Data Snacks: Malvertising Threat Levels Spike 700% in Redirect Attack From Single DSP
by Marshall Moritz, on Jul 15, 2021 5:00:46 PM
This is the first article in a new series called “Data Snacks” that will briefly highlight unusual malvertising activity as it occurs. Each Data Snack will cover what happened, why it matters, and what you should know about it.
This week, clean.io observed a malicious advertising attack that began on July 12th at 3 p.m. and lasted through July 13th at 7 a.m. The attack caused a 700% increase in our network threat level, which is based on data gathered from more than 8 million websites protected by cleanAD.
The attacks primarily came through a single supply-side platform (SSP). However, a second SSP also experienced attacks the day after the initial spike began, as well as the day it subsided.
By tracking threats per day for each SSP, we can see that the SSPs labeled in blue experienced significant upticks over July 12 and into July 14.
For the duration of the attack, all of the malicious activity originated from a single demand-side platform (DSP).
The primary attack type used was forced redirects, which automatically direct users away from a publisher's webpage to a malicious advertiser’s URL.
Prior to this week’s attack, most of the redirect attacks we observed came from a consistent redirect variant (Variant A). However, this week we observed a surge from a second variant (Variant B), meaning bad actors were experimenting with new channels to evade detection and ensure their attack successfully reached end users.
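One way a publisher could reproduce the per-SSP tracking and DSP attribution described above from its own blocked-threat counts. This is an added example, not clean.io's code or method; the row format, platform names, counts and the `factor` and `min_count` thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed daily counts of blocked threats: (day, ssp, dsp, count).
# Platform names and numbers are invented for illustration only.
ALL_DAYS = ("2021-07-09", "2021-07-10", "2021-07-11", "2021-07-12", "2021-07-13")
ROWS = [(d, "ssp-b", "dsp-2", 20) for d in ALL_DAYS]
ROWS += [(d, "ssp-c", "dsp-3", 30) for d in ALL_DAYS]
ROWS += [("2021-07-12", "ssp-a", "dsp-9", 400),   # previously clean SSP
         ("2021-07-13", "ssp-a", "dsp-9", 300),
         ("2021-07-13", "ssp-b", "dsp-9", 100)]   # second SSP, one day later

def daily_by_ssp(rows):
    """Return {ssp: Counter({day: threats})}; missing days count as 0."""
    out = defaultdict(Counter)
    for day, ssp, _dsp, n in rows:
        out[ssp][day] += n
    return out

def find_spikes(rows, day, factor=3.0, min_count=50):
    """Map each spiking SSP to (threats on `day`, median over earlier days)."""
    prior_days = sorted({r[0] for r in rows if r[0] < day})  # ISO dates sort as text
    spikes = {}
    for ssp, per_day in daily_by_ssp(rows).items():
        today = per_day[day]
        baseline = median(per_day[d] for d in prior_days) if prior_days else 0
        # A previously clean SSP has baseline 0, so any ratio test passes;
        # min_count keeps a handful of stray detections from raising a flag.
        if today >= min_count and today >= factor * baseline:
            spikes[ssp] = (today, baseline)
    return spikes

def top_dsp(rows, day, ssps):
    """Return (dsp, share) for the DSP behind most threats on the flagged SSPs."""
    by_dsp = Counter()
    for d, ssp, dsp, n in rows:
        if d == day and ssp in ssps:
            by_dsp[dsp] += n
    if not by_dsp:
        return None, 0.0
    dsp, n = by_dsp.most_common(1)[0]
    return dsp, n / sum(by_dsp.values())

if __name__ == "__main__":
    for day in ("2021-07-12", "2021-07-13"):
        spikes = find_spikes(ROWS, day)
        print(day, spikes, top_dsp(ROWS, day, spikes))
```

A DSP share close to 1.0 across the flagged SSPs points to a single demand source, which is the question to put to the SSPs involved.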
Why It Matters
Large-scale attacks similar to this one typically come without warning and are a good reason to ensure you’ve put anti-malvertising protections in place on your website.
Redirect attacks disrupt your user experience, cost you revenue, and are difficult to catch without the proper tools.
Because these attacks originated from an SSP that was not delivering malicious ads prior to this three-day period, they illustrate how bad actors can and will switch tactics on a dime to ensure their campaigns continue to evade detection and generate results.
This way, they hit publishers hard for a short period of time, and once the attack is caught, they either stop or change tactics to attack through a new, more vulnerable channel.
What You Need To Know
Using a blocklist can be an effective strategy for known-origin attacks, but it will become obsolete when the attackers change to signatures not already blocked.
This will have long-term impacts on your ad revenue as malicious attacks and poor user experience push your audience away.
Using a patented behavioral analysis approach, cleanAD ensures your site is protected without the need for a blocklist, and prevents malicious ads at runtime. This means that even if malvertisers suddenly change their strategy, you’ll still be protected.
And better yet, because the ad impression still fires, you still get paid.