As malware and malicious ads become more widespread, the pressure is on to block these harmful ads from being delivered to publishers. Ad networks work to keep publishers satisfied with ad performance while maintaining a good user experience. However, with cybercriminals always seeming one step ahead, the fight to stop malvertising can feel like a losing battle.

What is malvertising?

Malvertising is the practice of using malicious online ads to spread malware. Malvertising ads are generally flashy and brightly colored, intended to get the user’s attention. These types of ads are easily noticed as they rarely blend into the site or look natural.

What are the different types of malvertising?

Redirects
Browser redirects are one of the most common types of malvertising ads, using redirection to bring visitors to malicious or unwanted websites. Once on the website, users can be infected with malware that steals personal information or installs other unwanted software. The data is secretly collected without the user’s permission, and could range from personal data like login credentials to less sensitive data such as searches performed or sites visited.

Pop-up or Pop-Under Ads
Pop-up and pop-under ads have lessened in popularity because most modern browsers are able to detect and block them. However, users running out-of-date browsers could still be susceptible to them. These ads can be very distracting and annoying for users.

Ads for Questionable Products or Services
These types of ads promote products or services that are questionable or fraudulent, and clearly never live up to their advertising claims. The main intent is to lure the user into purchasing based on false claims.

Challenges with Blocking Malicious Ads

Publishers typically work with multiple buyers who purchase their ad inventory. These buyers in turn work with multiple advertisers. Because of this arrangement, when a malvertising ad is detected it can be difficult to track down not only which buyer the ad came from, but also who the originating advertiser was.

Ad blocking, or creative blocking, is typically done in a reactionary manner rather than in real time because analysis needs to be done prior to classifying the ad as malvertising. As most ads are delivered via JavaScript or some other dynamic method, the actual ad markup and assets are retrieved by the client rather than the ad server. The ad markup and assets can be analyzed only after the ad has already been delivered to the user, making it impractical to block a malicious ad the very first time it’s sent to a user.

Once an ad is classified as malvertising, the next challenge is being able to preemptively identify it the next time it’s sent. While the original code sent to the user will be very similar each time, the ad markup returned by the JavaScript can hide a malicious component. In order to block it on the client side, a solution must be created within an SDK or some other method. Keep in mind that since multiple ads can be packaged into one JavaScript code, there is the potential danger of blocking legitimate ads when attempting to block malvertisements.

Checking Ad Markup on the Ad Server

One potential solution to this problem would be to call the ads from the ad server first to analyze them. Only if they passed the checks on the ad server could the final ad markup then be returned to the publisher. While this approach would appear to be an ideal solution, it is not problem-free either.

First, if the ad has to be called initially from the ad server and analyzed, the ad response can be slowed, causing the ad to render more slowly. Slower loading ads could make users leave and cause publishers to lose out on potential revenue.

Second, calling, rendering and analyzing ads on the ad server is complicated. There are numerous things that must be checked in order to identify malvertising ads such as redirects, malicious URLs, etc. Some of these checks require a list to be maintained; since malvertising developers are constantly evolving their methods, the logic of detecting them needs to also keep up. As a result, there is a significant amount of ongoing development required.

Third, the process of calling and rendering an ad on the ad server will most likely cause the impression tracking pixel to fire. This can incorrectly record an impression for the ad before it has actually been shown to a user. If this process is performed frequently on the ad server, it can significantly impact reporting. Firing the impression pixel from the server can result in two negative outcomes:

  • If the ad doesn’t pass the malvertising checks and is never sent to the user, an impression would be falsely logged without the ad ever being shown.
  • The buyer may discount multiple impressions from the tracking pixel as fraud, causing the publisher to lose revenue from the ad.

Lastly, some malvertising ads (i.e. ads for questionable products and services) are subject to interpretation, making it tricky to develop logic that easily identifies them. In these instances, automated detection may not be possible, so a certain amount of manual work is required to detect and block these types of ads.
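
The redirect and malicious-URL checks from the second point can be approximated by scanning the ad markup as text, which fetches and renders nothing and so does not fire the impression pixel described in the third point. The following is an added example, not code from the original article; the blocklist, hostnames, pattern set and sample markup are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist; a real deployment would load a maintained feed.
BLOCKED_HOSTS = {"bad-redirect.example", "malware-cdn.example"}

URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.I)
# Markup patterns that navigate the top-level page without a user click.
REDIRECT_PATTERNS = [
    ("top-navigation",
     re.compile(r"\b(?:window\.)?(?:top|parent)\.location(?:\.href)?\s*=(?!=)", re.I)),
    ("location-call", re.compile(r"\blocation\.(?:replace|assign)\s*\(", re.I)),
    ("meta-refresh", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
]

def host_blocked(host, blocked=BLOCKED_HOSTS):
    """True if the host or any parent domain is on the blocklist."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def scan_markup(markup):
    """Return (check, evidence) findings without fetching any URL in the markup."""
    findings = []
    for url in URL_RE.findall(markup):
        host = urlparse(url).hostname or ""
        if host_blocked(host):
            findings.append(("blocked-host", host))
    for name, pattern in REDIRECT_PATTERNS:
        match = pattern.search(markup)
        if match:
            findings.append((name, match.group(0)))
    return findings

# Constructed samples: a plain image ad and an ad that forces a redirect.
CLEAN_AD = ('<a href="https://shop.example/p?id=1">'
            '<img src="https://cdn.shop.example/banner.png"></a>'
            '<img src="https://track.example/imp?c=42" width="1" height="1">')
BAD_AD = ('<script>top.location.href = "https://x.bad-redirect.example/win";</script>'
          '<img src="https://track.example/imp?c=99" width="1" height="1">')

if __name__ == "__main__":
    for label, ad in (("clean", CLEAN_AD), ("bad", BAD_AD)):
        print(label, scan_markup(ad))
```

A scan like this only sees the markup it is handed; anything the ad's JavaScript retrieves later on the client is outside its view, which is why the rendering-based analysis discussed above is still needed.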

Due to these challenges, most publishers choose to go with a third party ad quality measurement vendor solution. The vendors help to monitor the incoming ads and notify the publisher if they find anything suspicious. Most of these services work well and are a much more efficient solution for publishers since they won’t have to build and maintain the detection service in-house.

Using a third party vendor requires publishers to be reactionary in creative blocking since the ad code must first be sent to the third party vendor for analysis. When using a third party solution, it is important to continually test the same tag multiple times each day, particularly if it returns rotating ads. While this may not be the ideal implementation, it’s better than not having any solution in place.

Blocking Identified Bad Ads

Detecting bad ads is only half the challenge; actually blocking them is another adventure. Typically, publishers must work with their advertisers to block malvertisements. When a publisher works with multiple buyers, it can be difficult to identify the offending party as well as the advertiser sending the ad. Fortunately, some buyers provide a creative ID, which can be useful for identifying and blocking ads.

Beyond the difficulty of finding the mystery advertiser, the ad markup may or may not provide a creative ID to identify the ad. This can be problematic because the user reporting the malvertising often does not provide the ad markup itself, making it difficult to track down the ad and block it. Without the ad markup, the publisher would need to make the request over and over again, in hopes of having the ad returned so they can examine the code. This can be inefficient and time consuming.

Ad Blocking Software

Because publishers are not successfully blocking malvertisements (e.g. recent malware attacks on Huffington Post and Forbes users), more and more users are starting to install ad blocking software. This can have a significantly negative impact on a publisher’s revenue, so it is vital that publishers implement solutions to prevent malvertising ads.

Malvertising is an ever-growing problem within the ad industry and publishers must take on some of the responsibility of protecting their users. Because malvertising developers continue to evolve and become more creative in their methods, it has become a game of cat and mouse. However, publishers cannot afford to stand still – they must take steps alongside ad networks to help clean up the ad industry so that users don’t need to resort to blocking all ads.