Peruse the content of the report below or download the full PDF.
This report is built using threat and attack data gathered from sites across the entire clean.io network.
The data included in this report is collected through behavioral analysis of tens of billions of impressions each month in real time on over 7 million websites and apps.
View all the Q2 2020 trends below.
Note: You are welcome to share and republish the data and charts included in this report, we just ask that you attribute the source and link back to this page.
How has COVID affected the malvertising landscape?
Major changes in the way we work and consume content, shifts in the behavior of brand advertisers, as well as spikes in the virus itself have all contributed to trends observed in Q2.
But, what does it all mean?
COVID-19 has changed the way the world operates. In the last few months many jobs have shifted to work-from-home, education has moved online, global sports and entertainment have paused, and travel has massively decelerated.
COVID has changed the way the world, and malvertisers themselves, operate.
- Matt Gillis, CEO
This activity is reflected in malvertising as well; Automotive, Travel, Education, and Sports were the most commonly attacked site verticals in Q2.
As the world continues to adjust to life in a pandemic (the return of sports, a new school year in the upcoming quarter) we expect to see elevated threat levels in the most impacted industries.
Attack trends mirrored COVID-related demand shifts. Threat level increased as demand levels reduced, and threats reduced as demand recovered with COVID-19 and quarantine shifts.
While malvertising attacks are predictable around certain holidays, threat levels are otherwise erratic. Add a pandemic to the mix, and the volatility in attacks has been even more severe. Staying vigilant and protected is more important now than ever before.
The only thing that is predictable about the behavior of bad actors is that they are unpredictable.
- Kathy Knott, VP Client Success
Q2 began in the midst of a growing pandemic which created a vacuum of brand demand and allowed bad actors to infiltrate the ecosystem. Acclimation to life in a pandemic, alongside natural growth in demand towards the end of the quarter, yielded declines in threat level.
Top countries by threat level closely matched the most heavily affected countries by the pandemic.
The Americas and Europe are the top two regions impacted by COVID-19 thus far; conversely it follows that they are the two regions most impacted by malvertising in Q2. The US, Canada, and 8 European nations make up the Top 10 countries by threats in Q2.
Malvertisers will take advantage of any and all environmental changes that present an opportunity.
- Geoffrey Stupay, Co-Founder
Just as the pandemic has inflicted pain on specific countries at different times and with different volumes of cases, malicious code exhibited the same pattern.
Within our Top 10 countries for Q2, we saw Peak Threat Levels occur at different times and at varying maxima.
Shifts in demand are key.
What is happening in the world has significant effects on supply prices, thus creating an opportunity for bad actors to access more inventory, more cost effectively, thus driving threat levels up.
Attacks are well coordinated.
Bad actors very quickly shift approaches and conduct attacks that are well coordinated by date and location to make their attacks easier to execute and more effective.Read the In-Depth Article About COVID Affects →
How are attackers using platforms to orchestrate their attacks?
Q2 data shows how bad actors take full advantage of the way the programmatic advertising ecosystem is built and how ad creative flows through that system.
Data from Q2 shows that 90% of total threats originated from 9 SSPs.
Bad actors rotated through 3 major cycles of SSP attacks in Q2.
Phase 1: The first 6 weeks showed attacks were primarily focused on just 3 SSPs, accounting for 74% of attacks in phase 1.
Phase 2:The following four weeks showed a rotation of attacks on 3 new SSPs, accounting for 72% of attacks in phase 2.
Phase 3: Finally, the last 3 weeks rotated further to attacks primarily focused on 3 new SSPs, accounting for 59% of attacks in phase 3.
Bad actors are using multiple SSPs as entry points to launch their infectious code onto devices.
The clean.io Network sees attacks focus on a small number of SSPs at once, first through small probing campaigns before scaling to widespread attacks.
Malvertisers constantly run novel small probing campaigns prior to widespread attacks.
- Jason Dobrzykowski, Director, Platform & Channel Partnerships
This cycles through several groups of SSPs throughout the quarter, and the landscape is always shifting. In general, malvertisers are going full throttle on a few SSPs while already testing on their next batch of platforms to constantly evade being caught.
Bad actors systematically rotate attacks across multiple SSPs and DSPs to find vulnerabilities that will drive them the greatest gain.
While we saw 90% of the threats coming from 9 SSPs in Q2, we also prevented threats coming from over 63 unique SSPs total, indicating that there is a long tail of SSP probing that occurs.Read the In-Depth Article About SSP and DSP Attack Trends →
How are bad actors selectively attacking specific tech?
Always on the lookout for vulnerabilities, Q2 data shows how attackers rotate their attack attempts across different browsers, devices and operating systems.
Facebook’s embedded browser and Chrome Mobile continue to be the most attacked in the ecosystem.
7 of the top 10 attacked browsers are mobile. Mobile browsers overwhelmingly hold the lead in threat levels.
Bad actors focused on Android devices as their primary OS. Android OS accounted for a total 58.57% of attacks across the quarter.
Bad actors rotated efforts between chrome and iOS.
Mobile Browsers - specifically Chrome Mobile and Facebook embedded browser - are the most attacked Browsers in Q2.
While we see attacks across all devices, many attacks are consistently focused on mobile devices.
Mobile allows access to ads at lower price points, making it easier for malvertisers to turn a profit.
- Alexey Stoletny, CTO
It follows that Android accounted for 58.57% of all threats in Q2; as it is generally less expensive than iOS inventory, and more popular globally, it allows bad actors access at lower price points to turn a profit at the expense of users.
Protecting mobile is key.
Bad actors continue to focus more heavily on mobile in their attacks, so protecting user experience on mobile devices will be an important initiative.
Focus on embedded browsers.
Embedded browsers, particularly Facebook, continue to hold the highest threat vector. Finding ways to preserve user experience in embedded browsers is of utmost importance.Read the In-Depth Article About Browser and Device Attack Trends →
clean.io is the most effective solution to prevent malvertising, as well as protect revenue and user experiences across all platforms.
Learn how Pub+ alleviated malicious redirects that were causing business disruptions and eating into revenue.
The clean.io solution worked exactly as described. Simple, effective, and smart. Following implementation we saw all key financial KPIs improve... and our end users were no longer complaining about bad user experiences.
- Omry Aviry, Chief Product Officer at PubPlus