John Murphy

Why fighting malvertising requires a multi-layered approach

Malvertisers work tirelessly to exploit the fragmented nature of the digital ad ecosystem, yet bad ads are often downplayed as just a publisher or user issue. But the reality is that all parts of the ecosystem -- including marketers, agencies and the ad tech platforms -- are under attack from a variety of malicious behaviors designed with one goal in mind: making illegitimate companies rich.

To minimize the security threat and prevent these bad actors from disrupting the user experience, the industry needs to move toward solutions that analyze and prevent exploits across every layer of the programmatic value chain.

Bad ads don’t have to steal data or infect machines to be bad for everyone

No one wants to help malvertisers steal data or infect user devices, which is why high-profile attacks and phishing scams spark industry-wide concern. But the negative effects of more subtle techniques like forced redirects and ad stacking can be less apparent. Yet the risk to each layer in the value chain applies even when the campaigns don’t make the headlines.

Let’s say a bad actor targets online shoppers with display ads that redirect the user to landing pages where dozens of additional ads load in the background. There’s no malicious data collection, but once the user gets to the landing page, their browser grinds to a halt and they’re forced to close the window and restart their session.

The user is the first victim, who must deal with the annoyance of being diverted from the content they were viewing. But the corollary is that the publisher also suffers a loss in the form of drastically reduced session duration, as that user -- who might have navigated to multiple pages on the publisher’s site during a normal visit -- has been lost mid-session.

There’s also the increased possibility of user churn, since people will likely stop going back to a website once they notice that something “weird” like a redirect happens every time they visit on their phone.

The next victim in this chain is the SSP. Let’s say the publisher’s ad ops team picks up on the sharp decline in session duration and is able to pinpoint the SSP that’s been serving the bad ad. While one or two minor incidents might be excused, publishers can easily opt to stop working with SSPs that deliver security or quality issues -- often with very little impact to their revenue. Losing a major publisher like the New York Times can be catastrophic for an SSP and represent millions of dollars lost annually.

Moving further up the chain brings us to the DSP, where the negative impact of this “harmless” malvertising campaign can also include a hefty price tag. A DSP can lose access to high-quality inventory if the SSP they’re working with gets banned (or chooses to cut off the DSP due to recurring issues), or if they have direct publisher partnerships and get outed as the source of bad ads themselves. This means their advertisers could be cut off from a highly desired inventory source, raising the question of why those advertisers should continue to work with the DSP versus one of its competitors.

But an even greater threat comes in the form of non-payment, since, depending on the size of the deal and the payment terms, this “fake” advertiser could run a campaign, distribute the malware, and then disappear once their ads are detected. If they evaporate without paying, that new six-figure e-commerce campaign that came in right at the end of the month could actually turn into a six-figure loss for the DSP.

Analysis and action across the entire programmatic value chain

While every link in the chain is vulnerable to malvertising, each link also provides an opportunity for defense. As it stands today, the best defense sits at the publisher level in the form of real-time blocking of bad ads.

But to truly combat malvertising, we need to extend protection and analysis to include all DSPs and SSPs -- not just publishers -- and stop bad actors from entering the ecosystem at all.

The first layer of defense would be detecting an issue with the creative (or the buyer behind it) from within the DSP, which would prevent the ad from making it into the ecosystem in the first place. If it were to slip in undetected, the next layer would be analysis on the SSP level, with a solution that alerts them to the risk in real time, allowing the creative to be disqualified from the auction.

And if the malicious ad were able to evade that second layer, the third layer of publisher-level protection would help make sure the ad never got served to a user. Combined, these layers of defense create three unique opportunities to identify a security issue and block it from moving further down the chain.

With a few exceptions, malvertising is often viewed as a “publisher problem” that’s a nuisance (at best) to advertisers. It needs to be reframed as the costly, ecosystem-wide issue it is, with potential pitfalls for sellers, buyers, and everyone facilitating transactions in between.

Staying one step ahead of it requires analysis of both what malvertisers do and who they are, and having visibility and access across the various layers of the ad tech value chain.