Free Trial

Q3 2020 Smart Report

Read the full report below, or enter your email to download the PDF.


Table of Contents

  1. Threat Volatility
  2. Weekend Attack Patterns
  3. Desktop vs. Mobile Web
  4. Facebook Browser
  5. Threats by Geography

Download the Report

Join us for a short 20 minute webinar discussing the report results.

Register Now

About this Report

This report is built using threat and attack data gathered from the behavioral analysis of tens of billions of impressions each month, in real time, on over 7 million websites and apps across the cleanAD network.

Read on for full details on the data and insights contained in the report (no form fill required!). 

Note: You are welcome to share and republish the data and charts included in this report, we just ask that you attribute the source and link back to this page.

malvertizing ad revenue insights webinar

Threat Volatility

Threat level in Q3 remained volatile and choppy on the heels of Covid.

Across 2020 as a whole, surges in threat levels were observed around major holidays like the 4th of July and Labor Day.

Based on this pattern, we forecast a very busy Q4 as we enter holiday season.

Threats by Quarter

Q3-2020 threat level Smart Report Q3202001

Click to Tweet

But, what does it all mean?

  • Threat level: Q3 threat level was 72% higher than average. Overall threat level remained higher than average when compared to previous quarters.
  • COVID effects: Q3 threat level dropped 7% from Q2. While threat level is still higher than average, it has dropped precipitously from the COVID-related highs experienced in Q2.
  • Major spikes: This quarter, the threat level was influenced strongly by several major attacks occurring across the entire publisher network.

Q4 is poised to be a massive revenue-driving quarter.

- Marshall Moritz, Director of Business Intelligence & Data Analytics

Click to Tweet

While we are still seeing some effects from the COVID-19 pandemic, malvertising activity has begun to return to normal levels.

In typical years, Q4 is a huge revenue-driver for publishers with holiday shopping trends. This year, you can expect some significant increases above normal levels due to the large volume of political ads around the election.

All in all, Q4 is going to be a massive revenue-driving quarter.

Weekend Attack Patterns

The bad guys are targeting weekends for attacks.

We observed and prevented several 24-48 hour malware attacks, which consistently occurred on weekends.

Six of the 7 major attacks occurred on Saturdays and Sundays. The outlier, and largest single attack, August 27th, was a Thursday.

Q3-2020 threat levels over time Smart Report Q3202002

Click to Tweet

Threat Spikes

Attack patterns. We observed and prevented several 24-48 hour malware attacks, which consistently occurred on weekends. The bad guys use this pattern to drive maximum disruption at times when publishers have their hands off the controls, giving bad actors a chance to conduct their actions while no one is around to immediately address the attacks.

Shortcomings of traditional methods. This pattern makes it clear that tools that aren't "set it and forget it" in nature will not protect against weekend attacks, as staff is not on hand to deal with issues manually.

Weekend Attack Trends

In 2020, weekend attack levels were 5-20% higher. In fact, this is not a new trend. This pattern is consistent over the last three quarters.

Q3-2020 attack patterns Smart Report Q3202003-1

What About That Big Spike on 8/27?

How was the attack executed?

  • The attacker launched a small scale attack on 8/24, scaled and then peaked on 8/27. By 8/29 the attack was over.
  • The attack was executed primarily through a single SSP, but did touch multiple SSPs in the ecosystem.
  • 92% of threats from this unique attack were delivered through Facebook browser.

CleanAD is one of the only tools on the market today that uses behavioral analysis to detect and stop malvertising.

We use the very behavior of malicious code against malvertisers to catch them in real-time while they are trying to serve malicious activity to real users.

This method allows AdOps team to truly be "hands off" on the controls, with comfort that malicious ads will be stopped, whenever they occur.

Allow your AdOps team to truly be "hands off" on the controls, with comfort that malicious ads will be stopped, whenever they occur. - Kathy Knott, VP Client Success

Click to Tweet

Desktop vs. Mobile Web Attack Timing

Weekends have a 1,000% Higher threat level than weekdays On Desktop.

Weekdays have a 28% Higher threat level than Weekends On Mobile Web.

Q3-2020 threat level day of week Q3202004-1

Click to Tweet

Desktop vs. Mobile Web

The bad guys use different tactics to execute attacks on desktop vs. mobile web. 

Major Differences Between Desktop and Mobile Web in Q3:

  • Attack origination from SSPs was very different on desktop vs. mobile web
  • Primary Attack Types are different on desktop vs. mobile web
  • 7 SSPs Dominate threats on desktop
  • 5 SSPs Dominate threats on mobile web
  • 1 SSP overlap between the top offenders on desktop vs mobile web 

Dominant SSPs on Desktop

7 SSPs accounted for 75% of threats.

Q3-2020 originating ssps Smart Report Q3202005

Click to Tweet

Dominant SSPs on Mobile Web

5 SSPs accounted for 75% of threats. 

During Q3, mobile attacks were primarily focused through 5 individual SSPs, only one of which was also a top offender on desktop.

Q3-2020 Smart Report Q3202006

Attackers alter their methods to gain the best ROI. Through small probing attacks, they gauge success and then scale attacks that show the greatest return.

In Q3, it was apparent that they treat web and mobile web completely differently. They attack both in completely different ways, at different times, and through different channels.

Ultimately what this means is that you need to ensure you are protected from any angle.

Attackers alter their methods across different mediums to find the biggest gain through each. - Matt Peck, Director, Client Partnerships 

Click to Tweet

Attack Types

Primary attack types employed in Q3 were dramatically different on desktop vs. mobile web.

Q3-2020 attacks desktop vs mobile Smart Report Q3202007-1


Click to Tweet

Why Such Different Attack Types?

Clickjacking: A Clickjacking attack creates a transparent, clickable overlay that is written in code on the website page but is invisible to a user, which results on any click (or tap if you’re on mobile) on that page being read as a “click” to the attack target page.

Relies on "tap" to scroll to achieve desired affect.

Other Redirect Attacks: Other redirect attacks use a combination of triggers or code set-up functions to trigger a forced redirect rather than the transparent overlay method to create a fake click to a target attack page.

Relies on a wider Variety of user actions to achieve desired affect.

But, What Does It All Mean?

Largest Attack Vector: The majority of attacks on desktop and mobile web were either Redirects or Clickjacking. These are the most profitable types of attacks, and the easiest for attackers to execute.

Client Side Injections: Client side injection attacks are more prevalent on desktop as they are often executed through nefarious browser extensions, which aren't present on mobile devices.

Attack Balance: The most important thing to note is that attack types are very different between desktop and mobile web primarily because different attack types are easier to execute in each case.

In general, redirect attacks are the most profitable for bad actors because they are taking advantage of multiple forms of ROI.

These types of attacks usually focus on taking users to a phishing-style page in order to collect user information for nefarious purposes.

They also may be gaining revenue from getting ad placements (having others pay them for those placements).

Redirect style attacks offer the most ROI for bad actors. - Jeffrey Matthies, Engineer

Click to Tweet

This cycles through several groups of SSPs throughout the quarter, and the landscape is always shifting. In general, malvertisers are going full throttle on a few SSPs while already testing on their next batch of platforms to constantly evade being caught.

Facebook Browser

The bad guys are targeting facebook's embedded browser. On mobile, Facebook browser is the most dominant source of threats.

Facebook browser continues to be the most attacked browser, accounting for 52.4% of attacks by volume. Facebook browser had 52.4% of total attacks despite accounting for only 6% of total page views.

Facebook's threat level was 2x higher than Snapchat and 6-8x higher than traditional browsers like Chrome, Safari, Firefox, and their Mobile complements.

Q3-2020 attack by browser Smart Report Q3202008-1

Click to Tweet

Threats by Geography

The Us, Canada and Europe showed the highest threat levels.

While the top targeted geographies remain relatively steady, threats shifted around between different European countries and we've seen more activity in South America than past quarters.

Q3 Threats by Geography

Top geographies by Threat Level remain the US, Canada, and Europe.

Q3-2020 malvertising threats geography Smart Report Q3202009

Click to Tweet

Top 15 Geographies by Threat Level in Q3

Below you will see the top 15 attacked countries, along with with their change in ranking from the previous quarter in parenthesis.

  • United Kingdom (+7, +68% QoQ)
  • United States (+3, -9% QoQ)
  • Switzerland (-2)
  • Ireland (-1)
  • Canada (+9, +12% QoQ)
  • Malaysia (New to Top 15, +2000% QoQ)
  • Italy (-6)
  • France (+7)
  • Netherlands (+4)
  • Finland (New to Top 15, +30% QoQ)
  • Sweden (New to Top 15, +56% QoQ)
  • Belgium (-5)
  • Singapore (-7)
  • Australia (New to Top 15)
  • Argentina (New to Top 15, +167% QoQ)

Cloaking attacks are on the rise, and very hard to detect with most current methods. We've seen a large surge in activity with this particular attack delivery method in Q3.

What is Cloaking?

Cloaking is a type of attack that misuses native "dynamic creative" features of advertising platforms to get ads that might otherwise be banned in front of end-users.

Anatomy of a Cloaking Attack

Many advertising platforms have the ability for users to provide what’s called “dynamic creative” where, based on user signals, different versions of the creative may be displayed. While dynamic creative has many good uses, bad guys can use it to bypass ad screening methods.

The most common things we see bad actors take advantage of swapping creative are:

Images: Bad guys will utilize cloaking to swap in a clickbait image or fake news that would otherwise be banned.

Clickthru URLs: Bad guys will utilize cloaking to swap in links to landing pages that are scams or fraudulent.

Cloaking misuses native features of advertising platforms, like dynamic creative, to get ads that might otherwise be banned in front of end-users.

Cloaking is poised to be one of the most prevalent threats in Q4. - Alexey Stoletny, CTO

Click to Tweet


About is the most effective solution to prevent malvertising, as well as protect revenue and user experiences across all platforms.

cleanAD analyzes the behavior of every action, on every page, across all devices for malicious activity and eliminates threats in real-time.

Case Study

Learn how Pub+ alleviated malicious redirects that were causing business disruptions and eating into revenue.

The solution worked exactly as described. Simple, effective, and smart. Following implementation we saw all key financial KPIs improve... and our end users were no longer complaining about bad user experiences.

- Omry Aviry, Chief Product Officer at PubPlus

Read the Case Study →

Download this Report