It’s Time for Publishers to Implement Measures to Combat Device Fingerprint Malvertising

These spammy pop-ups attach to legitimate ads


Have you ever been distracted on the couch, scrolling Facebook for the latest news, scanning the sports highlight reel or flipping through one of those celebrity gossip slideshows with the TV blaring in the background? Let’s be real—we all have. It’s all fun and games until that harmless perusing turns into an inescapable page that says something like, “Congrats! You just won a $500 Amazon gift card. Click here to redeem!”

Now you’ve become one of the millions of victims of weaponized advertising, a little-known term whose effects have been widely experienced. These ads are more than just a nuisance. They have malicious code attached that can do anything from cryptojacking to forced mobile redirections, like infamous fake gift card scams. In the industry, we call it malvertising, and it’s only getting worse.

These cybercriminals started by exploiting cookies in order to track individual users and create more effective phishing scams and malicious ad campaigns that steal revenue from publishers and data from users. But now they’ve evolved.

They know that they’re being hunted, and as the industry uncovers more of their tactics, these malvertisers are becoming more sophisticated. Fingerprinting techniques allow them to detect the presence of anti-malvertising software and determine if the device presents an opportunity for them to serve their malicious code or not, making them harder to find.

The most common weaponized ad, the gift card redirection, occurs when malicious code is attached to a legitimate ad that spawns a pop-up. Any website that has programmatic advertising is in danger of propagating these scams. The end result is that these ads hurt an advertiser or ad platform’s reputation. Meanwhile, publishers look responsible for serving bad ad experiences, driving away their audience and forcing them to lose out on profits. That’s not to mention the security risks for end-users, who are having their data stolen and computers and phones slowed down by malware.

Publishers must take action

It’s imperative, now more than ever, that publishers who want to fix this problem take the time to vet their demand partners, consider the unique risk involved when they onboard a new demand source, and play with floor prices. Sometimes even a direct deal can introduce a ton of potentially risky programmatic demand. Fortunately, there are several things publishers can consider to get ahead of bad quality or malicious demand.

The first is to avoid auto-refreshing in ad slots. It’s understandably tempting to build a user experience that promotes frequent refreshing because it results in more impressions, but publishers that use short refresh times might experience diminishing returns from an ad quality perspective. When a visitor sees 30 to 40 ads in a single session, they tend to hit advertiser frequency caps, which creates an opening for bottom-of-the-barrel ads to win the auction.

Beware the slideshow and direct deals

We increasingly see this problem surface on publisher sites that have infinite scroll or slideshow layouts, especially where the ads refresh on every slide. Users often click through slides rapidly, sometimes spending less than a second on each. If each new slide refreshes the ad, the refresh speeds create an open invitation for malvertisers.

Premium publisher inventory is always in high demand on the buy side, and there are plenty of second-rate platforms vying for an opportunity to place a widget on publisher sites with the promise of high CPMs, but that widget can be a wolf in sheep’s clothing. Sometimes a direct deal like this can introduce risky programmatic demand. In fact, some vendors simply run their own pre-bid stack within their unit. This means up to a dozen SSPs and exchanges that the publisher might not recognize have the chance to serve ads to end-users.

Finally, even though we have seen that security issues can surface at any CPM, playing with floor prices can make a big impact when it comes to weeding out some bad ads. The mileage may vary, but the idea is that some malvertisers are bottom feeders looking to bid low, and they won’t aim for a moving target.

In 2018, we benchmarked that one in every 200 programmatic ads contains some sort of malicious code. That might not sound like much from a percentage standpoint, but when you think about billions of ads served, the number is staggering. If there’s one thing that’s certain about these criminals, it’s that as publishers and ad-security companies become more adept at catching them, they will become more creative in how they carry out their deceitful deeds in the darkest corners of the web.

Eliya Stein is a senior sales engineer at Confiant.