Free Trial

Q2 2021

SMART Report

Read the full report below, or download the PDF for later.

q2 report

Download a PDF Copy

← Don't Have Time to Read The Full Report Now?

We'll email you a downloadable PDF version of the guide and you can read later.

dots background white (2)


Variety is the name of the game in this quarter’s edition of the SMART Report. In many ways, malvertisers are looking to vary the methods of their attacks, the ways in which they evade detection, and the number of unique mutations they use.

All of this simply means that they are harder to fight. The more different ways a bad actor has to execute an attack, the harder that attack becomes to prevent.

This quarter saw new variations on cloaking attacks, deliberate misuse of standard platform features to execute attacks, and a wider variety of upstream fraud. 

Additionally, the bad guys are getting really good at rotating their efforts quickly, executing hundreds of attack mutations each lasting only a short duration. Ultimately this means if you are relying on solutions other than behavioral analysis, by the time you’ve caught on to a specific attack, the malvertisers have already moved on to another mutation.

About This Report

This report is built using impression and threat data gathered from sites across the entire cleanAD network.

The data included in this report is collected through behavioral analysis of tens of billions of impressions each month, in real time, on over 8 million websites and apps.

Malvertisers are becoming more sophisticated and harder to detect.

Background blue-1-1

Top 5 Takeaways from Q2 2021:

  • Wider Variety of Attack Types
  • Increase Variation of Cloaking Attack Types
  • Rise in Short Duration Attack Mutation Probing
  • More Variety in Upstream Fraud
  • Increasing Use of Less Well-Known Attack Techniques

The Q2 2021 cleanADindex:

  • Q2 2021 Threat Level
  • Threat Level Changes by Country
  • Threat Level by Device Type
  • Attacks by Device Type
  • Attacks by Browser
  • Social Media Browser Attacks
  • SSP Attack Targeting

Wider Variety of Attack Types

In Q2 2021, there were more types of clever ad misuse than ever before, with an increasing prevalence of variations including:

  • Continued increase in the variety of cloaking attacks, across both ad creatives and landing pages
  • Misuse of native ad platforms for malicious landing page delivery
  • Continued ISP-level compromise, client-side injections, and even chrome extension scams replacing script contents
  • Publisher website clones and compromises
  • Continued increase of in-app threats
  • Further variety in the types of forced redirect threats


Increased Variation of Cloaking Attack Types

Continued increase in the variety of cloaking attacks, across both ad creatives and landing pages

Q2 2021 saw a continuous increase in cloaking attacks, including the use of a larger variety of different types of cloaking attacks across both ad creative and landing pages.

At the creative level, bad actors employed both dynamic and static cloaking attacks. Static cloaking at the creative level can be initiated both at the time of initial ad set-up or during follow-up.



At the landing page level, bad actors use multiple techniques to attack victims including creating deceptive landing pages, replacing destination landing pages using traffic distribution systems, or utilizing in-page redressing to dynamically redirect users to malicious landing pages.

Rise in Short Duration Attack Mutation Probing

dots background black (1)

While the number of known attacker groups that are responsible for the majority of malicious ads has remained relatively steady from previous quarters, the sheer variety of attack mutations has grown.

In Q2 2021, we saw a rising trend in which attackers introduce multiple new attack mutations and test each specific attack for 10-15 minutes, then stop. This renders many anti-malvertising solutions ineffective as they are unable to respond in such short time frames.

We also continued to observe threats that search for and evade detectable anti-malvertising solutions.


More Variety in Upstream Fraud

Bad actors use malvertising to achieve a variety of objectives. In Q2 2021, we observed a rise in attacks designed to perpetrate upstream fraud, including:

  • Credential stealers
  • Targeted website compromises
  • New browser vulnerabilities and regressions being exploited
  • Ad stacking
  • Pixel stuffing
  • Invisible ad scams
  • Affiliate scams


Increasing Use of Less Well-Known Attack Techniques

Q2 2021 saw increased cases of some of the more obscure, or less common, attack types, including:

Heavy Ads

The volume of Heavy Ads increased throughout Q2. These significantly affect Core Web Vitals (CWV) scores and, ultimately, ad performance.

Misuse of Platform Features

Bad actors are launching more campaigns that deliberate misuse of various platform features (e.g. ad delivery or ad targeting settings) in order to serve bad ads to certain subsets of recipients. 

Sample Heavy Ad

heavy ad phone-1




Fighting Sophisticated Malvertisers is Hard Work 

“It felt like we were playing a game of whack-a-mole. We spent half our time trying to detect and identify malicious actors and the other half communicating with publishers and working to repair relationships.”

- Matt Cannon, COO, Venatus Media 

Read the Case Study


Published quarterly, the cleanADindex measures threat levels and attack patterns by geography, device type, browser, and SSP.


Screen Shot 2021-07-16 at 11.43.17 AM


Increasing Use of Less Well-Known Attack Techniques

Despite a few large single day attacks, aggregate threat level declined for the second consecutive quarter, down 15% overall from Q1 2021 and nearly 50% from Q4 2020. 

The last 6 weeks of Q2 showed a steady rise in threat levels that represent a 600% increase from Memorial Day through the end of the quarter. 

We observed (and blocked) 3 single-day attacks during the quarter, in early and mid-April, and again in late May. This behavior was consistent with pre-COVID volatility patterns: sudden single-day attacks from a variety of bad actors preceded and followed by a quiet period.


Threat Level Changes by Country

France had the highest threat level of any country in Q2 2021, a surge of 580% from the previous quarter.

Notably, we observed consistent increases across Europe with France, UK, Italy, and Norway all growing 100%+.

Regionally, Central and South America experienced the most consistent increases in threat level, with Venezuela, Mexico, Brazil, Chile, and Colombia all increasing QoQ. 

We also saw large drops in threat levels across APAC, notably Australia, New Zealand, and Japan, which all dropped more than 80%.


Threat Level Changes by Country

dots background black (1)

The single day attacks that accounted for the largest spike in threat levels during Q2 were primarily targeted at Mobile Web.

Historically, single-day attacks have typically targeted Desktop and occurred on weekends, but this has not been the case thus far in 2021

In the 2nd half of the quarter, we observed steady growth in both Desktop and Mobile Web threat levels.




Make the Bad Guys Pay for Targeting Your Audience

“I love sticking it to the bad guys. cleanAD forces malvertisers to pay for their ads, and they get no return for their efforts. I feel vindicated knowing their campaigns perform worse as a result of the tools we have in place.”

Lila Hunt, Head of Digital Ad Strategy, System1

Read the Case Study

Attacks by Device Type

The composition of threats by device type remained consistent with the previous quarter, with Mobile Web accounting for 94% of attacks in Q2, down just 1% from Q1.



Attacks by Browser


Safari Mobile was the browser that experienced the highest volume of attacks in Q2, with 2x the number of attacks than any other browser.

Desktop browser threat volumes were mixed, with threats decreasing 60% on both Safari and Firefox, but increasing 14% on Chrome.

Some of the largest QoQ decreases in threat volumes occurred on Chrome Mobile (-51%) and Facebook (-53%) browsers.


Social Media Browser Attacks

Despite experiencing a 60% decrease in threat volume QoQ, Facebook remains far and away the most attacked social media browser in the ecosystem.

Snapchat, Instagram, and Pinterest remain far behind, though with sporadic threat behavior during the course of the quarter. 

Instagram was particularly active in the final three weeks of Q2, up more than 400% from the average of the first 10 weeks of the quarter. 


SSP Attack Targeting

Rotation of the top SSP offenders continued in Q2 as it has in previous quarters, an indication that bad actors are constantly moving to new platforms to evade detection and circumvent protection mechanisms.

The Top 5 SSPs (by threat level ranking) in Q2 2021 all took over from positions outside of the Top 10 in Q1.


This is the largest quarter-over-quarter change that we’ve experienced in SSP concentration in any quarter since we began tracking.

CTA-Background-Dark (1)


Try cleanAD Free

Start using cleanAD. 

Stop chasing bad actors.

14 Day Free Trial