Malware Trends: May

unique malicious incidents in the digital ecosystem detected each month

Malware on an unsettling trajectory

Distinct incidents continue to climb, steadily growing 25% since January. Considering each incident is detected thousands of times during its lifetime, this increase reflects the current state of today’s digital ecosystem.

Key malware behaviors driving incident trajectory:

  • Redirects: 78% growth. Content is consistently redirecting to malicious content or auto-redirecting users to an app store without any user initiation. 
  • Scams: 45% growth. Content entices users to enter personal information for retargeting and reselling purposes, and/or is frequently related to the selling of products delivering false claims.
  • Compromised content: 31% growth. A delivered creative or landing page has been altered to be directly involved in the execution of malicious activity—e.g., popups, fake software updates, and exploit kits.

Malware increased steadily throughout May, keeping our Digital Security & Operations team busy identifying, evaluating, and then addressing outbreaks. Confirmed malicious activity was added to our blocklist and also shared with the offending provider to clean up incidents and keep revenue channels open. (Figure 1)

  • 2,070 active malicious incidents, on average, managed each day in May
  • 34% Scams: Content entices users to enter personal information for retargeting and reselling purposes, and/or is frequently related to the selling of products delivering false claims.
  • 27% Suspicious: The campaign exhibits anomalous activity; however, malicious intent is not confirmed. Typically, the domain or content is parked, does not exist, or matches previous patterns or characteristics of known malicious activity.

Malware incidents by type
Figure 1: Malware incidents by type during May

 

Interesting Incident: Redirect Barrage

Large-scale redirect campaign started on May 17 and continued through May 22 by cycling through dozens of domains to serve users a fake rewards scheme. What’s interesting is the misplaced recommendation to block the penultimate SSP instead of the malicious campaigns stemming from the malicious buyer on the DSP. This blunt blocking approach causes publishers to lose revenue opportunities.