How to tackle malicious ads & malvertising

Malvertising is a term formed from the words “malicious advertising”. It describes a criminal attack in which someone intentionally inserts malicious code into advertising networks with the aim of causing harm. Malicious ads are then shown in place of the legitimate ads that were originally intended to be shown.

Malvertising and malicious ads can appear on any site online, high-quality or not. Malicious ads usually redirect users automatically to malicious websites. Malvertising is a common problem today, and unfortunately most sites have experienced it at some point. Below we dig deeper into how malvertisers get into the system and what measures to take if this happens to you and your website.

How do malvertisers work?

Attackers make it very difficult for ad networks to distinguish harmful ads from legitimate ones. Malvertisers advertise the ‘same way’ as legitimate advertisers, but they place infected media or text ads into the ad network. In theory, you risk getting infected by clicking the malicious ad. In this case, malvertisers usually use some sort of CTA to get your attention and pressure you into clicking the ad. Typical lures are a “warning” that you are infected with a virus, together with the solution to remove it. Free content, too-good-to-be-true lottery wins and surveys are also popular methods to get you to click.

Another way you can get infected is by having one or more infected files downloaded to your system without your consent or knowledge. This latter method is known as a drive-by download, and it’s a genius way to infect users without them even having to click on anything. In this case, an invisible landing page is created, and just loading the web page hosting the ad might infect you.

Are Malvertising and adware the same thing?

Many people mix up the terms malvertising and ad malware with adware. They are not the same thing; adware is another form of harm affecting online advertising.

Adware is software that gets installed on your computer, usually bundled with legitimate software to get users to install it. “Fake versions” of legitimate, existing programs are another common way onto your computer. For instance, if you suddenly find an otherwise expensive program for free, it’s probably adware and belongs in the “too good to be true” category.

How do I protect myself against malvertising and malicious ads as a publisher?

If you are a big player in the ad industry, you have most likely fallen victim to malware at some point. Make sure your basic security is the best possible. Protect your website from spam and run a cybersecurity program to scan your system regularly. As explained earlier, malvertisers come in the same way as advertisers, so traditional security measures might not always be enough to avoid becoming a target for malware.

Malvertising is a relatively new “trend”, which had its real breakthrough from around 2007 onwards. At this early stage, it was easy to trick users, since it was something nobody could prepare for. Even a few years ago, you could minimize the risk of malicious ads on your site simply by raising the floor price, since only high-quality bidders could afford expensive ad spots. Today we are facing a completely different scenario: malvertisers have extremely high budgets and can afford to pay a lot, so a high CPM will not drive them away.

Ad networks serve millions of ads daily, and it’s very difficult, next to impossible, to test every single ad that is shown. Yet the only solution that fully prevents malvertising on sites is for DSPs to have better control over the creatives. A policy of, for instance, not allowing a creative to be changed after it has been confirmed, or only showing specific file types such as JPEG or PNG and not allowing JavaScript, could prevent malicious ads from appearing. By working with high-quality DSPs you also minimize the risk of getting malware on your site.

There are tons of ad scanning platforms available today, but unfortunately they are very expensive and still not bulletproof. You can end up getting harmful ads on your site despite paying a shitload to prevent this from happening.

How does Kiosked handle cases of malvertising and malicious ads?

There’s a common misunderstanding about what to do when a malicious ad is detected on a publisher’s website. Very often the publisher removes the scripts as quickly as possible and informs their monetization partner only afterwards, if at all. Malicious ads usually originate from the DSP, and this is the channel you should secure. By removing the script you lose any possibility of tracing where the ad came from. A publisher might work with multiple monetization partners, and by removing one script you are not blocking the source of the malware; instead, you might have blocked a source of income for no reason.

If you detect a malicious ad on your site, let us know immediately. Do not remove the script before letting us know. We will handle it for you. Common measures in these cases are restricting some DSPs from buying or blocking sites.

Sandboxing

Kiosked also has different levels of <iframe> sandboxing available. Iframes build a ‘container’ around ads so that the resources related to them are held separately from the parent page. This prevents style leaks and can also help reduce JavaScript interface incompatibilities.

No system can guarantee a 100% fraud-free environment, but our safety measures are very effective, and we can apply three different levels of security.

No sandboxing – This is what’s applied by default. It’s a regular iframe that contains the mediated ad item.

Secure Mode = Light Sandboxing – HTML5 iframe sandboxing attributes are applied, which prevents top page navigation.

Extreme Mode – Restrictive iframe sandboxing with complete lockdown, which means that no JavaScript can access the parent page.

HTML Sandbox attributes

If an HTML5 sandbox flag is not mentioned here, it is by default blocked. There is no security risk missed due to unimplemented or unrecognized flags.
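
The three levels above map onto the iframe sandbox attribute, which works as an allowlist: anything not listed is blocked. The following added example (not Kiosked's code; the tokens chosen for each level and the names LEVELS, RISKY, auditSandbox and adFrameMarkup are assumptions) builds the frame markup for each level and reports what a given attribute value still permits.

```javascript
// Added example. The tokens chosen per level are assumptions modelled on the
// three modes described above; they are not Kiosked's actual configuration.
const LEVELS = {
  none: null, // regular iframe, no sandbox attribute
  secure: 'allow-scripts allow-same-origin allow-popups allow-forms',
  extreme: 'allow-scripts', // scripts run, but in an opaque origin
};

// Standard sandbox tokens that weaken isolation of the embedding page.
const RISKY = {
  'allow-top-navigation': 'ad can redirect the top-level page',
  'allow-top-navigation-by-user-activation': 'ad can redirect the top-level page after a click',
  'allow-popups-to-escape-sandbox': 'windows opened by the ad are not sandboxed',
  'allow-same-origin': 'ad keeps its real origin, cookies and storage',
};

// Report what a sandbox attribute value (null = attribute absent) permits.
function auditSandbox(value) {
  if (value === null) {
    return { sandboxed: false, topNavigation: true, opaqueOrigin: false,
      findings: ['no sandbox attribute: nothing is restricted'] };
  }
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = Object.keys(RISKY)
    .filter((t) => tokens.has(t))
    .map((t) => `${t}: ${RISKY[t]}`);
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: content served from the ' +
      "embedding page's own origin could remove the sandbox attribute");
  }
  return {
    sandboxed: true,
    topNavigation: tokens.has('allow-top-navigation') ||
      tokens.has('allow-top-navigation-by-user-activation'),
    opaqueOrigin: !tokens.has('allow-same-origin'),
    findings,
  };
}

// Build the iframe markup for one of the three levels.
function adFrameMarkup(level, src) {
  if (!Object.prototype.hasOwnProperty.call(LEVELS, level)) {
    throw new Error(`unknown sandbox level: ${level}`);
  }
  const safeSrc = String(src).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const sandbox = LEVELS[level];
  const attr = sandbox === null ? '' : ` sandbox="${sandbox}"`;
  return `<iframe src="${safeSrc}"${attr}></iframe>`;
}
```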

Hopefully, this post cleared up how to tackle malicious ads. If you have any questions, don’t hesitate to drop us a line; we are always happy to help.