Q3 2021
SMART Report
Fresh insights on the latest malvertising trends, tactics, and attack types impacting the online publishing world.
Read the full report below, or download the PDF for later.
.png?width=500&name=coupon%20whitepaper%20Graphic%20(3).png)
.png?width=1500&height=600&name=dots%20background%20white%20(2).png)
EXECUTIVE SUMMARY
In Q3 2021, malvertisers continued their time-honored tradition of modifying existing attacks and testing entirely new attacks in their efforts to evade detection.
This quarter, we saw them lean more heavily into the use of malicious landing pages and non-redirect style attacks.
In addition, we have new data this quarter which has allowed us to compare how different classes of anti-malvertising tools fared against various attack types, providing valuable data for publishers to understand how they can best protect themselves and their users against these novel threats.
Top 5 Takeaways from Q3 2021:
-
Threats posed by malicious landing pages are increasing
-
Familiar foes have launched new attack vectors
-
Non-redirect threat activity continues to grow
-
Other leading anti-malvertising tools show lack of effectiveness in blocking new attacks
-
Other leading anti-malvertising tools show decreasing effectiveness against attack mutations
The Q3 2021 cleanADindex:
-
Q3 2021 Threat Level
-
Threat Level Changes by Country
-
Threat Level by Device Type
-
Attacks by Device Type
-
Attacks by Browser
-
Social Media Browser Attacks
-
SSP Attack Targeting
- Many malicious landing page attacks were delivered through Native Ad Platforms which tend to be lower cost and have less internal oversight.
- The majority lead to investment or crypto scams, often tied to unlicensed offshore investment platforms.
- These types of attacks tend to blur the line between security and quality since there is nothing malicious about the ad itself. Instead, they rely on users to legitimately click the ad, and all malicious activity happens on the landing page.
- Some of the most well-known threat actors used new obfuscation techniques, supply paths, and methods for concealing familiar malicious payloads.
- Attacks were delivered across a much larger set of web and mobile properties using smaller frequency caps, resulting in lower impression counts per property.
- These changes in attack patterns reduced the instances of large scale single day attacks, resulting in a stable day-over-day threat volume.
- Ultimately, these behaviors helped malvertisers evade detection, highlighting the importance of using an anti-malvertising solution that can detect novel threats as they are being launched.
.png?width=1500&height=600&name=dots%20background%20black%20(1).png)
- Pixel stuffing (a.k.a. Pixel Fraud) was at an all time high in Q3 and is continuing to rise.
- Ad stacking attacks occurred across thousands of properties, delivering dozens of invisible ads in each instance of attack. Attacks occurred across a variety of browsers, including desktop, mobile and in-app (e.g. Snapchat).
- Client-side injection attacks continued to be a significant threat, causing ad injections, data exfiltration and journey hijacking on web properties. These attacks originated from both ISP-level code injections as well as browser extension level injections.
Fighting Sophisticated Malvertisers is Hard Work
“It felt like we were playing a game of whack-a-mole. We spent half our time trying to detect and identify malicious actors and the other half communicating with publishers and working to repair relationships.”
- Matt Cannon, COO, Venatus Media
cleanADindex
Published quarterly, the cleanADindex measures threat levels and attack patterns by geography, device type, browser, and SSP.
Malvertising threat levels rose significantly throughout Q3 2021, growing 238% QoQ.
We observed large spikes from single-day attacks, as well as longer, sustained attacks that dominated the last 2 weeks of September.
There were no dog days of summer for malvertisers; July 4th and Labor Day both showed major attack spikes.
The quarter ended with a bang, as new threat classes were discovered and blocked, yielding the highest threat levels year-to-date.
Malvertisers’ efforts spanned the globe in Q3, as threat levels rose in nearly all geographies. Countries like France, Italy, the US, the UK, and Brazil maintained their high rankings, with many threat levels increasing by 200% or more.
France and Canada, the highest countries by threat level in Q2 2021, both experienced 40% declines in QoQ threat level during Q3. Despite these declines, France continued to have the highest threat level in Q3, while Canada dropped to seventh.
European countries like Austria, Switzerland, the Netherlands, Portugal, and Ireland saw the largest percentage increases in QoQ threat level.
Mobile Web continued to experience the large majority of threats in Q3, consistent with the trend seen throughout 2021.
Threat activity was sustained across all device types, including Mobile App, but saw the most consistency and highest peaks across Mobile Web.
Make the Bad Guys Pay for Targeting Your Audience
“I love sticking it to the bad guys. cleanAD forces malvertisers to pay for their ads, and they get no return for their efforts. I feel vindicated knowing their campaigns perform worse as a result of the tools we have in place.”
Lila Hunt, Head of Digital Ad Strategy, System1
The overall composition of threats by device type remained consistent with previous quarters, with mobile web accounting for 95% of attacks in Q3.
While desktop and mobile web both increased in threat level, they did so proportionally to previous quarters, so overall composition remained nearly identical.
Facebook was the most attacked browser in Q3, primarily due to a specific attack surge in September.
Threats on Facebook remained active throughout the quarter, including a spike in July, and the overall volume of threats increased by 850% during the quarter.
Both Chrome Mobile In-App (675%) and Safari Mobile In-App (1500%) browsers experienced significant QoQ increases in threat volume.
Chrome was the most attacked desktop browser, and the sixth most attacked browser overall for the quarter. Edge and Safari both ranked in the top 9 most attacked browsers, with 100%+ QoQ increases in attack volume.
In Q3, Facebook was responsible for the majority of threats on social media browsers, accounting for over 99% of total threat volume in that category.
The prolonged attack that occurred for most of September was mainly targeted to Facebook and Android, across a variety of publishers, accounting for the majority of threat volume on those browsers for the entire quarter.
Q3 2021 was the second consecutive quarter where we saw 100% turnover within the top 5 SSPs by threat level ranking.
The #2 most attacked SSP was inactive in Q2, but by contrast was subject to consistent attacks throughout Q3, resulting in a significant rise in its rankings.
Rotation of the top SSP offenders continued in Q3 as it has in previous quarters, an indication that bad actors are constantly moving to new platforms to evade detection and circumvent protection mechanisms.
In Q2, the largest concentration of threats on a single DSP was 67%; by contrast, in Q3, the largest concentration dropped to 54%, and affected a different DSP.
The two largest DSP sources of malvertising activity in Q3 were both inactive in Q2.
- The second half of Q3 saw the discovery and growth of a new attack, a malicious landing page investment scam.
- A pixel stuffing fraud-style attack was a constant presence throughout Q3, with the highest threat activity in August and early September.
- The spike in threat levels on August 20th and 21st was the result of a redirect attack.
- The spike on September 10th was a single-day redirect attack.
.png?width=1500&height=600&name=CTA-Background-Dark%20(1).png)
