facebook twitter

Malvertising takes a variety of forms, including forced redirects, crypto-mining, video stuffing, and more. Malicious ads sneak into our user experiences by stealing legitimate ad creative from other brands and reusing them with additional malicious code inserted.

With the constant evolution of the digital landscape and growing sophistication of malvertising threats, it can be challenging to prevent, stop, or predict the sources of malicious advertising in the programmatic ad ecosystem.

As such, there are a variety of different tools on the market to help combat malvertising. Each of these tools works at a different point in the timeline of malvertising execution, and each with varying degrees of effectiveness. Overall there are two major categories of tools: pre-scanning and real-time solutions.

Understanding when each tool works is key to comparing their approaches and effectiveness.

The timeline below summarizes how malicious ads are executed and details when different classes of tools attempt to detect and stop bad ads.

Malveriser Step 1: Campaign Set Up.

Using a self-service demand-side platform (DSP) or ad network, a bad actor will prepare a malvertising campaign for launch.

Publishers are often “blamed” for malvertising attacks, but they themselves are victims just as much as the end users that receive the ad. Malvertisers are simply using their property as a vehicle to execute their attacks.

Malvertiser Step 2: Creative Review Submission.

Once they’ve finished building their malicious campaign and creative, bad actors have a number of ways they can get their creative in front users. The most common way is by submitting that creative to the DSP for review. Some may also hack ad servers or compromise individual sites. 

Because DSPs have to be accountable to their SSP partners for the quality of the campaigns they deliver, DSPs generally have a creative review process where they attempt to scan or manually review creatives before they begin delivering across real users.

Most of the tools start with a review of the creative submitted by all advertisers to look for signs of malicious activity.

Malvertising Block Attempt 1: Creative Approval Scanner.

The DSP may use creative approval scanners to try and detect a malvertising attack. Creative approval scanners will attempt to check each ad that is submitted to the platform for various markers of malicious behavior.

Malvertiser Step 3: Fingerprint Checks & Scanner Bypass.

Bad actors can structure their code to detect scanners and will not show malicious behavior if it senses their presence. They can cloak their malicious payloads and appear to the scanner as a legitimate ad, rather than a malicious advertisement. In fact, thus far we’ve counted hundreds of methods bad actors use to detect and bypass scanning tools.

Malvertiser Step 4: Campaign Goes Live.

Once a pre-approval scanner has decided that the advertisement is legitimate, it allows the campaign to launch and it can start working to deliver impressions to real users.

Malvertiser Step 5: Pay for Ads & Deliver Malicious Payloads.

At this step, the malvertiser is charged for their ads, ads begin to render on page, and they think they are actively executing their malicious code to redirect users to malicious landing pages.

Malvertiser Step 6: Fingerprint Checks & Malicious Payload Preparation.

Throughout the execution of the campaign, the malicious code will continue to run fingerprint checks to determine if their ad is running on a sandbox or scanning environment versus being presented to a real user.  This happens on every individual device and impression where the creative is served.

If the code finds that it is in a scanning environment, it will hide malicious activity. If the code finds that the impression is being delivered to a real user, it will deliver the malicious payload.

In this case, because it has already bypassed the scanner, and finds that it is running in a live user environment, it will prepare to execute its malicious payloads.

Malvertising Block Attempt 2: Blocklists. 

During delivery, some solutions will attempt to discover the bad actors by matching malicious code URLs against a known “bad URL” blocklist.  Bad actors will often rotate URLs to attempt to bypass this checkpoint.

Bad actors can circumvent URL blocking solutions by rotating the domains they use as well as actively detecting and tampering with various blocklist solutions. 

User Sees an Ad

Only once we get to this step does a user actually see an ad. At this point the creative for the ad has rendered, but the malicious portion of the code has not yet been executed.

Malvertising Block Attempt 3: Behavioral Analysis Tools.

Clean.io uses unique behavioral analysis techniques to stop malicious ads from executing harmful JavaScript after the originally approved creative has rendered, and after the bad actor has purchased the ad. 

Essentially, behavioral analysis solutions like clean.io allow the harmless portion of the original ad to render (the stolen creative) for the user, but block the actual malicious activity.

Some of the benefits of waiting until this step to catch and block malicious activity include:

  • More effective blocking of malicious ads: Because we aren’t relying on knowing previous bad actors or creating a separate environment for detecting malicious activity, but detecting in real-time, behavioral analysis tools are more effective at catching malvertising and preventing users from being affected.
  • Revenue is preserved: Clean.io is the only tool that catches bad actors after they have already paid you, preserving your revenue and ultimately discouraging bad actors from attacking your site in the long term (as it is unprofitable for them to do so).
  • Fewer false positives: Because we wait and block malicious code only when it begins to trigger, there is a lower risk of false positives.
  • No impact on speed or performance: Our software runs in real-time, and doesn’t rely on searching a large block list so there are no impacts on speed for the user.
  • Able to detect “novel” threats: Because we are watching behavior, and looking for malicious activity triggers, we are able to catch attack types we have never seen before they display to users.

User is Affected (or Not) by Malicious JavaScript

Behavioral analysis solutions like clean.io allow the harmless portion of the original ad to render (the stolen creative) for the user, but block the actual malicious activity.

Try clean.io free for 30-days to see why major publishers trust our platform as the simplest, smartest, and most effective anti-malvertising solution available.

Try clean.io free for 30-days