Data Snacks: Labor Day Weekend Yields Elevated Malvertising Attacks Across Network

by Marshall Moritz, on Sep 8, 2021 4:05:59 PM

Holidays have historically been times when malvertising threat levels surge. There are a number of reasons for this, ranging from increased use of less-secure mobile devices, to decreased monitoring as ad-ops teams are typically on PTO. This year, Labor Day weekend was no exception to the holiday threat increase rule, with overall threat levels rising by 93%

Prior to Labor Day weekend, the cleanAD network observed a consistent malvertising threat level, staying within a standard ~20% weekly range. However, Threat Level jumped 62% from Sunday, September 4th into Labor Day, continuing to a 93% rise from pre-Labor Day levels into September 7th. 

Malvertising attack patterns typically occur as sudden surges, or as gradual increases in attacks over time. However, this weekend we observed a hybrid. Labor Day attacks occurred in several waves, increasing in intensity as the hours (and days) continued.



Labor Day Surge Threat Classifications

Malvertisers have recently been consistent in the types of attacks being employed against end-users. Mobile in-app pixel stuffing and cryptocurrency scams have been two of the most common attacks, while over the long Labor Day weekend, we also measured a slow rise in prohibited ads --  those whose content is considered offensive or inappropriate.

-- Article Continues Below --

Read the Case Study

How cleanAD Completely Eliminated Malicious Redirects, Freeing up 60 Hours of AdOps Efforts per Week, for Venatus Media

Read the Case Study

  -- Article Continues Below --

Attack Origins

Attack origins will often rotate between demand side platforms (DSPs) and supply side platforms (SSPs) as malvertisers attempt to evade detection. Over the last two weeks most attacks were concentrated between two DSPs (DSP A and DSP B in the chart below)


On September 2nd, we started to see attacks coming from a 3rd DSP (DSP C), which shortly subsided while a fourth DSP (DSP D) began to enter the mix on September 4th.

Attacks from DSP A began to surge on August 30th and sustained those levels through September 5th, while DSP B held steady albeit slightly lower volumes until September 5th. Both DSPs spiked on Labor Day (Sept 6th) with single-day increases of 84% and 73% respectively.


Similarly, we also observed a concentration of attacks passing through two SSPs.



SSP A saw the largest increase from Saturday through Monday, up 190% through Labor Day Weekend. Similarly, SSP B saw a rise on Labor Day, although the surge was still in-line with its recent 2-week threat levels.

Secondary SSPs (like SSP C, SSP D, SSP E) all experienced an increase in attacks (300%+ growth) but the total volume was dwarfed by larger Platforms.

-- Article Continues Below --

New call-to-action

  -- Article Continues Below --

By Browsers and Device

Labor Day Attacks were targeted across platforms and screens; From Saturday (Sep 4) to Monday (Sep 6), attacks on Mobile Devices increased 107% while Desktop increased 55%. 

Meanwhile, Facebook’s mobile embedded browser experienced the largest rise on Labor Day; with Safari Mobile, Chrome, and Chrome Mobile also surging significantly (50%+) day-over-day.


Screenshot 2021-09-08 at 09-33-36 Labor Day Data Snacks

Impact on Publishers and Ecosystem

The surge of attacks was absorbed primarily by a few large publishers, with Publisher A experiencing the largest increase. 

Overall, 14 of our top 20 Publishers experienced at least a 15%+ increase in threat level, when comparing Labor Day (Sept 6th) to the 7 days prior.


Increases in threat level were global, impacting many countries and regions:

  • US +40%
  • Netherlands +11%
  • Canada +133%
  • Portugal +320%
  • Germany +69%
  • United Kingdom +355%
  • Switzerland +102%
  • Rest of World +13%


What You Need To Know

Holiday attacks are predictable, but knowing exactly when and where they will be coming from is far more difficult. Sophisticated malvetisers are always changing tactics to avoid detection, from different threat classifications to using the “pipes” of various DSPs and SSPs. While attacks came through just a handful of platforms this time around, the attack vectors will certainly look very different the next holiday weekend.

Adding platforms that are serving you bad ads to your blocklist is an effective way to start isolating your problems, but it is a reactionary tactic that keeps you playing catchup with the bad guys.

At cleanAD, our patented software uniquely detects malicious behavior at runtime, removing the need for blocklists and keeping you one step ahead of your attackers. 

If you are tired of tracking down and blocking troublesome platforms, you can get started with a 14-day free trial here.

Topics:Malvertising DataMalvertisingMalvertising 101

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates