[Infographic] A More Effective Method for Platforms to Combat Malvertising
by Geoff Stupay, on Jul 14, 2020 7:30:00 AM
With so many steps in the digital advertising process, who is truly responsible for blocking malvertising at the source?
Publishers can block individual ads on their own sites, but the most effective way to curtail malvertising is to beat bad actors where it counts: by cutting them off at the source, the platforms they buy through.
Supply-side platforms (SSPs) and demand-side platforms (DSPs) have a range of tools to combat malvertising at the source. Each tool works at a different point in the malvertising timeline, and each with a different degree of effectiveness.
Overall, there are two major categories: pre-scanning solutions, which inspect a creative before it serves, and real-time solutions, which act while the ad runs in the user's browser. Understanding when in the timeline each tool acts is key to comparing their approaches and effectiveness.
SSPs want not only to catch bad actors as they try to execute campaigns; they also need real, actionable data in order to find, identify, and ultimately remove bad actors from their platforms completely.
The timeline below summarizes how malicious ads flow through the different platforms they touch, and how each type of malvertising solution works to stop them.
Malvertiser Step 1: Campaign Set Up.
Using a self-service demand-side platform (DSP) or ad network, a bad actor will prepare a malvertising campaign for launch.
While the advertiser may start their journey from a DSP, SSPs have a vested interest in identifying bad actors as well. The willingness of publishers to use a specific SSP is directly related to how much they can trust the ads being delivered by that SSP.
Malvertiser Step 2: Creative Review Submission.
Once they’ve finished building their malicious campaign and creative, bad actors have a number of ways they can get their creative in front of users. The most common way is by submitting that creative to the DSP for review. Some may also hack ad servers or compromise individual sites.
Most of the tools start with a review of the creative submitted by all advertisers to look for signs of malicious activity.
Malvertising Block Attempt 1: Creative Approval Scanner.
The DSP may use creative approval scanners to try and detect a malvertising attack. Creative approval scanners will attempt to check each ad that is submitted to the platform for various markers of malicious behavior.
Because DSPs are accountable to their SSP partners for the quality of the campaigns they deliver, DSPs generally have a creative review process in which they scan or manually review creatives before those creatives begin delivering to real users.
Malvertiser Step 3: Fingerprint Checks & Scanner Bypass.
Bad actors structure their code to detect DSP scanners and to withhold malicious behavior whenever it senses one. The malicious payload stays cloaked, so the creative appears to the scanner as a legitimate ad rather than a malicious one. In fact, so far we have counted hundreds of methods bad actors use to detect and bypass scanning tools.
Malvertiser Step 4: Campaign Goes Live.
Once the pre-approval scanner has decided that the advertisement is legitimate, the campaign is allowed to launch.
The bad actor's campaign now flows from the DSP to the SSPs, ready to serve impressions whenever the DSP wins an auction run by an SSP. While DSPs may take steps to prevent malicious actors from getting this far, those steps are not 100% effective, so the SSP now needs to take steps of its own to catch malvertisers.
Malvertiser Step 5: Pay for Ads & Deliver Malicious Payloads.
At this step, the malvertiser is charged for their ads, the ads begin to render on-page, and, as far as the malvertiser can tell, their malicious code is executing and redirecting users to malicious landing pages.
Malvertiser Step 6: Fingerprint Checks & Malicious Payload Preparation.
Throughout the execution of the campaign, the malicious code keeps running fingerprint checks to determine whether the ad is running in a sandbox or scanning environment or is being presented to a real user. This happens on every individual device and impression where the creative is served.
If the code finds that it is in a scanning environment, it will hide malicious activity. If the code finds that the impression is being delivered to a real user, it will deliver the malicious payload.
In this case, because it has already bypassed the scanner, and finds that it is running in a live user environment, it will prepare to execute its malicious payloads.
Malvertising Block Attempt 2: Blocklists.
During delivery, some solutions attempt to discover bad actors by matching the URLs the ad code loads or navigates to against a known "bad URL" blocklist. Bad actors circumvent URL blocking by rotating the domains they use, so that a freshly registered domain is not yet listed at the time it serves, and by actively detecting and tampering with the blocklist solutions themselves.
User Sees an Ad
Only once we get to this step does a user actually see an ad. At this point, the creative for the ad has rendered, but the malicious portion of the code has not yet been executed.
Malvertising Block Attempt 3: Behavioral Analysis Tools.
Behavioral analysis solutions such as clean.io let the harmless portion of the original ad (often a stolen legitimate creative) render for the user, and block only the malicious activity, at the moment it attempts to execute.
Some of the benefits of waiting until this step to catch and block malicious activity include:
- More effective blocking of malicious ads: Because detection happens in real time, and does not rely on knowing previous bad actors or on building a separate environment in which to observe malicious activity, behavioral analysis tools are more effective at catching malvertising and preventing users from being affected.
- Fewer false positives: Because malicious code is blocked only when it begins to trigger, the risk of false positives is lower.
- No impact on speed or performance: Our software runs in real time and does not search a large blocklist, so there is no impact on page speed for the user.
- Able to detect "novel" threats: Because we watch behavior and look for malicious activity triggers, we can catch attack types we have never seen before they display to users.
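The simulation below is an added example and not clean.io's code or the page's own; it models the timeline above in plain JavaScript so the three block attempts can be compared side by side. A constructed creative cloaks itself from a pre-approval scanner by checking a single automation flag (standing in for the many signals a real payload probes, Steps 3 and 6), rotates its landing domain on each impression so a static blocklist never matches (Block Attempt 2), and is still stopped by a behavioral guard that wraps the page's navigation sink and blocks any ad-initiated navigation that has no user gesture behind it (Block Attempt 3). All hostnames, the blocklist contents, the page object, and the "no user gesture" heuristic are assumptions made for the example.

```javascript
"use strict";
// Added example, not clean.io's implementation. All hosts and data are constructed.

// Constructed sample blocklist of registrable domains seen in past attacks.
const BLOCKLIST = new Set(["bad-ads.example", "evil-cdn.example"]);

// Naive registrable-domain extraction: last two hostname labels. Assumption:
// no multi-label public suffixes (co.uk); a real deployment would use the PSL.
function registrableDomain(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Block Attempt 2: static lookup of a URL against the blocklist.
function blocklistVerdict(url) {
  return BLOCKLIST.has(registrableDomain(url)) ? "block" : "allow";
}

// Minimal stand-in for the page an ad creative runs in. `automated` stands in
// for the environment signals a cloaking payload probes to tell a scanner from
// a real user's browser; `guarded` turns the behavioral guard on.
function createPage({ automated = false, guarded = false } = {}) {
  const page = {
    url: "https://publisher.example/article",
    automated,
    userGesture: false, // true only while a genuine click handler is running
    rendered: [],       // creatives that were allowed to paint
    blocked: [],        // forensic record of intercepted attempts
  };

  // The harmless part of any ad, painting the creative, is never blocked.
  page.renderCreative = (imageUrl) => {
    page.rendered.push(imageUrl);
  };

  // Block Attempt 3: the navigation sink is wrapped. Navigation initiated by ad
  // code with no user gesture is the behavioral signature of a forced redirect,
  // so the guard blocks it without consulting any URL reputation.
  page.navigate = (target, origin) => {
    if (guarded && origin === "ad" && !page.userGesture) {
      page.blocked.push({ sink: "navigate", target, origin, reason: "no user gesture" });
      return "blocked";
    }
    page.url = target;
    return "navigated";
  };

  // Simulates a real click so legitimate click-throughs can be distinguished.
  page.click = (handler) => {
    page.userGesture = true;
    try {
      return handler();
    } finally {
      page.userGesture = false;
    }
  };

  return page;
}

// Constructed malicious creative: a stolen-looking image plus a payload that
// cloaks itself from scanners and rotates its landing domain every impression.
function maliciousCreative(impression) {
  const landing = `https://lp-${impression}.fresh-domain.example/offer`;
  return {
    landing,
    image: "https://cdn.example/shoes.jpg",
    run(page) {
      page.renderCreative(this.image);
      if (page.automated) {
        return "idle"; // fingerprint check says "scanner": behave like a plain ad
      }
      return page.navigate(landing, "ad"); // real user: fire the forced redirect
    },
  };
}

// Block Attempt 1: the DSP's creative approval scanner runs the ad in an
// automated environment and approves it if no navigation is attempted.
function scannerApproves(creative) {
  const sandbox = createPage({ automated: true });
  const outcome = creative.run(sandbox);
  return outcome === "idle" && sandbox.url === "https://publisher.example/article";
}

// Runs the whole timeline for three impressions on one guarded live page.
function runTimeline() {
  const live = createPage({ guarded: true });
  const impressions = [];
  for (let i = 1; i <= 3; i++) {
    const creative = maliciousCreative(i);
    impressions.push({
      approvedByScanner: scannerApproves(creative), // cloaking gets it past Attempt 1
      blocklist: blocklistVerdict(creative.landing), // rotated domain is not listed
      behavioral: creative.run(live),                // guard intercepts the redirect
    });
  }
  return { impressions, live };
}
```

Running `runTimeline()` shows every impression approved by the scanner and allowed by the blocklist, yet blocked by the guard, while `live.rendered` still holds all three creatives and `live.blocked` holds the forensic record of each attempt. The same guard lets a navigation made inside `page.click(...)` through, which is why a behavior-based rule of this kind produces fewer false positives than blocking by URL alone.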
Clean.io Identifies Bad Actors for Platforms
Because the bad actor has been watched through the entire duration of their activity, right up to the moment of malicious code execution, platforms receive a full forensic report (we affectionately call them "Smoking Gun Reports") of exactly what the actor was doing.
As a platform, you get not only the data and full details of every attack attempt seen by your own deployment of the script, but also data on every attack attempt across our entire network.
Platform Removes Malvertiser
This allows platforms to remove bad actors completely at the source and gives them all the data they need to prove that those actors are truly malicious.
Deciding to remove an advertiser means saying goodbye to revenue, and the decision is often met with opposition internally. Platforms and their teams need to know with certainty that they are making the right decision, and to have the proof to back it up. The clean.io Smoking Gun Reports provide exactly that.
Try clean.io free for 30 days to see why major platforms trust us as the simplest, smartest, and most effective anti-malvertising solution available.