It’s tempting to write off malvertisers as simply an annoyance or unsophisticated criminals, but nothing could be further from the truth.
Far from being crude spammers, malvertisers are sophisticated, smart, persuasive, and often more technologically savvy than many of their legitimate advertising counterparts. And they’re extremely dangerous and costly. The last IAB estimate put the cost of malvertising at just over $1 billion. In case that figure isn’t troubling enough, here are a few more reasons why you need to take the threat seriously.
Malvertisers are technologically savvy advertisers. They not only know how to code, traffic, and place ads -- they’re skilled at using a variety of exploits to redirect users and circumvent security measures.
They are also masters of programmatic, shopping for placement on the same buying platforms and publications as legitimate advertisers. Malvertisers are attracted to ad tech for the same reasons legitimate advertisers are -- programmatic provides incredible reach and targeting capabilities -- and malvertisers make full use of these capabilities to find their victims.
Their primary aims are to compromise users’ machines to build botnets or gain access to potential phishing victims. These avenues open up a world of nefarious possibilities, including affiliate scams, sale of PII, and ad fraud.
Ultimately, malvertisers combine proficiency with the same tools and approaches that any ad sales, ops, or engineering professional might use with a deep understanding of security vulnerabilities. They are experts in both fields, which makes them an extremely challenging adversary.
Malvertisers aren’t just successful because of technology -- much of their edge is psychological.
Users have been warned to protect their personal data since the birth of the Web. With e-commerce, the warnings extended to their financial data, and now in the age of high-profile privacy breaches across everything from social, to email, to credit reports and scores, the average person is far more vigilant than they would’ve been years ago.
This means malvertisers have to work hard to convince users to fall for their tricks, and that involves psychological operations (also known as PSYOPS). Whether that means setting up sites that spoof legitimate publisher domains to scrape user info, or dangling the offer of a “free” gift card in exchange for completing some seemingly benign activity, malvertisers are skilled at coercing users to act against their own privacy and security interests.
They’re also skilled manipulators when it comes to the advertising community, since malvertising begins with biz dev. Before the first bad ad is delivered, the malvertisers have to gain entry to the ecosystem. To find that backdoor and cover their tracks, they exploit the fragmentation of ecosystem: the hundreds of intermediaries that sit between advertisers and publishers. A common technique is to pose as an agency in order to form relationships with multiple DSPs, using stolen creatives to lend an air of legitimacy to their campaigns. They then run large numbers of media buys to help hide the activity.
Malvertisers have mastered working under extreme time constraints. While legitimate advertising campaigns can run for days, weeks, or even months, “bad ads” don’t have that luxury. The average malvertising campaign runs at high volume for only 1-2 days, and few last beyond 30 days. Therefore, malvertisers have a much shorter time to execute these campaigns, which means they have to maximize what they can do before they’re identified and shut down.
Last, but certainly not least, is the fact that malvertisers are accomplishing all of these feats while working under the added strain of avoiding detection.
Their challenge, on top of the typical attention and conversion hurdles that “real” advertisers face, is to hide the intent of their activities while accomplishing the same goals. They have to quickly deploy malicious campaigns while hiding in plain sight, trick users into clicking, downloading or otherwise engaging, and often optimize campaigns in real-time using analytics and tools they’ve hacked together.
This ability to deliver results under pressure is what makes staying one step ahead of malvertisers difficult for the average publisher (or ad buying platform). It’s also why the security tools developed to counteract them need to be just as thorough, nimble, and innovative.
Original article published in the MarTech Series