Decoding the malicious behavior of bad actors in malvertising
by Matt Gillis, on Jul 15, 2020 1:10:05 PM
- Threat levels of malicious ads have scaled in recent weeks as the end of the quarter nears.
- Malicious behavior is persistent over time — specifically shown by the act of probing and moderate threat increases between specific periods being of ‘under attack’.
- Over the last two weeks, a single SSP has experienced an excessive threat level increase. This is not intended to call out any single SSP. Know that the bad actors are constantly on the move.
- Publishers and platforms should not wait until they are under attack to seek an assessment of the extent of malicious ads on their sites and platforms. As we head into Q4, we recommend that anyone who relies on ads to monetize should partner with a malware-prevention company.
Yesterday was the fall equinox. Unfortunately for most in the northern hemisphere, summer is over. And for those in the media business, it means that it is time to get busy. It also means you’ll likely be excited that we now have 6 days left in the quarter.
Revenue is hopefully scaling for you to close the quarter and month on a strong note. You are also likely excited about the fact that Q4 is upon us. It’s your chance to help brands and marketers deliver on their goals — while achieving yours at the same time.
1. Malicious Ad Threat Level Increases
By the looks of our data at clean.io, malvertisers also seem pretty excited about this timing too. Below you’ll find a few images that articulate how threat levels have scaled recently, along with an illustration of how they change over time, and how the bad actors are constantly refining where and how they conduct their attacks.
The number of overall threats (and accordingly, the Threat Level) has escalated in a significant way over the last two weeks. Overall threat level is up 900% in the last 10 days. It appears that bad actors follow a similar pattern to brand advertisers as they close out the quarter by making sure they spend their budgets, and drive results.
Threat levels have rapidly increased over the last two weeks.
2. Persistent Malicious Behavior on SSPs
In the last two weeks, bad actors have focused scaled attacks on a small number of SSPs. The source of the recent upswing in threat level shows that a single SSP is severely under attack. This SSP (we’ll call them ‘SSP A)’ has shown elevated levels of malicious threat execution since September 10.
Various SSPs that are contributing to the significant increase in threat level over the last two weeks.
It is important to note that despite the above image showing a handful of SSPs that are experiencing elevated attack levels, there is a long tail of plenty more SSPs that are showing signs of moderate and persistent attacks. These attacks range from simple low level ‘probing’, to scaling degrees of attack severity.
Learn more about what is malvertising and how to protect your business.
3. Probing Attacks
You’ll see that these attacks come and go — behavior that is an indication of bad actors trying new methods and attempting to exploit new channels to initiate their attacks. The act of probing generally is seen as an effort by the malicious actors to fly under the radar of detection, until they decide to press the gas as they have on ‘SSP A’.
The malicious underbelly of probing that is happening across all SSPs that are not currently ‘under attack’.
When isolating the malicious behavior of ‘SSP A’ over the last six months, you are able to see below that they have experienced a number of isolated incidents of attacks (early April, late April/early May, end of June). You will see that there is a level of probing that generally occurs every day. You’ll also see the significant scale of the recent attacks over the last 10 days. Their daily average over the last 10 days is up 900% comparing the daily average of the previous six months.
A constant pulse of probing combined with varying degrees of attacks, some brief, and some (recently) sustaining over a longer period of time.
Related Reading: PubPlus Clean.io Case Study
4. Various Malicious Creative Ids
The behavior of the bad actors is even more interesting when you look at the number of unique creative IDs that are responsible for generating these attacks. In the image below you can see that the bad actors have been working since July to ready their entry points into this particular SSP.
During the second quarter, the daily average number of malicious Creative IDs seen across ‘SSP A’ was 11. You can see these scaling over the last quarter, with some days seeing over 150 different malicious Creative IDs conducting attacks — and an average of over 103 for the last 10 days. When comparing the below image with the image above, you can obviously see that although the malicious Creative IDs began to scale in July, the bad actors were simply readying their weapons over the last few months waiting for the appropriate time to initiate their attacks. That appropriate time for them appears to be over last ten days.
A significant increase in Creative IDs that are the origination source of attacks on ‘SSP A’.
Lastly, it is important to note that while we have focused this specific post on a single SSP over the last two weeks, they are not the only one experiencing challenges with malicious ads. The problem is actually quite widespread.
The 100% stacked bar chart that you see below illustrates the originating attacks by SSP over the last six months. You can see, it is a rainbow — with each color representing a different SSP that is delivering malicious ads daily over the last six months. You can see that the problem is ever changing and the threats are always moving. The bad actors are constantly changing their attacks and their entry points into the ecosystem to evade detection and achieve their goals.
Clean.io offers publishers and platforms a 30 day free trial to understand how ad fraud could be negatively impacting their user experience, their monetization, and their reputation. Send us an email at firstname.lastname@example.org and let us know how we can help!