facebook twitter

About one year ago, clean.io launched with our first customer — and so began our journey to make the connected world a better and safer place for advertisers, publishers, platforms, and ultimately, end users. The journey thus far has been fast growing, and fast changing.

Now, over 13,000 sites, apps and platforms rely on clean.io to protect their end users, reputation and revenue. Our customer footprint also provides us with a census on malvertising activity occurring across the Internet on a global basis.

Today is the launch of the inaugural clean.io S.M.A.R.T. Report (Summary of Malicious Ads and Reputation Threats) — a brief quarterly summary of insights derived from our platform over the last 90 days. The report each quarter will be a little bit quantitative, and a little bit qualitative. Hopefully you’ll learn a thing or three. We’ll summarize each of the data points in a blog post, and I encourage you to join in the discussion. The bad guys are definitely not letting up — as you’ll see below, they have stepped up their game in multiple areas. We feel strongly that the more data and insights that we can openly share — we should. And we will. It can only make us all smarter and better.

Welcome to our first S.M.A.R.T. Report infographic!

The first ever clean.io S.M.A.R.T. Report infographic.

Since this is the first quarterly report from clean.io, we chose to start by answering a few basic questions, including when do attacks happen, where do they come from, and what do they look like. This will help establish a baseline for future reports.

International is the new black!

One of the more notable advances we saw in the second quarter was a shift in where malicious activity appears to be occurring. clean.io’s U.S. and international traffic grew over 100% and 273%, respectively, as our business and our customers’ businesses expanded. Instead of proportional growth in malvertising attack volumes in these geographies, we saw the volume of attacks in the U.S. grow by only 11% relative to last quarter whereas international attack volumes grew by 181%. We interpret this as a shift in propensity by actors to increasingly attack international users, possibly on account of a higher probability of evading detection due to lower adoption rates of anti-malvertising solutions relative to U.S. publishers and platforms, the potential for lower cost inventory, and possible changes in revenue incentives.

Bad ads never looked so good (minus the NSFW stuff)!

There was a time where malicious ads simply looked like, well — malicious ads! Poor production quality tended to go hand-in-hand with the terrible user experience they were creating. In the second quarter, we noticed that the bad actors really stepped up their game with respect to their landing page executions. As you can see from the imagery, trusted brands like Facebook, Verizon, Visa, and Amazon (among others) were frequently leveraged in malicious landing pages along with experiences that imply a prize or contest in order to enhance the odds of deceiving end users into taking the desired action.

We also noticed an uptick in the utilization of malicious redirects as a vehicle for delivering NSFW ads and content. We saw creatives that ranged from dating sites to outright nudity/pornographic referral links. If the economics can make sense for the bad actors, there is no telling what they will attempt to use their malicious technology for.

Six different SSPs accounted for 90% of the volume of threats — up from three in Q1!

In 2Q19, we witnessed malicious ads originating from over 30 SSPs. You may be asking yourself, “are there really over 30 SSPs?” Indeed there are. Interestingly, in 1Q19 three SSPs accounted for about 90% of bad ads whereas in 2Q19 six SSPs accounted for 90% of bad ads. While an optimist might claim the problem is contained, with attacks originating from over 30 SSPs the bad actors clearly have their hooks in throughout the ecosystem. Further, the expansion and rotation in delivery channels quarter-over-quarter reflects, to us, the whack-a-mole nature of the problem and serves as a reminder we should remain vigilant against all attack vectors (i.e. the 24 SSPs that weren’t major drivers this quarter could suddenly become a major driver; it appears to rotate).

Weekends and mornings are the most active for bad actors.

It should come as no surprise that weekends are the ‘primetime’ for the execution of malicious ads. Weekends are when ad operations professionals are — hopefully — away from the office enjoying time off and not thinking about ads. Bad actors know this, and take every advantage. This was our busiest quarter yet onboarding new publishers during weekends in order to offer immediate relief from an active attack.

A data point that might surprise you is the time of day when we see malicious ads strike most frequently. Whereas Internet traffic typically peaks during evenings, over the last 90 days the hours of 9am-11am saw the highest volume of malvertising attacks, nearly 35% above the volume of attacks that occur during peak traffic loads during the evening hours.

Publishers using our platform have access to a reporting dashboard that delivers a large variety of data to give them insights as to what is happening on their properties. One of the data points that our partners receive is which browsers the bad actors are attempting to compromise. We obviously see malicious ads entering the ecosystem via pretty much every avenue available — often via brand name browsers like Internet Explorer, Chrome, Safari, and FireFox. OEM browsers like the Samsung Internet Browser (embedded as a factory default in Samsung devices) often hit the radar as well.

In 2Q19, 23% of all of the attacks we prevented happened in embedded browsers within social media apps. Many publishers leverage the audiences across social media to distribute their content, and when consumers engage with content while in the social media apps the user experience keeps the user within the app (by opening the embedded browser). Bad actors exploit the social media browsers because it is easier for them to detect proxying, and can likely get better user engagement by running ads that emulate the look and feel of the social media applications (see the brand impersonation graphics above). Additionally, it is easier for the bad actors to hide as there are no developer tools for these browsers making it harder to reproduce, and thus more difficult to catch the bad actors.

Anything in here surprise you? Are there insights you’d like to see in a future report? We’ll be publishing insights each quarter in an effort to help educate and protect the ecosystem, please don’t hesitate to drop us a line at [email protected]. And, if you need help — even if it is a Saturday morning — don’t hesitate to hit us. We are here to help you to protect your biggest assets — your end users, your reputation, and your monetization!