that consistently serve as major attack vectors for malicious actors. For a platform to receive this designation, we have to consistently observe malicious campaigns on an ongoing basis so that it becomes unclear whether the platform is negligent, complicit, or just overwhelmed.

Quality Violations

Non-security issues related to ad behavior, technical characteristics, or content. Top issues include:

  • Undesired audio 
  • Undesired video
  • Heavy ads
  • Undesired expansion 
  • Video arbitrage (formerly In-Banner Video)

Video Arbitrage

The practice of serving video ads in banner placements without the publisher’s consent, and often without the advertiser’s consent, either. Exploiting an arbitrage opportunity between Display and Video marketplaces, a video ad unit is loaded within a banner placement instead of playing within a media player.

Other Quality Issues

Creative violations across a wide range of different quality specifications selected by the publisher. The dimensions include audio/video related violations, creatives probing for user’s geolocation, the network load of the ad, and much more.


Download the Full Report.

Confiant’s Demand Quality Report informs publishers on current trends and insights by analyzing over 135 billion programmatic advertising impressions from over 40,000 sites and apps.

Learn about major threat groups active & their tactics

The full report details active threat actors, their techniques, & their impact on the digital ecosystem over the last quarter. 

Learn how SSPs are performing

Confiant tracked impressions from over 100 SSPs. However, 75% of global impressions originated from just 12 providers commonly used by publishers. Explore which SSPs are performing the best and worst when it comes to ad quality quarter over quarter. 

Download the full report and access the trends and insights you need to protect your revenue and safeguard your audiences.
