Malvertising Data: How Many Paths Are There From Malvertiser to Publisher?

by Marshall Moritz, on Dec 1, 2020 9:00:00 AM

Ok, I admit it, the question posed in the title is actually a trick question. The answer is basically impossible to determine for a few reasons:

  • The programmatic advertising ecosystem is incredibly complex, and the methods by which bad ads flow through DSPs and SSPs mean the routes are constantly changing; and
  • Malvertisers are constantly changing their tactics and attacking from new directions, so the pathways are actually fluid.



The complexity of the digital advertising ecosystem works to the advantage of malvertisers.

There are so many touch points as an ad travels from advertiser to end user: DSPs, SSPs, resellers, third-party pixels and ad trackers. More touch points yield greater opportunities for malvertisers to inject nefarious activity, and make it harder for publishers to pinpoint the weak link in the chain.

The visualization below from our network shows all of the different ways a single malvertiser executed an attack that made it to a single publisher.

[Figure: Q3 2020 SMART Report]

We found that the DSP with the most threats flowing through it was also the DSP which was connected to the most SSPs (a total of 46). Most commonly, we see malvertisers using a single DSP to connect to somewhere between 11 and 35 SSPs.

This makes chasing the bad guys similar to playing a game of whack-a-mole.



On the flip side of the equation, a single SSP is seeing attacks from between 20 and 30 unique DSPs. A platform cannot simply turn off a single buyer and have the problem go away, because the problem persists across many of their customers.

Ultimately, trying to guess the number of total paths from malvertiser to publisher looks a little like one of those carnival games where you win a big prize if you can guess the number of jelly beans in a giant jar. . . except they aren't jelly beans, they are wasps.



Really, what it comes down to is understanding that you live in a house with about a million doors, and the only way to truly protect all of them is with a security system.


How Ads Travel Through the Ecosystem

Let’s do a quick review of how ad creative flows through platforms to ultimately reach users.

To start, a few quick definitions:

What is a demand-side platform (DSP)?

A demand-side platform (DSP) is the adtech platform that allows advertisers to submit ad creative and purchase impressions across a variety of publisher properties in a single place. Advertisers will submit all ad creative to a DSP and pay the DSP for any impressions.

The primary role of the DSP is to connect advertisers to publisher inventory; a single DSP will plug into multiple SSPs, giving advertisers the ability to place ads across a network of publishers.

What is a supply-side platform (SSP)?

A supply-side platform (SSP) is the adtech platform meant to connect the marketplace of digital publishers with available ad content. SSPs programmatically bid on available ads on publisher websites or apps, then the publisher will display the ad provided by the SSP. The SSP will then pass along the revenue from the initial ad purchaser to the publisher to pay for the impression.

The SSP enables the publisher to put their inventory up for auction, where the DSP will fill that ad slot with an appropriate creative at the highest bid. This allows the publisher to monetize their inventory. A single publisher often works with many SSPs in order to maximize the revenue-earning opportunity with as many DSPs and advertisers having access as possible.

Flow of Threats

Attackers can take advantage of this system and of the greater reach that a single DSP provides for ads.

The threat flows as follows:

  1. DSP: Attacker submits ad creative to a DSP. A single DSP allows access to many SSPs.
  2. SSP: The SSP enables bids from multiple DSPs on available ad slots across its entire network of inventory.
  3. Ad Views: Ad impressions are seen by users. Through a single DSP, attackers can create a massive impact.
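The flow above can be treated as a directed graph and the routes counted directly. The following is an added example, not code from the original article or from cleanAD: it builds the graph from blocked-ad records, counts distinct routes from one buyer to one publisher, and recounts after one SSP drops one DSP and after a DSP is removed entirely. The record layout and every name in it are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of blocked-ad records: (buyer, dsp, ssp, publisher).
# All names are hypothetical placeholders, not data from the report.
BLOCKED = [
    ("buyer-x", "dsp-1", "ssp-a", "pub-1"),
    ("buyer-x", "dsp-1", "ssp-b", "pub-1"),
    ("buyer-x", "dsp-1", "ssp-c", "pub-1"),
    ("buyer-x", "dsp-2", "ssp-a", "pub-1"),
    ("buyer-x", "dsp-2", "ssp-c", "pub-1"),
    ("buyer-x", "dsp-3", "ssp-b", "pub-1"),
    ("buyer-x", "dsp-1", "ssp-a", "pub-1"),  # repeat sighting of the first route
]

def build_graph(records):
    """Turn hop records into a directed graph: node -> set of next hops."""
    graph = defaultdict(set)
    for record in records:
        for src, dst in zip(record, record[1:]):
            graph[src].add(dst)
    return graph

def fan_in(graph, node):
    """Sorted list of upstream nodes that deliver into `node`."""
    return sorted(src for src, nexts in graph.items() if node in nexts)

def count_paths(graph, src, dst, removed_nodes=(), removed_edges=()):
    """Count distinct src -> dst routes, skipping cut nodes and edges."""
    memo = {}

    def walk(node):
        if node in removed_nodes:
            return 0
        if node == dst:
            return 1
        if node not in memo:
            memo[node] = sum(
                walk(nxt) for nxt in graph.get(node, ())
                if (node, nxt) not in removed_edges
            )
        return memo[node]

    return walk(src)

if __name__ == "__main__":
    g = build_graph(BLOCKED)
    print("routes:", count_paths(g, "buyer-x", "pub-1"))
    print("ssp-a drops dsp-1:",
          count_paths(g, "buyer-x", "pub-1", removed_edges={("dsp-1", "ssp-a")}))
    print("dsp-1 removed:",
          count_paths(g, "buyer-x", "pub-1", removed_nodes={"dsp-1"}))
```

In this constructed data, an SSP cutting off a single DSP removes only one of six routes, and removing the busiest DSP entirely still leaves three.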

[Figure: flow of threats chart]


How Malvertisers Execute Attacks

Because there are so many avenues to attack, it becomes a game of how long a bad actor can use a certain combination of both attack types and DSP/SSP routes to execute an attack before they are found.

The goal would be to use a combination for as long as it is fruitful, and then, once the attack is discovered and publishers know how to block it, bad actors will rotate to a new combination.

Data from the cleanAD network shows that malvertisers typically rotate through the following stages when executing an attack:

  1. Probing: Bad actors will run many small probing campaigns in parallel to see which attacks provide the best initial results.
  2. Scaling: Once an attack shows positive ROI, the malvertiser will scale the attack to a much higher volume to take advantage of every minute they can get away with it before discovery.
  3. Closure: As publishers or platforms discover the attack, and learn how to block it, bad actors will see a reduction in ROI and begin to sunset the attack combination.
  4. Repeat: Bad actors will then return to the probing attacks they have running to pick the next best performer to lean into.

The Bottom Line

Keeping up with the constant rotation of malvertising campaigns is a losing game. Like a corgi chasing its tail, you’ll never really be able to catch the bad guys.

Instead, you need a solution that is able to catch bad actors regardless of their delivery method, path through the SSP and DSP jungle, and attack type.
