John Murphy


The Difference Between Malvertising and Ad Fraud (And Why It Matters)

The terms are sometimes used interchangeably, but they mean very different things, and refer to very different targets.

The words “malvertising” and “ad fraud” are thrown about a lot these days, but what are we really talking about? While these terms are sometimes used interchangeably, there’s actually a significant difference between the two.

In addition, when we break down these terms further, there are a number of different attack types and vectors that can vary based on publisher type, audience targeted and the type of device on which the attack is delivered.

Fraud vs. malvertising is really about traffic quality vs. ad quality

When we talk about ad fraud, what we really mean is invalid traffic, or IVT, as defined by the Trustworthy Accountability Group (TAG) and the Media Rating Council (MRC).

IVT takes a few forms, but the predominant variety is web traffic generated by fake users, or bots. (The MRC splits it into general IVT, such as known data-center traffic and self-declared crawlers that can be filtered with lists and patterns, and sophisticated IVT, such as botnets and hijacked devices, which takes behavioral analysis to catch.) IVT is a traffic quality issue: it degrades the quality of the impressions, clicks, or conversions generated by an inventory source, and the cost is borne by advertisers -- the buyers of traffic -- rather than by users or publishers.
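As an added example that is not part of the original article, and not TAG's, the MRC's or any vendor's filter, here is a minimal IVT filter in JavaScript (Node) that runs over constructed ad-server log lines and reports the invalid share of each inventory source. The data-center CIDR list, the crawler user-agent pattern, the click-rate thresholds and the log lines themselves are all assumptions made for the demonstration.

```javascript
// Added illustrative example (not TAG, MRC or any vendor's filter): a minimal IVT filter
// over ad-server log lines that reports the invalid share per inventory source.
// CIDR list, crawler pattern, thresholds and log lines are constructed assumptions.

// Stand-ins for a data-center IP list (RFC 5737 documentation ranges, not real providers).
const DATACENTER_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"];
// Self-declared crawlers and tooling: general IVT, filterable by pattern alone.
const CRAWLER_UA = /bot|spider|crawl|curl|python-requests|headlesschrome/i;

// Constructed log lines: "<inventory-source> <ip> <event> <user-agent...>"
const SAMPLE_LOG = `
news.example  192.0.2.10   impression Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36
news.example  192.0.2.10   click      Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36
news.example  192.0.2.11   impression Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15
news.example  198.51.100.7 impression Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36
news.example  192.0.2.12   impression Googlebot/2.1 (+http://www.google.com/bot.html)
games.example 192.0.2.50   click      Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36
games.example 192.0.2.50   click      Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36
games.example 192.0.2.50   click      Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36
games.example 192.0.2.51   impression Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile Safari/537.36
games.example 192.0.2.51   impression Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile Safari/537.36
games.example 192.0.2.51   click      Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile Safari/537.36
games.example 192.0.2.51   click      Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile Safari/537.36
games.example 192.0.2.51   click      Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile Safari/537.36
games.example 192.0.2.52   impression Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1
`;

// IPv4 helpers, no dependencies.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

function parseLog(text) {
  return text.trim().split("\n").filter(Boolean).map((line) => {
    const [site, ip, event, ...ua] = line.trim().split(/\s+/);
    return { site, ip, event, ua: ua.join(" ") };
  });
}

// Tags every event with the IVT reasons that apply to it. List-based checks (data-center IP,
// declared crawler) are per event; behavioral checks need per-IP counts across the whole log.
function classify(events) {
  const perIp = new Map();
  for (const e of events) {
    const s = perIp.get(e.ip) || { impressions: 0, clicks: 0 };
    if (e.event === "impression") s.impressions++;
    if (e.event === "click") s.clicks++;
    perIp.set(e.ip, s);
  }
  return events.map((e) => {
    const reasons = [];
    if (DATACENTER_CIDRS.some((c) => inCidr(e.ip, c))) reasons.push("datacenter-ip");
    if (CRAWLER_UA.test(e.ua)) reasons.push("declared-crawler");
    const s = perIp.get(e.ip);
    // A click with no prior impression from the same IP cannot come from a real viewer.
    if (s.clicks > 0 && s.impressions === 0) reasons.push("click-without-impression");
    // Assumed threshold: three or more clicks at a click-through rate above 50% is not human.
    else if (s.clicks >= 3 && s.clicks / s.impressions > 0.5) reasons.push("abnormal-ctr");
    return { ...e, invalid: reasons.length > 0, reasons };
  });
}

// Per inventory source: how many events there were and how many were invalid.
function summarizeBySite(classified) {
  const out = {};
  for (const e of classified) {
    if (!out[e.site]) out[e.site] = { events: 0, invalid: 0, invalidRate: 0 };
    out[e.site].events++;
    if (e.invalid) out[e.site].invalid++;
  }
  for (const s of Object.values(out)) s.invalidRate = s.invalid / s.events;
  return out;
}

const summary = summarizeBySite(classify(parseLog(SAMPLE_LOG)));
for (const [site, s] of Object.entries(summary)) {
  console.log(`${site}: ${s.invalid}/${s.events} invalid (${(s.invalidRate * 100).toFixed(1)}%)`);
}
```

On the constructed log, news.example comes out with 2 of 5 events invalid (one data-center IP, one declared crawler) and games.example with 8 of 9 (three clicks with no impression, plus a device whose click-through rate is impossible). The two list-based reasons are what the MRC calls general IVT; the two behavioral reasons are a toy version of the analysis needed for sophisticated IVT, where real filters look at far more signals than one IP's click ratio.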

Advertisers’ goal is to reach real people who could have real interest in their products and services. Removing the real user from the equation defeats that purpose entirely, and the presence of ad fraud has led to friction, distrust, and inefficiency in the ecosystem.

Digital advertising industry revenue topped $107.30 billion in 2018, up from $90.39 billion in 2017, a year-over-year increase of nearly 19 percent, according to TAG. The amount of revenue at stake is clear motivation for criminals to try to divert as much of that money as possible into their own pockets via multiple schemes. Advertisers lost an estimated $19 billion to IVT in 2018, or about $51 million per day. Worse, that loss is projected to climb to $44 billion by 2022. Meanwhile, publishers lose up to $1.27 billion each year, according to the research.


Malvertising targets publishers, users and their data

Malvertising, on the other hand, is the use of digital ads to deliver malware or phishing campaigns. It concerns the safety and quality of the ad itself, and the impact is borne by publishers and especially by users, who are the malvertiser’s targets.

Malvertising can compromise a user in a number of ways. Forced redirects, where script in the ad navigates the browser away from the publisher’s page to a site of the attacker’s choosing without any click, are by far the most common method. The new site will often masquerade as a system alert to trick users into installing malware on their computer. Less commonly, attackers use exploit kits that take advantage of browser or plugin vulnerabilities to compromise a user’s machine with no user action at all.
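To make the forced-redirect mechanism concrete, here is an added example that is not part of the original article and not any ad-security product’s logic: a static pre-scan, in JavaScript (Node), of ad creative markup for the patterns by which a creative navigates the publisher’s page rather than its own frame. The four creatives are constructed, the pattern list is an assumption for the demonstration, and a real creative scanner would also execute the creative in an instrumented browser rather than rely on the static layer alone.

```javascript
// Added illustrative example, not any ad-security product's logic: a static pre-scan of ad
// creative markup for forced-redirect patterns. Real scanners also execute the creative in an
// instrumented browser; this shows only the static layer. All creatives are constructed and
// the pattern list is an assumption for the demonstration.

// Patterns that navigate the publisher's page (top/parent) instead of the ad's own frame.
const REDIRECT_PATTERNS = [
  // top.location = ..., window.top.location.href = ..., parent.location.replace(...)
  { id: "top-navigation", re: /\b(?:window\.|self\.)?(?:top|parent)\s*\.\s*location\b/ },
  // window["top"]["location"] = ... (bracket access used to dodge naive scanners)
  { id: "top-navigation-bracket",
    re: /\[\s*["'](?:top|parent)["']\s*\]\s*(?:\[\s*["']location["']\s*\]|\.\s*location\b)/ },
  // <meta http-equiv="refresh"> navigates the creative's own document, which is the
  // publisher's page whenever the creative is not isolated in its own iframe.
  { id: "meta-refresh", re: /<meta[^>]+http-equiv\s*=\s*["']?refresh/i },
];

// Decode atob("...") string literals so payloads hidden in base64 get scanned as well.
function decodeBase64Literals(src) {
  const decoded = [];
  const re = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    decoded.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return decoded;
}

// Returns { blocked, findings } for one creative; findings in decoded base64 are labelled.
function scanCreative(html) {
  const findings = [];
  const layers = [
    { text: html, tag: "" },
    ...decodeBase64Literals(html).map((t) => ({ text: t, tag: " (base64-decoded)" })),
  ];
  for (const layer of layers) {
    for (const p of REDIRECT_PATTERNS) {
      if (p.re.test(layer.text)) findings.push(p.id + layer.tag);
    }
  }
  return { blocked: findings.length > 0, findings };
}

// Constructed creatives. A legitimate banner only navigates on a click on its own link.
const BENIGN = `<a href="https://advertiser.example/landing" target="_blank">
  <img src="https://cdn.advertiser.example/banner.png" width="300" height="250" alt="">
</a>`;

// The classic forced redirect: the page leaves for a fake "your PC is infected" alert on load.
const FORCED_REDIRECT = `<img src="https://cdn.example/banner.png">
<script>window.top.location.href = "https://fake-alert.example/your-pc-is-infected";</script>`;

// Same redirect, base64-wrapped and eval'd so a plain-text scan never sees "top.location".
const OBFUSCATED = `<script>eval(atob("${Buffer.from(
  'top.location.href="https://fake-alert.example/";'
).toString("base64")}"));</script>`;

// No script at all: a meta refresh does the navigation.
const META_REFRESH = `<meta http-equiv="refresh" content="0;url=https://fake-alert.example/">
<img src="https://cdn.example/banner.png">`;

const creatives = { BENIGN, FORCED_REDIRECT, OBFUSCATED, META_REFRESH };
for (const [name, html] of Object.entries(creatives)) {
  const r = scanCreative(html);
  console.log(`${name}: ${r.blocked ? "BLOCK" : "allow"} ${r.findings.join(", ")}`);
}
```

The benign creative passes; the other three are blocked, and the obfuscated one is caught only because the base64 argument to atob is decoded and rescanned, which is the minimum an evasion-aware scanner has to do. On the publisher side the same class of attack is also blocked at the browser level: an ad iframe carrying a sandbox attribute that omits allow-top-navigation (for example sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox") cannot assign top.location at all, and allow-top-navigation-by-user-activation permits the navigation only after a real click, which keeps legitimate clickthroughs working while defeating the no-click redirect described above.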

And attacks are moving beyond the desktop as users increasingly use the Web on smartphones and other mobile devices. On mobile, malvertising can be even more of a threat, since the device is always on and carried everywhere the user goes: home, work, weekend outings, shopping, banking and the like. That makes mobile devices a highly desirable target for malvertising.

Programmatic advertising is an extraordinary attack vector for the bad guys

Malvertising is made possible by the same programmatic advertising infrastructure, including third-party ad exchanges, that advertisers and publishers use to buy, sell, position and deliver ads. It offers tremendous reach and targeting capabilities, and malvertisers make full use of them.

Because large websites rely on advertising networks made up of chains of ad resellers, it’s difficult -- if not impossible -- to thoroughly analyze each ad. Even so, most ads receive little scrutiny unless someone has filed a complaint about them.

Additionally, with programmatic advertising, ads are selected per impression and tailored to the individual user, so the creatives on a page are constantly changing and a researcher who reloads the page rarely sees the same ad twice. This makes it difficult for security researchers to reproduce an attack and pinpoint a particular ad as malicious.

Malvertisers also design attacks to work on older browsers, or on systems that haven’t installed patches or security updates. In some instances, they home in on certain publishers or companies because their audience or customer base fits these characteristics.

Such attacks do not only put users’ and customers’ personal and financial information at risk. Publishers lose out too, because victims of malvertising are unlikely to associate an infection with a compromised ad or the ad network that served it; they blame the website or app on which they were infected.

Understanding the terminology and using these terms properly is a first step toward a greater knowledge of the security threats posed by malvertising and fraud. Today, companies that understand the nuances of programmatic, ad tech and cybersecurity have developed the technology to screen, identify and block these threats. Information sharing within the digital advertising industry is one of the best ways to fight this ever-evolving threat.