Q3 2020 Malvertising Statistics: Desktop vs. Mobile Web
by Marshall Moritz, on Nov 3, 2020 11:08:26 AM
Every quarter, clean.io publishes the SMART (Summary of Malicious and Reputational Threats) Report, which summarizes insights on malvertising threat levels and attack trends across more than 7 million websites in the cleanAD network.
The data compiled in our Q3 2020 Smart Report reveals that while threat levels have dropped somewhat from their COVID-induced highs during Q2, they remain 72% higher than average, indicating that the long tail of COVID continues to present opportunities for the bad guys to take advantage of.
One thing is crystal clear—desktop traffic and mobile web traffic prevent very different attack landscapes.
In fact, we found major differences in the way attacks are executed on desktop vs. mobile web across each of the following categories:
- SSP Attack Concentration
- Attack Types
- Weekend vs. Weekday Trends
In addition, Facebook browser continues to be a significant attack vector, further underscoring the need for any malvertising protection solution you put in place to serve you well across all browsers and support the differences between attack types, methods of delivery, and timing across both desktop and mobile web.
-- Article Continues Below --
While threat levels are consistently choppy throughout the year, when we look back across all of 2020, we can see distinct surges around major holidays such as Labor Day and the 4th of July.
As we head into the 4th quarter, we're forecasting that this trend will continue and advising publishers to be especially vigilant around national holidays such as Thanksgiving and Christmas.
SSP Attack Concentrations
Q3 data shows that attackers had an entirely different set of supply side platforms (SSPs) they were using to execute attacks when focusing on desktop versus mobile web. This most likely is related to the protection and detection mechanisms in place on different platforms being more likely to catch malicious activity on one type of display versus the other.
Overall, what we found was that 7 SSPs were responsible for about 75% of the threats on desktop, and 5 SSPs were responsible for about 75% of the threats on mobile web.
Of these, there was only one SSP that made the top list in both categories. Otherwise, the lists were entirely different.
75% of threats on desktop came from 7 SSPs.
75% of threats on mobile web came from 5 SSPs.
Primary Attack Types
In addition, attackers vary their method of attack significantly between web and mobile web. Different devices offer different user experiences, forcing the bad guys to optimize their attacks to account for the way users behave on each type of device.
As you can see from the graphic above, clickjacking attacks were the most prevalent on mobile devices while other redirect-style attacks were more common on desktop.
This comes as little surprise, as clickjacking is much easier to get results from on mobile.
A clickjacking attack creates a transparent, clickable overlay that is written in code of the website page but is invisible to a user, which results in any click (or tap if you’re on mobile) on that page being read as a “click” to the attack target page.
Because, in order to scroll on mobile you must first tap on the screen (initiating a click), it is much easier to get a guaranteed click through using clickjacking, this makes this type of attack attractive on the mobile web.
Some other important takeaways to note from this data include:
- Largest Attack Vector: The majority of attacks overall were either redirects or clickjacking. These are the most profitable types of attacks, and the easiest for attackers to execute.
- Client Side Injections: Client side injection attacks are more prevalent on desktop as they are often executed through nefarious browser extensions, which aren't present on mobile devices.
- Attack Balance: The most important thing to note is that attack types are very different between web and mobile web. If your audience is split between devices, you'll want to be covered for all attack types.
Read the Guide
Malvertising prevention is essential for any publisher with an expansive online presence, and shoring up your lines of defense is a worthwhile investment.
Weekend vs. Weekday Attacks
In Q3, we observed and prevented several 24 to 48 hour malware attacks, which consistently occurred on weekends.
Six of the 7 major attacks occurred on Saturdays and Sundays, although the largest single attack (an outlier), took place on Thursday, August 27.
Overall, attacks on mobile web were more heavily focused through the weekdays, with desktop being more highly attacked on weekends.
In fact, weekends have a 1,000% higher threat level than weekdays on desktop. By contrast, weekdays have a 28% higher threat level than weekends on mobile web.
Covered at length in this article, this pattern of attacks takes advantage of times (such as weekends) when a publisher may not have AdOps hands on the controls.
Just like it is easier for a burglar to rob someone who isn’t home, the bad guys focus on attacking sites when they know it will take longer to be discovered.
Facebook browser continues to be the most attacked browser, accounting for 52.4% of attacks by volume.
Bad actors go where the users are. And more and more users are using facebook's browser to consume their favorite content.
Emerging Trend: Cloaking
This quarter, we saw an increase in the volume of cloaking attacks.
What is cloaking?Cloaking is a type of attack that misuses native "dynamic creative" features of advertising platforms to get ads that might otherwise be banned in front of end-users.
Many advertising platforms have the ability for users to provide dynamic creative where, based on user signals, different versions of the creative may be displayed.
While dynamic creative has many good uses, bad guys can take advantage of it to bypass ad screening methods and swap in clickbait images, fake news, or links that would otherwise be banned.
The Bottom Line
Q4 is traditionally the most significant revenue-driving quarter for publishers.
As we head into this critical time of year, make sure your user experience is protected, no matter the device or browser your audience is coming from.