Free Trial

Q3 2021

SMART Report


Fresh insights on the latest malvertising trends, tactics, and attack types impacting the online publishing world.

Read the full report below, or download the PDF for later.

q3 2021 feature


Download a PDF Copy

← Don't Have Time to Read The Full Report Now?

We'll email you a downloadable PDF version of the guide and you can read later.

dots background white (2)


In Q3 2021, malvertisers continued their time-honored tradition of modifying existing attacks and testing entirely new attacks in their efforts to evade detection. 

This quarter, we saw them lean more heavily into the use of malicious landing pages and non-redirect style attacks.

In addition, we have new data this quarter which has allowed us to compare how different classes of anti-malvertising tools fared against various attack types, providing valuable data for publishers to understand how they can best protect themselves and their users against these novel threats.

About This Report

This report is built using impression and threat data gathered from sites across the entire cleanAD network.

The data included in this report is collected through behavioral analysis of tens of billions of impressions each month, in real time, on over 8 million websites and apps.

Malvertisers are becoming more sophisticated and harder to detect.

Background blue-1-1

Top 5 Takeaways from Q3 2021:

  • Threats posed by malicious landing pages are increasing

  • Familiar foes have launched new attack vectors

  • Non-redirect threat activity continues to grow

  • Other leading anti-malvertising tools show lack of effectiveness in blocking new attacks

  • Other leading anti-malvertising tools show decreasing effectiveness against attack mutations

The Q3 2021 cleanADindex:

  • Q3 2021 Threat Level

  • Threat Level Changes by Country

  • Threat Level by Device Type

  • Attacks by Device Type

  • Attacks by Browser

  • Social Media Browser Attacks

  • SSP Attack Targeting

Increases in Threats from
Malicious Landing Pages

In Q3 2021, we observed an uptick in malicious landing page attacks. Some hallmarks of these attacks include: 

  • Many malicious landing page attacks were delivered through Native Ad Platforms which tend to be lower cost and have less internal oversight.

  • The majority lead to investment or crypto scams, often tied to unlicensed offshore investment platforms.

  • These types of attacks tend to blur the line between security and quality since there is nothing malicious about the ad itself. Instead, they rely on users to legitimately click the ad, and all malicious activity happens on the landing page.


New Threat Classes and Threat Variants from Familiar Foes

In Q3 2021, some of the biggest and most well-known malvertisers tested new attack types:

  • Some of the most well-known threat actors used new obfuscation techniques, supply paths, and methods for concealing familiar malicious payloads.

  • Attacks were delivered across a much larger set of web and mobile properties using smaller frequency caps, resulting in lower impression counts per property.

  • These changes in attack patterns reduced the instances of large scale single day attacks, resulting in a stable day-over-day threat volume.

  • Ultimately, these behaviors helped malvertisers evade detection, highlighting the importance of using an anti-malvertising solution that can detect novel threats as they are being launched.



Non-Redirect Threat Activity Continues to Grow

In Q3 2021, we saw a continued rise in the volume of non-redirect style attacks including:

dots background black (1)
  • Pixel stuffing (a.k.a. Pixel Fraud) was at an all time high in Q3 and is continuing to rise.

  • Ad stacking attacks occurred across thousands of properties, delivering dozens of invisible ads in each instance of attack. Attacks occurred across a variety of browsers, including desktop, mobile and in-app (e.g. Snapchat).

  • Client-side injection attacks continued to be a significant threat, causing ad injections, data exfiltration and journey hijacking on web properties. These attacks originated from both ISP-level code injections as well as browser extension level injections.


Comparison of Anti-Malvertising Tools: The Data

In Q3 2021, we analyzed* data relating to the performance of three other top anti-malvertising tools to determine their effectiveness in blocking emerging threats.

  • In general, with more “stable” redirect style attacks we saw similar performance and efficacy amongst anti-malvertising tools. Based on data from two consecutive observation periods, it appears that all three tools are continuously improving their protection, and able to block a good percentage of the mutated threats.

  • Unlike cleanAD, none of the other leading anti-malvertising tools are successfully blocking many of the client-side injection or pixel stuffing attacks, which, as previously mentioned, are increasing in volume.

  • New classes of redirect style attacks from existing groups of bad actors are not picked up quickly by traditional  anti-malvertising tools. When these threats are identified, only a limited number of threat variants are being blocked. Given trends previously mentioned regarding threat actors executing smarter attacks with delivery and frequency capping, this makes it easier for these attacks to evade detection by traditional anti-malvertising tools.

*Our cleanAD script, due to its position on page, has visibility into other anti-malvertising tools that wrap ads, and therefore enables us to surface insights about whether those ads have been blocked or allowed to pass through un-blocked.

Comparison of Anti-Malvertising Tools: What Does it Mean?

Other anti-malvertising tools integrated on a per-creative level often let threats of the following types pass through and execute without blocking:

  • Novel or new threats.
  • Mutations on existing attacks. This is especially noticeable on newer attack types versus more “stable” threats.
  • Entire classes of threats, until they become regularly repeated by malvertisers and “stabilize.”

*Our cleanAD script, due to its position on page, has visibility into other anti-malvertising tools that wrap ads, and therefore enables us to surface insights about whether those ads have been blocked or allowed to pass through un-blocked.



Fighting Sophisticated Malvertisers is Hard Work 

“It felt like we were playing a game of whack-a-mole. We spent half our time trying to detect and identify malicious actors and the other half communicating with publishers and working to repair relationships.”

- Matt Cannon, COO, Venatus Media 

Read the Case Study


Published quarterly, the cleanADindex measures threat levels and attack patterns by geography, device type, browser, and SSP.




Q3 2021 Threat Level

Malvertising threat levels rose significantly throughout Q3 2021, growing 238% QoQ. 

We observed large spikes from single-day attacks, as well as longer, sustained attacks that dominated the last 2 weeks of September. 

There were no dog days of summer for malvertisers; July 4th and Labor Day both showed major attack spikes. 

The quarter ended with a bang, as new threat classes were discovered and blocked, yielding the highest threat levels year-to-date.


Threat Level Changes by Country

Malvertisers’ efforts spanned the globe in Q3, as threat levels rose in nearly all geographies. Countries like France, Italy, the US, the UK, and Brazil maintained their high rankings, with many threat levels increasing by 200% or more. 

France and Canada, the highest countries by threat level in Q2 2021, both experienced 40% declines in QoQ threat level during Q3. Despite these declines, France continued to have the highest threat level in Q3, while Canada dropped to seventh.  

European countries like Austria, Switzerland, the Netherlands, Portugal, and Ireland saw the largest percentage increases in QoQ threat level.


Threat Level by Device Type

dots background black (1)

Mobile Web continued to experience the large majority of threats in Q3, consistent with the trend seen throughout 2021.

Threat activity was sustained across all device types, including Mobile App, but saw the most consistency and highest peaks across Mobile Web.




Make the Bad Guys Pay for Targeting Your Audience

“I love sticking it to the bad guys. cleanAD forces malvertisers to pay for their ads, and they get no return for their efforts. I feel vindicated knowing their campaigns perform worse as a result of the tools we have in place.”

Lila Hunt, Head of Digital Ad Strategy, System1

Read the Case Study

Attacks by Device Type

The overall composition of threats by device type remained consistent with previous quarters, with mobile web accounting for 95% of attacks in Q3.

While desktop and mobile web both increased in threat level, they did so proportionally to previous quarters, so overall composition remained nearly identical.


Attacks by Browser

Facebook was the most attacked browser in Q3, primarily due to a specific attack surge in September. 

Threats on Facebook remained active throughout the quarter, including a spike in July, and the overall volume of threats increased by 850% during the quarter.

Both Chrome Mobile In-App (675%) and Safari Mobile In-App (1500%) browsers experienced significant QoQ increases in threat volume.

Chrome was the most attacked desktop browser, and the sixth most attacked browser overall for the quarter. Edge and Safari both ranked in the top 9 most attacked browsers, with 100%+ QoQ increases in attack volume.


Social Media Browser Attacks

In Q3, Facebook was responsible for the majority of threats on social media browsers, accounting for over 99% of total threat volume in that category. 

The prolonged attack that occurred for most of September was mainly targeted to Facebook and Android, across a variety of publishers,  accounting for the majority of threat volume on those browsers for the entire quarter.


SSP Attack Targeting

Q3 2021 was the second consecutive quarter where we saw 100% turnover within the top 5 SSPs by threat level ranking.

The #2 most attacked SSP was inactive in Q2, but by contrast was subject to consistent attacks throughout Q3, resulting in a significant rise in its rankings.

Rotation of the top SSP offenders continued in Q3 as it has in previous quarters, an indication that bad actors are constantly moving to new platforms to evade detection and circumvent protection mechanisms.



DSP Attack Targeting

In Q2, the largest concentration of threats on a single DSP was 67%; by contrast, in Q3, the largest concentration dropped to 54%, and affected a different DSP. 

The two largest DSP sources of malvertising activity in Q3 were both inactive in Q2.



Threat Classifications

  • The second half of Q3 saw the discovery and growth of a new attack, a malicious landing page investment scam.

  • A pixel stuffing fraud-style attack was a constant presence throughout Q3, with the highest threat activity in August and early September.

  • The spike in threat levels on August 20th and 21st was the result of a redirect attack.

  • The spike on September 10th was a single-day redirect attack.


CTA-Background-Dark (1)


Try cleanAD Free

Start using cleanAD. 

Stop chasing bad actors.

14 Day Free Trial