AdSecure’s Security Violations Report for Q2 2019 reveals increases in Adware and Scareware attacks

AdSecure, the innovative digital security company that works with ad platforms and publishers to ensure a secure engaging online advertising experience for users, has released their security violations report for Q2 2019. 

For this report AdSecure analysed more than 200,000 ad campaigns across multiple regions, devices, and browsers for our partners between 1st April to 30th June. These findings provide insights into cyber-criminal behaviour during Q2, particularly highlighting the evolution of said behaviour additionally when compared to our Q1 results, allowing us to identify any new, or changing tactics present in the attacks that fraudsters launched.

AdSecure’s innovative crawler is powered by modern browser technology, allowing the platform to adapt quickly to the always changing world of digital advertising security. It’s this approach that led to our early detection of the looping push notifications (or push lockers, as we refer to them around the office!) that mutated as an offshoot of more traditional browser lockers, and were such a big part of the Q1 threat landscape. 

What we can see when comparing Q1 and Q2 is that, with the consistent detection, notification, and elimination of these looping push violations, threat actors moved on to new methods of threat delivery, often switching their target locations as well.



What AdSecure classifies as security violations are those threats that pose a strong and real danger to the security of a user’s system, and often their personal data. These are the “big name” attacks that most will be familiar with: malware, phishing URLs, and ransomware to name a few. 

Browser lockers - including the looping push variant we encountered frequently in Q1 -- fall under this category, as do Adware and Scareware, both of which became a highly preferred weapon for cybercriminals in Q2. 



In Q2 cyber criminals ramped up their attacks for Spring, AdSecure observed a major increase in detections for Adware and Scareware violations compared to Q1:

  • Adware attacks increased by 4854% 
  • Scareware attacks increased by 727%
  • Phishing showed an increase of 71%
  • Malware detections decreased by 27%

AdSecure’s Product Manager Mat Derval commented, “Adware is one of the easiest forms of malware to distribute, and is often ignored or goes unnoticed by its victims and is most commonly used for crypto mining or spy tools that watch everything the victim does on their device. Scareware is a persistent problem and a quick way for criminals to obtain payments from inexperienced victims. Phishing was less prolific compared to Adware and Scareware, and is less effective because victims are more educated in being able to spot this cyber crime. Specific Malware detections did decrease this quarter, one reason here could be that fraudsters switched their efforts into Adware and Scareware attacks in Q2.”   

Derval continued, “Even though Malware decreased slightly, in June AdSecure detected a much higher peak of 5 times more detections than in April and May. This was due to helping one of our clients uncover and keep control of a large scale attack by being able to update in real-time our detection rules engine and catch every variation the cybercriminal was trying to submit/spread on their network. This occurred over a few days at the end of June/beginning of July and the malvertising attack was targeting Android devices globally. Luckily we stamped it out from our client’s network.”

AdSecure’s Sales Manager Bryan Taylor added, “After discovering and classifying the looping push locker mutation, overall browser lockers detections peaked in April and continued to decline in May and June. By June detections fell 17%. Thanks to our technology we have stopped tens of thousands of these violations being distributed. Since our looping push discovery most browsers have updated their software to block these attacks so we recommend that end users update their browsers to the latest version to finally stamp out this highly intrusive violation.”


User experience violations, while not as immediately dangerous as a threat that puts user security at risk, they are still very important for publishers and their ad serving partners to be aware of and to control. A bad user experience that goes unresolved is a sure fire way to drive users away from affected sites. No one wants to continually deal with back button hijacks, forced redirects & downloads, or even annoying JS alerts each and every time they visit a favourite site. 

Overtime these nuisances lead to a drop in site visits, have a major impact on revenue streams, which in turn limits a publisher’s ability to create the kind of engaging content that draws in visitors. Basically, it’s a vicious circle. "


In Q2 AdSecure detected substantial increases for Auto downloads and JS Alert violations compared to Q1:

  • Auto download detections increased by 154% 
  • JS Alert entry & exit detections increased by 108%
  • Back button hijacking detections increased by 51%
  • Suspicious TLD detections increased by 31.6%
  • Auto redirects to app store detections decreased by 9.2%



One of the key indicators to see how prolific malvertising is, is to examine the detection to scan ratio in Q2:

  • Looking at both security and user experience violations, out of every 10,000 scans 585 violations were detected
  • Breaking this down reveals that 53 were security violations and 532 were user experience violations

Why were the user experience violations a higher ratio than security violations? This is due to the high detection of JS alerts on entry and exit (242 detections per 10,000) and back button hijacking (223 detections per 10,000)  

The more serious security violations are:

  • Adware: 1 in every 10,000 detections
  • Malware: 2 in every 10,000 detections
  • Scareware: 20 in every 10,000 detections



Looking at how these detections were spread across Mobile and Desktop during Q2, the percentages are as follows:


  • Threat actors are sophisticated, intelligent, and not easily defeated. What we see in terms of the evolution of threat detection between one quarter to the next is that when one form of attack is eliminated, fraudsters quickly change tactics and deploy new attack methods to continue delivering malicious threats inside ads. They will also switch their target locations when it makes sense to do so. The key to staying on top is to monitor ads as often as possible, wherever and whenever they are running. 
  • The goal with malvertising, and other digital threats, is to keep the bad campaign running and profitable for as long as possible. This means that threat actors will often employ a “throttle down, throttle up” approach to their efforts. This can mean that a scareware attack could be highly active over the weekend, when ad-operations teams are, like most of us, enjoying their weekend, and then disappear come the start of the new week. Attacks can dramatically increase during a public holiday, and then throttle down to avoid detection, before kicking in again at another time deemed most likely to avoid detection. This is another reason for continuous monitoring, as the clean ad running right now could easily be infected in an hour’s time. 
  • Beware the “easy” solution. It doesn’t exist. In the past year the concept that real-time blocking is the only solution publishers will need to keep their ads clean and users safe has created a false sense of security, and led to many end users dealing with threats that websites assumed were being blocked. Client side real-time blockers can only identify threats they’ve previously encountered and cached, meaning any new mutation will slip through the cracks. A comprehensive solution, powered by frequent daily scanning and observation and enhanced by both pre and inflight blocking tools, is still the best approach to eliminating all threats to the digital ad supply chain. 



Our first violations report looking at Q1 2019 was the beginning of our commitment to providing a detailed look at how malicious activity evolves over time, and now with this Q2 report we get a more detailed glimpse at the highly adaptable, changing behaviour of cybercriminals. Heading into the second half of 2019 we’re very excited to perform further ongoing analysis, and provide our partners with upcoming tools designed to provide real-time insight and threat filters at the pre-flight campaign stage, and automatically monitor what threats could be lurking across an entire website. 


AdSecure provides constant detection and notification of security, compliance & quality issues within the digital ad supply chain. It’s our mission to uncover every threat, protect every user, and keep every ad secure. 

To learn more about AdSecure, or have a conversation with a member of our team, visit

Recommended Posts