Malvertising & Ad Quality Index Q4 2021

(formerly known as Demand Quality Report)

Download full report

Confiant's Malvertising and Ad Quality (MAQ) Index (formerly known as our Demand Quality Report) is a quarterly look into the quality of demand in digital advertising.

Using a sample of over 150 billion impressions monitored in real time each quarter, Confiant is able to answer fundamental questions about the state of creative quality.

Digital advertising delivers significant value to publishers but introduces myriad risks related to security, privacy, and user experience. Malicious, disruptive, and annoying ads degrade user experience and drive adoption of ad blockers.

In 2018, Confiant released the industry’s first benchmark report. This report, the fifteenth in the series, covers Q4 2021 and full year 2021.


  • Security Violations

    Security Violations

    Attempts to compromise the user through the use of malicious code, trickery, and other techniques. Top issues include:

    • Malicious Clickbait
    • Forced redirects
    • Criminal scams
    • Fake ad servers
    • Fake software updates
    • High-Risk Ad Platforms (HRAPs)*

    *Ad platforms that consistently serve abnormal levels of malicious ads and are the preferred vector for malicious actors.

  • Quality Violations

    Quality Violations

    Non-security issues related to ad behavior, technical characteristics, or content. Top issues include:

    • Heavy ads
    • Misleading claims
    • Video arbitrage (formerly In-Banner Video)
    • Undesired audio
    • Undesired video
    • Undesired expansion

Industry View

In 2021 1 in every 125 ad impressions was dangerous or disruptive to users.

How did the industry fare in 2021?

How did the industry fare in 2021?

The Security violation rate in Q4, at 0.14% of total impressions, matched Q3’s high level, which was already the highest in over a year. Looking at 2021 vs 2020, Security issues declined slightly to 0.11%.

The Quality violation rate continued its steady rise, closing the year out at 0.82%. The rate of Quality issues has increased almost 50% from Q1 to Q4 and has increased for six consecutive quarters.

Q4 2021 Violation Rates by Country

Q4 2021 Violation Rates by Country

European markets remained more prone to Security issues in Q4, a pattern we’ve observed for some time. In Great Britain, the Security violation rate more than doubled compared to Q3.

Continuing a trend from Q3, Quality violations were widespread in Canada, exceeding all other markets. Japan’s Quality violation rate more than tripled though remained low.

Q4 2021 Violation Rates by Browser

Q4 2021 Violation Rates by Browser

SSP Rankings

The worst performing SSP had a violation rate 132x that of the best.

Q4 2021 Security Violation Rates by SSP

Q4 2021 Security Violation Rates by SSP

For most SSPs, Security violation rates in Q4 largely tracked their performance for the full year. Exceptions included SSPs K, L and I, which showed significant improvement in Q4 vs the rest of 2021.

Google remained an outlier in terms of both security violation rate and type, with Q4 exceeding their overall 2021 violation rate, Google’s issues here are being driven by fake download ads, not malware, for which more information is provided on slides 25 and 30.

Average duration of attack by SSP Q3 over Q4

Average duration of attack by SSP Q3 over Q4

SSPs differ in their ability to respond to attacks once they are underway. We measure how long it takes from when a threat first appears on an SSP to when it’s last seen. On this measure, we see huge differences among the major SSPs.

In Q4, OpenX’s average response time remained below 1 day, an extremely strong performance.

Q4 and 2021 Violation Rates by SSP

Q4 and 2021 Violation Rates by SSP

Major Threat Groups Q4 2021

  • ScamClub


    Active for many years now, ScamClub malvertisements are defined mainly by forced redirections to scams that offer prizes to "lucky" users, like the all too ubiquitous "You’ve won a Walmart gift card!" or "You’ve won an iPhone!" landing pages.
    ScamClub was abusing a browser vulnerability that Confiant reported earlier in the year (CVE-2021-1801).

  • FizzCore


    Eschewing forced redirects, FizzCore uses creative cloaking to bypass ad quality reviews and drive users to cybersecurity scam sites.
    FizzCore carefully excludes the United States from their attacks, presumably for fear of law enforcement. This is common for investment scam attacks.

  • DCCBoost


    Traditionally focused on mobile redirects, DCCBoost has operated a major shift after going silent since early Q3. Their new campaign forcefully redirects desktop users to a site that poses as McAfee and executes a fake antivirus scan. At the end of the scan, victims are sent to the actual McAfee site to buy the real antivirus.

  • Tag Barnakle

    Tag Barnakle

    Tag Barnakle is a unique threat actor in the malvertising world that specializes in Revive Adserver compromise which they use to inject themselves into the Ad Tech supply chain without having to spend any money on media buys.
    More recently, they have re-infected an ad network that runs on top of Revive and has struggled with Tag Barnakle in the past.

  • Fake Updates and Malicious Downloads

    Fake Updates and Malicious Downloads

    Fake Updates and malicious download buttons are as old as the Internet. A whole ecosystem of dubious apps and services are still leveraging this old clickbait tactic. Targeting mainly the US and Europe, they most often feature a prominent, colorful call- to-action button on a white background.

Download full report

Confiant’s Malvertising and Ad Quality (MAQ) Index provides an inside look into the frequency and severity of ad quality issues in digital advertising. Discover what were the top concerns for premium publishers, how SSPs performed in 2021, and what tactics were employed by malvertisers.

Learn about major threat groups active & their tactics

The full report details active threat actors, their techniques, & their impact on the digital ecosystem over the last quarter.

Learn how SSPs are performing

Confiant tracked impressions from over 100 SSPs. However, 75% of global impressions originated from just 12 providers commonly used by publishers. Explore which SSPs are performing the best and worst when it comes to ad quality quarter over quarter.