cleanAD Customer Updates

by Team clean, on May 26, 2022 8:51:01 AM

What's New In May

cleanAD’s Threat Mitigation Language: What It Is, What It Isn’t, and How It's Changing the Game

Constantly updating attacks and tactics has long highlighted the need for a proactive security system to protect sites from malvertising attacks.

cleanAD’s Threat Mitigation Language (TML) is a powerful yet efficient proprietary language to define behaviors and apply custom, context-aware logic for telemetry gathering and executing of advanced threat neutralization techniques. TML facilitates quick categorization of potentially harmful threats, including key indicators, behavioral traits, and other identifying metadata, for pairing with appropriate mitigation strategies.

Want to learn more? Check out this in-depth article which goes into the ins and outs of cleanAD's Threat Mitigation Language, and how it is changing the ad security ecosystem, here

Copy of Copy of Data Snacks (1)

In Case You Missed It

Types of iFrames and When to Use Them

Ad Ops All Stars: Lisa Howard, Global Head of Advertising and Marketing Solutions, The New York Times

Ad Ops All Stars: Ari Paparo, Entrepreneur and Co-Founder, Beeswax


Find Us On

LinkedIn   Facebook   Twitter   Instagram 

Questions? Feedback? We'd love to hear from you!  

Read Story

by Team clean, on Apr 27, 2022 11:17:00 AM

What's New In April


Everything you ever needed to know about Ad Operations 

Love a good podcast? Need something to listen to while walking the dog? Want to learn more about what it's like to work in the ad operations field? You've come to the right place! Check out the Ad Ops All Stars podcast with new episodes weekly that take you behind the scenes with top Ad Ops leaders to understand the ins and outs of their roles and what brought them success in their careers.

Head to our resource hub to check out all of our podcast episodes, or download directly from apple podcasts

Questions? Feedback? We'd love to hear from you!  

Read Story

by Team clean, on Mar 31, 2022 4:24:36 PM

What's New In March

What's the deal with all these MLPs? 

Throughout the majority of Q1 2022, our network has seen an influx of malicious landing page (MLP) attacks. One prevalent attack is a malicious energy scam which comes from misleading ads surrounding an energy saving system that has been deemed by authorities as "scientifically impossible." Click here to get the full scoop and to see how clean is protecting its partners from this malicious activity. 

Screen Shot 2022-03-31 at 11.50.23 AM

Questions? Feedback? We'd love to hear from you!  

Read Story

by Team clean, on Feb 28, 2022 10:47:04 AM

What's New In February

Q4 2021 Smart Report is Here! 

Q4 smart report

Check out our Q4 SMART Report for a deep dive into malvertising data across our network in the final months of 2021.

Our top 5 takeaways from Q4 2021 include: 

  • Redirect threats make comeback late in the quarter.
  • Malicious landing page threats continues to scale as schemes diversify.
  • Ad stacking IVT runs rampant, leading to billions of invisible ads served through many platforms.
  • New attack via Chrome browser extension enters ecosystem, targeting Google Tag Manager.
  • Supply chain attacks infect websites and victimize visitors.

Questions? Feedback? We'd love to hear from you!  

Read Story

by Team clean, on Jan 28, 2022 9:41:41 AM

What's New In January 

You Asked, We Answered...

Screen Shot 2022-01-26 at 1.28.18 PM

Now that you can see the number of heavy ads detected in your dashboard, what's next? Below we summarized some answers to commonly asked questions we've received related to heavy ads.

What are heavy ads?

Based on the criteria set by Google, an ad is considered heavy and blocked by Chrome-family browsers, if it has not been interacted with (e.g. click or tap) and meets 1 of the following:

  • Uses the main CPU thread for more than 60s in total (cpu violation)
  • Uses the main CPU thread for more than 15s in any 30s window (cpu violation)
  • Uses more than 4 megabytes of network bandwidth (network violation)

VAST/VPAID ads are mostly exempt from this, as this only applies to banner and native formats

What does report in the dashboard? 

Using a 10% sample rate, we collect data when Chrome browsers block an ad as heavy.

Why is this reporting important? 

For publishers that operate their own sites, this gives meaningful insight to changes in heavy ad volumes to understand how often ads are being blocked and possibly from whom.  Not because they don’t want to protect users, but because a page littered with broken ad messaging creates a poor user experience and reflects poorly on the site. Please note that usually, publishers still get paid for these ads so there is not a loss of revenue associated.

What is an acceptable number of heavy ads? 

Average dashboard percentage is .01%, but ranges up to .2% are quite common. Percentages are based on page-views and will vary significantly between sites due to differences in # of ads per page,  and page dwell time.

When is it a problem requiring investigation?

Mitigation should not be necessary unless dashboard percentage grows larger than 2%. Users are protected by the browser and revenue isn’t impacted, so even above average levels are acceptable.

Over 2% is an indication of a possible site issue, problem with a custom ad format, or site content erroneously blocked because it's being classified as an ad. This should be investigated and we’re here to support those efforts.

Why is SSP or DSP still pending verification? 

Ads may not get flagged as heavy until well after being served, making it difficult to trace back to responsible platforms.  Also, Chrome sometimes blocks non-ads, with no identifiable ad platform.

Questions? Feedback? We'd love to hear from you!  

Read Story

by Team clean, on Dec 30, 2021 3:35:05 PM

What's New In December

Happy New Year from Team Clean! 

We wanted to take this opportunity to thank you for being amazing partners through a historic year here at clean. Below are some highlights of the milestones reached and a summary of threats prevented in 2021:

  • 125M+ threats prevented from 80+ SSPs and 125+ DSPs
  • Heavy Ads Report released in Dashboard 
  • Threat Classification System created (TML)
  • Threats blocked from 25 Threat Classes & 39 Threat Variants
  • Pixel Stuffing (TI-19) emerged as highest volume threat class 
  • US was highest targeted country followed by Philippines & South Africa 
  • Chrome Mobile In-App Facebook identified as highest targeted browsers 

You can expect a more in depth recap of network trends and a deep dive into what we saw in the malvertising world later on this month. In the meantime, we wish you a great start to 2022. May all of your troubles last as long as your New Year's resolutions 😉

Read Story

by Team clean, on Nov 30, 2021 1:59:00 PM

What's New In November ?

Ad Stacking

This month we wanted to provide a general refresher on Ad Stacking and introduce a new dashboard update for our customers.  In August we shared our introduction to ad stacking, and how it ultimately hurts advertisers and their bottom line.  As a quick recap, this fraudulent script showcases one ad to the end user but allows for multiple (more like dozens!) of unapproved creatives to serve within a single unit.

The trick here is, they are loaded behind the approved ad with nearly zero opacity so the user experience is never hindered.  Even worse, these ads can be set on a banner rotation so once the ad lasts long enough to count for the impression another one is loaded in its place thus impacting campaign budgets without clear explanations.  So the question here is, if the publisher and end user are unaware that this is happening, who is able to detect and protect from this fraudulent behavior?

The clean team has worked to uncover how this sophisticated IVT can affect hundreds of thousands of impressions per day for different platforms.  In the last few weeks we have seen over 400 sites impacted by ad stacking and 2.2M fraudulent impressions delivered.  Catching this type of behavior is difficult and time consuming so it's important to pay attention to your data.

Heavy Ads

In other cleanAD news, our team is excited to announce that publishers will now see heavy ads reported in their dashboard.  While not actually harmful to your webpage or end-users, heavy ads often break advertising standards and can damage revenue by driving traffic away from your site.  Heavy ads are any ad the user has not interacted with, while also meeting any of the following criteria, according to Google Developers:

  • Uses the main thread of your site for more than 60 seconds in total
  • Uses the main thread of your site for more than 15 seconds in any 30-second window
  • Uses more than 4 megabytes of network bandwidth

How To Find Heavy Ads Data in cleanAD

Reports will appear under a Heavy Ads tab along the left-hand side of the Dashboard.  Unlike other product features, we do not block heavy ads but report on the interventions from Chrome.

The new feature creates reports based on 10% of Heavy Ads blocked by Chrome, Chrome Mobile, and Microsoft Edge browsers per page view, while also providing insights into which DSP/SSP the ads are originating from.

When reviewing your reports, keep in mind that they are based on a 10% sample rate, so for true volumes multiply by 10.

Why It Matters

Publishers need to understand how often and from who, ads are being blocked.  Not because they don't want to protect users, but because a page littered with broken ad messaging creates a poor user experience and reflects poorly on the site.

If you have any questions about Heavy Ads, or how they are reported in the dashboard, reach out to your cleanAD client success manager.

Read Story

by Team clean, on Sep 29, 2021 12:00:30 PM

New TI-24 Threat Detected

Thanks to our real-time behavioral solution, partners remain protected even when a new threat enters the ecosystem. In September the clean script caught & protected a new threat that entered the ecosystem called TI-24.

After behaviorally capturing new threats,'s Threat Research team will conduct a full forensic audit of the entire attack including the overall architecture, delivery methods, payloads and specific triggers. 

Our research found that TI-24 comes from a known group of bad actors responsible for another massive rise in threats in August. This time they used these new tactics to attempt to evade detection and place malware on users' devices:

  • Multiple Layers of Cloaking by Request Parameters
  • Clickjacking
  • Fingerprinting
  • Targeting by Device

New TI-24 Threat

TI-24’s JavaScript uses fingerprinting to scan devices to locate mobile users using a cellular connection, while hiding its malicious payload behind multiple layers of cloaking. 

Users that don’t meet those conditions will be shown a “safe” ad to avoid detection.

When conditions are met, the cloaked attack will then take over the webpage with an invisible overlay that redirects users to a harmful webpage where the bad actors can steal data or install malware on the users device. This is referred to as clickjacking.



TI-24 Threat Level Snapshot

clean found that 33% of SSPs were impacted, with most attacks originating from Verizon Media.

By Sept 20, ImproveDigital and Outbrain decreased while GumGum began to see small spikes as the malvertising group likely began retargeting its campaign.

On the DSP side, 22% were impacted overall, with most of the TI-24 Attacks originating via Bidswitch, while Trade Desk accounted for a consistent 8-12% of the remaining daily threats.

Attacks primarily occurred in the United States (over 90%), but were also detected in Denmark, Italy, France, Great Britain, and Japan 

As a result, 75% of our customers were targeted by this new threat, despite coming through just 2-3 SSPs, and 1-2 DSPs 



September Threat Level Snapshot


  • Overall, the new TI-24 threat made up less than 10% of total threats over the network in September
  • TI-23, a threat known for crypto scam, surged in mid-September and made up the large majority of threats on Sept 18, 21, and 25 peak attack periods
  • TI-19, a mobile in-app pixel stuffing scam continues to surge across the ecosystem
  • TI-23, TI-19, and TI-01 (an in-app redirect) all saw simultaneous spikes on Sept 10
Read Story
Content not found

Get the latest updates

New data, insights and updates exclusively for cleanAD customers.