Ad security is vital for the online advertising ecosystem. In our annual Violations Report, AdSecure analyzed over 296 million scans of client ad campaign flows between 1st January to 31st December 2022. The results in this report bring you a historic outlook of data analysis for 2022 in the detection of malicious ads, malicious campaigns, cybercriminal malvertising behaviour ad compliance and poor ad quality. These findings provide many different insights including: When did they deliver their malvertising attacks? Which quarters were impacted most by specific violations? What were their malicious tools of choice? What did AdSecure’s detections reveal? What GEOs suffered from higher malvertising activity?
"Almost 1 in 4 scans detected 1 violation that could harm the end user."
Almost a quarter of all ads running on ad networks and publisher sites that are AdSecure clients, contained at least one violation. This percentage includes User Security, Use Experience and User Advisory detection categories, and ad creatives that do not meet the industry IAB Standards. All violations detected by AdSecure can seriously affect the experiecne and welfare of the online end user. Whether it is by putting their data’s security at risk, damaging their devices, hindering their navigation experience, exposing them to explicit content, or showing them poor quality ad creatives.
Here’s the breakdown for 2022 globally for 2022.
If we compare Q1 & Q2 data with Q3 & Q4 data, we can see noticeable increases on the second half of the year:
Scans detecting 1 violation July-December saw an increase of +14.6%. For 2 violation detections this number was up +43% compared to the first two quarters. 3 violations up +37.1% and for 4 or more violations a huge increase of +161.5. This shows that as the global cost of living crisis hit, cyber criminals looked to boost their malicious activities with malvertising campaigns.
"Cyber criminals have also been affected by the global economic crisis, causing them to increase their malicious ad campaigns for financial gain."
Insight: The global cost of living crisis has significantly affected the revenue of many advertisers who promote classic offers such as dating, cryptocurrency or financial investment verticals, which used to generate good profits. But now there are less end users signing up for such services due to the aforementioned lower consumption ability. This has led unscrupulous advertisers to look for other means in order to generate income and one of those activities is via Tech Support scams. The cost of living crisis has not only affected consumers but online criminals too have seen their revenues decline from illegal online activities, therefore they have ramped up their activities for exploitation.
A common tactic used by malvertisers is adding several different violations in one malicious ad campaign, This means that, even if one or two of their violations are detected, they might still have a few more embedded within the path from ad creative to landing page, making their attempts more effective, giving cyber criminals even more opportunities to compromise ad security for ad serving platforms. This is why, on top of a dedicated compliance team, it is key to use an ad security and ad quality solution like AdSecure, which identifies every single violation and alerts ad serving platforms so that the campaigns can be removed and the approriate action can be taken to protect the ad server and its clients busineses as well as protecting the end users. AdSecure can scan pre launch, post launch of campaigns. Lets now look in more detail at specific violations during 2022.
"Globally, Quarter 3 saw malvertisers concentrating the majority of their malicious ad campaigns with User Security violations."
Percentage breakdown of all AdSecure's violation categories
AdSecure categorizes violations into specific groups. In the pie chart below you can see the overview percentage of each category.
Now we will go into more detail for each category.
26.4% of scans revealed User Security violations affecting ad security
User Security Violations endanger the end user’s online safety across all devices, it is a key category that affects an ad network or publishers ad security. These types of violation commonly try to steal personal data or exploit end users financially. The most common detection within the User Security category is Malicious URL, which represents 70.2% of violations within the category. If we compare User Security detections for each quarter, they accounted for the following percentages of total violations:
Insight: One of the contributors to this spike on Q3 was Scareware. Scareware is one of the most frightening ad security violations. Scareware ads claim that an end user has a virus and is in need of antivirus software which may, ironically, actually contain a virus that could harm their devices, cause costly repairs or, even worse, lead to identity theft. Scammers often use the names of well-known companies that specialize in computer software to gain your trust. The pop-up advertisements aim to mimic genuine warning alerts generated by computer security software. Once again, this could be due to the rise of global prices and economic fluctuations throughout the year, prompting cybercriminals to ramp up their activities!
The top 5 detections in the User Security violation category
70.1% were Malicious URLs, which are URLs that host annoying or dangerous content such as spam, phishing and drive-by exploits all aimed to compromise ad security. They are designed to trick the end user into giving away their sensitive information, downloading malware, and other scams which could end up in destroyed personal devices and monetary loss. The end user clicks the ad, to then be redirected to a landing page containing the malicious content. As we can see, Q3 saw a spike in Malicious URL activity inside malicious ad campaigns:
29.3% were SSL-non-compliant detections, which are ads that contain unsecured items in the chain of resource. Unsecured items are how this detection causes ad security issues. Items include an unsafe link, or have no https, contain mixed content, a ssl version, or a cipher mismatch. If an ad's link is using an unsecure connection or http, it means that it is not encrypted and sensitive data can be compromised, not only compromising the end user’s security, but also being automatically blocked by Google and being flagged as unsafe. This can heavily hinder the hosting website’s reputation. Once again, comparing each quarter with the yearly total:
As we can observe, massive increases in activity were observed in Q3 and Q4. Luckily for ad networks and publishers, AdSecure detects this, allowing them to immediately remove unsafe pages from the ad supply chain.
0.3% Cryptocurrency miner detections: These ads contain hidden javascript code which activates when clicked on. The unsuspecting end user’s device will then be used to mine different crypto currencies directly through its browser. Cybercriminals are basically stealing the users bandwidth and processing for their own profit, leading to very decreased performance and even increased internet data costs and even electricity bills for the end user, which is particularly worrying during the ongoing energetic crisis.
"Cryptocurrencies have had a bad year in 2022, this is shown in cyber criminals not seeing value in exploiting end user devices for mining for crypto, however as values started to recover in Q4 we see an upward trend in this violation's detection."
Because of the volatility of cryptocurrency and the several big collapses including the news story in Q4 about the FTX exchange collapse, we can consistently observe huge decreases in Q2 and Q3, and then a slight recovery in Q4. In Q2 and Q3 we had the hacking of Axie Infinity’s Ronin Bridge, the TerraUSD/LUNA collapse, the Three Arrows Capital collapse, Voyager Digital’s fall, and the Celsius crash and liquidity crisis. So Crypto mining in Q2 and Q3 might not have generated sufficient revenues for cyber criminals. It will be interesting to see how many detections AdSecure detects in Q1 2023.
0.2% Browser-locker detections: Once an ad infected with this violation is clicked, the end user will become unable to leave the browser, through running a script which disables any form of action that can close the browser – such as clicking the close button and pressing certain shortcut keys. All attempts to close the browser will result in a warning message box (Javascript alerts). This violation was extremely popular in Q1:
0.1% Phishing-url detections: A phishing site might trick users into revealing their personal information (for example, passwords, phone numbers, or credit cards). The content pretends to act, or looks and feels, like a trusted entity — for example, a browser, operating system, bank, or government. This detection is based on Phishing URL violations from Google WebRisk. We can observe an increase from Q1 28.1% to Q3 29.6% and then a significant decrease in Q4 to 3.8%:
User Security Violations tendencies and peak activity
As you can see a lack of ad security is very damaging and it is very common for cybercriminals to try and quickly adapt to internet security tendencies and security software updates - they always try to be one step ahead! Looking closely at each quarter of 2022, we can see how they constantly switch from one technique to another once their attempts get caught and blocked. Here is where AdSecure comes in: Once an ad network or publisher detects a violation using AdSecure’s advanced software solution and then removes the malicious content, malvertisers try with another tactic in the hope of avoiding detection. Here you can see the top 4 tactic changes:
Unwanted Programs: This detection, based on Google WebRisk, downloads unwanted software that is an executable file or mobile application that engages in behavior that is deceptive, unexpected, or that negatively affects the user's browsing or computing experience.
Malware: This detection, reported by VirusTotal, hides malicious code within an ad that includes viruses, worms and Trojan horse programs targeting end users to compromise their ad security. It is used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
21.9% of scans detected User Experience Violations
User Experience Violations disrupt the end user’s browsing experience with annoying or malicious activity within ad campaigns. Here are the top 5 detections in the category:
30.9% detections in this category were Landing-page-error. This detection shows the end user an alert that has identified a broken link (404 Error, 5xx, timeouts, etc.) in the path (intermediate redirect links inside the chain) between the click URL and the landing page. These broken links can make the end user feel unsafe when clicking on ads on a specific website, which can damage the site’s reputation with the end user. Additionally, this results in advertisers paying for campaign impressions, but because of the broken flow from ad to landing page, their offers will not convert! This detection peaked in Q3 and in Q4:
26.4% Javascript-dialog-on-entry: This detection highlights Javascript alerts that pop up without any interaction when entering a website or when the user wants to close the active tab. Javascript dialogue boxes can be very alarming to the end user. They often appear as warning messages or confirmation dialogues asking for the user's consent on specific options, impacting their user journey throughout a publisher site. This detection’s presence was bigger in Q1 with 28.4%:
20.3% Permission Notification: This violation requests permission to send notifications to the user to access their device’s camera, microphone, geolocation, clipboard, etc. Permission requests are fairly common, when an end user downloads an app, or gives location access, etc. However, they are unsolicited and possibly alarming for an end user that has just clicked on an ad. Besides, cybercriminals use them in the hope that the end user clicks to accept and then the bad actors can access personal files and data from the end user's device, for instance tracking their location for non compliant targeting purposes. This detection’s presence was bigger in Q1 with 28.3% of the yearly total, and in Q3 with 26.4%.
18.9% Back-button-hijack: A hidden script allows bad actors to access and manipulate the user's device browser history. Usually it consists of inserting one or several pages in the browser history, which would prevent the user from going back to the previous page he was coming from.
3.5% Auto-redirect: once again, this detection uses a script that causes a publisher site to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another site that has not been solicited by the end user and generally contains non compliant content. Some cybercriminals use auto-redirects for phishing scams to trick internet users and make them hand over their usernames, passwords or personal information. This violation peaked in Q1.
"Compromised location data alert! Cybercriminals can access end users locations including home addresses for future financial exploitation and personal data breaches with Permission-geolocation violations."
Permission geolocation is a violation that, through hidden code in a corrupted ad, prompts a pop-up message asking the end user to give them permission to track their device’s geolocation. Once again, it can be very alarming for an end user to interact with an ad on a website and then get this message, as they may feel that their device’s safety has been compromised! And they are not completely wrong: If said user ends up accepting the permission request, bad actors know their specific location. Cybercriminals can use this address to:
- Access other sensitive personal information such as credit card and bank details
- Create fake IDs using an end user’s personal information to make purchases online or obtain credit, etc.
- To live track their location, for example if they know the end user’s address they will know when the end user is not at home and could commit burglary.
- Hacking into their PayPal accounts or personal email accounts, social media, work accounts, etc.
AdSecure acknowledges this violation as a potentially dangerous one, which proves once again how important it is to use AdSecure as a malvertising detection solution to protect the end user from harm.
As we can see, malvertisers displayed peak activity in Q3. Luckily, because of this AdSecure detection, it decreased significantly by Q4.
22.9% of scans detected Threat-intelligence
This detection reports if a URL within an ad path has been flagged for a violation in any AdSecure analysis in the previous 30 days. Threat Intelligence assesses the probability and the severity of the campaign’s URLs threat by rating it’s risk from 1 (low) to 5 (severe) acting as the first line of defense, eliminating potential risks before going live, becoming a key tool to protect end users from potentially dangerous or annoying content. This detection experienced increases in Q3 & Q4:
Because of the retroactive vision of Threat-detection, this tool can be very useful to learn more about the behavior of malvertisers online.
"14.6% of scans detected non-safe adult content, which could lead to exposing minors to pornographic ad creatives."
Non-safe adult content contains elements such as photos and cartoons showing nudity or sexual activities. AdSecure detected 14.6% scans with NSFW/Non-safe adult ad creatives. Users do not want to be accidentally exposed to any sexually explicit content within ad creatives or on an ad’s landing page, especially if they are underage! This can be highly damaging for the website that is unknowingly displaying those ads, because the website does not contain any adult content, but malvertisers might be using this kind of content unbeknownst to them, heavily damaging their business reputation.
A brand reputation damaged by non-safe adult content can result in loss of traffic and revenues, and legal liability to underage users being exposed to explicit content whilst in their websites. Besides the association of the publisher sites with unsavory content, a negative browsing experience for some users, children might see the adult content, which could lead to legal action against the site from government bodies.
Insight: After the Law of 30 July 2020 aimed at protecting victims of domestic violence, the obligations regarding age verification online were reaffirmed, and several countries such as Ireland, Germany, France, some US states, Australia and the UK, have been developing further age restriction laws to protect users under 18 against adult content, as well as age verification software to reinforce such laws.
11.6% of scans detected Suspicious-tld
Suspicious TLDs, or top-level domains, are used very frequently by cybercriminals who are setting up hosts for spam emails, scams, shady software downloads, malware distribution, botnet operations and "phishing" attacks, or other suspicious content. Looking at each quarter we can see that this detection has remained fairly stable throughout the year:
It is important to take into consideration that it may not be necessary to block all domains flagged as suspicious. At AdSecure we inform clients of their campaign’s URLs potential link to malicious activity. Then it is up to them to decide whether to block certain links or not.
"A decrease from 2021, in 2022, 0.9% of scans detected non-alignment to the IAB Standards."
Compared to 2021 (1.6% of scans), we have seen a decrease in IAB Standards detections. This is great news because it shows how more and more advertisers have aligned themselves with the IAB Standards after being advised by the ad platforms and publisher sites that they work with, who use AdSecure’s IAB Standards tool. This useful tool verifies:
- Ad Dimension: Scans for the correct pixel x pixel size, otherwise the ad creative will appear squashed when displayed.
- Ad Weight: Scans to ensure it does not exceed the recommended maximum KB both on initial load and sub load.
- Ad Request Count: Scans to check it does not exceed more than 10 requests.
- Scans to check that all assets are compressed to the recommended file compression.
Here is a breakdown of the percentage split of the 4 IAB violations:
Aligning with the IAB standards is important, because it leads to a better user experience and journey, increasing engagement and ad campaign conversion, and, in turn, maximizing revenue. For publishers, website performance can be heavily impacted if industry standards are not met. It creates a bad user experience and end users are less likely to click on the ad, affecting publisher eCPMs. Additionally, Google can penalize or even block websites that do not abide by certain weight and quality standards. Such is the importance of ad quality, which means that it is key for both ad networks and publishers to take this detection seriously.
Insight: Iab-ad-dimensions were the most prevalent detection across the year, with over half of all IAB violations. This is an issue because it is important that the standard recommended display ad sizes are used for ad creatives to ensure a satisfactory user experience, displaying ads properly and not adding onto the loading times.
How Malvertisers attacked specific GEOs
Looking at how malvertising affected users worldwide, the US became the most popular location for Malicious URL detections, across the year, accounting for 29.8% of Malicious URL detections worldwide. On the other hand, the UK has also remained a popular destination for Drive-by mining, with 27.5% of these violations. We can also see some interesting fluctuations across quarters. For instance, Ukraine was one of the most popular locations for browser Locker detections in the first half of the year (Q1 & Q2), with 93% of all Adware violations concentrated in this GEO. This could be caused by Russian cyber attacks during the ongoing war.
Conclusion
AdSecure helps publishers and ad networks across the globe secure their business and protect their brand and end users by making ad campaign’s monitoring easy, detecting anything from malvertising to load times, and everything in between, pre and post campaign launch. Built around a custom-made crawler capable of simulating a wide array of devices and locations, AdSecure's crawler is powered by Chrome, and built on the same modern browser technology that powers today’s online world. Whether you are an advertiser, a website publisher, or an ad supply platform, AdSecure can provide excellent coverage to monitor your ad tech supply chain or website content and flag any ads that could cause issues for you and your brand. Contact us for more information on how we can protect your business! If you want to learn more about Malvertising, please read our blog post What is malvertising? And How To Stop It.