Malvertising & Ad Quality in 2020

Improve your user experience, user trust, & prevent revenue disruption by knowing what's happening within the programmatic ecosystem with our Demand Quality Report. 

 

 


Introduction

To compile the research contained in this report, Confiant analyzed a normalized sample of more than 650 billion advertising impressions monitored from January 1 to December 31, 2020, from over 40,000 websites and apps. The data was captured by Confiant’s real-time creative verification solution, which allows us to measure ad security and quality on live impressions (not sandbox scans) across devices and channels.

Industry View

Security + Quality Issues in 2020

How did the industry fare in 2020?

The Security violation rate for 2020 was 0.14%. The rate fell significantly from Q2 to Q3, then remained flat at just under 0.10% for the remainder of the year. This improvement was largely driven by better quality control at two of the largest SSPs. Conversely, the Quality violation rate increased from 0.25% in Q3 to 0.38% in Q4, an increase of over 50%. The Quality violation rate for the full year was 0.24%.

2020 Violation Rates by Country

Continuing a trend from past years, European markets in 2020 tended to have higher rates of Security violations than the U.S. or Canada. However, the gap between the U.S. and Europe closed over the year, with the U.S. Security rate finally exceeding all major European markets by Q4.

2020 Violation Rates by Header Bidding Framework


SSP Rankings

Q4 and 2020 Security Violation Rate by SSP

SSP-L had the highest Security violation rate in Q4, with a security violation rate 346x higher than the best performing SSP. For the year, SSPs K and I had the worst overall violation rate, but ended strongly in Q4 with both ranking in the top four. SSPs C, G, B, J, and Google consistently excelled at fending off threat actors, while SSP-F struggled in both Q4 and 2020. 

Q4 Daily Maximum Malicious Rate by SSP

When under sustained attack, even well-performing SSPs had days where 1 in 25 impressions was a security violation, putting publishers and users at considerable risk.

Quality Violation Rate by SSP


Major Threat Groups Active in Q4

eGobbler

eGobbler runs their campaigns in big waves that usually gravitate around the weekends. The majority of their recent activity has been centered primarily around the United States and Europe, where they deliver disruptive, highly targeted carrier-branded scams.

This is a sophisticated attacker that has been observed to exploit sandbox bypasses in both Chrome and WebKit in order to maximize the impact of their campaigns.

We believe there to be a close relationship between Nephos7 and eGobbler based on certain shared tactics, techniques, and timing. 

Yosec

Yosec is a threat actor that pushes fake Flash drive-by downloads and tech support scams via forced redirection. 

The bulk of their activity targets Mac devices, particularly the Safari browser. 

Yosec malvertising activities are characterized by short, targeted bursts, but at times we have observed them ramp up to large volumes over the course of several hours.

In February of 2021, Confiant was awarded CVE-2021-1765 for reporting an exploit leveraged by Yosec in order to bypass built-in security mitigations in Safari. 


DCCBoost

DCCBoost campaigns consistently include interesting malvertising innovations from a technical standpoint. 

They use a combination of server-side targeting and a compartmentalized client-side payload in order to deliver the malicious ad in stages.

The Confiant Security Team recently published a detailed analysis of DCCBoost's end-of-year attack on our blog.  

 

Fizzcore-style attackers

In Q3, Confiant witnessed an explosion of new threat actors leveraging Fizzcore-style attacks, as well as a growing sophistication in text and image manipulation. Q4 saw a relative normalization.  

While Germany and the UK continue to be prime targets, interest in other geographies spiked and faded, as seen in Australia (very active until October). Eastern Europe has become a strong focus of interest since November (e.g. Poland, Hungary, Romania).

Additionally, some attackers have gained persistence by aiming at ad platforms (tier-2, native) that do not police against investment scams and provide demand to large SSPs.

Definitions

Security Violations

Attempts to compromise the user through the use of malicious ads, trickery, and other techniques. Top issues include: 

  • Forced redirects
  • Criminal scams
  • Fake ad servers
  • Fake software updates
  • High-Risk Ad Platforms (HRAPs)

Malicious Ads

A creative that includes (often obfuscated) JavaScript that spawns a forced redirect or loads a secondary payload for malicious purposes. Most malicious ads exist to force users to interact with phishing scams, but some infect the user’s device to propagate botnets and other nefarious activities.

High-Risk Ad Platforms (HRAPs)

Ad platforms that consistently serve as major attack vectors for malicious actors. For a platform to receive this designation, we have to consistently observe malicious campaigns on an ongoing basis so that it becomes unclear whether the platform is negligent, complicit, or just overwhelmed.

Quality Violations

Non-security issues related to ad behavior, technical characteristics, or content. Top issues include:

  • Undesired audio 
  • Undesired video
  • Heavy ads
  • Undesired expansion 
  • Video arbitrage 
  • Misleading claims

Video Arbitrage

The practice of serving video ads in banner placements without the publisher’s consent, and often without the advertiser’s consent, either. Exploiting an arbitrage opportunity between Display and Video marketplaces, a video ad unit is loaded within a banner placement instead of playing within a media player.

Other Quality Issues

Creative violations across a wide range of different quality specifications selected by the publisher. The dimensions include audio/video-related violations, creatives probing for the user’s geolocation, the network load of the ad, and much more.

Download the Full Report.

Confiant’s Demand Quality Report provides an inside look into the frequency and severity of ad quality issues in digital advertising. Discover what the top concerns were for premium publishers, how SSPs performed in 2020, and what tactics were employed by malvertisers.

Learn about major threat groups active & their tactics

The full report details active threat actors, their techniques, & their impact on the digital ecosystem over the last quarter. 

Learn how SSPs are performing

Confiant tracked impressions from over 100 SSPs. However, 75% of global impressions originated from just 12 providers commonly used by publishers. Explore which SSPs are performing the best and worst when it comes to ad quality quarter over quarter. 

Download the full report and access the trends and insights you need to protect your revenue and safeguard your audiences.
