A few months ago, we started sharing our aggregated data with the very first clean.io SMART Report. With over 13,000 sites and apps now leveraging our technology, we have access to a vast array of anonymized data regarding malvertising trends across the global programmatic advertising ecosystem. This report represents a summary of the most interesting insights we have observed in the ecosystem over the last quarter. Our goal is to make the connected world a better and safer place for advertisers, publishers, platforms, and ultimately, end users. We hope by sharing our ‘Census of the Internet’ data, everyone gets a little smarter about the behavior of malvertisers in order to best protect all stakeholders in the ecosystem.
Last quarter, we focused on the basics — like when does malvertising happen, where does it originate, and even what does it look like. We also talked about the growing surge of malvertising in international markets. This quarter, we’ve seen an even larger surge of malvertising internationally — so we’re going to zero in on the global nature of malvertising, how quickly it is escalating throughout the world, and how the threats seem to be spreading across a more diverse group of SSPs.
- Significant growth in Threat Levels in our top ten countries.
- European countries dominate the top ten impacted geos by Threat Level, having grown significantly quarter over quarter, indicating an aggressive spread of malvertising beyond traditional U.S.-focused delivery.
- The volume of threats has spread to more SSPs — now 11 different SSPs account for 90% of threats, up from 6 in Q2 2019.
- A noted shift in the behavior of malvertisers to close Q3 2019. We have traditionally seen peaks and valleys in the volume of malvertising threats within a quarter, and Q3 2019 followed this trend until September, which saw a shift to a growing aggregate volume of attacks comprised of many more low-volume attack campaigns.
Top ten countries by Threat Level, with a noted scaled shift in European markets.
In Q3 2019, bad actors more intensely focused on European markets. Four out of the top five, and seven of the top ten countries impacted by malvertising are from Europe. In the top four countries alone (Belgium, Italy, France, and Germany), we witnessed an average growth in Threat Level of close to 450% quarter over quarter. In our top four countries by Threat Level, almost 1% of all page views were impacted by malvertising in the quarter. Other notable changes in the top ten include the United States, which experienced a comparatively modest 23% growth in Threat Level quarter over quarter, albeit off a much larger baseline than the other geographies, and the United Kingdom, which saw its threat level decrease 65% quarter over quarter. It should be noted that the U.K. experienced an outsized growth in Threat Level in Q2 2019 predominantly driven by certain attacks in late May 2019 (read the blog post here). Lastly, Portugal experienced the most significant growth in Threat Level in our top ten, growing an astonishing 4,505% quarter over quarter. Based on the significant growth across the top ten, bad actors appear to have dramatically spread their exploits to new global markets in Q3 2019. This is a trend clean.io will continue to monitor throughout Q4 2019.
Top ten countries ranked by their Threat Level in Q2 2019, showing ‘peak day’ and the respective Threat Level in each country.
While looking at a top ten list can help drive awareness of where malvertising is predominantly happening, we felt it was also interesting to understand when each country experienced its ‘peak day’ during the quarter. The behavior of malvertisers differs by country throughout the globe — there is no ‘one size fits all’ when it comes to malvertising. In fact, there wasn’t a single day of overlapping ‘peak days’ among our top ten countries. It has been often noted that malvertisers tend to conduct their exploits on weekends and holidays — and this behavior was witnessed in many of our top ten. In Belgium, we saw the country Threat Level peak at over 15% on Sunday, July 21, which was Belgian National Day. On this day, while the country was celebrating the anniversary of the investiture of King Leopold I, the country’s first monarch — malvertisers were celebrating by attempting to conduct their exploits and negatively impact approximately one in every seven page views. For advertisers — if you were buying in Belgium on sites not protected by clean.io, there is a reasonable chance that a decent portion of your budget went to waste that day with over 15% of all page views impacted by malvertising.
But it wasn’t only happening on national holidays and weekends. In the United States, we saw the ‘peak day’ of malvertising in the quarter happen on July 16. This day was a Tuesday where the Threat Level peaked at close to 5%. What is the significance of this day, you ask? Amazon Prime Day! We don’t think this is a coincidence. The malvertisers somewhat skipped the usual July 4 Independence Day celebrations in the United States and instead focused their attention on Amazon Prime Day where Internet usage was higher than normal as consumers sought out some mid-year bargains.
The volume of threats has spread to more SSPs — now 11 different SSPs account for 90% of threats, up from 6 in Q2 2019.
At the end of Q3, we issued a blog post that articulated the behavior of malvertisers — specifically noting how the behavior of malvertisers is constantly moving between the various entry points in the programmatic landscape. They rarely remain still, often striking broadly between a dizzying combination of SSPs and DSPs — and even those that you think should be considered ‘clean’! In that post, we used a stacked 100% bar graph to show the rainbow of colors representing each SSP that we detected originating malvertising attacks. Dominant colors represent increased threat levels from a single SSP, and you can see it as clear as day. In Q2, there was a single SSP that stood out from the crowd (light blue, above). At the end of June and into July, there was a similar pattern (yellow, above). From mid-July to mid-September — it was a broad range of SSPs that were contributing to the malvertising issue. Then, in early September, a single SSP started separating from the pack (dark blue, above). As you can see — without a single dominant color, it means that the landscape for malvertising is diverse and far-reaching.
In our Q2 2019 SMART Report, we discussed how malvertising is spreading at a rapid rate across more SSPs in the ecosystem. This quarter, the numbers would indicate that this has accelerated. In Q1 2019 — just 3 SSPs accounted for 90% of the malicious activity we witnessed in the ecosystem. In Q2 2019 — we noted that a total of six SSPs accounted for 90% of the malicious activity. This past quarter, that number almost doubled yet again to 11 SSPs. This indicates that the bad actors are more intently spreading their malware across a broader array of supply platforms to conduct their exploits. This past quarter, we announced an anti-malvertising technology partnership with Xandr, a leading global marketplace, in support of their effort to ensure the safety and cleanliness of demand delivered via their marketplace. We are seeing increased interest from leading exchanges and header bidders who wish to proactively differentiate themselves to publishers via the quality of demand they deliver, especially as the problem of malvertising continues to spread more broadly throughout the ecosystem.
Lastly, for those that work in this ecosystem, it is expected that the normal behavior of malvertisers is one of peaks and valleys. They generally tend to come and go, but they never really go away. In the last few quarters, we typically witnessed frequent spikes in malvertising followed by periods of quiet, measured probing by the bad actors. In looking at the last two quarters of aggregated threat level across our platform, you can see these spikes in the aggregate Threat Level. In Q3, you can see that these behaviors were evident in July and August; however, a material shift in behavior occurred in September relative to the prior months. Rather than typical peaks and valleys, the month of September showed a steady and sustained surge in Threat Level orchestrated by an increase in lower-volume individual attack campaigns to close the quarter. It will be interesting to compare this end-of-quarter change we saw in Q3 when we wrap up Q4 to see if this attack pattern continues to evolve rather than revert back to the norms of the past.
Anything in here surprise you? Are there insights you’d like to see in a future report? We’ll be publishing insights each quarter in an effort to help educate and protect the ecosystem. Please don’t hesitate to drop us a line at [email protected] with your questions and feedback. And, if you need help — even if it is a Saturday morning — don’t hesitate to hit us up. We are here to help you to protect your biggest assets — your end users, your reputation, and your monetization!