How Attackers Used SSPs & DSPs to Execute Attacks in Q2 2020

by Marshall Moritz, on Jul 24, 2020 8:00:00 AM

This series explores each of our Q2 Smart Report findings in more depth and detail. Explore all articles in this series:

One of the most interesting insights from our Q2 data is how it shows the methods in which bad actors take advantage of the way the programmatic advertising ecosystem is built and how an ad creative flows through that system.

How Ads Flow-Through SSPs and DSPs

Let’s do a quick review of how ad creative flows through platforms to ultimately reach users for those who would like a refresher.

To start, a few quick definitions:

demand-side platform (DSP) is the adtech platform that allows advertisers to submit ad creative and purchase impressions across a variety of publisher properties in a single place. Advertisers will submit all ad creative to a DSP and pay the DSP for any impressions.

The primary role of the DSP is to connect Advertisers to Publisher inventory; a single DSP will plug into multiple SSPs, giving advertisers access to the ability to place ads across a network of Publishers.

supply-side platform (SSP) is the adtech platform meant to connect the marketplace of digital publishers with available ad content. SSPs programmatically bid on available ads on publisher websites or apps, then the publisher will display the ad provided by the SSP. The SSP will then pass along the revenue from the initial ad purchaser to the publisher to pay for the impression.

The SSP enables the Publisher to put their inventory up for auction, where the DSP will fill that ad-slot with an appropriate creative at the highest bid. This allows the Publisher to monetize their inventory. A single publisher often works with many SSPs in order to maximize the revenue-earning opportunity with as many DSPs and Advertisers having access as possible.

Flow of Threats

Attackers can take advantage of this system, and the opportunities provided through a single DSP. The threat flows as follows:

  1. DSP: Attacker submits ad creative to a DSP. A single DSP allows access to many SSPs.
  2. SSP: SSP enables bids from multiple DSPs on available ad-slots across their entire network of inventory. 
  3. Ad Views: Ad impressions are seen by users. Through a single DSP, attackers can create a massive impact.

DSP-SSP-Publisher-Flow-Diagram (1)

Q2 2020 Data

Data from Q2 shows that 90% of total threats originated from just 9 SSPs, and we measured attacks across a total of 63 unique SSPs.

In addition, what we can see in action with Q2 data is how attackers systematically rotate attacks and target small groups of SSPs at a time. Bad actors rotated through 3 major cycles of SSP attacks in Q2.


Phase 1: The first 6 weeks of Q2 showed attacks were primarily focused on just 3 SSPs, accounting for 74% of attacks in phase 1.

Q2202004-3 (1)

Phase 2: The following four weeks showed a rotation of attacks on 3 new SSPs, accounting for 72% of attacks in phase 2.

Q2202004-2 threat

Phase 3: Finally, the last 3 weeks rotated further to attacks primarily focused on 3 new SSPs, accounting for 53% of attacks in phase 3.

Q2202004-3 threat rotation

What this data shows is that bad actors are systematically using multiple SSPs as entry points to launch their infectious code onto devices.

What we’ve seen behaviorally is that attacks focus on a small number of SSPs at once, first through small probing campaigns before scaling to widespread attacks.

In Q2 in particular, we saw this cycle of small probing attack followed by a large scale attack repeated 3 times. Bad actors cycled major attacks through several groups of SSPs throughout the quarter, and as they began to be discovered, they shifted to new SSPs. 

In general, what we see are malvertisers going “full throttle” on a few SSPs while already testing on their next batch of platforms to attack.

Key Takeaways

Attack rotations.

Bad actors systematically rotate attacks across multiple SSPs and DSPs to find vulnerabilities that will drive them the greatest gain.

Exponential impact.

While we saw 90% of the threats coming from 9 SSPs in Q2, we also prevented threats coming from over 63 unique SSPs total, indicating that there is a long tail of SSP probing that occurs.

Final Thoughts

The most important information to take away from this data is the behavior of malvertisers across the ecosystem. Seeing small probing attacks are a great leading indicator that your inventory may be next up for a widespread attack.

If you are able to catch and stop small probing attacks, malvertisers will most likely avoid your platform in widespread attacks altogether as the failure of a probing attack indicates to them that the effort to attack you holds no profit for them.

Staying vigilant is important. As the attackers rotate efforts between SSPs, it is hard to predict which platform will be targeted next. But, working with means you will always be protected, no matter which combination of SSPs and DSPs are being targeted in a given threat cycle.

Read the full Q2 2020 Smart Report.



Topics:Malvertising DataMalvertising

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates