Research / Insights on current and emerging industry topics
Malvertising: You ain’t seen nothin’ yet
October 30, 2019 | By Louis-David Mangin, CEO and Co-Founder—Confiant@ldmanginOver the last decade, malvertising has emerged as a key attack vector for cybercriminals trying to grab an ever-larger slice of the programmatic digital market, which is expected to total over $80 Billion in the U.S alone by 2021. We saw some major attacks at the tail end of 2018 – The Dandelion Group and the massive eGobbler redirect campaign, for instance. And all indicators point to things being even worse for the tail end of this year.
Our first full-year Demand Quality Report sheds light on the (poor) state of quality controls in programmatic and digital advertising overall. It also revealed how the lack of these controls jeopardizes user engagement. (This is particularly problematic given that engagement is emerging as a key value metric for advertisers and publishers).
A quick look at 2019 so far
Industry efforts to fight malvertising are starting to show some results. We’ve seen notable declines in the rate of in-banner video (IBV) and in the life span of malicious attacks for the first half of 2019.
However, it’s still too early to say that we’ve won the race when one in every 200 programmatic impression remains dangerous or disruptive. The nature of programmatic advertising is highly dynamic and so are malvertisers and their methods of attacks. They are also persistent as we’ve seen with the multifaceted threats from groups like Zirconium, eGobbler, Dandelion, and others. We’ve written extensively about these on our security blog this year.
Within the last three months alone, we’ve tracked a staggering volume of impacted programmatic impressions from eGobbler. We estimate that over 1 billion impressions were maliciously compromised by just one of their attacks during August and September.
The arms race escalates
There’s a digital arms race being waged in every security specialization, and the ad tech sector is no different. What is different is the ad tech sector’s Q4 frenzy, which creates the perfect storm for these digital criminals to execute their malicious attacks. As companies like ours adapt to better protect against new threats, expect malvertisers and other bad actors to keep up their own technological evolution. They orient new attack vectors. And they try and evade detection with new methods that they have honed throughout 2019.
Browser exploits have been the preferred methods for sophisticated attackers this year. We predict that evasion and obfuscation will be the tactics of choice for malvertisers in the upcoming years. Look for techniques like steganography and leveraging protocols like WebRTC and WebSocket.
They will broaden their attack vectors and invent new attack types, too. These bad guys are fully aware of the industry efforts to properly sandbox iframes and curb forced redirects. And they’re already working on further ways around these safeguards.
A serious threat
That means that publishers will have to take the malvertising threat much more seriously if they want to thwart attacks. As publishers take more ownership of their data and attempt to branch out into new revenue streams, they must understand the threats malvertisers pose and be willing to address them proactively.
Failure to do so can cut into a publisher’s already thin profit margins and ruin their carefully optimized sites. Even a half percent of lost profitability due to malvertising can be devastating. So, if you thought the beginning of this year was rough – buckle up. The rest of 2019 will be a bumpy ride!