How Cybercriminals attacked mobile users in Q1 2023

How to protect mobile ads

Mobile continues to grow in dominance as the device that generates the most internet traffic.  According to Oberlo, in February 2023, 60.67% of all web traffic came through smartphones. Cybercriminals know this too and will target malvertising at mobile websites just as much as desktop websites. The question is, how to protect mobile advertising from cybercriminals? And how do Cybercriminals attack mobile users? AdSecure examined violation detection data during Q1 2023. It found that mobile advertising violation detections stood at 46.7% and desktop violation detections at 53.3%. Let’s take a closer look to see the many different tactics used to target malicious advertising at mobile devices.

Mobile browsers and malvertising

According to Statista Android maintained its position as the leading mobile operating system worldwide in the fourth quarter of 2022, with 71.8% share, while iOS accounted for around 27.6% of the mobile operating system market. However, if we look at AdSecure’s violation detection data for iOS devices using Safari versus Android devices using Chrome, it is more disproportionate, with Safari attacks at 44.7% and Android Chrome attacks at 55.3%. 

Mobile browsers and malvertising How Cybercriminals attack mobile users

Insight: Because iPhone users tend to be more affluent, Cybercriminals clearly try to attack iOS mobile users with as much effort as Chrome users.

Top 3 targeted mobile devices for detections per operating system

iOS devices for detections:

iPhone 8 

iPhone 8+

iPhone X

Android devices

Samsung Galaxy S10

Nexus 6 

Google Pixel 3

As you can see these device models are older than the current latest models from manufacturers. iPhone 8 was released back in 2017 and in the Android list, Nexus 6 was released in 2014 and is now discontinued. 

Insight: How do Cybercriminals attack mobile users? Cybercriminals target older handsets because in some cases, older handsets tend not to have the latest software protection updates. They also assume that less tech savvy people tend not to get the latest smartphone models or upgrade their devices for many years. This makes them prime targets for malicious activity. So what was that malicious activity in Q1 targeting mobile devices? 

Mobile Q1 violation types

Looking at the share of each violations category detected on mobile, let's see how Cybercriminals attacked mobile users in more detail:

How Cybercriminals attack mobile users

How do Cybercriminals attack mobile users? User Security violations

In Q1, the top 2 violations which took the lion's share of violations were SSL non compliance, which detects ads that contain at least one unsecured item in the chain of resources (unsafe, no https, mixed content, ssl version or cipher mismatch). The second largest was Malicious URLs which are inserted into ads with the intent of hosting all kinds of unsolicited content such as spam, phishing, and drive-by exploits. Like other kinds of malvertisements, a Malicious URL is designed to lure unsuspecting users to scam sites, which can lead to serious issues such as monetary loss, theft of sensitive information, and the appearance of malware. At first sight, Malicious URLs can look like legit landing page URLs intended to be a part of an ad’s sales funnel. They can go completely undetected by ad platforms and publishers, representing a real threat for the end user.

Top 5 most scary User Security violations for end users

Taking a deeper dive into AdSecure’s detection data, there are a selection of violations that are perhaps the scariest to happen to an end user on their mobile device. In Q1 there were no detections found for Randsomware, perhaps the one violation that brings the most fear for end users, by blocking their device and files unless a ransom is paid. But this did not stop Cybercriminals attempting to exploit end users with the following user security violations:

Browser Locker 42.3%: This violation disables any form of action that can close the browser. In a better scenario, advertisers force users to accept Push Notifications in the browser, otherwise it will loop the users in the browser. In a worse scenario, all attempts to close the browser will result in a warning message box appearing. The purpose of browser lockers is not only to scare but also to create the illusion that the mobile device has been locked. What's happened is that the browser is stuck in between a flurry of alert dialogs that won't seem to go away, no matter how many times they are clicked on.

Drive by Cryptomining 31%: Cybercriminals hijack the end users mobile device to use its processor to secretly mine for Crypto currency for the Cybercriminal. Also called Crytpojacking, the end user has no idea their device has been hijacked. 

Unwanted Programs 14.5%: This violation downloads unwanted software on the end users mobile device via an executable file or mobile application. Programs could be malware, fake antivirus software, etc.

Scareware 7.1%: These are ads claiming that the end user’s mobile device is infected with a virus and that the end user needs an antivirus software, which may, ironically, actually contain a virus that could harm the mobile device, causing costly repairs or, even worse, lead to identity theft. Scammers often use the names of well-known companies that specialize in software to gain end user trust. The Scareware pop-up advertisements aim to mimic genuine warning alerts generated by security software.

Phishing 5.1%: After clicking on an ad the end user is sent to a phishing site which aims to trick the end user into revealing their personal information (for example, passwords, phone numbers, or credit cards). The content pretends to act, or looks and feels, like a trusted entity — for example, a browser, operating system, bank, or government.

How do Cybercriminals attack mobile users? User Experience violations

User Experience violations damage the end user experience on how they interact with ads served on a publisher site. Here are the top 5 User Experience violations AdSecure detected in Q1 on mobile:

Landing Page Error 44.2%: This is when an end user receives an alert when the system identifies a broken/dead link (404 Error, 5xx, timeouts, etc.) on the ad’s landing page or when a broken link is identified in the path (intermediate redirect links inside the chain) between the click URL and the landing page. 

Back Button Hijack 24.6%: Back Button Hijacking is an ad security threat which manipulates the end user’s browser history, keeping them stuck on a certain page by inserting one or several redirects in their browser history, to then forward them back to that specific page. This abusive behavior of hijacking a user's browsing history has been considered a violation by Google Advertising Policies.

Javascript Dialog On Entry 15.9%: A Javascript alert that pops up without user interaction on entering a website.

Permission Notification 10.3%: This violation attempts to ask the end user for permission to send notifications to them.

Auto Redirect 5%: Ads that contain a script causing a mobile web page to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another potentially malicious website/page.

How do Cybercriminals attack mobile users? User Advisory violations

User Advisory violations can provide a poor user experience, driving end users away from websites. This affects the traffic quality of websites and also trust in the websites' ads. The top 5 User Advisory violations AdSecure detected in Q1 are as follows:

Threat Intelligence 34.6%: This detection is based on AdSecure’s Threat Intelligence service and reports if the URL was flagged for a violation in any AdSecure analysis in the previous 30 days.

Unsafe adult content 32.5%: This violation shows ads to end users that contain ad creatives featuring adult content which may contain elements such as nudity, pornographic images or cartoons, or sexual activities. Publisher sites do not want to show ad creatives featuring pornography to end users, unless it is an adult website. It is also potentially harmful for children to be exposed to these ads.

Suspicious TLD 23.1%: Free or suspicious top-level domains are frequently used by Cybercriminals who are setting up hosts for spam emailing, scams, shady software downloads, malware distribution, botnet operations and "phishing" attacks, or other suspicious content. 

IAB Standards 8.1%: The IAB Standards measure the performance of ads against the IAB Industry standards to stay Google compliant, more on this in our next section. 

Crypto ad 1.7%: As cryptocurrency advertising has been regulated by more and more countries, this AdSecure detection identifies misleading or non-compliant cryptocurrency promotions. 

IAB Standards and mobile advertising

AdSecure’s IAB Standards detections are crucial to ensure that ad networks and publishers are serving ads that meet the online advertising industry standards set by the Interactive Advertising Bureau (IAB). This can mean the optimal weight of an ad served, serving pixelated or squished ad creative images, etc. If an end user sees a squashed ad image for example, he is unlikely to click on the ad. Not only does this affect the professional image of the publisher's site that is serving the ad, but also the ad network that is supplying the demand. 

In total, 4.24% of all ads targeting mobile devices scanned by AdSecure in Q1 2023 showed that the ads did not meet the IAB industry standards. That's 1 in every 23 ads on mobile. Of the four IAB Standards AdSecure scans and detects, here are the percentages of each detection in Q1 2023:

IAB Standards and mobile advertising

Two particularly important IAB Standards are the Ad Dimensions and Ad Weight detections. For example, the mobile screen is small and therefore the ad creatives dimensions need to fit into the standard mobile ad format sizes for an optimal end user ad experience. Secondly, 53% of mobile users abandon a site if it is slow to load, and Google penalizes websites that load too slowly. If the website is serving heavier than the industry standard ad weights, this will slow down a mobile device, which could lead to Google rankings for the website being affected. 

Malvertising on mobile, the conclusion

According to Statista, in 2022, mobile advertising spend worldwide was estimated to be worth 336 billion US dollars. By 2023, the mobile advertising market is expected to grow to 362 billion US dollars, a growth of 7.73%. With such a high market value, mobile advertising is the biggest growth sector for ad networks and publishers to monetize. With this huge volume it is easy to see how and why Cybercriminals attack mobile users, they use various tactics to secretly inject malicious advertising campaigns into the ad supply chain. This is highly damaging for ad networks and publishers, not to mention the end user who ends up becoming a victim. As mobioes are now core to everyone's existence, if a Cybercriminal succeeds in infecting or taking over a mobile device, the effects can be devasting for the end user.

Now you can see how Cybercriminals attacked mobile users. So how do you protect mobile ads? AdSecure offers 360 degree monitoring and protection for your ad supply chain by automating your ad verification process before ad campaigns go live & while they are running. Why not start a free 14 day trial and find out how AdSecure can protect your business from Cybercriminals.


AdSecure is exhibiting at DMEXCO

DMEXCO is Europe’s leading digital marketing & tech event and AdSecure is exhibiting with our partner, white-label ad serving technology solution EXADS. The show is held in Cologne, Germany from September 21- 22.

Meet with Customer Success Manager Guandi Bai on our stand in the World of Tech Hall 06.1 | Stand E040 at the show.

Why meet with Guandi?

If you are an Ad Network or Publisher, with AdSecure’s 360 degree Malvertising Prevention and Ad Quality Solution you can:  

  • Eliminate malicious ads
  • Detect non-compliant and low quality ads
  • Identify unsafe and offensive ad content
  • Measure ad performance against industry IAB standards

Our solution helps Publishers keep websites free from malvertising, unsafe and non-compliant ad content. We help Ad Platforms automate compliance tasks and assist teams to drive high quality ad delivery, meet industry standards and be free of malvertising.

Our recent Q1 & Q2 Violations Report shows that 1 in 5 scans reveal 1 violation, and 1 in 80 scans reveal more than 4 violations. The report shows the scale of malvertising and ad quality trends targeted at AdSecure’s client networks which AdSecure detected and stopped from being exposed to end users.

Our Detections

We have over 40 violation detections including:

  • User Security Violations such as Adware, Browser Locker, Drive-by Crypto Mining, Malware, Scareware, Ransomware, etc.
  • User Experience Violations including Auto-downloads, Back Button Hijack, Landing Page Error, Device Permission Requests, etc
  • User Advisory Violations including Heavy Ad, Suspicious TLD, Unsafe Content, IAB Standards, etc

See a full list of our detections here

Book a Meeting

If you are attending DMEXCO you can find out more by booking a meeting with Guandi here or visit her at our exhibition booth World of Tech Hall 06.1 | Stand E040



How to stop Malvertising: AdSecure's Violations Report 2021

How to stop Malvertising

For this report AdSecure analysed over 200 million ad campaigns globally between 1st January to 31st December 2021. These findings provide insights into cybercriminal malvertising behaviour during 2021: When did they deliver their attacks? What were their malicious weapons of choice? What did AdSecure’s detections reveal? How to stop Malvertising with AdSecure's excellent Malvertising detection features.

1 in 20 scans reveal 4 or more violations detected in a single ad campaign

24.21% of scans detected 1 violation +8.9% increase comparing Q1/2 to Q3/4
10.21% of scans detected 2 violations +12.3% increase comparing Q1/2 to Q3/4
6.85% of scans detected 3 violations -9.3% decrease comparing Q1/2 to Q3/4
5.05% of scans detected 4 or more violations +19.3% increase comparing Q1/2 to Q3/4

How to stop Malvertising. AdSecure's Violations Report 2021

Insight: Scans of ad campaigns showing 4 or more violations increase by +19.3% comparing Q1/2 to Q3/4. By adding several different violations in one ad campaign, it allows malvertisers to be much more effective in their exploitation attempts. Some common tactics they use are a chain of different violations including: the ad creative, the landing page, url, redirection path/chain, hidden code within in iframes. Their aim is the hope that even if one or two violations get discovered, others can still slip through undetected.

Overview of the percentage of violations

AdSecure categorizes violations into specific groups. In the pie chart below you can see the overview percentage of each category. 

How to stop Malvertising. AdSecure's Violations report 2021

Now we will go into more detail for each category

36.7% of scans detected User Experience Violations.  

User Experience Violations directly affect the end user browsing experience with annoying or malicious activity within ad campaigns. Overall just over one third of all scans detected this type of violation. Lets look at how to stop Malvertising with AdSecures User Experience violation detections for each quarter: 

How to stop Malvertising. User experience violations AdSecure's Violations report 2021

Looking at each quarter, overall this category was more or less consistent throughout the year with a slight drop in Q4. Now let's look at the top 5 User Experience Violations as a percentage:

How to stop Malvertising. AdSecure's Violations report 2021

36.4% LandingPage Errors show the end user an alert that has identified a broken/dead link (404 Error, 5xx, timeouts, etc.) These can be damaging for a few reasons: 

  • The end user may think that clicking on ads on the website where the violation happened could lead to them feeling unsafe when browsing the website
  • The advertiser, who may be legitimate, will not see any conversions for their offer, because of the defective link
  • If an ad network is serving the ad on the publishers site, it may not have checked the full ad campaign flow which could cause issues with their publisher client

23.7% Permission Notification is a permission request to send notifications to the user, examples are:

  • Camera: A permission request to access the user’s camera.
  • Microphone: A permission request to access the user’s microphone.
  • Geolocation: A permission request to track the user's location.
  • Clipboard: A permission request to copy text to the clipboard.
  • General: A permission request to send notifications to the user.

While these Permissions are common practice when an end user downloads an app for example, they are very annoying for the end user if they have just clicked on an ad. Additionally cybercriminals use them in the hope that the end user clicks to accept and then the bad actors can access personal files and data from the end user's device.

19.6% JS Alert on entry/exit are Javascript alerts that pop up without user interaction when entering a website or when the user wants to close the active tab. Javascript dialogue boxes can negatively affect a user's browsing experience as they often appear as warning messages or confirmation dialogues asking for the user's consent on specific options. These Javascript dialogues themselves are not harmful, however, some bad actors use this tactic and insert malicious code to infect unsuspecting user's devices, which can be cause serious security threats to the user if they click or input any information into the dialogue boxes.

17.3% Back Button Hijack this is hidden inside ads where a script that allows the malvertiser to manipulate the user's device browser history. Usually it consists of inserting one or several pages in the browser history, which would prevent the user from going back to the previous page he was coming from. This abusive behavior of hijacking a user's browsing history is considered a violation by Google. If advertisers maliciously insert ads between the current website and the previous page, the users might be exposed to unsafe ads or unwanted content.

3% Auto Redirect uses a script within the ad causing a web page to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another website/page. Some cybercriminals use auto-redirects for phishing scams to trick internet users and make them hand over their usernames, passwords or personal information. They can also redirect users to malicious websites and trigger the installation of malware or harmful software to infect their devices. 

User Experience Violations peak activity

AdSecure detects 15 different User Experience Violations and there were some interesting trends with these violations outside of the top 5, here are two examples:

Auto Pops are ads that automatically trigger pops (both pop-ups and tabunders) without user interaction. Google penalizes websites that show Pop-ups to end users. In Q3 there was a massive detection spike with cybercriminals concentrating a lot of activity using this violation.

How to stop Malvertising. AdSecure's Violations report 2021

Auto Downloads are ads that automatically download a file/executable application without user interaction which can contain harmful files, viruses, or malware that are quietly installed on the user’s device. This can be dangerous as most of the time the user is totally unaware. In Q2 & Q3 our detections show that cybercriminals drastically increased their activity with this violation compared to the other quarters.

How to stop Malvertising. AdSecure's Violations report 2021

Insight: Each User Experience violation is considered by Google to be non-compliant. For repeated violations it can affect a Publisher’s Google ranking and come with a risk of being blocked by the world’s biggest browser Chrome. For ad networks, allowing these violations to reach end users will affect relationships with any Publishers affected on their ad network. And of course, these are all considered as annoyances or attacks by an end user, ruining that user’s browsing experience on the website where they encountered them.

22.8% of scans detected User Security Violations.

User Security Violations harm the user’s online safety by trying to steal personal data or exploit them financially. Lets look at how to stop Malvertising with AdSecures User Security violation detections over each quarter:

User security violations AdSecure's Violations report 2021

Looking at each quarter, Q1 showed the lowest detections, before cyber criminals boosted their activity for these violations from Q2 onwards, where they remained consitent at around 1 in 4 of all detections.  Now let's look at the top 5 User Security violations as a percentage:

AdSecure's Violations report 2021

Malicious URL accounting for 7 out of 10 of all User Security violations detected. Malicious URLs host unsolicited content (spam, phishing, drive-by exploits, etc.) and lure unsuspecting users to become victims of scams (monetary loss, theft of private information, and malware  installation). Once an ad is clicked that contains a Malicious URL, the end user is redirected to a landing page and becomes exposed to whatever the malvertisers have in store. Perhaps this violation is one of the easiest for bad actors to use because if an ad network or publisher’s compliance team don’t regularly check ad campaign flows after they have launched, cybercriminals change the url of a previously approved campaign to set their exploitative measures in place. 

SSL non-compliant came in second at 28%. These are ads that contain at least one unsecured item in the chain of resources, it could be unsafe, no https, mixed content, ssl version or cipher mismatch. If an ad's link is using an unsecure connection or http, it means that it is not encrypted and sensitive data can be compromised. Google automatically blocks unsecure connections and flags it as unsafe to the end user, which can damage the reputation of the website that hosted the ad reputation with the end user. 

For publishers and ad networks, identifying and eliminating unsecure HTTP resources isn’t just a best practice when it comes to providing security to users, but also for securing revenue and making sure each running campaign is optimised for user engagement for a successful conversion.  How to stop Malvertising for ad security violations is imperative for a safe end user browsing experience.

1 in 50 User Security violations detected were for Drive by crypto currency mining. Clicking on an ad of this type activates a piece of javascript code to mine different crypto currencies directly through the visitor's browser, without the user knowing, basically stealing the users bandwidth and processing power on behalf of the cybercriminal. How to stop Malvertising by detecting Crypto currency mining from AdSecure’s detection arsenal revealed that there was a large peak in Q2 for this violation, but a significant drop in Q4. 

AdSecure's Violations report 2021

One of the reasons for this could be related to countries banning crypto currencies. China made big headlines when it banned them in 2021, in fact 42 other countries including Egypt, Iraq, Qatar, Oman, Morocco, Algeria, Tunisia, Bangladesh, Bahrain and Bolivia have implicitly banned digital currencies by putting restrictions on the ability for banks to deal with crypto, or prohibiting crypto currency exchanges, a summary report by the Law Library of Congress was published in November. 

User Security Violations peak activity

Looking closely at the 2021 quarters we can see how cyber criminals switched to and from different types of violations throughout 2021. This demonstrates the effectiveness of AdSecure, because once an ad network or publisher has detected violations with AdScure’s solutions and removed the offending campaigns, those bad actors tried with another tactic in the hope of avoiding detection, luckily AdSecure detected the fact that cyber criminals has switched tactics and ad networks and publishers were able to stop these malvertising campaigns.  Please note Q4 had no significant peak for any particular User Security violation.

AdSecure's Violations report 2021 Browser Locker, Malware, AdWare

Browser Locker peaked in Q1 at 80% of all Browser Locker violations detected during 2021. This violation runs a script in the web browser and its main purpose is to disable any form of action that can close the browser – such as clicking the close button and pressing certain shortcut keys. All attempts to close the browser will result in a warning message box

AdWare peaked in Q2 at 60.6%. Adware is software that downloads or displays unwanted ads when a user is online, it collects marketing data and other information without the user's knowledge, or redirects search requests to certain advertising websites.

Malware distribution had a big peak in Q3 at 76%. Malware is a general category of malicious code that includes viruses, worms and Trojan horse programs. It is used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. 

How to stop Malvertising for these above violations isn't difficult thanks to AdSecure’s detection arsenal.

15.5% of scans detected non-safe adult content.

AdSecure identifies ad creatives that feature Non-safe adult content/Not Suitable For Work (NSFW) images or videos. The definition means content that contains elements such as photos/cartoons showing nudity or sexual activities. AdSecure found that one sixth of the total scans in 2021 detected adult content in ad creatives. Users do not want to be accidentally exposed to any sexually explicit content within ad creatives or on an ad’s landing page. This is doubly important for the website that is displaying those ads, because the website does not contain any adult content, but unscrupulous advertisers might use this kind of imagery. Therefore, filtering out unsafe adult content is very important for publishers who want to keep their users happily engaged with their websites. Currently several countries including the UK, Australia, Germany, France and Ireland are developing age restriction laws for online content so that under 18’s are not exposed to adult content online. How to stop Malvertising for this non-safe content? It is imperative for publisher sites that are open to all age groups to use AdSecure's Ads Classification feature in order to detect and then block ad creatives that feature adult content. As you can see this violation increased up to Q3 or 2021:

non safe adult content AdSecure's Violations report 2021

Insight: Publisher sites could be breaking the law in certain GEOs, for example 3.4% of detections for adult content were detected in strict Muslim countries in the Middle East including Algeria, Saudia Arabia, United Arab Emirates, Egypt, Tunisia.

12.7% of scans detected Suspicious TLDs.

Suspicious TLDs are top-level domains frequently used by cybercriminals who are setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations and "phishing" attacks, or other suspicious content.  Looking at each quarter:

Suspicious TLDs AdSecure's Violations report 2021

Although more or less constant throughout 2021 except for a 3% rise in Q3. Please note, that it may not be necessary to block all domains flagged as suspicious, it is our policy at AdSecure to inform clients of the URLs potential relationship to malicious activity so that clients can make an informed decision.

“10.7% of scans detected Threat Intelligence.”

One in ten scans triggered AdSecure’s Threat Intelligence. This detection reports if the URL was flagged for a violation in any AdSecure analysis in the previous 30 days. Looking quarter by quarter, in Q3 there was a 10% increase comparing Q1 & Q2:

Threat Intelligence AdSecure's Violations report 2021

Threat Intelligence assesses the probability and the severity of the campaign’s URLs threat by rating it’s risk from 1 (low) to 5 (severe) acting as the first line of defense, eliminating potential risks before going live.  Which is a highly useful tool for publishers and ad networks.

“1.6% of scans detected poor IAB Standard Ad Quality.”

AdSecure has an IAB Standards detection tool that scans ads to verify that the ads are aligned with the industry standard IAB recommendations. Looking quarter by quarter:

IAB Standards AdSecure's Violations report 2021

Thanks to this detection, clients have seen a substantial drop in IAB violations in Q3 & Q4. Compared to Q1 & Q2 where 1 in 40 campaigns were not aligned with the IAB, by the last two quarters of the year this had dropped significantly. This is important because, by using this AdSecure detection, publishers and ad networks discovered and then advised advertiser clients of the need to align with IAB standards.

IAB standards lead to higher levels of user engagement and overall conversion, meaning that these standards play a key role in maximising revenue for each campaign. For publishers, website performance can be heavily impacted if industry advertising standards are not met. It creates a bad user experience and end users are less likely to click on the ad, affecting publisher eCPMs. Additionally, now that Google has added web content performance into it’s SEO rankings, monitoring for low performing ad content can help publishers ensure they avoid SEO penalties in the future. 

Here is a breakdown of the percentage split of the 4 IAB violations:

AdSecure's Violations report 2021

Dimensions were the biggest issue with almost half of all IAB violations, it is important that the standard recommended display ad sizes are used for ad creatives, so that the end user sees a good image or they are unlikely to click on the ad. 

How Malvertisers attacked specific GEOs

How to stop Malvertising in specific GEOs is another advantage of AdSecure as your ad security solution, Cyber criminals are constantly targeting various GEOs, some with more attention than others. AdSecure has previously analysed data from 2021 looking at some of the most important GEOs that need protection. Did you know that India has become one of the most popular Geolocations for Malvertisers to target. Check out the 5 key insights related to ad security activity and ad quality issues in the UK in Q3 & Q4. The US is the most targeted GEO by malvertisers, Discover what tactics malvertisers used to target the most popular GEO for bad actors: The United States.

How AdSecure detects violations

How to stop Malvertising overall? AdSecure's ad verification system is built around a custom-made crawler capable of simulating a wide array of devices and locations. It allows the users to automatically scan ad tags and site pages for all kinds of malvertising and non-compliant issues in real-time. Unlike older solutions, AdSecure's crawler is powered by Chrome, and built on the same modern browser technology that powers today’s online world. This technology interacts with digital ads as an end user would to acertain exactly what the end user will be exposed to throughout the entire flow of the ad campaign.

As a comprehensive, modern and 360 degree ad quality solution, AdSecure provides easy pre-flight campaign verification, post flight ad campaign scans while they are running, ad performance monitoring through our IAB Standards compliance widget, and monitoring of the visual content of ads using our Ads Classification modules.  How to stop Malvertising? AdSecure is all you need.

Start a free AdSecure trial for 14 days.

Malvertisers are boosting their Malware and Phishing scams

Malvertising and Phishing protection

In Q4 of this year cybercriminals were making the news headlines. Angling Direct's domain, website and social media accounts were compromised by hackers, redirecting users to an adult website; Electronics retailer MediaMarkt got hit by ransomware that demanded $240 million dollars after stopping its online shopping service in Belgium and the Netherlands. In Q3 AdSecure also saw some big spikes in user security violations as bad actors launched their Summer attacks. Malware detections increased by 1285.19% with the majority concentrated in July and August. Phishing detections also increased by 413.97%. Adware, Browser Locker and Scareware also increased 15.74%, 8.65% and 4.82% respectively, and now, in Q4 detections for these user security violations are still high. To demonstrate some tactics used by Cybercriminals, here are two examples of Malware and Phishing campaigns, both recently detected and stopped by AdSecure:

#1 Malware attack in Turkey

Cybercriminals used Discord's Content Delivery Network to host malicious payloads. Discord is a popular VoIP, instant messaging and digital distribution platform used by approximately 140 million people.

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

However, many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by bad actors who create channels with the sole purpose of delivering these malicious files.

Malvertisers use infected campaigns to target online gamers, luring them into downloading fake versions of popular online games that actually contain malware. The image below is the landing page of one of these malware campaigns detected by AdSecure on 3 November 2021. As you can see the text is in English, only the month November (Karim) is in Turkish. Additionally note that egyptian gamers is spelt incorrectly.

Malware and Phishing protection

This campaign triggered an apk file that downloaded automatically to the user's desktop or mobile device. When we checked the auto-downloaded file we discovered that the file was detected as Trojan/Malware by 15 security vendors. 

Malware and Phishing protection

The files are often renamed as Gaming software or Google PlayStore games to trick end users, and the file stored on Discord's CDN used the link in the following format: https://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}

How did AdSecure detect the malware?

AdSecure’s Ad Discovery tool works by first detecting and then analysing all ads it encounters on web or mobile site pages, engaging with the ads as a user would, performing analysis both on the main site page, and by clicking on each ad — be it a banner, native, popup, popunder, etc — to detect any malicious activity a user might encounter in the redirection paths of this campaign and on any landing page the end users could be sent to. Once the violation was detected, AdSecure notified the client in real-time so the client's compliance teams could identify the campaign and ban the fraudulent advertiser from their ad network to prevent the bad actor from infecting more end users.

#2 Phishing scams using fake Lucky Draws

Phishing is often considered as the easiest way for financial gain for Cybercriminals. One method is through fake Lucky Draws from well known social media platforms. To show an example, AdSecure detected the following scam on an entertainment website in the United Arab Emirates in September. The ad showed up as a popunder. 

Malware and Phishing protection

The scammers used the Whatsapp logo and fake likes and comments on this landing page to fool end users into believing the lucky draw was legitimate. However, once the user spun the wheel to win a prize, they were asked to give away their personal information and credit card details to receive a prize. The victims only realized that they had been scammed after being informed by their banks about unauthorised transactions. The scammers also changed the URL 2 days later, to promote an adult dating offer. The landing page showed pornographic images which is illegal in United Arab Emirates.

How did AdSecure detect the phishing scam?
The client used AdSecure's API integration giving them a full malvertising and ad quality control system including the detection of adult content. Once the violation was detected, AdSecure's API integration allowed the client to reject, suspend or further monitor the ads, redirection paths and landing pages in real-time, giving the client full control over their ad supply chain. The ability to be able to use AdSecure’s Ad Classification tool enabled the client to detect that the malicious URL was displaying adult content, so it could be quickly removed from their ad supply chain, without which, it could have caused the website severe legal problems in their country as well as potentially for end users that viewed the pornographic landing page.


Cybercriminals use more sophisticated methods to lure unsuspecting end users into parting with personal and financial information via malware and phishing and other user security violations. With the ever increasing time that internet users spend online on a range of different devices, it is more important than ever to defend and protect end users against malvertisers. Publishers and ad networks have a duty to serve clean advertising and keep their end users safe. That is why it is essential that publishers and ad networks have a 360 degree ad security and ad quality solution like AdSecure as their first line of defense against cybercriminals.


1 in 40 scanned ad campaigns do not meet the IAB Standards

IAB Standards

As a prequel to AdSecure’s soon to be released Violations Report Q1 & Q2 we looked at whether ad campaigns were aligned with the IAB industry standards. This was carried out using AdSecure's IAB Standards detection tool that scans ads to verify that the ads remain compliant with the industry standard IAB recommendations. During Q1 and Q2 of 2021, AdSecure detected that 1 in 40 (2.4%) of all scans revealed ad campaigns were not meeting the IAB Standards. Out of those 2.4% of scans, the following graph shows the percentage detections related to each IAB Standard detection:

IAB Standards detections

Insights: Ad campaigns aligned to the IAB standards lead to higher levels of user engagement and overall conversion, meaning that these standards play a key role in maximising revenue for each campaign. 

Website performance can be heavily impacted if industry advertising standards are not met. It creates a bad user experience and end users are less likely to click on the ad, affecting publisher eCPMs. 

Additionally, now that Google has added web content performance into it’s SEO rankings, monitoring for low performing ad content can help publishers ensure they avoid SEO penalties in the future. The weight of ad creatives is also important, because fast loading ‘light’ ads create a better end user experience and keep Publishers in line with Google’s Chrome web browser which unloads ads that use excessive amounts of a user’s bandwidth and device CPU. Unloaded ads show the following message within the Publishers ad zone where the ad should be:

Blocking by Chrome

This can also happen with HTML/Iframe campaigns where the creatives are not meeting IAB standards.

AdSecure’s IAB Standards detection tool is used by publishers and ad networks to identify non aligned campaigns in order to stop the campaigns before they cause publishers problems, and are a way for ad networks to contact advertisers to inform them to resubmit creatives in order to meet the industry standards and help them maximise their campaign revenues.