New Attack Types Cause 231% Spike in Malvertising Threats in Q3
by Andrew Reed, on Oct 29, 2021 12:30:00 PM
A 231% spike in malvertising threat levels in the second half of Q3, coupled with new attack types launched by known attackers, signals that malvertisers are moving away from traditional redirect and single-day attacks toward attack styles that more easily evade detection.
These trends highlight the need for security solutions that can adapt to large shifts and new threats in the malvertising ecosystem, especially since our data shows that most anti-malvertising solutions consistently block traditional redirect attacks but fail to catch the new attack types.
This has many providers in the anti-malvertising industry playing catch-up with even the most common malvertising groups, leaving publishers and platforms exposed while those traditional tools track down and block the new attacks.
Sharp Spikes in Threat Level and New Malvertising Trends
The second half of Q3 saw threat levels rise by a shocking 231%, mainly due to an increase in new malicious landing page attacks and mobile in-app pixel stuffing (as opposed to the first half of the quarter, when clickjacking redirects made up the majority of threats).
[Chart: Q3 2021 Threat Level by Attack Type]
Holes in the Anti-Malvertising Industry
Because of its position on the page, our cleanAD script can observe other anti-malvertising tools that wrap ads, which lets us see whether a harmful ad was blocked or slipped past detection. This quarter, we took a look at that data to see what insights we could glean.
Overall, the leading anti-malvertising tools performed similarly when blocking traditional, "stable" redirect attack styles. Data collected over two consecutive observation periods shows that each of the three most commonly used tools is continuously improving its protection and is able to block most familiar redirect threats and their mutations.
But unlike cleanAD, none of the other leading anti-malvertising tools was successful at regularly blocking client-side injections or pixel stuffing attacks, which, as previously mentioned, are rapidly increasing in volume as malvertisers seek new avenues to avoid detection.
Along with this, traditional anti-malvertising tools are slow to detect and prevent most new classes of redirect-style attacks. And when these threats are eventually identified, only a limited number of threat variants are being blocked.
This is most likely due to the blocklisting approach many anti-malvertising tools rely on: an ad must exhibit properties that have already been observed and labeled as harmful before the tool can block it. Once a new malicious ad is blocked, tracking down and blocking its variants takes additional time.
This surge in both new redirects and hard-to-detect malicious landing pages will have traditional blocklisting security tools playing catch-up as they rush to add new threats to their databases, leaving publishers vulnerable to attacks in the meantime.
New Attack Types
As mentioned above, Q3 saw familiar bad actors test new attack types, using new supply paths and methods for concealing familiar malicious payloads.
[examples of new malicious payloads discovered by cleanAD]
The most pervasive new attack our network picked up was a malicious landing page attack, which dominated the second half of the quarter and contributed to the dramatic increase in threat levels.
Native advertisements like these do not themselves carry malicious payloads. Instead, they lure users to harmful landing pages that steal information, run scams, or install malware. Because the creative itself looks harmless, and because some native ad platforms apply lax ad quality guidelines, these ads can be particularly difficult to catch.
In addition to the proliferation of new attack types, malvertisers adopted evasion strategies such as spreading a threat across a much larger set of web and mobile properties with smaller frequency caps. This lowers the impression count on any single property and keeps the activity on each one small enough to escape notice.
This shift in behavior indicates that attackers are moving away from large-scale single-day attacks in favor of stable, day-over-day attack patterns, increasing the longevity of the attack while decreasing its likelihood of detection.
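The evasion pattern described above only works against detection that looks at one property at a time. The block below is an added example (not cleanAD's code, and not from the original post) showing a per-property impression threshold missing a thinly spread campaign, and a cross-property, multi-day profile surfacing it. The log entries, field names, and threshold values are all constructed assumptions for illustration.

```javascript
// Added example (not cleanAD's code): profile an impression log across
// properties and days so that a campaign spread thinly over many properties
// is surfaced even though no single property ever crosses a volume threshold.
// Field names, thresholds and the log entries are assumptions for illustration.

// Constructed sample log. Each entry: one creative served on one property on one day.
function buildSampleLog() {
  const log = [];
  const day = (d) => `2021-09-${String(d).padStart(2, '0')}`;
  // Traditional single-day burst: very high volume on two properties, one day.
  log.push({ day: day(3), property: 'news-a.example', creative: 'crtv-burst', impressions: 12000 });
  log.push({ day: day(3), property: 'news-b.example', creative: 'crtv-burst', impressions: 9000 });
  // Distributed campaign: 60 impressions/day on each of 12 properties for 10 days.
  for (let d = 1; d <= 10; d++) {
    for (let p = 1; p <= 12; p++) {
      log.push({ day: day(d), property: `site-${p}.example`, creative: 'crtv-spread', impressions: 60 });
    }
  }
  // Ordinary house creative: steady, modest volume on a single property.
  for (let d = 1; d <= 10; d++) {
    log.push({ day: day(d), property: 'news-a.example', creative: 'crtv-house', impressions: 300 });
  }
  return log;
}

// Rule 1: per-property threshold. Flags a creative only when one property
// serves it more than maxPerDay times in a single day.
function perPropertyAlerts(log, maxPerDay) {
  const flagged = new Set();
  for (const e of log) {
    if (e.impressions > maxPerDay) flagged.add(e.creative);
  }
  return [...flagged].sort();
}

// Aggregate each creative across every property and day it appeared on.
function profileCreatives(log) {
  const profiles = new Map();
  for (const e of log) {
    let p = profiles.get(e.creative);
    if (!p) {
      p = { creative: e.creative, days: new Set(), properties: new Set(), total: 0, maxPerPropertyDay: 0 };
      profiles.set(e.creative, p);
    }
    p.days.add(e.day);
    p.properties.add(e.property);
    p.total += e.impressions;
    p.maxPerPropertyDay = Math.max(p.maxPerPropertyDay, e.impressions);
  }
  return profiles;
}

// Rule 2: cross-property profile. "burst" = some property exceeded the
// per-property cap; "distributed" = every property stayed under the cap, but
// the creative ran on many properties over many days with a network-wide daily
// volume above maxNetworkPerDay; anything else is "normal".
function classifyCreatives(log, opts = {}) {
  const { maxPerDay = 5000, maxNetworkPerDay = 500, minProperties = 5, minDays = 5 } = opts;
  const verdicts = {};
  for (const p of profileCreatives(log).values()) {
    const networkPerDay = p.total / p.days.size;
    if (p.maxPerPropertyDay > maxPerDay) {
      verdicts[p.creative] = 'burst';
    } else if (p.properties.size >= minProperties && p.days.size >= minDays && networkPerDay > maxNetworkPerDay) {
      verdicts[p.creative] = 'distributed';
    } else {
      verdicts[p.creative] = 'normal';
    }
  }
  return verdicts;
}

// Stand-alone run: the per-property rule sees only the burst; the profile
// also surfaces the distributed campaign while leaving the house creative alone.
console.log(perPropertyAlerts(buildSampleLog(), 5000));
console.log(classifyCreatives(buildSampleLog()));
```

The thresholds are deliberately simple; in practice the cross-property signal would be one input among several (creative fingerprint, landing-page behavior, supply path), but the structural point holds: a detector that never joins impressions across properties and days cannot see a campaign that has been sized to stay under every single-property cap.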
Preventative vs. Reactionary Security
Each of the trends highlighted here underscores the importance of an effective anti-malvertising solution, and in particular one that minimizes the time between an ad call and the software identifying and blocking a malicious ad, especially when that ad uses a new or emerging threat type.
Bottom line, bad actors familiar with “stable” redirects know just as well as we do that their attacks are becoming less effective, and have begun looking for new strategies to target users.
Blocklisting URLs is an effective way to manage known attacks, but if you rely on it alone to protect your website, you will always be playing catch-up when new attacks enter the ecosystem.
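The earlier observation that blocklist-based tools catch a new threat but then take time to catch its variants, and the point just above about blocklisting URLs, come down to how the blocklist is matched. The block below is an added example (not cleanAD's code, and not from the original post) that runs an exact-string URL blocklist and a canonicalizing host-suffix blocklist against trivial variants of one known-bad landing page. The domains, URLs, and list contents are constructed for illustration.

```javascript
// Added example (not cleanAD's code): compare an exact-string URL blocklist with
// a canonicalizing, host-suffix blocklist against trivial variants of one
// known-bad landing page. The domains and URLs are constructed for illustration.

// Exact-match blocklist of full landing-page URLs, as a naive tool might keep it.
const EXACT_URL_BLOCKLIST = new Set(['https://bad-landing.example/promo']);

// Host blocklist used by the canonicalizing matcher.
const HOST_BLOCKLIST = new Set(['bad-landing.example']);

function exactUrlBlocked(url) {
  return EXACT_URL_BLOCKLIST.has(url);
}

// Canonical hostname: parsed by the WHATWG URL parser (which lowercases and
// IDNA-encodes the host), then stripped of any trailing dot. Returns null
// for strings that are not absolute URLs.
function canonicalHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return null;
  }
  return parsed.hostname.replace(/\.+$/, '');
}

// Suffix match: blocks the listed host and every subdomain of it. (A real
// matcher would also consult the public-suffix list so that an entry such as
// "co.uk" cannot block an entire registry suffix.)
function hostBlocked(url) {
  const host = canonicalHost(url);
  if (host === null) return false;
  for (const bad of HOST_BLOCKLIST) {
    if (host === bad || host.endsWith('.' + bad)) return true;
  }
  return false;
}

// Constructed variants of the known-bad landing page.
const SAMPLE_URLS = [
  'https://bad-landing.example/promo',                    // the exact listed entry
  'HTTPS://BAD-LANDING.EXAMPLE./promo?utm_source=native', // case, trailing dot, query
  'https://cdn.bad-landing.example/offer',                // new subdomain, new path
  'https://bad-landing-2.example/promo',                  // brand-new domain
];

// Run both matchers over a list of URLs and report the verdict of each.
function evaluate(urls = SAMPLE_URLS) {
  return urls.map((url) => ({ url, exact: exactUrlBlocked(url), host: hostBlocked(url) }));
}

// Stand-alone run: only the first URL is caught by the exact list, the first
// three by the host list, and the brand-new domain by neither.
for (const r of evaluate()) console.log(r);
```

Canonicalizing before matching closes the cheap variants (case, trailing dot, tracking parameters, new subdomains and paths), which is the difference between blocking one sample of a threat and blocking its mutations. The fourth URL is the case no blocklist can solve: a landing page on a domain nobody has labeled yet is invisible to list-based matching until someone sees it, labels it, and ships the update, which is exactly the catch-up window described above.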