This report is built using threat and attack data gathered from the behavioral analysis of tens of billions of impressions each month, in real time, on over 7 million websites and apps across the cleanAD network.
Note: You are welcome to share and republish the data and charts included in this report; we just ask that you attribute the source and link back to this page.
Threat levels in Q3 remained volatile and choppy on the heels of COVID-19.
Across 2020 as a whole, surges in threat levels were observed around major holidays like the 4th of July and Labor Day.
Based on this pattern, we forecast a very busy Q4 as we enter holiday season.
But, what does it all mean?
Q4 is poised to be a massive revenue-driving quarter.
- Marshall Moritz, Director of Business Intelligence & Data Analytics
While we are still seeing some effects from the COVID-19 pandemic, malvertising activity has begun to return to normal levels.
In typical years, Q4 is a huge revenue-driver for publishers with holiday shopping trends. This year, you can expect some significant increases above normal levels due to the large volume of political ads around the election.
All in all, Q4 is going to be a massive revenue-driving quarter.
The bad guys are targeting weekends for attacks.
We observed and prevented several 24-48 hour malware attacks, which consistently occurred on weekends.
Six of the seven major attacks occurred on Saturdays and Sundays. The outlier, which was also the largest single attack, fell on Thursday, August 27th.
Attack patterns. The bad guys use this weekend pattern to drive maximum disruption at times when publishers have their hands off the controls, giving bad actors a chance to operate while no one is around to address the attacks immediately.
Shortcomings of traditional methods. This pattern makes it clear that tools that aren't "set it and forget it" in nature will not protect against weekend attacks, as staff is not on hand to deal with issues manually.
In 2020, weekend attack levels were 5-20% higher. In fact, this is not a new trend. This pattern is consistent over the last three quarters.
How was the attack executed?
CleanAD is one of the only tools on the market today that uses behavioral analysis to detect and stop malvertising.
We use the very behavior of malicious code against malvertisers to catch them in real-time while they are trying to serve malicious activity to real users.
This method allows AdOps teams to truly be "hands off" on the controls, with comfort that malicious ads will be stopped, whenever they occur.
Allow your AdOps team to truly be "hands off" on the controls, with comfort that malicious ads will be stopped, whenever they occur. - Kathy Knott, VP Client Success
Weekends have a 1,000% higher threat level than weekdays on desktop.
Weekdays have a 28% higher threat level than weekends on mobile web.
The bad guys use different tactics to execute attacks on desktop vs. mobile web.
Major Differences Between Desktop and Mobile Web in Q3:
Desktop: 7 SSPs accounted for 75% of threats.
Mobile web: 5 SSPs accounted for 75% of threats.
During Q3, mobile attacks were primarily focused through 5 individual SSPs, only one of which was also a top offender on desktop.
Attackers alter their methods to gain the best ROI. Through small probing attacks, they gauge success and then scale attacks that show the greatest return.
In Q3, it was apparent that they treat web and mobile web completely differently. They attack both in completely different ways, at different times, and through different channels.
Ultimately what this means is that you need to ensure you are protected from any angle.
Attackers alter their methods across different mediums to find the biggest gain through each. - Matt Peck, Director, Client Partnerships
Primary attack types employed in Q3 were dramatically different on desktop vs. mobile web.
Clickjacking: A clickjacking attack creates a transparent, clickable overlay that is written into the page's code but is invisible to the user, so that any click (or tap, if you’re on mobile) on that page is read as a “click” to the attack target page.
Relies on "tap" to scroll to achieve the desired effect.
Other Redirect Attacks: Other redirect attacks use a combination of triggers or code set-up functions to force a redirect, rather than using the transparent overlay method to create a fake click to a target attack page.
Relies on a wider variety of user actions to achieve the desired effect.
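A defender-side check for the transparent-overlay pattern described above, as an added example that is not from the report or from clean.io: it scans a snapshot of element styles for invisible, click-receiving elements that cover most of the viewport. The descriptor field names, the thresholds, and the sample snapshot are assumptions constructed for illustration.

```javascript
// Added example: flag invisible, click-capturing overlays in a page snapshot.
// Descriptor fields mirror values a page script would read from
// getComputedStyle() and getBoundingClientRect(); names and thresholds are assumed.
const MIN_COVERAGE = 0.5; // share of the viewport an overlay must cover
const MAX_OPACITY = 0.1;  // at or below this the element is treated as invisible

// Fraction of the viewport covered by rect, after clipping to the viewport.
function viewportCoverage(rect, vp) {
  const w = Math.max(0, Math.min(rect.right, vp.width) - Math.max(rect.left, 0));
  const h = Math.max(0, Math.min(rect.bottom, vp.height) - Math.max(rect.top, 0));
  return (w * h) / (vp.width * vp.height);
}

function isInvisible(el) {
  return el.opacity <= MAX_OPACITY || (el.backgroundAlpha === 0 && !el.hasVisibleContent);
}

function receivesClicks(el) {
  return el.pointerEvents !== 'none' && el.visibility !== 'hidden' && el.display !== 'none';
}

function findClickjackOverlays(elements, vp, pageOrigin) {
  return elements
    .filter((el) => ['fixed', 'absolute'].includes(el.position))
    .filter((el) => isInvisible(el) && receivesClicks(el))
    .map((el) => ({ el, coverage: viewportCoverage(el.rect, vp) }))
    .filter(({ coverage }) => coverage >= MIN_COVERAGE)
    .map(({ el, coverage }) => ({
      id: el.id,
      coverage: Number(coverage.toFixed(2)),
      // Relative targets resolve against the page, so they count as same-origin.
      offOrigin: el.clickTarget ? new URL(el.clickTarget, pageOrigin).origin !== pageOrigin : false,
    }));
}

// Constructed snapshot of a 1280x800 viewport (not data from the report).
const viewport = { width: 1280, height: 800 };
const full = { left: 0, top: 0, right: 1280, bottom: 800 };
const base = { position: 'fixed', opacity: 1, backgroundAlpha: 1, hasVisibleContent: false,
  pointerEvents: 'auto', visibility: 'visible', display: 'block', rect: full, clickTarget: null };
const snapshot = [
  { ...base, id: 'article', position: 'static', hasVisibleContent: true },
  { ...base, id: 'consent-backdrop', opacity: 0.6 },                // visible dimmer
  { ...base, id: 'inert-shim', opacity: 0, pointerEvents: 'none' }, // cannot take clicks
  { ...base, id: 'ad-frame-cover', opacity: 0, clickTarget: 'https://landing.example/offer' },
  { ...base, id: 'clear-link', backgroundAlpha: 0,
    rect: { left: -100, top: 0, right: 1400, bottom: 600 }, clickTarget: '/subscribe' },
];

const findings = findClickjackOverlays(snapshot, viewport, 'https://publisher.example');
console.log(findings);
```

Findings with `offOrigin: true` are the ones to review first, since a same-origin transparent layer is more often a legitimate UI element.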
Largest Attack Vector: The majority of attacks on desktop and mobile web were either Redirects or Clickjacking. These are the most profitable types of attacks, and the easiest for attackers to execute.
Client-Side Injections: Client-side injection attacks are more prevalent on desktop as they are often executed through nefarious browser extensions, which aren't present on mobile devices.
Attack Balance: The most important thing to note is that attack types are very different between desktop and mobile web primarily because different attack types are easier to execute in each case.
In general, redirect attacks are the most profitable for bad actors because they are taking advantage of multiple forms of ROI.
These types of attacks usually focus on taking users to a phishing-style page in order to collect user information for nefarious purposes.
They also may be gaining revenue from getting ad placements (having others pay them for those placements).
Redirect style attacks offer the most ROI for bad actors. - Jeffrey Matthies, Engineer
This cycles through several groups of SSPs throughout the quarter, and the landscape is always shifting. In general, malvertisers are going full throttle on a few SSPs while already testing on their next batch of platforms to constantly evade being caught.
The bad guys are targeting Facebook's embedded browser. On mobile, the Facebook browser is the most dominant source of threats.
The Facebook browser continues to be the most attacked browser, accounting for 52.4% of attacks by volume despite accounting for only 6% of total page views.
Facebook's threat level was 2x higher than Snapchat and 6-8x higher than traditional browsers like Chrome, Safari, Firefox, and their mobile counterparts.
The US, Canada and Europe showed the highest threat levels.
While the top targeted geographies remain relatively steady, threats shifted around between different European countries and we've seen more activity in South America than past quarters.
Top geographies by Threat Level remain the US, Canada, and Europe.
Below you will see the top 15 attacked countries, along with their change in ranking from the previous quarter in parentheses.
Cloaking attacks are on the rise, and very hard to detect with most current methods. We've seen a large surge in activity with this particular attack delivery method in Q3.
Cloaking is a type of attack that misuses native "dynamic creative" features of advertising platforms to get ads that might otherwise be banned in front of end-users.
Many advertising platforms have the ability for users to provide what’s called “dynamic creative” where, based on user signals, different versions of the creative may be displayed. While dynamic creative has many good uses, bad guys can use it to bypass ad screening methods.
The creative elements we most commonly see bad actors swap are:
Images: Bad guys will utilize cloaking to swap in a clickbait image or fake news that would otherwise be banned.
Clickthru URLs: Bad guys will utilize cloaking to swap in links to landing pages that are scams or fraudulent.
Cloaking misuses native features of advertising platforms, like dynamic creative, to get ads that might otherwise be banned in front of end-users.
Cloaking is poised to be one of the most prevalent threats in Q4. - Alexey Stoletny, CTO
clean.io is the most effective solution to prevent malvertising, as well as protect revenue and user experiences across all platforms.
cleanAD analyzes the behavior of every action, on every page, across all devices for malicious activity and eliminates threats in real-time.
Learn how Pub+ alleviated malicious redirects that were causing business disruptions and eating into revenue.
The clean.io solution worked exactly as described. Simple, effective, and smart. Following implementation we saw all key financial KPIs improve... and our end users were no longer complaining about bad user experiences.
- Omry Aviry, Chief Product Officer at PubPlus