Ad Blocking and Allow Listings are an incomplete Malvertising Solution

by Andrew Reed, on Apr 8, 2021 11:51:08 AM

The current state of the online ad industry is far from perfect. A clean and transparent solution to harmful malvertising has yet to be executed across the online advertising ecosystem, forcing roughly a quarter of online users to install ad blocking extensions to their browsers.

But ad blocking extensions and allow listing are themselves incomplete solutions and have kept the door open for clever malvertisers to slide past pre scanning tools, leaving the end users still vulnerable to malvertising attacks.

Why Do Ad Blockers Exist and What is Allow Listing?

The large majority of users with ad blocking software say they install extensions because advertisements are bothersome and can slow down websites, while others are concerned with the risk of privacy attacks and viruses.

So in short, 25% of online users protect themselves from the digital advertising industry because they are being handed a disappointing, frustrating, and potentially dangerous user experience.

ad blocker example

In the beginning, these ad-blocking extensions blocked every ad across all websites—full stop. But that of course started to have a significant negative impact on both the publishing and the advertising side of the industry.

So in 2011, Adblock Plus (the most popular ad blocking extension) introduced its Acceptable Ads program. This program set a number of guidelines that allow approved, non-intrusive advertisers (those who don't use pop-ups, noisy ads, redirects etc.) to bypass ad-blocking tools, and charges publishers with more than 10 million impressions a month 30% of their ad revenue. Publishers with less than 10 million impressions can be approved for free.  

Later in 2015, Adblock Plus introduced the concept of "allow listing" by making this list open source and available to competitors, thus making the Acceptable Ads Committee the final word in whose ads are blocked by these extensions and whose are displayed.

But even with allow listing, advertisers and publishers still suffer. Not only can users choose to turn off the acceptable ads option, but restrictions on where, when, and how an ad can trigger cut into impression opportunities—and the 30% take can really cut into the margins of publishers who are just meeting the 10 million impressions mark.

Let's face it—not everyone can be Google.

  -- Article Continues Below --

New call-to-action

  -- Article Continues Below --

Allow Listing Leaves Door Open to Bad Actors

Another major problem with allow listing is that clever malvertisers have already found a successful way around it.

Ad cloaking, or simply "cloaking", is when a bad ad fools pre-scanning tools into thinking it has met the criteria to be allow listed, while burying its deceptive creative and target landing page deep in its code, only to reveal itself as malicious when it is finally in front of the user.

Here's how it works.

how ad cloaking works

What allow listing has done is slap a bandaid on an issue in need of a far more surgical solution. 

Not only are ad blocking extensions hurting publishers and advertisers, but they are still leaving the door open for the end user to be attacked, which will likely push them towards turning the acceptable ad option off. 

Who Is At Fault?

The origin of this issue spawns out of the digital ad industry itself.

If users were given an experience that did not frustrate or attack them, there wouldn't be any need for ad blocking extensions.

But now that the bell is rung, how do you win back your users' trust? 

  -- Article Continues Below --

Read the Case Study

How cleanAD Completely Eliminated Malicious Redirects, Freeing up 60 Hours of AdOps Efforts per Week, for Venatus Media

Read the Case Study

  -- Article Continues Below --


Anti-malvertising products like cleanAD are a great first step towards protecting your users and earning back their trust. Unlike other anti-malvertising solutions, cleanAD does not rely on pre-scanning. 

Instead, it detects cloaked ads at runtime. This allows the ad impression pixel to fire while preventing malicious content, so publishers still get paid and bad actors lose out. 

So, not only are you protecting your users, but you are also creating a financial disincentive for malicious advertising groups.

Another thing to consider is the design of your site itself.  Try asking yourself these questions:

  • How many ads are you running per page? 
  • How many pop ups are users experiencing during their time on your site? 
  • Is your content worth putting up with the amount of advertisements a user will experience? 
  • Can your audience find the same content somewhere else without disabling their ad blockers?

Optimizing the number of ads your audience is served is important to developing healthy ad revenue, but site retention and customer loyalty are a far more effective way of achieving this.

Take the time to create a tolerable ad experience on your site so when you ask ad blocking users that land on your site to disable their ad blocking extensions, they will feel inclined to do so. 

Programs like Detect Adblock and IAB Ad Block Detection Code, among others, offer free solutions that will detect when a user has ad blocking extensions installed. 

After finding the script that works best for you, you'll need to decide what to do with those users who are employing ad blockers. Some sites will totally shut out users with ad blocking extensions, while others will bring them to a new landing page that notifies them and asks them to turn them off. 

how to request website visitors turn off ad blockersDesign your strategy around what you believe your users will have the most positive response to, and try to be as straightforward with them as you can.

Try not to interrupt their experience too much. Sometimes, a small notification is enough. Remember, they installed the ad blocker to prevent annoying incursions to begin with, so popping up and interrupting their browsing will likely elicit the same response.

In this case, a gentler approach may be best.

Let them know that their ad revenue is what makes it possible for you to create the content they enjoy, and ask them to turn off their blockers to help support you and your efforts to deliver high quality content.

System1 Case Study

Topics:MalvertisingMalvertising 101Malvertising Solutions

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates