Malvertising Doesn’t Take a Holiday

Grill fire is an apt metaphor for holiday malware attacks

Malvertising typically attempts to exploit publisher vulnerabilities during holiday weekends; Gavin Dunaway provides easy steps to stay vigilant.

I can already smell the charcoal on the grill, the chlorine in the pool, the salty air wafting off the waves. I can feel the sand between my toes, cold water splashing my pale legs, and the sun beating down on my face. I can even taste hot dogs smothered in mustard and onions to disguise the fact the guy manning the barbecue got distracted and burnt them to near cinders. (“Well, I just like my weenies super charred, ok?”)

Memorial Day is within spitting distance, and the 2021 holiday will probably be epic as freshly vaccinated folk around the US escape from their homes after more than a year of pandemic worry and semi-isolation. I can already imagine the massive traffic jams as highways across the US clog up with holiday travelers… 

And I can also already imagine the malvertising spikes hitting publishers across the Internet.

Weekend warriors

In general, malvertisers love to drop malicious campaigns over weekends, thinking they can overwhelm publishers, SSPs, and ad quality providers operating with skeleton crews. A three-day weekend potentially means an extra day of malevolence, but this Memorial Day may be particularly attractive to scammers. 

First off, it’s also the UK’s Spring Banking Holiday, which just widens the threat actor’s targeting pool. Second, publishers, SSPs, and ad quality provider holiday crews might be stretched even thinner than on other holidays. High numbers of vaccinated people in the US with cabin fever from 15 months of forced semi-isolation likely make for more workers taking extra time off. Third, our Digital Security & Operations team is already reporting an uptick in redirects.

The Media Trust has seen this story before—even last year when many around the US were reluctantly spending holidays at home. Like clockwork, in 2020 we detected malware booms right around the big holidays like Memorial Day, Fourth of July, and Thanksgiving, as well as smaller holidays like Columbus Day.

Malware spikes during American holidays
Figure 1: Even during locked-down 2020, The Media Trust detected serious spikes during holiday weekends—major and minor.

This moment is also worrisome because premium advertiser spend still hasn’t quite bounced back to pre-pandemic levels, and we’ve detected a lot of suspicious activity of late around nasty malware types like the mobile-device-targeting Ghostcat-3PC. In addition, we’ve seen a 4X jump in FizzCore-like malicious clickbait since the beginning of the year, as well as other vicious malware types embracing FizzCore’s malevolent payload strategy. There’s a lot of villainy afoot in the digital ad space recently.

Evasive maneuvers

Here are some tips to stay vigilant in protecting users as malvertisers try to take advantage of the holiday weekend.

Raise the floors! It’s not a foolproof tactic, but bumping up your floors in the open programmatic marketplace can ward off malvertisers looking for cheap hits. At the same time, some bad actors will pay more if there’s a higher propensity to hit their targets (typically specific devices and environments), so hiking the floors is only one move in a defensive strategy.

Keep a lookout. Many publishers will have someone (or multiple people) on the ops team spend some time clicking through the site to evaluate user experience and see what ads appear. Even though your team may be thin during the holiday weekend, make sure they get on the site and go hunting for weirdness (or outright bad activity). And hey—you should also ask The Media Trust to help out...

Boost your malware scanning. To some extent, the above is what client-side site-scanning does in an automated fashion and at scale. Client-side scanning can easily emulate tons of different users, including diverse cookie pools, devices, and geos. This enables your ad quality provider to not only identify malicious campaigns as they emerge but also detect those that may cloak themselves (a process called… cloaking) by delivering innocuous creative unless they are being served into a target environment (e.g., a mobile device).

Your scanning should be tied directly into your on-page bad-ad blocker, updating your blocklists as soon as malvertising is detected—it’s a one-two combo for user safety. Bumping up your scan rate is a great way to offer more protection during a potentially perilous moment.
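The scan-then-block loop described above, as an added example that is not from the original article or any vendor's tooling: it compares the landing host each emulated profile received for the same creative, flags creatives where a minority of profiles were sent somewhere else, and feeds those into a blocklist. The record layout, creative IDs and hosts are constructed, and treating a divergent host as a block signal is an assumption, since legitimate geo-specific landing pages can diverge too.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed scan results: one row per (creative, emulated profile).
# Creative IDs, hosts and field layout are invented for this example.
SCANS = [
    ("cr-1001", "desktop", "US", "https://shop.example/sale"),
    ("cr-1001", "mobile",  "US", "https://shop.example/sale"),
    ("cr-1001", "mobile",  "UK", "https://shop.example/sale"),
    ("cr-2002", "desktop", "US", "https://brand.example/offer"),
    ("cr-2002", "desktop", "UK", "https://brand.example/offer"),
    ("cr-2002", "tablet",  "US", "https://brand.example/offer"),
    ("cr-2002", "mobile",  "US", "https://prize-claim.example/win?id=7"),
    ("cr-3003", "desktop", "US", "https://news.example/a"),
    ("cr-3003", "mobile",  "US", "https://other.example/b"),
]


def find_cloaked(scans, min_profiles=3):
    """Map creative -> [(device, geo, host)] for profiles that were sent to a
    landing host different from the one most profiles saw."""
    by_creative = defaultdict(list)
    for creative, device, geo, landing in scans:
        by_creative[creative].append((device, geo, urlsplit(landing).hostname))
    flagged = {}
    for creative, rows in by_creative.items():
        if len(rows) < min_profiles:
            continue  # too few emulated profiles to define a baseline
        baseline, seen = Counter(h for _, _, h in rows).most_common(1)[0]
        if seen <= len(rows) / 2:
            continue  # no majority host: leave for manual review
        outliers = [r for r in rows if r[2] != baseline]
        if outliers:
            flagged[creative] = outliers
    return flagged


def update_blocklist(blocklist, flagged):
    """Return a new blocklist with flagged creatives and their outlier hosts."""
    updated = set(blocklist)
    for creative, outliers in flagged.items():
        updated.add(creative)
        updated.update(host for _, _, host in outliers)
    return updated


if __name__ == "__main__":
    hits = find_cloaked(SCANS)
    print(hits)
    print(sorted(update_blocklist({"cr-0001"}, hits)))
```

Raising the scan rate adds rows per creative, which is what lets the majority baseline form sooner and the mobile-only outlier surface.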

Consider restricting the high-risk buying platforms. Over-blocking can be a suck on revenue—malicious actors will use any and every DSP they can find to push their bad ads. Some platforms are better than others at stopping these bad actors (and malvertisers are crafty in hiding their malignant code), so just because malware comes through a platform, it doesn’t mean everything coming through that platform is malware. 

If you block a whole buying platform because it’s deemed “high risk,” you’re potentially missing out on the legit ad spend coming through those pipes. The more revenue-effective strategy is to count on your ad quality provider to precisely identify malevolent campaigns and end-buyers and then block them specifically.

That said, when your crew of ad ops guardians is not at full strength during a holiday weekend, restricting high-risk buying platforms might add a level of protection. What’s most important is that publishers have the ability to easily control whether ads from “high-risk buying platforms” are blocked. Not only should ad quality providers track high-risk demand sources, they should also empower publishers to manage their own risk profiles.

Get your holiday on with your guard up

I wish you all a happy holiday weekend—but I also wish your properties and users protection from bad actors trying to exploit this moment. You can stay vigilant against bad ads while ensuring your revenue team gets a well-deserved breather… Possibly an extra-well done hamburger too.

I mean, who doesn’t like the taste of lighter fluid?