Data Snacks: Malvertising Threat Levels Spike 700% in Redirect Attack From Single DSP

by Marshall Moritz, on Jul 15, 2021 5:00:46 PM

This is the first article in a new series called “Data Snacks” that will briefly highlight unusual malvertising activity as it occurs. Each Data Snack will cover what happened, why it matters, and what you should know about it.

What Happened

This week, we observed a malicious advertising attack that began on July 12th at 3 p.m. and lasted through July 13th at 7 a.m. The attack caused a 700% increase in our network threat level, which is based on data gathered from more than 8 million websites protected by cleanAD.

[Figure: Publisher network threat level]


The attacks primarily came through a single supply side platform (SSP). However, a second SSP also experienced attacks the day after the initial spike began, as well as the day it subsided.


[Figure: SSP threats per day]


By tracking threats per day for each SSP, we can see how the SSPs labeled in blue experienced significant upticks over July 12 and into July 14.

Throughout the duration of the attack, all of the attacks originated from a single demand side platform (DSP). 


[Figure: DSP threats per day]


The primary attack type used was forced redirects, which automatically direct users away from a publisher's webpage to a malicious advertiser’s URL.  

Prior to this week’s attack, most of the redirect attacks we observed came from a consistent redirect variant (Variant A). However, this week we observed a surge from a second variant (Variant B), meaning bad actors were experimenting with new channels to evade detection and ensure their attack successfully reached end users.

[Figure: Threat Variants By Day]

Why It Matters

Large-scale attacks similar to this one typically come without warning, and are a good reason to ensure you’ve put anti-malvertising protections in place on your website.

Redirect attacks disrupt your user experience, cost you revenue, and are difficult to catch without the proper tools.

Because these attacks originated from an SSP that was not delivering malicious ads prior to this three-day period, they illustrate how bad actors can and will switch their tactics on a dime to ensure their campaigns continue to evade detection and generate results.

This way, they hit publishers hard for a short period of time and then, once the attack is caught, either stop or change tactics to attack through a new, more vulnerable channel.


What You Need To Know

Using a blocklist can be an effective strategy for known-origin attacks, but it becomes obsolete when the attackers change to signatures not already blocked.

This will have long-term impacts on your ad revenue as malicious attacks and poor user experience push your audience away.

Using a patented behavioral analysis approach, cleanAD ensures your site is protected without the need for a blocklist, and prevents malicious ads at runtime. This means that even if malvertisers suddenly change their strategy, you’ll still be protected.

And better yet, because the ad impression still fires, you still get paid.
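The difference between the two approaches can be shown with a simplified comparison, added here as an illustration and not cleanAD's own code or method: a blocklist built before a new variant appears versus a rule that looks only at behavior (a cross-origin frame navigating the top-level page without a user gesture). The event shape, domains, and function names are assumptions, and the events are constructed sample data.

```javascript
// Constructed sample events: navigation attempts as a hypothetical in-page
// monitor might report them. Field names and domains are assumptions.
const events = [
  { id: 1, frameOrigin: "https://ads.variant-a.example", target: "top",
    userActivated: false, dest: "https://landing.variant-a.example/win" },
  { id: 2, frameOrigin: "https://cdn.variant-b.example", target: "top",
    userActivated: false, dest: "https://prize.variant-b.example/claim" },
  { id: 3, frameOrigin: "https://ads.brand.example", target: "top",
    userActivated: true, dest: "https://shop.brand.example/sale" },   // real click
  { id: 4, frameOrigin: "https://ads.brand.example", target: "self",
    userActivated: false, dest: "https://ads.brand.example/frame2" }, // stays in frame
];

const PUBLISHER_ORIGIN = "https://news.example";

// Blocklist assembled from what was known before the second variant surged.
const blocklist = new Set(["ads.variant-a.example", "landing.variant-a.example"]);

function hostOf(url) {
  return new URL(url).hostname;
}

// Signature approach: flag only when a host is already on the list.
function blockedByList(ev) {
  return blocklist.has(hostOf(ev.frameOrigin)) || blocklist.has(hostOf(ev.dest));
}

// Behavioral approach: a cross-origin frame that navigates the top-level page
// without a user gesture is treated as a forced redirect, whoever served it.
function isForcedRedirect(ev) {
  const crossOrigin = new URL(ev.frameOrigin).origin !== PUBLISHER_ORIGIN;
  return crossOrigin && ev.target === "top" && !ev.userActivated;
}

function flaggedIds(predicate) {
  return events.filter(predicate).map((ev) => ev.id);
}

console.log("blocklist flags:", flaggedIds(blockedByList));
console.log("behavior flags: ", flaggedIds(isForcedRedirect));
```

The blocklist flags only the known variant, while the behavioral rule flags both variants and leaves the user-initiated click and the in-frame navigation alone.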

If you are interested in speaking with us about a free trial, follow the link here.
