
Now & Next: Malvertising

Now & Next is a feature written by the ExchangeWire Research team. Every four weeks, we review the latest research, provide impartial insight and analysis of current trends and provide predictions for the future of advertising and marketing technology. This feature focuses on malvertising.

What started out as bad-taste pranks by computer geeks in the early days of the internet has long since become a million-dollar business. It goes beyond specifically targeted governments or individuals, and is directed at the public in general for the purpose of stealing financial or personal data; it also affects the advertising industry in particular. Viruses, worms and trojan horses have been replaced by sophisticated spyware, adware, and other forms of malicious programmes designed for profit, because there is nothing more valuable than personal details, financial data, passwords, or fraudulent clicks.

Malicious advertising

Malware is intrusive software that uses code, active content and scripts to spread spyware, adware etc. On the most basic level, malvertising refers to fraudulent online advertising with the purpose of spreading malware. With the growing sophistication of technology – and hackers – it has become increasingly difficult to distinguish fraudulent ads from genuine online advertising. Typically, malware targets websites that attract a lot of traffic, or popular, widely-used apps in order to reach as wide an 'audience' as possible.

It shouldn’t come as a surprise then that 90% of malware attacks are launched via legitimate sites, i.e. popular, heavily trafficked websites and mobile apps that have not been built for the purpose of malvertising. This makes publishers unwittingly complicit, along with advertisers and ad tech providers. After all, the third-party code included in websites for the purpose of ad serving may itself provide a loophole for malicious attackers to spread their malware.

Similarly, vulnerabilities could possibly be found within the programmatic chain of processes that enables the serving of an ad to a specifically targeted audience, namely third-party providers such as ad networks and exchanges, DMPs, data analytic tools and platforms, video serving platforms, or any kind of marketing automation platform, amongst others.

Piggybacking on ad tech?

To be clear, these third-party providers are not the cause of malvertising. They are caught up in the mess because their data is contained on affected websites and is misappropriated by malicious agents: it provides exactly what malware needs, namely data and records of user behaviour that facilitate the specifically targeted serving of an ad. Malware thus piggybacks on third-party data and targets its victims at a large scale, and it does so in essentially the same way as legitimate advertisers serve ads and ad tech providers deploy their services.

So, has programmatic inadvertently propelled malvertising? "Although it plays a role, I wouldn’t place the blame of malvertising’s increase squarely on the shoulders of programmatic", says Chris Olson, CEO, The Media Trust. "Digital ad spending continues to increase, with the IAB reporting USD$59.6bn (£41.3bn) spend in 2015 – a 20% increase from the previous year. Combine this volume with the reach of programmatic, and the ease of executing a malicious campaign, and you have an attractive environment for motivated bad actors. In fact, The Media Trust has seen a YOY doubling of ad-related malware during the past few years."

A bad name may not seem a particularly serious consequence of malvertising for programmatic. But then consider botnets as another form of malvertising – which may hit a more sensitive spot with the industry. Ad bots can be invisibly activated on users’ computers, creating fake browsers in the background that visit websites and click links – unbeknownst to the users. In concert with thousands of ad bots, they create a huge botnet with the sole purpose of fabricating invalid traffic and click fraud, creating fake views – for which advertisers pay.

According to software security experts Cyphort, malvertising increased by 325% in 2014. The Media Trust puts the number of new malware programmes detected every day at a staggering 400,000. The Association of National Advertisers projected that ad fraud would cost global advertisers more than USD$6bn (£4.16bn) in 2015. And this figure is set to rise to USD$7.2bn (£5bn) this year, according to the ANA/White Ops. Their report from earlier this year has also found that media with higher CPMs was more vulnerable to bots and that in general, programmatic ad buys displayed higher levels of fraud: "Programmatic display ads had 14% more bots than the study average, while programmatic video ads had 73% more bots than average."

Finding and fixing just one malware attack syphons off valuable resources and could cost USD$62k (£43k), The Media Trust calculates, incurring an average cost of USD$3.2m (£2.2m) per year, per company. The IAB puts a price tag of USD$17m (£11.8m) on measures to fight malvertising in the US and calculates a total of USD$1.1bn (£762m) in revenue losses due to malvertising activities in the US. Included in this number, however, are USD$781m (£541m) that the IAB says are lost due to users installing ad blockers, a move made by users not only to avoid pesky ads, but also to eliminate the source of malware, adware, and spyware. Connected to this are revenue losses of USD$57m (£38.5m) due to blacklisting by ad blockers.

The question remains, whether the ad tech community is doing enough to battle malvertising. The Media Trust's Olson believes that, while understanding the risks malvertising poses to their business models, the attempts made so far are not enough: "From attempting to pre-screen buyers and preview ads, to sharing violation information and adopting header bidding strategies, the industry has tried various approaches with some success. But, in the end, these tactics aren’t going to adequately mitigate the risks of malvertising. Short of approving every ad before it renders on a publishers page, the complexities of navigating the advertising ecosystem are resource- and cost-prohibitive for publishers and providers alike."

Chain reaction

Ultimately, malvertising hurts advertisers and ad networks: while adware merely delivers (unsolicited) advertisements on user screens, spyware susses out users’ browsing habits, displays ads on user screens, and redirects traffic. Botnets create fake views, making advertisers pay for nothing. As a simple way out, users install ad blockers in a bid to prevent malware from infecting their computers, a reaction that reflects not only users’ expectation to consume content for free, but also their bad experiences with advertising. The result: millions of dollars, pounds, and euros lost in advertising revenues.

Programmatic has unwittingly contributed to that. The automation of online advertising, and the resulting complex web of relationships between companies that facilitate the selling and buying of ads or measure and serve advertising, has made it harder to identify the sources of malware. The industry has woken up to the threat and is working on damage-control. In their November 2015 US benchmarking study, the IAB, for instance, put together a list of preventive measures. Apart from implementing technology solutions to detect malware and/or loopholes in internal systems, the industry body placed emphasis on a less technology-heavy approach: evaluating business partners (whether they be advertisers, agencies, or ad tech providers) to make sure that they are reputable, malware-protected, diligent companies, and encouraging the "good actors in the industry to share information". Fighting evil by being good.

Will it be enough? Malvertising is here to stay, anyway. WatchGuard, a provider of security products, predicts that malvertising attempts will triple in 2016, with cyber criminals obfuscating their malicious advertisements by delivering them over encrypted HTTPS connections. Malware analysts expect malvertising campaigns to become more targeted and, in reaction to the growing use of smartphones and tablets, to focus increasingly on mobile. The security software specialists Trend Micro believe that 2016 will be a turning point, as both advertisers and cyber criminals react to the increasing use of ad blockers. The former will have to find new ways of serving ads securely, closing loopholes and preventing malicious attacks, or in the words of Olson: "The industry needs to take a hardline approach regarding malvertising. Any manipulation of ad-based, revenue-generating code (i.e., advertising, paid content, native, video, etc.) to orchestrate anomalous activity, not germane to the code’s expected execution, is malvertising. As such, it should not be allowed and actively terminated."