Malicious Ads: 5 Different Attack Types to Know About in 2020
by Jeff Matthies, on Nov 10, 2020 9:00:00 AM
Malvertising is an evolving landscape in which bad actors are constantly finding new ways to infiltrate user experiences and profit off your unsuspecting audience. The key to learning how to prevent malvertising is to understand how it is executed, which is why we’ve created this series of blogs to provide an overview of the different attack types. It is important to note that these are the attack types that we see as of the time this article was written, and we plan on updating these articles regularly when we recognize new attacks as they happen (because they inevitably will).
There are three important steps to the delivery of malware that make up the anatomy of an attack:
- Delivery Method: The delivery method for the attack (e.g. how the malicious code gets to the end-user)
- Set-Up: The methods bad actors use to appear legitimate (e.g. how they bypass checkpoints meant to identify malicious code)
- Attack Triggers: The way in which the attack is executed (e.g. the type of malicious behavior or code that is being executed)
This article focuses on number three in the equation—the methods by which attacks are executed once the code has made it to the user’s browser experience.
Read more about how bad actors deliver attacks and bypass protections (coming soon!) in our companion articles.
The attack types covered in this article are:
- Video Stuffing
- Redirect-Style Attacks (Clickjacking, Auto-redirect and Focus Stealer)
- Crypto-Mining
- In-Banner Video
- Autoplay Audio/Video
1. Video Stuffing
Video stuffing is a malicious attack where the bad actor runs small display creatives or video ads which look legitimate on the surface, but load a large number of video ad tags or fire additional video ad impressions in the background, which are never visible to the end-user.
In this case, a bad actor is looking to make money by selling video ad impressions to buyers looking to advertise. They are purposely misusing the purchase of an ad slot to “pretend” like they are showing many videos (thus collecting ad revenue for each) when they aren’t actually displaying them.
Users are initially unaffected by this type of malicious ad, until it begins to slow down the page. Trying to load multiple video ads significantly hurts page load speed, ultimately causing the site to error out, and your users to abandon sessions.
Page load speed is incredibly important to user engagement metrics, and ultimately to your revenue as a publisher.
Cloudflare statistics show that “Studies have consistently shown that fast page speed will result in a better conversion rate. In other words, the quicker a webpage loads, the more likely a user is to perform the targeted action on that webpage.”
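The tell-tale sign of video stuffing described above is a display-sized creative that quietly fires video ad tags in the background. The following is an added example (not code from the original article) of a check a publisher-side monitor could run over a per-slot request log: it counts requests that look like video ad tags or video assets per ad slot and flags any display slot that issues them at all, plus any video slot that issues far more than one playback could need. The slot names, URL patterns, log records and threshold are all constructed assumptions for the example.

```javascript
// Added example, not code from the original article: a per-slot request-log
// check for the video-stuffing pattern (video ad tags fired from a display slot,
// or a video slot requesting far more tags than it could render).

// Publisher-declared slot types: what each slot is allowed to render (assumed).
const SLOT_TYPES = {
  'header-728x90': 'display',
  'sidebar-300x250': 'display',
  'article-player': 'video',
  'footer-player': 'video',
};

// URL shapes that indicate a video ad tag or video asset request
// (VAST/VPAID tags, HLS playlists, MP4 assets). Heuristic; extend as needed.
const VIDEO_REQUEST = /\/vast\b|\bvast\d?\.xml\b|\bvpaid\b|\.m3u8\b|\.mp4\b|[?&](?:fmt|format)=vast/i;

// Constructed request records, as a page-side monitor might attribute each
// request to the ad slot (iframe) that issued it. Hostnames are placeholders.
const REQUESTS = [
  { slot: 'header-728x90', url: 'https://cdn.example.invalid/creatives/leader.png' },
  { slot: 'header-728x90', url: 'https://ads.example.invalid/imp?id=1' },
  { slot: 'sidebar-300x250', url: 'https://cdn.example.invalid/creatives/box.png' },
  { slot: 'sidebar-300x250', url: 'https://ads.example.invalid/imp?id=2' },
  // a 300x250 display creative that fires five video tags nobody will see
  ...Array.from({ length: 5 }, (_, i) => ({
    slot: 'sidebar-300x250',
    url: `https://vid.example.invalid/vast?tag=${1001 + i}`,
  })),
  // a legitimate single play: tag, one wrapper hop, media file
  { slot: 'article-player', url: 'https://vid.example.invalid/vast?tag=7' },
  { slot: 'article-player', url: 'https://vid.example.invalid/wrapper/vast2.xml' },
  { slot: 'article-player', url: 'https://cdn.example.invalid/media/spot.mp4' },
  // a video slot requesting eight tags in one page view
  ...Array.from({ length: 8 }, (_, i) => ({
    slot: 'footer-player',
    url: `https://vid.example.invalid/vast?tag=${2001 + i}`,
  })),
];

function isVideoRequest(url) {
  return VIDEO_REQUEST.test(url);
}

// Count video-looking requests per slot; slots with none are omitted.
function countVideoRequests(requests) {
  const counts = {};
  for (const r of requests) {
    if (!isVideoRequest(r.url)) continue;
    counts[r.slot] = (counts[r.slot] || 0) + 1;
  }
  return counts;
}

// maxPerVideoSlot: one tag, a couple of wrapper hops and the media file is
// normal for a single play; well beyond that looks like stuffing (assumed value).
function detectVideoStuffing(requests, slotTypes, maxPerVideoSlot = 4) {
  const counts = countVideoRequests(requests);
  const alerts = [];
  for (const [slot, n] of Object.entries(counts)) {
    const type = slotTypes[slot] || 'unknown';
    if (type === 'display') {
      alerts.push({ slot, reason: 'video-in-display-slot', videoRequests: n });
    } else if (n > maxPerVideoSlot) {
      alerts.push({ slot, reason: 'excess-video-requests', videoRequests: n });
    }
  }
  return alerts;
}

for (const alert of detectVideoStuffing(REQUESTS, SLOT_TYPES)) {
  console.log(alert);
}
```

Both rules come from the same count, so the only tuning knob is the per-play threshold for genuine video slots; the display-slot rule needs no threshold because a display slot should never request a video tag, which also makes it a useful signal for the in-banner video attack covered later in this article.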
2. Redirect-Style Attacks
Redirect-style attacks have their own category because they are such a prevalent form of malvertising and exhibit many different sub-techniques to ultimately result in the same end goal.
The end goal of a redirect-style attack is to take the user to a phishing page where the bad guys collect the users' personal information to be used in a nefarious manner.
Redirect-style attacks may also employ a similar strategy to video stuffing by charging unsuspecting buyers for ad impressions they aren’t really getting.
As a result, redirect attacks are often the most profitable, and thus the most common type of malvertising attacks targeted at publisher websites.
A Clickjacking attack creates a transparent, clickable overlay that is written into the page's code but is invisible to the user, with the result that any click (or tap, if you're on mobile) anywhere on that page is read as a “click” on the attack target page.
In this case, ad creative may load in just the space of the ad unit, but the attackers are taking advantage of any click or tap across the entire page area, thereby forcing the user away from the website.
To a user, this feels almost the same as an auto-redirect (see below) because they don’t realize they’ve clicked on anything.
An Auto-redirect attack occurs when a snippet of code injected into the ad creative uses a timer (a set interval of time) to automatically force the user to be redirected to the target page.
This particular attack type is usually somewhat easier to detect than, say, Clickjacking (above) or Focus Stealer (below), because you can search the creative's code for calls to the setInterval function.
A Focus stealer attack uses a change in browser “focus” to trigger an action that redirects the user to the target page.
This type of malvertising attack bears a bit more explanation.
Go back to the last time you were filling out a form on a website. When you click into a form field, say to input your email address, the browser puts “focus” on that field.
When you finish filling out the form and click outside of the form field, your browser releases “focus” from the form and the website can trigger events based off of this change of focus.
Typically, it is used to launch something like the validation of the form field. For instance, the website might check the email address you’ve input, confirm it is in the correct format and alert you if it isn’t.
Bad actors take advantage of the fact that you can trigger events off of this change of focus to redirect users to a target page.
Here’s how it usually works:
- Attackers will create an “invisible” text field on the page that the user can’t see.
- They will give that field “focus” in the browser.
- If users click or tap anywhere outside of that invisible field, it is read as a change of focus.
- Attackers trigger a forced redirect off of the change of focus.
Again, this particular attack type feels almost the same as an auto-redirect to the user because they don’t realize they’ve done anything at all.
SafeFrames and newer versions of Google Chrome can protect against this attack type, but they don't completely solve the problem, because you have no guarantee that your users will be visiting from such a safe environment.
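The three redirect techniques above each leave a recognizable trace in the creative's own markup: a timer call next to a write to the browser location, a focus or blur handler next to such a write (often with a hidden, auto-focused field), or a transparent element sized to the whole viewport. The following is an added example (not code from the original article) of a static pre-screen that looks for those traces in creative HTML before it is trafficked. The regexes and the four sample creatives are constructed for this example; a hit means "send to manual review or an instrumented sandbox", not proof of malice, and a miss does not clear a creative, since obfuscated code sidesteps pattern matching.

```javascript
// Added example, not code from the original article: a static pre-screen for
// ad creative markup that flags the redirect techniques described above.
// All patterns and sample creatives are constructed assumptions.

// A write to the browser location (the redirect itself), e.g.
// location.href = ..., window.top.location = ..., location.replace(...).
const LOCATION_WRITE =
  /\b(?:window|top|parent|document|self)?\.?location\b\s*(?:\.href\s*=(?!=)|=(?!=)|\.(?:assign|replace)\s*\()/;

// Timer APIs that let a creative fire a redirect on its own schedule.
const TIMER_CALL = /\bset(?:Interval|Timeout)\s*\(/;

// Focus-change handlers, as inline attributes or addEventListener calls.
const FOCUS_HANDLER =
  /\bon(?:blur|focus|focusout|focusin)\s*=|\baddEventListener\s*\(\s*['"](?:blur|focus|focusout|focusin)['"]/;

// An input/textarea styled so the user cannot see it...
const HIDDEN_FIELD =
  /<(?:input|textarea)\b[^>]*(?:opacity\s*:\s*0(?![.\d])|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d)[^>]*>/i;
// ...together with something that gives it focus.
const FOCUS_GRAB = /\bautofocus\b|\.focus\s*\(\s*\)/;

// Transparent overlay: positioned, fully transparent, and sized to the viewport.
const POSITIONED = /position\s*:\s*(?:fixed|absolute)/i;
const TRANSPARENT = /opacity\s*:\s*0(?![.\d])/i;
const FULL_SIZE = /\b(?:width|height)\s*:\s*100(?:%|vw|vh)|\binset\s*:\s*0\b/i;

// Returns the list of findings for one creative, in a fixed order.
function scanCreative(html) {
  const findings = [];
  const writesLocation = LOCATION_WRITE.test(html);
  if (TIMER_CALL.test(html) && writesLocation) findings.push('timer-redirect');
  if (FOCUS_HANDLER.test(html) && writesLocation) findings.push('focus-redirect');
  if (HIDDEN_FIELD.test(html) && FOCUS_GRAB.test(html)) findings.push('hidden-focused-field');
  if (POSITIONED.test(html) && TRANSPARENT.test(html) && FULL_SIZE.test(html)) {
    findings.push('transparent-overlay');
  }
  return findings;
}

// Constructed sample creatives (placeholder hosts); minimal stand-ins for the
// patterns the article describes, used only to exercise the scanner.
const SAMPLES = {
  benign: `<div style="width:300px;height:250px"><a href="https://example.invalid/landing"><img src="banner.png"></a></div>
<script>document.querySelector('img').addEventListener('load', function () { /* viewability beacon */ });</script>`,
  autoRedirect: `<img src="creative.png">
<script>setInterval(function () { window.top.location = 'https://example.invalid/offer'; }, 3000);</script>`,
  focusStealer: `<img src="creative.png">
<input id="f" autofocus style="opacity:0;position:absolute;left:-9999px">
<script>document.getElementById('f').addEventListener('blur', function () { location.href = 'https://example.invalid/phish'; });</script>`,
  clickjack: `<img src="creative.png">
<a href="https://example.invalid/landing" style="position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;z-index:2147483647"></a>`,
};

// Scan a map of creatives and return findings keyed by creative name.
function scanAll(samples) {
  const report = {};
  for (const [name, html] of Object.entries(samples)) report[name] = scanCreative(html);
  return report;
}

console.log(scanAll(SAMPLES));
```

The scanner deliberately requires two independent signals for each finding (a trigger plus a location write, or a hidden field plus a focus grab), which keeps ordinary creatives that use timers for animation or focus handlers for form validation from being flagged on their own.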
3. Crypto-Mining
A Crypto-mining attack is a display ad that looks legitimate on the surface but loads a background script which can hijack CPU cycles on an end-user device in order to mine for cryptocurrencies.
This particular type of attack is much less prevalent these days than it has been in the past because it is simply not as profitable for bad actors as redirect-style attacks.
4. In-Banner Video
In-banner video attacks take a typical display banner ad and use it to instead display video which does not match with what the ad says it is advertising.
Similar to video stuffing above, this particular attack type is about capturing false ad views and charging unsuspecting advertisers for video views they may not really be getting.
It can also be frustrating to publishers who don’t want video shown in a banner slot. But even more frustrating, it is usually used as a method to sneak in ad types that a publisher might not want to be shown.
For instance, if you as a publisher don’t allow any political ads, this method would make it look like you were displaying a non-political ad while nevertheless sneaking one in for the viewer.
5. Autoplay Audio/Video
Autoplay audio/video ads occur when a video or ad audio plays automatically, rather than only when a user presses “play,” even though the publisher requires user-initiated playback.
This particular attack type shows up primarily in the App space, and is more often the result of poorly coded creatives than an actual “attack.” The ad delivered by the software development kit (SDK) used to source ads may return a poorly coded creative that accidentally overrides the App settings on auto-play and as a result, frustrates users.
The Bottom Line
There are many different methods the bad guys employ to get malicious ads onto publisher websites. Most importantly, this list changes constantly over time as they find new ways to get around the safeguards put in place by publishers.
Your best bet is to have a solution that doesn’t rely on knowing who the bad guys are, but on using behavioral analysis to catch new and novel attacks as they arise.