Rogue Third-party Code Driving Ad Fraud


Malvertising isn’t the only problem on the rise

 

The digital advertising industry is going through an unprecedented rough patch: downward pressure on ad spend, a resulting decline in eCPM, and a corresponding fall in revenue. In addition to the rise in malvertising, publishers also need to worry about the prospect of not getting paid by retailers for their advertising campaigns. Piling on, publishers have another concern: the risks of unmanaged third-party code within their digital environments. Currently, rogue—often no longer used and forgotten—third-party code is executing on several premium publisher websites, driving thousands of non-viewable impressions and unnecessary latency.

Unknown third-party code causing chaos

Website developers frequently insert widgets—non-advertising code—into the web page infrastructure, where they execute client-side to render the user experience. Recently, a third-party widget from 100widgets[.]com was compromised and leveraged to run a hard-hitting scam. 100widgets provides free, non-advertising tools that web designers integrate into their pages to provide a range of functionality, e.g., calendars, social networking buttons, clocks, site speed tests and more. However, this tool is not something typically used in premium publishing environments.

The Media Trust first detected this domain in January executing across a variety of premium websites with little issue. However, as is common in a malvertising campaign, the domain’s behavior changed, and it began to serve dozens of webpages to users via an iframe to render content outside the user’s browser-view. This fraudulent activity reached a crescendo in early May. The served pages ran the gamut from travel and brands to more topical campaigns covering e-learning and adult content. In effect, the widget enabled the creation of a bot by leveraging real-world human activity to open at least 50 unseen webpages without the user’s knowledge—it is a legitimate user, not a legitimate page view. Even worse, many of these appear to be affiliate marketing scams. [Figure 1]

Figure 1: Example of non-viewable websites opened in the off-page iframe
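The off-page iframe behavior described above can be checked for at runtime. The following is an added example, not code from The Media Trust or from the original post: it flags third-party iframes that are positioned outside the document, sized near zero, or hidden by style. The hostnames, thresholds and function names are assumptions made for illustration.

```javascript
// Added example: flag third-party iframes a user can never see.
// Frame descriptors use document coordinates, so below-the-fold content is not flagged.
function frameOrigin(src, pageUrl) {
  try {
    const u = new URL(src, pageUrl);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null; // malformed src
  }
}

function hiddenReasons(f, doc) {
  const reasons = [];
  if (f.width < 2 || f.height < 2) reasons.push("near-zero size");
  if (f.x + f.width <= 0 || f.y + f.height <= 0 || f.x >= doc.width || f.y >= doc.height)
    reasons.push("positioned off-page");
  if (f.display === "none" || f.visibility === "hidden" || Number(f.opacity) === 0)
    reasons.push("hidden by style");
  return reasons;
}

function auditFrames(frames, pageUrl, doc) {
  const pageOrigin = new URL(pageUrl).origin;
  return frames.flatMap((f) => {
    const origin = frameOrigin(f.src, pageUrl);
    if (!origin || origin === pageOrigin) return []; // first-party or non-web frame
    const reasons = hiddenReasons(f, doc);
    return reasons.length ? [{ origin, src: f.src, reasons }] : [];
  });
}

// Browser-only collector (assumes a DOM); inspects each iframe's own style, not its ancestors'.
function collectFrames() {
  return [...document.querySelectorAll("iframe")].map((el) => {
    const r = el.getBoundingClientRect(), cs = getComputedStyle(el);
    return { src: el.src, x: r.left + window.scrollX, y: r.top + window.scrollY,
      width: r.width, height: r.height,
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity };
  });
}

// Constructed sample data, not taken from the incident.
const visible = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_DOC = { width: 1280, height: 4200 };
const SAMPLE_FRAMES = [
  { src: "https://video.example/player", x: 100, y: 3000, width: 640, height: 360, ...visible },
  { src: "https://widget-vendor.example/p1", x: -9999, y: 0, width: 800, height: 600, ...visible },
  { src: "https://widget-vendor.example/p2", x: 10, y: 10, width: 1, height: 1, ...visible },
  { src: "/comments/embed", x: -9999, y: 0, width: 300, height: 300, ...visible },
];
```

In a browser, pass `collectFrames()` as the first argument together with the page URL and the document's scroll width and height; a sudden jump in the number of findings per page is the signal worth alerting on.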

While the incident does not involve overt malicious activity, it does have serious repercussions across the digital supply chain.

  • Publisher: This unwarranted code execution is enabling fraud via the delivery of non-viewable impressions to other websites.
  • User: The opening of dozens of webpages drives incremental latency issues. As the user reads the page, they will experience problems scrolling content as their device continues to load pages behind their active browser session. If the user is on a mobile device, this will also drain battery life.
  • Brand: The incremental clicks and page views are driven by bots, throwing campaign metrics into chaos and perpetrating fraud.

Perils of forgotten webpages

Deeper analysis of the incident reveals that the affected brand and publisher websites are, for the most part, section pages or deeper—not the home or front page. In a few instances, the code was detected on international pages with non-English content. The Media Trust cannot ascertain how the code got onto the websites, but believes it is a legacy script. If a bad actor had gained credentials to directly place the code, it is likely they would have caused more direct harm to both the site and users.
 
The bigger issue is recognizing this unmanaged third-party code. Third-party code such as ads, analytics, CRM platforms, customer recognition platforms, online chat, shopping carts and video platforms is useful, but if left unmonitored it can lead to:

  1. Redirects and ads that hijack your customer experience
  2. Heavy JavaScript that slows down site performance
  3. Cookies that leak customer data
  4. Malware that puts the security of your users at risk
  5. Calls to third-party domains that increase site latency

In addition to notifying our Digital Vendor Risk Management clients of the anomalous code earlier this year, The Media Trust also alerted the affected publishers and brands to the compromised widget and provided URL details to facilitate removal from the website environment.

Digital health checks identify forgotten code

The time is ripe for publishers to audit their digital environment. This means identifying supply paths, evaluating activity—with a close eye on cookies and other data trackers—and analyzing each vendor’s value to the digital advertising chain. Along the way you’ll discover unknown and superfluous code that, if left in place, could be used for future attacks.
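One way to start such an audit, as an added example that is not part of the original post: inventory the external hosts referenced by `script`, `iframe` and `img` tags on every page, including deep section and international pages, and report any host that is not on an approved vendor list. The vendor list, page URLs and markup below are constructed, and a static scan like this sees only tags present in the served HTML, not code injected at runtime.

```javascript
// Added example: static inventory of third-party hosts per page vs. an approved vendor list.
function thirdPartyHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const hosts = new Map(); // host -> Set of tag names that reference it
  const re = /<(script|iframe|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, ref] of html.matchAll(re)) {
    let u;
    try { u = new URL(ref, page); } catch { continue; } // skip malformed references
    if (!/^https?:$/.test(u.protocol) || u.hostname === page.hostname) continue;
    if (!hosts.has(u.hostname)) hosts.set(u.hostname, new Set());
    hosts.get(u.hostname).add(tag.toLowerCase());
  }
  return hosts;
}

// A host is approved if it equals an approved domain or is a subdomain of one.
function isApproved(host, approved) {
  return approved.some((d) => host === d || host.endsWith("." + d));
}

// pages: [{ url, html }]. Returns { unapprovedHost: [page URLs where it was seen] }.
function auditPages(pages, approved) {
  const out = {};
  for (const { url, html } of pages) {
    for (const host of thirdPartyHosts(html, url).keys()) {
      if (isApproved(host, approved)) continue;
      (out[host] = out[host] || []).push(url);
    }
  }
  return out;
}

// Constructed sample: a clean home page and a forgotten deep international page.
const APPROVED = ["news.example", "adserver.example", "analytics.example"];
const PAGES = [
  { url: "https://news.example/",
    html: '<script src="https://cdn.analytics.example/a.js"></script><img src="/logo.png">' },
  { url: "https://news.example/intl/fr/archive/2014",
    html: '<script async src="//static.widget-vendor.example/clock.js"></script>' +
          '<iframe src="https://adserver.example/slot"></iframe>' },
];
```

Feeding it a full crawl rather than a handful of top-level URLs matters here, because the legacy script in this incident sat on section pages and deeper.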

Brands are paying more attention to how their ads, customer data, websites and products are sourced and/or manipulated to perpetrate malvertising and fraud in the broader ecosystem. The ability to identify and stop this activity will go a long way in developing stronger—possibly more rewarding—relationships with brands.