Most malicious ads come from three sources, according to Confiant. Founded in 2013, Confiant exists because, in its own words, “the world’s most sophisticated advertisers aren’t Verizon or P&G, but criminals using the industry for their own, selfish ends. We believe in the intelligent application of technology to fight back and make media safe for everyone”.
120 billion ad impressions analyzed
In its “Demand Quality Report for Q3 2019”, the company analyzed over 120 billion ad impressions that flowed through its systems between January 1st and September 20th, and used them to break down the different malicious ad campaigns it observed.
Industry specialists usually discuss low-quality ads and banner ads that appear in video slots, but the report also focuses on the malicious ads it detected and the campaigns they are used in. Confiant defines malicious ads as those that perform unwanted behaviour, including redirects to scams, ads that infect devices, and cryptojacking.
Breaking down malicious ads
In the “Demand Quality Report for Q3 2019”, over 120 billion impressions captured by Confiant’s auditing system are analyzed.
The report also contains good news: the number of malicious ads that make it to a user’s browser is decreasing. Solutions that filter out bad ads are one reason. Publishers are also adopting the ads.txt file to prevent unauthorized ads from appearing on their websites, and supply-side platforms (SSPs) have become more careful.
As a result, the rate of malicious ads dropped from .25% to .15%. That still leaves a lot of unwanted ads, and most of them come from a small number of sources.
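The ads.txt mechanism mentioned above is a plain-text file at /ads.txt on the publisher’s domain listing which seller systems and account IDs are authorized to sell that publisher’s inventory. The following is an added example, not code from the report or from Confiant: it parses a constructed ads.txt body and answers whether a given seller/account pair is authorized, so an impression sold through an unlisted pair can be rejected. All domains, account IDs and certification authority IDs in the sample are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed ads.txt sample (placeholder domains, account IDs and cert IDs).
# Record format per IAB Tech Lab: seller domain, account ID, DIRECT|RESELLER[, cert authority ID]
SAMPLE_ADS_TXT = """\
# authorized sellers for publisher news-example.test
contact=adops@news-example.test
ssp-a.example, 12345, DIRECT, abc123def456
ssp-b.example, 98765, RESELLER        # reseller, no certification authority ID
SSP-C.Example,  55555 , direct
this line is malformed and must be ignored
"""

@dataclass(frozen=True)
class AdsTxtRecord:
    seller_domain: str                # normalised to lower case
    account_id: str
    relationship: str                 # "DIRECT" or "RESELLER"
    cert_authority_id: Optional[str] = None

def parse_ads_txt(text: str) -> List[AdsTxtRecord]:
    """Return the data records of an ads.txt body, skipping comments,
    variable records (contact=, subdomain=, ...) and malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "=" in fields[0]:  # too short, or a variable record
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], relationship, cert))
    return records

def seller_relationship(records: List[AdsTxtRecord], seller_domain: str,
                        account_id: str) -> Optional[str]:
    """Return "DIRECT" or "RESELLER" if the seller/account pair is listed,
    otherwise None: an impression sold through an unlisted pair is unauthorized."""
    for rec in records:
        if rec.seller_domain == seller_domain.lower() and rec.account_id == account_id:
            return rec.relationship
    return None

if __name__ == "__main__":
    recs = parse_ads_txt(SAMPLE_ADS_TXT)
    for seller, account in [("ssp-a.example", "12345"), ("ssp-a.example", "99999")]:
        print(seller, account, seller_relationship(recs, seller, account))
```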
Confiant monitored 75 ad providers and found that over 60% of malicious ad impressions come from just three of them, labelled SSP-H, SSP-I, and SSP-D. Most concerning, a single SSP is responsible for over 30% of the malicious ads.
Malicious advertisers time their campaigns for periods when fewer staff are monitoring the ad networks and responses to attacks are therefore slower: most campaigns run over the weekend, and the largest over a holiday.
The major sources for malicious ads
Confiant found that four threat actors were responsible for most of the malicious ads in Q3 2019: Scamclub, eGobbler, RunPMK, and Zirconium. Although each maintains a steady stream of activity throughout the year, at particular times there are detectable campaigns in which one actor pushes ads heavily.
Each threat group tends to focus on a different type of malicious ad.
Scamclub makes little effort to evade detection through fingerprinting or targeting. Instead, it runs huge campaigns with dozens or even hundreds of creatives, trying to overwhelm ad network platforms and their security in the hope that some of these impressions will reach legitimate website visitors.
eGobbler is a malvertiser that uses browser exploits or bugs to redirect users to malicious sites. It mainly targets desktop computers running Windows, focusing on users in Italy, Spain, and Scandinavia. “Our researchers found that even when publishers set up iframe sandbox permissions optimally, a pop-up could be spawned when the user tapped on the parent page. Confiant reported this vulnerability to the WebKit team on August 7, and it was fixed in iOS 13.”
RunPMK targets mobile traffic on iOS and Android and displays scam ads, such as the “you won an iPhone” notice and the spinning prize wheel.
Confiant has noticed RunPMK performing global attacks that targeted 212 countries.
The Zirconium threat group uses unique fingerprinting methods to target users with specific ads. Their scripts usually push tech support scams on desktop users.
Improvements in the ad landscape
While there is clearly still a malvertising problem, and users should continue to use ad blockers or software that blocks known malicious sites, the ad landscape is improving.
“However, we are encouraged by the continued decline in the rate of bad ads on Confiant publishers, which demonstrates that there are effective mitigation methods, both in terms of technology and partner selection, available to those who wish to use them.”