by Team clean, on Dec 30, 2021 3:35:05 PM

What's New In December

Happy New Year from Team Clean! 

We wanted to take this opportunity to thank you for being amazing partners through a historic year here at clean. Below are some highlights of the milestones reached and a summary of threats prevented in 2021:

  • 125M+ threats prevented from 80+ SSPs and 125+ DSPs
  • Heavy Ads Report released in Dashboard 
  • Threat Classification System created (TML)
  • Threats blocked from 25 Threat Classes & 39 Threat Variants
  • Pixel Stuffing (TI-19) emerged as highest volume threat class 
  • US was highest targeted country followed by Philippines & South Africa 
  • Chrome Mobile In-App Facebook identified as highest targeted browsers 

You can expect a more in depth recap of network trends and a deep dive into what we saw in the malvertising world later on this month. In the meantime, we wish you a great start to 2022. May all of your troubles last as long as your New Year's resolutions 😉

Read Story

by Team clean, on Nov 30, 2021 1:59:00 PM

What's New In November ?

Ad Stacking

This month we wanted to provide a general refresher on Ad Stacking and introduce a new dashboard update for our customers.  In August we shared our introduction to ad stacking, and how it ultimately hurts advertisers and their bottom line.  As a quick recap, this fraudulent script showcases one ad to the end user but allows for multiple (more like dozens!) of unapproved creatives to serve within a single unit.

The trick here is, they are loaded behind the approved ad with nearly zero opacity so the user experience is never hindered.  Even worse, these ads can be set on a banner rotation so once the ad lasts long enough to count for the impression another one is loaded in its place thus impacting campaign budgets without clear explanations.  So the question here is, if the publisher and end user are unaware that this is happening, who is able to detect and protect from this fraudulent behavior?

The clean team has worked to uncover how this sophisticated IVT can affect hundreds of thousands of impressions per day for different platforms.  In the last few weeks we have seen over 400 sites impacted by ad stacking and 2.2M fraudulent impressions delivered.  Catching this type of behavior is difficult and time consuming so it's important to pay attention to your data.

Heavy Ads

In other cleanAD news, our team is excited to announce that publishers will now see heavy ads reported in their dashboard.  While not actually harmful to your webpage or end-users, heavy ads often break advertising standards and can damage revenue by driving traffic away from your site.  Heavy ads are any ad the user has not interacted with, while also meeting any of the following criteria, according to Google Developers:

  • Uses the main thread of your site for more than 60 seconds in total
  • Uses the main thread of your site for more than 15 seconds in any 30-second window
  • Uses more than 4 megabytes of network bandwidth

How To Find Heavy Ads Data in cleanAD

Reports will appear under a Heavy Ads tab along the left-hand side of the Dashboard.  Unlike other product features, we do not block heavy ads but report on the interventions from Chrome.

The new feature creates reports based on 10% of Heavy Ads blocked by Chrome, Chrome Mobile, and Microsoft Edge browsers per page view, while also providing insights into which DSP/SSP the ads are originating from.

When reviewing your reports, keep in mind that they are based on a 10% sample rate, so for true volumes multiply by 10.

Why It Matters

Publishers need to understand how often and from who, ads are being blocked.  Not because they don't want to protect users, but because a page littered with broken ad messaging creates a poor user experience and reflects poorly on the site.

If you have any questions about Heavy Ads, or how they are reported in the dashboard, reach out to your cleanAD client success manager.

Read Story

by Team clean, on Sep 29, 2021 12:00:30 PM

New TI-24 Threat Detected

Thanks to our real-time behavioral solution, partners remain protected even when a new threat enters the ecosystem. In September the clean script caught & protected a new threat that entered the ecosystem called TI-24.

After behaviorally capturing new threats,'s Threat Research team will conduct a full forensic audit of the entire attack including the overall architecture, delivery methods, payloads and specific triggers. 

Our research found that TI-24 comes from a known group of bad actors responsible for another massive rise in threats in August. This time they used these new tactics to attempt to evade detection and place malware on users' devices:

  • Multiple Layers of Cloaking by Request Parameters
  • Clickjacking
  • Fingerprinting
  • Targeting by Device

New TI-24 Threat

TI-24’s JavaScript uses fingerprinting to scan devices to locate mobile users using a cellular connection, while hiding its malicious payload behind multiple layers of cloaking. 

Users that don’t meet those conditions will be shown a “safe” ad to avoid detection.

When conditions are met, the cloaked attack will then take over the webpage with an invisible overlay that redirects users to a harmful webpage where the bad actors can steal data or install malware on the users device. This is referred to as clickjacking.



TI-24 Threat Level Snapshot

clean found that 33% of SSPs were impacted, with most attacks originating from Verizon Media.

By Sept 20, ImproveDigital and Outbrain decreased while GumGum began to see small spikes as the malvertising group likely began retargeting its campaign.

On the DSP side, 22% were impacted overall, with most of the TI-24 Attacks originating via Bidswitch, while Trade Desk accounted for a consistent 8-12% of the remaining daily threats.

Attacks primarily occurred in the United States (over 90%), but were also detected in Denmark, Italy, France, Great Britain, and Japan 

As a result, 75% of our customers were targeted by this new threat, despite coming through just 2-3 SSPs, and 1-2 DSPs 



September Threat Level Snapshot


  • Overall, the new TI-24 threat made up less than 10% of total threats over the network in September
  • TI-23, a threat known for crypto scam, surged in mid-September and made up the large majority of threats on Sept 18, 21, and 25 peak attack periods
  • TI-19, a mobile in-app pixel stuffing scam continues to surge across the ecosystem
  • TI-23, TI-19, and TI-01 (an in-app redirect) all saw simultaneous spikes on Sept 10
Read Story
Content not found

Get the latest updates

New data, insights and updates exclusively for cleanAD customers.