Malware Blocking: The New Fraud on The Block

Security Fraud Ahead

This article was written by Niles Rowland, Vice President of Product Management at The Media Trust.

4 reasons to question the marketing hype

If fraud happens whenever someone pays for something they don’t receive, then publishers should consider if they are the victims of fraud when it comes to malware blocking. Tools promising to protect their users, domains and the digital ecosystem from malware actually don’t, and they’re paying for it. 

Malware blockers have become the go-to solution for protecting websites from malicious advertising and redirects. But while they claim to be a lot of things – effective, good for UX, lightweight and responsive to upstream partners – we would know by now if that were true.

Since mid-2017, when malware blocking went mainstream, the amount of malware and the number of redirects have actually increased, and blocking – far from preventing that – has exacerbated it.

Malware blocking strategies exposed

The marketing playbook for blocking contains tactics that mislead either by generalization or obscurity. As a consequence, publishers do not experience the long-term benefits they expect, and instead suffer from a new set of problems.

As a product manager for a malware blocking product, I’ve worked with our clients to help them understand the true value of a malware blocker and its role in a comprehensive security solution. Let’s break down the hype. 

1. Blocking numbers mislead by counting more than malware and redirects

When researching blockers, a publisher often hears that they are good for UX. But while malware and UX problems go together, they are not the same thing: by conflating one with the other, blockers exaggerate the amount of malware actually detected. If you’re being charged by the number of blocks, then this practice actually works against you. Even worse, you’re left with the impression that your digital environment is more secure than it is.

In fact, blockers often generate revenue and performance issues on websites by overblocking, targeting legitimate content and useful third-party code. While some of this vigilance may result in improved performance, publishers are not given much control if their properties are crippled.

2. Blockers depend on unreliable data sources

In order for a malware list to be useful, it must be both accurate and timely. But according to our tests, the third-party data sources relied on by most other blockers are neither, lagging behind real-world malware data by 2-5 days, and misidentifying creative policy failures as malware.

In addition, the public availability of these lists impedes their usefulness: threat sources actively monitor them and change tactics long before blockers can detect the change. Examples of this practice abound.

3. Blockers see “instances,” not incidents

In AdTech, “incident” refers to malicious content or behavior originating from the same threat source. A single incident may generate thousands or even millions of impressions, constituting the work of one actor. (In fact, we recently had one incident reach more than 41,000 impressions in less than 12 hours.) However, the same actor may enter the ad chain through multiple domains and digital vendors and appear like a different attack.

Blockers can, therefore, prevent a malware incident originating from one domain or vendor, but fail to detect it when it arrives from another. On average, more than 1,500 incidents are active every day, and about 8,000 new, unique domains are detected each month, so by reporting instances rather than incidents, blockers leave publishers with an inflated sense of security.
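To make the instance/incident distinction concrete, here is an added example (not code from the article or from The Media Trust) that groups a constructed block log by the shared threat source, so that one actor arriving through several vendor domains is counted once, and that shows which vendors a per-vendor block rule still misses. The vendor and redirect hostnames are made-up placeholders, and using the redirect destination as the threat-source key is an assumption for the example.

```python
from collections import defaultdict

# Constructed sample block log. Each record is one blocked impression (an
# "instance"): the upstream vendor domain it entered through and the host the
# malicious redirect tried to send the user to. All hostnames are placeholders.
SAMPLE_BLOCKS = [
    {"vendor": "ads-vendor-a.example", "redirect_host": "bad-redirect-1.example"},
    {"vendor": "ads-vendor-b.example", "redirect_host": "bad-redirect-1.example"},
    {"vendor": "ads-vendor-b.example", "redirect_host": "bad-redirect-1.example"},
    {"vendor": "ads-vendor-c.example", "redirect_host": "bad-redirect-1.example"},
    {"vendor": "ads-vendor-a.example", "redirect_host": "bad-redirect-2.example"},
    {"vendor": "ads-vendor-d.example", "redirect_host": "bad-redirect-2.example"},
]


def count_instances(blocks):
    """What a per-block counter reports: every blocked impression separately."""
    return len(blocks)


def group_incidents(blocks, source_field="redirect_host"):
    """Collapse instances into incidents keyed on the shared threat source.

    Assumption for this example: the redirect destination identifies the actor.
    Returns {source: {"instances": n, "vendors": [sorted vendor domains]}}.
    """
    incidents = defaultdict(lambda: {"instances": 0, "vendors": set()})
    for block in blocks:
        entry = incidents[block[source_field]]
        entry["instances"] += 1
        entry["vendors"].add(block["vendor"])
    return {src: {"instances": e["instances"], "vendors": sorted(e["vendors"])}
            for src, e in incidents.items()}


def vendors_still_serving(blocks, blocked_pairs):
    """Given the (vendor, source) pairs a blocker has rules for, list the
    vendors through which the same threat source still arrives unblocked."""
    gaps = defaultdict(set)
    for block in blocks:
        if (block["vendor"], block["redirect_host"]) not in blocked_pairs:
            gaps[block["redirect_host"]].add(block["vendor"])
    return {src: sorted(vendors) for src, vendors in gaps.items()}
```

Running `group_incidents(SAMPLE_BLOCKS)` on the sample turns six instances into two incidents; `vendors_still_serving` with a single (vendor, source) rule shows the same actor still reaching the page through the other vendors.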

4. Overblocking rewards volume and leads to loss of revenue for publishers

The over-vigilance of blockers has led, in some cases, to DSPs finding their entire domain blocked. In the first place, this disincentivizes the DSP from actually working with blockers, or from paying attention to partner notifications.

In the second place, publishers are forced to initiate a call-back for a replacement ad, from which they will receive substantially less revenue, all while fronting the costs for an unnecessary block. These costs accumulate over time, making blockers more expensive than they appear from the outset.

Refuting False Promises

In some cases, the claims made about blockers are not merely deceptive, but outright false.

  • Low-Latency: In one case, we tested a blocker that advertised 50 millisecond latency, and found that the number was consistently substantially higher. Far from being lightweight, blockers will often add substantial load to a site and its content.
  • Perfect Solution: Publishers are sometimes told that blockers can provide “100% security”. This is obviously not true, because – as we see on a daily basis – malicious code successfully bypasses them.
  • Partner Notification: While blockers offer communication with upstream partners, vendors are not provided with the information needed to identify their buyers, leaving the communication one-sided. In fact, we’ve had digital vendors reach out to us asking for clarification on a competitor’s notification. Seriously.
  • Better UI: Working with dozens of clients, we built an easy-to-use workflow for implementation. Reporting dashboards are flexible, allowing you to select data set, time frame, chart type, and scope. Download the charts or the raw data – your choice.

When considering the whole picture, popular ideas about blockers leave out a lot of information. But more than that, they reflect simple misunderstandings of technology and the digital landscape. 

How to Fix Your Blind Spots

Blockers are not a comprehensive, long-term security strategy, but publishers still need solutions to secure their domains. Protecting your digital assets requires being informed. Here’s how to do it:

1. Know what you’re buying 

There’s no way to make an informed decision without understanding the alternatives. When in the market for a security solution, compare competitors directly (apples-to-apples) and understand the difference.

2. Find a real security provider

The only security provider worth investing in is one who works in the real world. An ideal blocker knows what to block because it doesn’t only block: it continuously scans the web and analyzes information immediately to provide timely protection. 

3. Control your digital ecosystem 

Taking ownership of your place in the digital supply chain is the first step to protecting it. That starts by:

  • Identifying partners: know who’s operating on your domain, their history and their credibility
  • Communicating policy: develop specific standards for security on your domain, and communicate them to upstream and downstream partners
  • Monitoring for compliance: continually scan your digital properties for compliance with the rules
  • Enforcing policies: terminate relationships with non-compliant partners rather than wasting money constantly blocking them

At The Media Trust, we believe this approach represents the best solution to the problems with digital media today. From forging relationships with more than 2000 of the most frequently used media vendors through the Digital Vendor Network, to identifying 8,000 malware incidents each month through continuous scanning, we create and promote a more effective alternative to today’s security solutions.