clean.io SMART Report — Q4 2019
by Matt Gillis, on Feb 3, 2020 6:15:00 PM
Summary of Malicious Ads and Reputation Threats
- While 90% of the threats originated from 11 SSPs (unchanged QoQ), 7 of those SSPs are brand new to the top 11, signaling a shift of malvertising activity to new SSPs during the Q4 surge
- Europe and North America continue to be the regions with the highest Threat Levels in Q4 2019 with peak threat days steering clear of competing with brand demand in Q4
- A predictable surge in Threat Level to end the quarter in the United States, with spikes around each event/holiday in the quarter
- Users are 20% more likely to encounter a malicious experience within an embedded browser relative to traditional mobile browser sessions
Threat Levels generally hit new highs around each holiday to close Q4 2019.
In Q4 2019, fraudsters centered attacks around the lucrative holidays. We witnessed a steady and prolonged surge throughout the quarter, which started at an elevated baseline following increased attacks at the end of Q3. Presumably, bad actors wanted to exploit the days marked by higher consumer engagement with fewer Ad Ops folks in the office during the holidays. Each day (indicated by the spikes noted between Halloween and the end of December) saw Threat Levels generally hit consecutive new highs in the quarter.
European and North American countries continue to deliver the highest Threat Levels globally
As cited in last quarter’s report, bad actors focused intensely on two key global markets — Europe and North America. This remained consistent in Q4 2019. Last quarter, all but one country in our Top 10 saw tremendous growth in Threat Level change. This quarter, a couple of countries exited the Top 10 (Portugal and Norway), making room for new entrants to the Top 10 — Spain and Sweden. Spain showed the largest growth QoQ with a 400% increase in Threat Level. Canada experienced its second consecutive quarter of triple-digit growth in Threat Level. The United States sustained moderate growth, increasing 25% in Q4 (after posting 23% growth in Q3). The United Kingdom bounced back with an almost 100% increase in Threat Level in Q4 following a 65% decline in Q3.
Peak Threat Level days in each country avoided heavy brand budget days in the quarter.
When analyzing the individual peak Threat Level days in each of our Top 10 countries, one thing stands out: bad actors scaled their attacks when brands were either pulling back spend (following the Christmas holiday) or before brands fully engaged their spend (prior to mid-November). Therefore, bad actors were likely able to buy more efficiently without competing with the peak CPMs that accompany Q4 brand budgets.
A new mix of SSPs enter the Top 11 as bad actors move around the ecosystem.
Our SSP data revealed another interesting phenomenon in Q4: malicious campaigns spread to a new set of programmatic pipes after attacking the same channels for the first 9 months of the year. While the top 11 offending SSPs, which accounted for 90% of threats, remained constant in the first three quarters, 7 new SSPs emerged in the top 11 for Q4. Just like bank robbers don’t rob the same bank day after day (unless they are hoping to get caught), bad actors are intent on exploiting vulnerabilities across a wide array of platforms. We expect this game of cat and mouse to continue as bad actors move their exploits from platform to platform.
Embedded browsers in social media apps are at increased risk of attack.
In Q2 2019, we started to investigate end user experiences within embedded browsers. End users are consuming more content within apps like Facebook, Instagram, and Snapchat (to name a few). When users click on content within an app, the article opens in an embedded browser that is operated and owned by the native platform. From a UX perspective, while you are taken to the URL that you clicked on, you actually remain within the embedded browser of the social media app. Our data shows users are 20% more likely to experience malicious ad fraud in an embedded browser than in a traditional mobile web browser (like Safari, Firefox, or Chrome). The reasons bad actors attempt to exploit this channel are straightforward — their landing pages often emulate the look and feel of the app that they are in (in Facebook, the landing page mirrors the Facebook app). Moreover, there are no developer tools for these browsers, which makes malicious experiences harder to reproduce and thus makes the bad actors more difficult to catch. As many publishers rely on this channel to reach their users, we’ll continue to monitor this trend.
Anything in here surprise you? Are there insights you’d like to see in a future report? We publish a handful of insights each quarter in an effort to help educate and protect the ecosystem, so please don’t hesitate to drop us a line at firstname.lastname@example.org and tell us what you’d like to see in an upcoming report. And, if you need help with solving challenges surrounding malicious behaviors on your sites or apps — even if it is a Saturday morning — don’t hesitate to contact us. We are here to help you to protect your biggest assets — your end users, your reputation, and your monetization!