Free Trial

Q1 2021 SMART Report

Read the full report below, or enter your email to download the PDF.



Executive Summary

Q1 2021 has served to truly show how bad actors have evolved over time into very sophisticated malvertisers. The methods they employ to remain undetected and execute their attacks have become increasingly refined.

Gone are the days of opportunists who launch large-scale attacks expecting them to remain unnoticed. In today’s environment of anti-malvertising solutions, malvertisers have adapted and found ways to overcome the protection measures that publishers and ad platforms have in place.

Across Q1 2021, our data shows that malvertisers are coming up with entirely new ways of attacking, targeting different avenues to launch attacks, employing new methods to hide attacks, and even looking for the presence of anti-malvertising solutions in an effort to evade detection.

Read the Q2 2021 SMART Report to learn more about:

  • Emerging threat types and attacker methods like cloaking and invisible ads
  • New anti-detection techniques malvertisers are using to stay below the radar
  • Threat mutation techniques to help execute a single attack in a multitude of different ways
  • Threat targeting behaviors through SSPs, geographic locations, devices, and browsers


About this Report

This report is built using impression and threat data gathered from sites across the entire cleanAD network.

The data included in this report is collected through behavioral analysis of tens of billions of impressions each month, in real time, on over 8 million websites and apps.

Note: You are welcome to share and republish the data and charts included in this report. We just ask that you attribute the source and link back to this page.

Top 5 Key Takeaways From Q1 2021

  1. Attackers are expanding their mutations of threats
  2. Attacks show increasing probing for, and avoidance of, anti-malware tools
  3. Attackers are continuously evolving the use of anti-blocklist techniques
  4. Malvertisers are running “safe” versions of campaigns to appear legitimate
  5. New threat types like Cloaking and “Invisible” Ads are emerging

1. More Threat Mutations than Ever

In Q1 2021, there was a large influx of threat variants delivered through numerous supply paths.

We saw more instances of the same threat utilizing a wider variety of techniques to hit a target including:

  • Hundreds of domain variations
  • Cloaking techniques
  • Varying ad servers
  • Tampering with anti-malvertising solutions


2. Increasing Awareness and Avoidance of Anti-Malvertising Solutions

Malvertisers have increasingly shown signs of actively probing for anti-malvertising tools in an effort to circumvent or avoid them.

Some actions we regularly see include tampering with perceived objects or network communications.

In general, these tampering efforts often may have a greater impact against anti-malvertising tools that use creative wrapper initializations than with on-page initializations.

Screen Shot 2021-04-14 at 9.42.46 AM

3. Continuously Evolving Anti-Blocklist Measures

Malvertisers are getting increasingly creative with novel blocklist-avoidance techniques.

Examples include:

  • Avoiding the use of “SRC” for iframe assignment, a common method blocklists use for detection of malicious code (shown at right)
  • Use of “partial writes” attempts to complicate detection of iframe presence
  • Clever “macro” usage to make blocklisting more difficult

code snippet with anti-blocklist techniques

4. Running "Safe" Versions of Campaigns

Bad actors have become more patient in their pursuit to drive engagement.

They are spending on “safe campaigns” to deceive publishers and platforms.

These “safe campaigns” never execute a malicious payload and are always running, which makes the malvertisers appear to be legitimate advertisers.

mixed safe and malicious campaigns

5. Emergence of Non-Redirect Attacks

Malvertisers have started incorporating more non-redirect attacks into their repertoire.

Examples include:

  • Invisible ads shown on publisher pages causing impressions to fire (shown at right)
  • Ads deliver a script that breaks out to page-level context and creates dozens of ad units
  • Setting opacity to something like 0.0000000001% to effectively become invisible
  • Ads checking for and hiding from debuggers


Invisible Ads Example

Q1 2021 Threat Level

The overall malvertising threat level declined by 48% in Q1 2021, coming off the very busy Q4 2020 holiday and retail season. Additionally, the effects of the COVID pandemic on threat level are starting to wane.

Q1 started with a higher threat level, but subsided as the quarter progressed, likely due to the introduction of increased demand in the advertising ecosystem.

Fewer single-day attacks also led to a less volatile quarter.



Threat Level Changes by Country

European and North American markets continue to experience the highest threat levels, with Switzerland ranked #1 for Q1 2021.

The United States and Canada were #2 and #4, with France taking the #3 spot, and other EU nations directly following.

There were also notable quarterly increases in Asia-Pacific, including Australia, Singapore, New Zealand, and Japan.



Browser & Device Types

While the largest attacks of the quarter took place on desktops, mobile remains the channel of choice for malvertisers.

Threat Level by Device Type

While mobile web has historically experienced the highest malvertising threat levels, the majority of large-scale, single-day attacks have consistently been targeted at desktop users.

Unlike previous quarters, large-scale, single day attacks were not as prevalent in Q1, but the high level of mobile web attacks has continued from trends in prior quarters.



Attacks by Device Type

As in previous quarters, mobile web continues to be the target of the overwhelming majority of malvertising attacks.

There are a variety of reasons for this, including the difficulty of implementing scanning solutions for mobile devices, and the fact that some attackers exclusively target cell networks for their attacks.


Click to Tweet


Attacks by Browser

Threats decreased across nearly all browser types in Q1 compared with Q4 2020, however the top three attacked browsers in Q1 2021 were all mobile browsers.

Chrome was the most attacked desktop browser,  with a large gap between it and the remaining desktop browsers.


Click to Tweet

Social Media Browser Attacks

Facebook remains far and away the highest attacked social media browser in the advertising ecosystem.

Snapchat, Instagram, and Pinterest remain far behind.


SSP Attack Targeting

In Q1 2021, malvertisers shifted the SSPs through which they are executing attack

Attackers generally moved away from the larger SSPs toward some of the smaller SSPs in Q1.

SSP Attack Targeting

Download this Report