Deceptive landing pages: Why ad security must look beyond the creative
October 5, 2020 | By Tobias Silber, CBO – GeoEdge @tobiassilber
In 2020, yet another vector of attack has been deployed by scammers, fraudsters and other bad actors to harm the digital advertising ecosystem. For years, we’ve been on guard against malicious code hidden in ad creative, ready to deploy without the user’s knowledge. However, in this latest wave of attacks, the user is lured to a dangerous landing page by willingly clicking on a deceptive ad. Once on that page, the user gets hit with a phishing scam, a fraudulent product offer, or a prompt to download malware.
Just last year, in discussions about ad quality, the industry’s attention was largely – and rightfully – focused on auto-redirects. But as the COVID pandemic spread, bad actors quietly ramped up efforts to evade ad security tech by enticing users to willingly click on bad ads.
Publishers have seen an onslaught of ads for questionable health-related products, and products bearing fake celebrity endorsements. With publisher CPMs falling, those bad actors were able to buy the inventory. With a large, anxious captive online audience, they were able to convince many users to click through to pages where they would be vulnerable to scams and malware.
For publishers, this scenario underscores the security and QA importance of inspecting not only the ad creative, but the landing page it leads to. To keep users safe, publishers need closer analysis of what awaits the user after the click. If you can recognize a fraudulent or otherwise unsafe landing page, you can flag the creative itself as a potential risk.
Powers of deception
Let’s get back to how this current wave of attacks plays on the user’s mindset. Deceptive ads are a long-running problem in the digital advertising ecosystem. These ads may show a celebrity’s name, a deceptive product description, or even a message that appears legit. And in many cases, the landing page keeps up the ruse.
Deceptive ads often lead to deceptive sites. Unfortunately, many of these are counterfeits of actual premium sites. Bad actors rely on borrowed prestige, copying the design and branding of well-known, premium media outlets. These bad actors also create counterfeit landing pages for sites relevant to different geographical regions and different interests. This, in turn, allows them to target their attacks.
Those attacks often come in the form of phishing scams and cryptocurrency schemes. They also frequently offer fraudulent or low-quality products (including unregulated supplements or medications) and malware downloads. This is a great risk to the security of the user’s devices, personal information and wallet.
It’s also a risk to the publisher’s wallet. Users will conclude the publisher hosting the deceptive ad has condoned that ad, its buyer, and its buyer’s landing page. And then they will avoid the site that led them down this path, depriving the publisher of its ability to monetize future sessions.
If the user believes the counterfeit site they’ve landed on is the real site of a premium publisher, that user may even lose faith in the counterfeited publisher. Both publishers appear untrustworthy, and the only party to blame is the bad actor.
Tricks of the trade
Detecting deceptive landing pages is a complicated proposition, though. In large part, this is because malvertisers will often use cloaking methods to obfuscate the ad’s content and landing page content. They’ll send a dummy creative to the publisher, with the landing page URL hidden somewhere in the code. The ad will appear legit to a scanner, and the code will swap in the malicious creative (with the hidden URL that will open when the user clicks) as the publisher page loads. Cloaking utilizes layers of deception that are designed to evade creative scanning technology, and that are too complicated to be routinely detected manually.
Cloaking is a preferred method of many of today’s most dangerous malvertisers and scammers. The method evades scanners because it can differentiate environments where there is a human user, and where there is a non-human user (that is, a scanner or a bot). Then it shows different content to each. To stop cloaked attacks, publishers need technology that can detect the real (hidden) URL and inspect the landing page. And, because the creative is flipped as the page loads, that technology must be automated and must function well in real time.
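As an added illustration (not the author's or GeoEdge's code), here is a minimal static check for the hidden-URL pattern described above: it decodes common one-layer encodings in a creative's source and reports hosts other than the declared advertiser's. The function names, the encodings covered and the sample creative are assumptions made for this example.

```javascript
// Added example: list click destinations a creative carries but does not declare.
// Sample data is constructed; hostnames use the reserved .example TLD.
const URL_RE = /https?:\/\/[^\s"'<>\\)]+/gi;
const B64_RE = /[A-Za-z0-9+\/]{16,}={0,2}/g;

// Return the source plus decoded views of it, so a URL hidden one
// encoding layer deep becomes visible to the URL pattern.
function decodedViews(source) {
  const views = [{ via: 'plain', text: source }];
  const hex = source.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
  if (hex !== source) views.push({ via: 'hex-escape', text: hex });
  const pct = source.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
    try { return decodeURIComponent(run); } catch (e) { return run; }
  });
  if (pct !== source) views.push({ via: 'percent', text: pct });
  for (const run of source.match(B64_RE) || []) {
    const text = Buffer.from(run, 'base64').toString('latin1');
    if (/^[\x20-\x7e]+$/.test(text)) views.push({ via: 'base64', text });
  }
  return views;
}

// Hosts found in any view that are neither a declared host nor a subdomain of one.
function findUndeclaredDestinations(source, declaredHosts) {
  const declared = declaredHosts.map((h) => h.toLowerCase());
  const findings = new Map();
  for (const { via, text } of decodedViews(source)) {
    for (const raw of text.match(URL_RE) || []) {
      let host;
      try { host = new URL(raw).hostname.toLowerCase(); } catch (e) { continue; }
      const ok = declared.some((d) => host === d || host.endsWith('.' + d));
      if (!ok && !findings.has(host)) findings.set(host, via);
    }
  }
  return [...findings].map(([host, via]) => ({ host, via }));
}

// Constructed creative: a declared link plus two encoded destinations.
const sampleCreative = [
  '<a href="https://advertiser.example/offer">',
  '<img src="https://cdn.advertiser.example/banner.png"></a>',
  '<script>',
  'var a = "' + Buffer.from('https://news-lookalike.example/story').toString('base64') + '";',
  'var b = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2fshop-offer.example/buy";',
  '</script>',
].join('\n');

console.log(findUndeclaredDestinations(sampleCreative, ['advertiser.example']));
```

A static pass like this only surfaces destinations that sit in the delivered source behind a single encoding layer; a creative that is swapped as the page loads still has to be rendered and its landing page inspected, as the article goes on to argue.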
Deceptive landing pages, hiding behind tantalizing ads, should be a top security concern for any legitimate, quality publisher with an engaged audience. But bad landing pages can be detected — allowing the creative to be blocked before the page loads — using existing technology. However, that technology must be sophisticated enough to analyze the landing page and the creative in real time. This needs to happen before it can reach the user, harm them, and deter them from returning to, and monetizing, the publisher’s site.
To be effective, the tech must first be able to analyze the ad creative for patterns that indicate malicious activity, including cloaked code. The tech then must be able to analyze the text and images on the landing page in question. It must be able to recognize signals that indicate fraudulent activity and security risks. And, again, it must be able to do so in real time.
In today’s complex digital media reality, publishers cannot simply take a defensive and reactive stance on ad security and quality. They must act aggressively and proactively. They must take the fight to the bad actors’ landing pages. And the industry has the tools to do so safely and effectively.