Q4 2021

SMART Report


Fresh insights on the latest malvertising trends, tactics, and attack types impacting the online publishing world.



Coming off a volatile Q3 that saw several large spikes in malicious landing page attacks, redirects returned in Q4 as the dominant attack type. These attacks primarily targeted mobile devices and their native browsers, unlike Q4 2020, when Facebook was most targeted.

Malicious landing pages continued to surge as malvertisers experimented with new varieties of fake news sites, scam investment invitations and fraudulent consumer products. 

Client-side and server-side exploits saw continued growth, with new threats arriving via users’ browser extensions and websites compromised by supply chain attacks. This growth furthers the need for a security solution that protects the entire page and session, not just ‘wrapping’ ads.

All in all, Q4 displays a multitude of active bad actors responsible for a variety of threat classes, often utilizing different threat vectors to evade detection from traditional anti-malvertising tools and exceed the scope of their protection, further increasing the need for a future-proof, preventative approach to site and platform security.

About This Report

This report is built using impression and threat data gathered from sites across the entire cleanAD network.

The data included in this report is collected through behavioral analysis of tens of billions of impressions each month, in real time, on over 8 million websites and apps.

Malvertisers are becoming more sophisticated and harder to detect.

Top Takeaways from Q4 2021:

  • Redirect threats make a comeback late in the quarter.
  • Malicious landing page threats continue to scale as schemes diversify.
  • Ad stacking IVT runs rampant, leading to billions of invisible ads served through many platforms.
  • New attack via Chrome browser extension enters ecosystem, targeting Google Tag Manager.
  • Supply chain attacks infect websites and victimize visitors.

The Q4 2021 cleanADindex:

  • Q4 2021 Threat Level
  • Threat Level Changes by Country
  • Threat Level by Device Type
  • Attacks by Device Type
  • Attacks by Browser
  • Desktop Browser Attacks
  • SSP Attack Targeting
  • Threat Classifications

Redirects Make a Comeback

In Q4 2021, there was a surge in redirect attacks from several different threat actors, late in the quarter:

  • Increases were largely driven by a brand-new threat that clean’s behavioral solution was able to detect within the same minute the campaigns were launched.

  • This new attack, from a very prolific & active malvertiser, evades standard detection methods by constantly switching domains & obfuscation, targeting cellular connections, utilizing multiple layers of cloaking, etc.

  • Attacks scaled in December with sustained activity through the end of the year, even as other threat types dipped.

  • Threat activity like this can often see sizable increases from November to December as malvertisers rush to fill the now open supply, post-BFCM buildup.
Redirect threat screenshots from Q4 2021 SMART report from


Malicious Landing Pages Proliferate and Diversify

In Q4 2021, we continued to see increases in the volume and heterogeneity of malicious landing page threats, rampant on both standard display and native ads:

  • Through advancements in MLP detections, clean has been tracking bad actors as they evade Safe Browsing and Google detections.

  • Most pages are cloaked, usually replacing destination pages using traffic distribution systems or in-page redressing to dynamically redirect to different pages.

  • Fake news articles from popular media outlets are among the most common redirects, and will differ based on region. 

  • Deceptive sign-up pages for fraudulent investment platforms, often claiming an association with popular tech stocks or cryptocurrencies, are also prevalent.

  • Polished and professional-seeming ecommerce sites that facilitate the purchase of fraudulent goods or services also make up a significant portion of the landscape.
Malicious landing page examples from's Q4 2021 Smart Report


Billions of Invisible Impressions via Ad Stacking IVT

In Q4 2021, invisible ads were delivered in the billions, across hundreds of sites through just one of the schemes we track, impacting multiple SSPs:

  • IVT was detected across other sites via our partner distribution, even on sites using other security and fraud solutions.

  • Delivery and integration can vary among sites, but each variant leads to a dozen different bidding processes kicking off within unseen ad frames.

  • Bad actors employed several methods to avoid discovery and evade investigation.

Code execution for GTM injection from Q4 2021 Smart Report

Browser Extension Attack Targets GTM

In Q4 2021, browser extensions were exploited in novel ways, including yet another new threat that injects malicious code through Google Tag Manager:


  • Though immediately detected & blocked by clean’s comprehensive protection, the client-side malware attempts to deliver a malicious script into the top-level and ad frames.

  • The infected GTM script ultimately results in rewriting displayed ads, loading various sites with specific affiliate parameters into 1x1 frames and generating additional pop-up ads, notifications & windows.

  • Such injections are frequently observed in the US, Europe, as well as Australia, New Zealand and Russia.

Browser extension attack example from the Q4 2021 Smart Report from

Supply Chain Attacks Cause Havoc

In Q4 2021, clean observed sites compromised by malware originating from websites’ use of “trusted” open-source projects, shared libraries, or other 3rd party code:


  • Advertising is not the only entry point to account for when investing in security solutions. Sites use a vast array of software and services which are all susceptible to 3rd party breaches.

  • These attacks can result in unwanted popups, fraudulent alerts or malicious redirects, but also more serious violations like stealing of personal information, putting site visitors at significant risk.

  • We forecast that this problem will continue to grow, due to ease in scaling attacks through commonly used software and lucrative opportunities to gain access to all sorts of systems, highlighting the necessity to protect the full page with a holistic approach to blocking.

Supply Chain attack examples from the Q4 2021 Smart Report from


Fighting Sophisticated Malvertisers is Hard Work 

“It felt like we were playing a game of whack-a-mole. We spent half our time trying to detect and identify malicious actors and the other half communicating with publishers and working to repair relationships.”

- Matt Cannon, COO, Venatus Media 


Published quarterly, the cleanADindex measures threat levels and attack patterns by geography, device type, browser, and SSP.



Q4 2021 Threat Level

Threat Level in Q4 declined 46% QoQ, coming off the elevated August and September levels that dominated Q3.

Overall, Q4 Threat Level sustained higher lows than Q3, but also experienced lower highs.

And while volatility decreased, we still observed increases around crucial Q4 events, specifically around BFCM and Christmas.

Q4 Threat Level might have decreased from Q3, but it was still 50-80% higher than the first half of the year.


Threat Level Changes by Country

Geographically, Europe and North America continue to experience the highest Threat Levels.

Germany and Canada were highest in Q3, both up 250%+ QoQ, followed by Netherlands, Finland, and France.

US ranked 6th, down slightly from last quarter (-13%).

Asia-Pacific saw large increases in Q4, specifically New Zealand, South Korea, Singapore and Indonesia.




Q4 2021 Smart Report Threat Level by Country


Threat Level by Device Type

Q4 was the first quarter of 2021 not dominated by Mobile Web.

Mobile Web and Desktop experienced similar Threat Levels in October and November, but Mobile Web trended upwards in December.

Mobile App Threat Level exploded in December, the first sustained period of attacks in 2021.




Q4 2021 Threat Level by Device Type



Make the Bad Guys Pay for Targeting Your Audience

“I love sticking it to the bad guys. cleanAD forces malvertisers to pay for their ads, and they get no return for their efforts. I feel vindicated knowing their campaigns perform worse as a result of the tools we have in place.”

Lila Hunt, Head of Digital Ad Strategy, System1

Attacks by Device Type

Similar to Threat Level, Q4 was the first quarter of 2021 to see increases in desktop and mobile app attacks.

Threat volumes ticked up on Desktop (but down on Mobile Web), so attacks were more distributed across device types in Q4.

While Mobile Web still accounted for ⅔ of attacks this quarter, Desktop increased to 29% while Mobile App accounted for 4%.


Attacks by Browser

Safari Mobile In-App and Chrome Mobile In-App accounted for the #1 and #2 spots with less than a 1% difference between them.

These browsers are inclusive of both Mobile Web (Embedded Browser) attacks, and traditional Mobile App attacks.

Facebook decreased in Threat Volume by nearly 90%, falling out of the #1 spot for the first time in nearly a year.

With an increase in Desktop threat volume, we measured 4 desktop browsers inside the Top 10 (Chrome, Edge, Safari, Firefox).

All Desktop Browsers increased QoQ between 17% and 99%.

Attacks by browser type 2021


Desktop Browser Attacks

Chrome and Safari both experienced a large attack in Mid-October and was the largest attacked Desktop Browser consistently during Q4.

All desktop Browsers increased together around the holiday periods: December 10th, December 20th, and finally in the post-Christmas period.

Since the New Year, Desktop Browsers across the board have again seen large increases in attack volumes.
Desktop browser attacks, Q4 2021


SSP Attack Targeting

Over the past 2 quarters, the Top 5 SSPs with the highest threat levels saw very little turnover, with 3 of the Top 5 SSPs in Q3 staying in the Top 5 in Q4.

The rest of the Top 10 saw greater change in Q4 with much lower ranked SSPs jumping to the top spots.


Threat Classifications

Threat class composition continued to diversify in Q4, with the top 3 attack types now responsible for less than 70% of attacks, down from 88% in Q3.

September & early October were dominated by a widespread crypto scam.

By November, pixel stuffing became most prevalent as this cryptocurrency scam retreated and redirect threats decreased temporarily.

Several different redirect threats returned in December, rounding out the end of the quarter. 

Q4 2021 Threat Volume by Classification

