• All Articles

Q1 2023 Malvertising Trends

By Giles

April 25, 2023

19 Q1 2023 Malvertising Trends

What makes AdSecure the best malvertising detection solution for ad networks and publishers? Not only the large amount of malvertising and ad quality detections using the latest crawler technology, but also its annual Violation Reports. AdSecure also examines specific quarters to see what the latest malvertising trends are along with any data on malicious Cybercriminal activity in the online advertising space.

Malvertising is the scourge of the online advertising ecosystem. It negatively affects the ad networks that serve the malicious advertising campaigns for not checking campaigns before launch and also while active for hidden code and violations. It affects the publisher sites that display the malicious ads on their websites, damaging their reputation with end users and also exposing their end users to dangerous and fraudulent activities. And finally, it affects the end user who may have their personal and financial data compromised, their devices may be damaged or hijacked without them even being aware of malicious programs and more.  This is why AdSecure is the best malvertising detection solution for ad networks and publishers. We keep our clients up to date on malvertising trends and strategies, so our clients are prepared and ready to stop any form of malicious advertising in its tracks before it can be exposed to end users. 

So let's see what Cybercriminals concentrated on in Q1 2023 and how this compares to Q4 2022.

"Almost 1 in 20 scans detected 4 or more violations in a malicious ad campaign."

In Q1 almost a quarter of all ads running on ad networks and publisher sites that are AdSecure clients, contained at least one violation. Here’s the breakdown comparing both quarters:

Malvertising Trends Q1 2023

However, despite slight decreases in 2 or 3 violations hidden in ad campaigns in Q1, almost 1 in 20 scans revealed Cybercriminals had hidden 4 or more violations in ad campaigns. That's an increase of 3.23% on Q4.

Malvertising insight: Bad actors try to confuse Compliance departments, by adding as many different hidden violations as possible in order to avoid detection. Luckily, AdSecure is the best malvertising detection solution because it has the tools to discover and stop all forms of malicious advertising throughout the entire ad supply chain.

Malvertising Trends: Top 10 violations for Q1 2023

Looking at the top 10 violations detected in Q1, 2 were in the User Security category, 3 in the User Advisory category and 5 in the User Experience category:

SSL Non Compliant (User Security) 21.7%

Threat Intelligence (User Advisory) 19.6%

Unsafe Adult Content (User Advisory) 14%

Suspicious TLD (User Advisory) 11.8%

Landing Page Error (User Experience) 10%

Malicious URL  (User Security) 7.9%

Back Button Hijack (User Experience) 6.2%

Java Script Dialog On Entry (User Experience) 4.4%

Permission Notification (User Experience) 3.3%

Auto Redirect (User Experience) 1.1%

Malvertising Trends: Comparing Q1 2023 with Q4 2022

Let's look at the violations that showed significant increases in detection in Q1 compared to Q4. This is why AdSecure is the best malvertising detection solution on the market, bringing you data and trends to keep your online advertising business ahead of the game. This way we can show you where Cybercriminals concentrated their malicious activity in Q1 2023.

+119% Unwanted programs

The top increase came from unwanted programs. These can be bundleware, junkware, or PUAs (Potentially Unwanted Applications) and other software programs that end users didn't want installed on your computer. Usually an end user clicks on an ad to download a software they are interested in, but by clicking download they also download a bundle of programs that they don’t want. These unwanted programs can:

  • Slow the end users device down
  • Display many annoying ads
  • Add toolbars that steal space on the browser
  • Collect private information

Malvertising insight: This is an old tactic, but it seems as though Cybercriminals have re adopted this technique in Q1.

+85.8% Phishing URL

In second place came Phishing URL. This is a particularly bad security breach for end users. Generally, after clicking on the malicious ad, the end user is sent to a phishing site which aims to trick the end user into revealing their personal information (for example, passwords, phone numbers, or credit cards). The content pretends to act, or looks and feels, like a trusted entity — for example, a browser, operating system, bank, or government.

Malvertising insight: Phishing is a tried and tested type of attack by Cybercriminals as they pose as what appears to be an official entity. This preys on non-savvy internet users and particularly the older generation who can be easily duped by this type of attack.

+60.7% Pop-up

In third place in Q1 we see Pop ups. While some ad networks serve Pop-ups as ad formats, many publisher sites do not want to show them, or limit the number of Pop-up ads, because Google penalizes websites for showing this ad format, and it is considered annoying to the end user.

Malvertising insight: Malvertisers still try to show end users Pop-up ads because they are very eye-catching and don't require user interaction. If users don't block Pop-ups in their browser, they might be lured by the malicious ads and end up clicking on them.

+28.8% Auto redirect & +14.5% Auto redirect app market

In fourth and fifth place came two forms of redirects. The first one are ads that contain a script causing a web page to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another potentially malicious website/page. The second violation are ads that automatically redirect the end user to the App Stores without any end user interaction.

Malvertising insight: Both of these violations are classed as User Experience, which ruin the end user experience. These violations can cause annoyance, and even panic as it seems like the website where the ad was served is taking over the end users device by redirecting them to sites and app stores they had no desire to go to. It is interesting to note that Cybercriminals have distributed malvertising on app stores like GooglePlay in the past, therefore this type or redirection is generally always for malicious purposes.

+12.5% SSL Non Compliant

This was the biggest violation detected in Q1 and shows a +12.5% increase in volume compared to Q4 of last year. SSL Non Compliant are ads that contain at least one unsecured item in the chain of resources (unsafe, no https, mixed content, ssl version or cipher mismatch). If an ad's link is using an unsecure connection or http, it means that it is not encrypted and sensitive data can be compromised, not only compromising the end user’s security, but also being automatically blocked by Google and being flagged as unsafe. This can heavily hinder the hosting website’s reputation.

Malvertising insight: No legitimate advertiser would have an unsafe landing page that is not compliant with Google, because this would affect the advertiser's sales and create a negative brand image for the advertiser’s product(s). Any SSL Non Compliant violation will lead to a malvertising attack on the end user.

+6.3% Back Button Hijack

The violation that showed the seventh biggest increase in detections. The function of the back/forward button on an end user’s browser is to simply navigate you across the pages stored in your browser history. Back Button Hijacking is an ad security threat which manipulates the end user’s browser history, keeping them stuck on a certain page by inserting one or several redirects in their browser history, to then forward them back to that specific page. This abusive behavior of hijacking a user's browsing history has been considered a violation by Google Advertising Policies. 

Malvertising insight: Malvertisers using hijacking back buttons, insert scripts in order to direct users to a different page when the back button is clicked. They want users to stay on their page or site longer rather than leaving the website right away. In fact, with the script, users can be directed to any page, it could be exactly the same page, or an ad, or any place that could help the website owner generate more revenue. The cyber criminal wants to control the end user’s browsing experience for some kind of gain.

If the page inserted between the current page and the previous page is an ad, then every time the user clicks on the back button, the page will reload and generate a new ad. The more impressions the ads on a website get, the more revenue for the owner. For this reason, lots of marketers use the Back Button Hijacking ad security threat as a tactic to get a second chance for their product or service to be seen, which results in more profit.

+3.2% Landing Page Error

This detection shows the end user an alert that has identified a broken link (404 Error, 5xx, timeouts, etc.) in the path (intermediate redirect links inside the chain) between the click URL and the landing page. 

Malvertising insight: These broken links can make the end user feel unsafe when clicking on ads on a specific website, which can damage the site’s reputation with the end user. Additionally, this results in advertisers paying for campaign impressions, but because of the broken flow from ad to landing page, their offers will not convert.

IAB Standards Detections

Another reason why AdSecure is the best malvertising detection solution is its IAB Standards detection tool that scans ads to verify that the ads are aligned with IAB recommendations to abide by industry standards. The number of IAB Standards detections increased by 12.9% in Q1 compared to Q4. There are 4 IAB detections that AdSecure scans for:

IAB Dimensions: The IAB recommends certain ad dimensions that contribute to the majority of revenue and are sufficient to advertise across multiple screen sizes. This detection will flag ads that are not compliant with the IAB standards in terms of ad dimension.

IAB Ad Weight: Ad weight is the total size of all the ad assets being delivered to the browser at a given phase. This detection will flag ads that are not compliant with the IAB standards in terms of ad weight (initial load and sub-load). IAB recommends an ad size with an initial load of maximum 50KB and a sub-load of maximum 100KB.

IAB Ad Compression: To optimize the file size for delivery of an ad to a browser, the assets within the ad should be delivered in compressed formats such as gzip. This detection will flag ads that are not compliant with the IAB standards within this category, which means they are not delivered in a compressed format.

IAB Ad Request Count: Ads consist of multiple resources. The number of requests made to fetch these resources has a significant impact on the load performance of the ad as well as on the page where the ad is displayed. This detection will flag ads that are not compliant with the IAB standards in terms of ad request count. IAB recommends a maximum of 10 requests.

Aligning with the industry’s IAB Standard ensures that the ads shown are of the highest quality, ensuring excellent ad engagement from end users. To find out why ad quality is important, check out this in depth article.

Further Reading for Malvertising Trends

For further reading check out AdSecure’s findings for violations in Q1 looking at how Malvertisers specifically targeted mobile devices in our article How Cybercriminals attacked mobile users in Q1 2023. To find out more about how Malvertising works and why Cybercriminals are so prolific within the online ad industry check out our article What is Malvertising? And How To Stop It.  You can also check out Security Weeks article Malware Trends: What’s Old Is Still New.


If you are an ad network or publisher and you want the industry’s best malvertising detection solution, look no further than AdSecure. AdSecure offers 360 degree monitoring and protection for your ad supply chain by automating your ad verification process before ad campaigns go live & while they are running. Why not start a free 14 day trial and find out how AdSecure can protect your business from Cybercriminals.

Share this article on