Free Trial
Free Trial

Q4 2020 Smart Report

Read the full report below, or enter your email to download the PDF.


Table of Contents

  1. Threats over time
  2. Browser & device types
  3. Usage of SSPs & DSPs
  4. Major attacks
  5. 2021 Predictions

Download the Report

Join us for a short 20 minute webinar discussing the report results.

Register Now

About this Report

This report is built using threat and attack data gathered from sites across the entire cleanAD network. The data included in this report is collected through behavioral analysis of tens of billions of impressions each month, in real time, on over 8 million websites and apps.

Read on for full details on the data and insights contained in the report (no form fill required!). 

Note: You are welcome to share and republish the data and charts included in this report. We just ask that you attribute the source and link back to this page.

FINAL Q4 2020 Smart Report (3)

Threat Over Time

Learn more about how threats shifted over the course of Q4 and the entirety of 2020.

Q4 2020 Threat Levels

Q4 threat levels were influenced by major attacks and heavy user traffic days.



Q4 2020 showed plenty of holiday and retail related spikes, particularly right before days with high levels of traffic like shopping- related holidays and the U.S. election (when most of the advertising for those events is taking place).


Q4 2019 vs. Q4 2020 Comparison

Q4 threat levels were far less volatile than the same quarter last year.


Shopping behavior has changed as merchants have responded to the COVID-19 pandemic and the related restrictions on in-person shopping by spreading discounts across the holiday season rather than focusing on specific "discount days."

This, in turn, has resulted in smoother than normal malvertising attack patterns in a quarter that otherwise historically saw concentrated spikes around Black Friday and Cyber Monday.


2020 Threat Levels

Overall 2020 threat levels have mirrored shifts in behavior related to COVID. 


The early part of the year showed significantly elevated threats in line with the timing of the scaling of the pandemic, and somewhat diminishing levels as the year progressed and businesses and individuals adjusted to the 'new normal.'

Browser & Device Types

While the largest attacks of the quarter took place on desktops, mobile remains the channel of choice for malvertisers.

Threat Levels by Device

In Q4, desktop threat level was driven primarily by isolated attacks while mobile threat level remained more consistent.


Desktop threat level remained relatively low with the exception of very specific, targeted attacks.

Mobile threat level on the other hand remained consistently high across the quarter.

Quarter Over Quarter Threat Level Changes

Threat levels have decreased across all device types from Q3 to Q4 2020. 


Click to Tweet


While still holding first place in threat level by more than 2x, mobile has shown a 49% quarter over quarter drop. As brand advertisers reemerged in the second half of the year, we saw a resulting reduction in mobile web threat level.

Desktop threat level dropped by 31% in Q4 and App threat level dropped by 68%


Social Browsers Show Decreased Threat Level

Nearly all social browsers saw decreased threat levels in Q4. 


Click to Tweet


Brand advertisers also reemerged on social, driving down the social threat level. This was driven in part by social shopping, but more importantly, by increased competition for ad space from a surge in advertising related to the U.S. election cycle.

Key Takeaways 

  • Brand demand resurgence in Q4 and increased spend due to election advertising made it more expensive for bad actors to attack, keeping threat levels lower.
  • Desktop is a prime target for isolated attacks, but mobile is where malvertisers focus most of their efforts. While we observed multiple single-day, weekend, desktop attacks in Q4, mobile attacks are consistently present, and actually increased over the course of the quarter.

Usage of SSPS & DSPS to Execute Attacks

2020 saw some interesting shifts in how bad actors utilized both SSPS and DSPS to execute attacks. 

Data from 2020 shows that bad actors are shifting to using more DSPS to attack.

  • Q2 2020: One DSPS was responsible for 75% of threats.
  • Q3 2020: Four DSPS were responsible for 75% of threats.
  • Q4 2020: Six DSPS were responsible for 75% of threats.


2020 Attacks Through SSPS 

Just the highlights:

  • Only 2 SSPs remained in the top 10 for all four quarters of 2020.
  • The most attacked SSP of 2020 held the #1 spot for Q1, Q2 and Q3, then dropped from the #1 to #2 spot in Q4.
  • SSP turnover in the top 10 was relatively high: From Q1 to Q2, 3 new SSPs entered the Top 10 From Q2 to Q3, 7 new SSPs entered the Top 10 From Q3 to Q4, 3 new SSPs entered the Top 10

Data from 2020 shows that the majority of threats are originating from 5-10 SSPS.

Every quarter, the top 5 SSPS accounted for 65-75% of threats.

Every quarter, the tops 10 SSPS accounted for 90% of threats.


The Most Attacked SSP of 2020

A single SSP was responsible for 29% of threats over the course of 2020.


This SSP held the #1 spot for the first 3 quarters and dropped out of the top spot in Q4.

The percentages shown in the graphic denote the share of total threats across the entire network that originated from this SSP each quarter.


The New SSP on The Block

A new SSP took the top spot in Q4 after showing almost no threats early in 2020. 


This very large increase in threat level was driven by a single sustained attack targeted through the SSP.

The percentages in the graphic indicate the share of total threats across the entire network that originated from this SSP each quarter. case study

Major Attacks

Learn more about the major attack spikes in Q4 and how they affected overall threat numbers.

What About That Big Spike on 10/10?

How was the attack executed?

  • The attacker launched a large scale redirect attack on October 10th, a Saturday, and it lasted for only a single day.
  • 18 SSPs were impacted.
  • 100% of attacks targeted desktop devices, with a mix of Mac and Windows devices.
  • Only the US was targeted.

Screen Shot 2021-01-13 at 3.37.10 PM


October Attack Details

The attack was dominated by a single SSP.

61% of threats for this particular attack came through a single SSP, showing how a single attack, executed through a single SSP, can have a far-reaching impact if executed successfully.


Here's the creative that was used in the attack:

Screen Shot 2021-01-13 at 3.40.28 PM

BFCM Attack Timeline

The BFCM attack spiked early and continued over the course of 2 Days.

COVID changes and shifts in how ecommerce merchants utilize deals during the holiday shopping season have both extended and flattened out the rush of ad buying across a longer period. This has opened up opportunities for malvertisers to capitalize on increased traffic during these times, while still benefitting from relatively low CPMs.


What About the BFCM Attack?

How was the attack executed?

  • This particular attack was a redirect attack.
  • The attack was launched and carried out over the course of the weekend between Black Friday & Cyber Monday (BFCM).
  • It affected 22 SSPs, 23 countries and 10k+ apps and sites.
  • Again the attack was 100% focused on desktop devices across all browsers.

Here's the creative that was used in the attack:

Screen Shot 2021-01-13 at 3.45.00 PM

New call-to-action

2020 Threat Level by Geography 

Switzerland holds the #1 spot by threat level, followed by Italy, the US, UK, and Canada.


2020 Geographic Shifts in Threats

As the year progressed, attackers moved between international regions.

Europe was hit hard in Q1 and Q2 but waned in the latter half of the year, likely due to shifts related to the spread of COVID.



2021 Predictions

What do the experts think is in store for 2021? Find out!


The pandemic will continue to impact open market demand and therefore put pressure on exchanges and SSPs to generate revenue.  Expect to see sizable malware attacks as some decide to take risks on "new advertisers" that are actually bad actors.

- Matt Cannon, COO at Venatus Media

Matt Cannon quote

Expect to see an increasing return for bad actors when employing auto-redirects as the value of inventory erodes, and bad actors get better at targeting legacy malvertising systems.

Cloaking will continue to increase in use as the attack type matures.

COVID pressures of 2020 affected anti-malvertising vendors as much as publishers. Expect a consolidation of vendor solutions in 2021 where capital is scarce and vendors will fail to serve their customers at the appropriate levels.

- Jay Crystal, Co-Founder of

Jay Crystal quote

Expect to see yields go down for publishers due to ongoing identity and privacy changes on the web. We know when yield and prices go down, it’s more affordable for attackers to buy, so expect to be seeing more and more net attacks due to price decreases.

- Seth Demsey, Co-Founder of


Seth Demsey quote

In 2020, online behaviors accelerated 5-10 years, creating millions more online customers and more companies that have renewed focus on digital channels, creating more opportunities for issues like malvertising, but also more of a reason to fight against it.

Creating a cleaner, higher-quality marketplace will be in everyone's best interest. Ongoing investigations into Facebook and Google, and increased privacy regulations will give publishers, brands and consumers a voice against issues like malvertising, among others.

Publishers will be more discerning against low quality demand, and tech companies will create more effective strategies for delivering quality.

- Jayson Dubin, CEO & President at Playwire

Jayson Dubin quote

2021 will be a key year in shaping the future of identity on the Web. The big platforms have co-opted the privacy-by-design movement to push a vision for the Web where the browsers are the guardians of user identity and its various marketing applications (targeting, attribution, frequency capping, etc.).

While this framework is probably better from the standpoint of user privacy, the companies that will benefit the most are the walled gardens and big Internet platforms. In other words, the dominance of Apple, Google, Facebook, Amazon would be probably be strengthened by the proposed changes, at the expense of independent publishers and the open Web at large.

At the same time, regulators are starting to realize that these companies are already too powerful and are finally taking action to mitigate this.

- Marty Kratky-Katz, CEO at Blockthrough

Marty Krathy quote

Expect changes to the programmatic landscape as brands shift from viewing it as just a way to monetize at high fill rates to a linear path to direct programmatic sales.

Brand and agency budgets will shift to leveraging their own 1st party data as a larger source of revenue.

This shift will be driven by the ongoing slow death of the 3rd party cookie, the 2020 industry impact caused by the COVID pandemic, and the volatile political/social justice climate as having clear insight and transparency into supply path and ad adjacency becomes increasingly important.

- Richard Marques, CEO at Revcontent


Richard Marques quote

Open Auction global display buying will drop by at least 20%, shifting to Private Marketplaces and other channels.

As better practices for Identity Attribution & Measurement start to drive better programmatic direct relationships and create fewer incentives for malvertising and fraudulent behavior.

- Matt Prohaska, CEO & Principal at Prohaska Consulting

Matt Prohaska quote

Expect malvertising to decline, but become more sophisticated and severe when it does strike.

Essentially, attacks will happen less frequently, but they will be more severe. This is mainly due to the increases in media cost and complexity to reaching audiences.

Unsophisticated malware that generates a lot of value with little effort will decline, and more complex value models and methods will take its place.

- Bob Regular, CEO at Infolinks

Bob Regular quote

With everyone still at home in 2021 and owning more devices than ever, it means more opportunities for criminals to exploit.

Bad guys always continue to innovate to intentionally harm people and businesses through ads. Even in the cleanest of environments, trouble can always arise without protection.

Bad actors will increase sophistication levels and tactics to exploit this reality. Be smart and get ahead of threats as much as you can.

- Erik Requidan, CEO at Media Tradecraft


Erik Requidan Quote'

IDFA related targeting and attribution challenges will lead to higher fill and lower rates.

Advertisers still need to sell and promote products and drive mobile UA. This will require a wider net to be cast to find their target audience and a lower CPM in an attempt to hit their target ROAS.

Lower CPM also means more opportunity for bad actors to infiltrate publisher inventory. Stay vigilant on your yield (offense) and user experience (defense) equally as this shakes out.

- Matt Sherman, Owner at Cove Media

Matt Sherman quote

Dozens of large marketers will launch detailed audits of their ad spend in light of Uber sharing that they wasted $100M of their ad spend.

Ad spend will flow to the publishers that are doing the work of ensuring their supply paths, the ad tech partners who work only directly with buyers and sellers will benefit and the reseller market will come under pressure. As a result, fraud will continue its decline and buyers and sellers will benefit.

The ecosystem will hit a new level of maturity, with lots of public companies, more efficient transactions and better transparency and tools to root out bad actors. Fraud will start to look like it does in the credit card space - random outbreaks rather than systemic large scale issues.

- David Simon,  Chief Revenue Officer at Fyber

David Simon quote


Download this Report