Malware-infested Q4 Highlights Growing Danger in Open Programmatic


Malvertising in the open programmatic marketplace proliferates as premium buyers shift to private marketplaces

Malvertising doesn’t take a holiday, but it still tends to decline in the fourth quarter as programmatic prices get too rich for malvertisers’ liking. However, as the ongoing pandemic continues to weigh on the digital ad ecosystem, the presence of malware in Q4 was significantly higher than in 2020—and in every prior year analyzed by The Media Trust.

While the number of average monthly malware incidents detected by the Digital Security & Operations team predictably declined from the dizzying heights of 2021-Q3, it was still 64% higher than the elevated rate of 2020-Q4 (see Figure 1 above). Yeah, you guessed it: Malware is getting worse.

Buyers Pivot

Figure 2: Growing private marketplace spend will enable malvertisers to further build their open marketplace presence.

The dramatic increase in Q4 malware must be evaluated alongside remarkable shifts in how premium advertisers are buying. While eMarketer reports that programmatic advertising represented ~90% of digital display spending in 2021, private marketplaces accounted for ~$15 billion versus the ~$12 billion dropped in the open marketplace.

After growing 48% in 2021, private marketplace spend is predicted to increase another 21% in 2022 and make up 59% of all RTB spending (see Figure 2). The open marketplace will only grow ~5% in 2022, and represent 41% of all RTB.

Private marketplaces are clearly becoming the preferred path for premium advertisers to find audiences programmatically. The general 2021 explosion in malware shows that the open marketplace is increasingly the territory of bad actors—a dangerous place to monetize, but still a necessity for the large majority of digital publishers.

Malvertising Buffet

Just as stunning as the amount of malware circling the ad ecosystem in 2021-Q4 was the variety. But seeing what malvertisers deployed in Q4 gives us insight into what bad actors have in store for 2022.

Redirects: October marked the peak of a mighty resurgence in redirect incidents. After rising 170% since the beginning of 2021 (see Figure 3), redirects took a sharp plunge in November and continued to fall through December.

Figure 3: Redirects peaked in October 2021 after climbing all year.

Malicious Clickbait: The Media Trust’s Digital Security & Operations team detected a 9X increase in FizzCore malicious clickbait events in November 2021 from a September nadir (see Figure 4). Going beyond scams, FizzCore employs cloaking tactics to hide both malicious creative and payload—often phishing schemes or PII theft. Although the November outbreak was about half of the major barrage detected in July, it was still massive compared to the relative calm of previous months.

Figure 4: The digital ecosystem was awash in FizzCore malicious clickbait in November 2021.

Fake Antivirus/Software Updates: November also saw a sudden burst of “scareware” fake software update incidents—a 50% jump over the beginning of the year. What’s old is new again—most of the pop-ups were classic bogus warnings about fake viruses (see Figure 5). Such a short burst typically indicates testing for a larger attack.

Figure 5: Many of the fake antivirus/software update incidents in November 2021 were classic “scareware” creative falsely claiming a consumer’s device was infected.

Scams: The 2021 surge in scam ads did not let up in Q4—there was even an uptick in December when almost all other types of malware were falling. While scam creative included shady mortgage lead generators and dubious investment schemes, sketchy retailers promoting gift guides dominated the pack (see Figure 6).

Figure 6: While scam creative detected in 2021-Q4 was diverse, gadget gift guides from shady retailers were highly prominent.

E-skimmers: As we detailed in December, e-skimming typically proliferates in Q4 with efforts to steal holiday shoppers’ credit card information. However, even in this area the 63% increase over 2020-Q4 was remarkable.

Sailing Rough Programmatic Waters

As more premium programmatic spend is headed to private marketplaces, it’s become easier than ever to become a prolific malvertiser. Bad actors are selling turnkey solutions for phishing, ransomware, and other malicious software, effectively multiplying the amount of malicious content in the space. And as always, the most efficient way to deliver malware to victims is through the open programmatic marketplace.

The high amount of malware detected in 2021-Q4—when malware levels typically subside because of high demand and higher CPMs—shows that the open programmatic marketplace is only getting seedier. But there are still plenty of premium advertisers in the open marketplace, and publishers can haul in substantial revenue.

Keeping consumers safe and delivering high-quality ad experiences while monetizing through the open marketplace is simply growing more difficult. The solutions are out there—a creative blocker is table stakes, but it’s only as good as the malware data fueling it, and how often that data is refreshed.

Original-source malware data will always top third-party data because they’re certified fresh and can avoid false positives and the corresponding revenue loss. The quality of your malware data has never been more important when it comes to succeeding in the open marketplace.

But beyond creative blocking, publishers must be careful when it comes to their open market demand partners, and require them to continuously scrutinize tags and landing pages for malware and unwanted content. Publishers should also demand these practices from their private marketplace partners, as those deals are only so secure—malware can slip in via cloaking, compromised landing pages, or other forms.

Continuous monitoring of a publisher’s own properties is also essential: not all malware comes through ad channels, and scanning can also alert teams to the presence of unsavory and unauthorized vendors.

Even if the open programmatic seas are becoming increasingly treacherous, the right tools can help diligent publishers safely navigate them—and thrive.