HUMAN Blog

3 Ways to Combat Malvertising

Written by Andrew Reed | July 18, 2023

In the media and publishing business, trust is everything. And malvertising is enemy number one. Hacking, redirects or spam cause serious damage to the user experience and, by extension, the brand's reputation. When your users don't trust your site or have a poor experience, that inevitably translates into decreased revenue.

I hate to say it, but malvertising isn't going away anytime soon. Instead, publishers and advertising platforms need a plan to combat it, and there are several methods to choose from. Read on for three ways to mitigate malvertising, so you can determine which one is best for your business.

1. Pre-scanning

Traditionally, pre-scanning has been one of the main ways to get rid of a malicious ad or ad network on a website. The goal of the malware pre-scan is to identify malware before an ad goes live and is served to website visitors. 

Malware scanning occurs in sandbox environments. Here, malicious code is recognized and automatically rejected. Sandboxing creates a “fake” environment with automated technology that attempts to detect a malicious program before serving an ad to a website's users. It’s a common line of defense for publishers and can stop some malvertising campaigns. 

Strengths of pre-scanning

Pre-scanning can identify bad ads before they go live. When it works, bad ads are neutralized before they ever reach the end-user. 

Weaknesses of pre-scanning

Pre-scanning has been around for some time, which means it's well known by bad actors. Expert malvertisers have had plenty of time to find effective workarounds. For example, some malvertisers use code that recognizes sandbox environments and only displays safe versions of the ad in a sandbox. This allows the malicious creative to bypass pre-scanning.

Research indicates that there are now artificial intelligence components to malicious software that can evade pre-scanning in virtual environments altogether. If malware attacks can leverage AI, malware pre-scanning may not just be insufficient; it could become obsolete.

In addition, pre-scanning can generate false positives and negatives. Good ads may not get through and bad ads may slip by. When good ads aren’t served, advertising revenue is lost. When bad ads are served, the end-user is negatively impacted with a malware infection and/or poor user experience.

2. Blocklisting

Blocklisting is a way to provide “batched” protection against malvertising. It works on any web browser (Internet Explorer, Google Chrome, etc.). Web pages use blocklist tools to identify known malicious advertisements. The listed URLs or code snippets are tied to malicious actors, and the unwanted ads are not accepted during the bidding process.

As an anti-malvertising solution, blocklisting is activated during the ad selection process, but before the creative renders and the bad actor pays for their impression.

Malicious advertising, domains, URLs and snippets that aren’t present on the list of “known bad” offenders will be let through undetected. This means the malicious payload can be deployed as part of an exploit kit and the attacker ultimately gains access to the end-user.

Strengths of blocklisting

Blocklisting prevents ads with known malicious domains, URLs and snippets from displaying on your site.

Weaknesses of blocklisting

The landscape of malvertising (and the people who perpetrate it) is constantly evolving. It may be obvious to even a casual observer that a lengthy list of known bad ads is hard to maintain and impossible to keep current or comprehensive.

Blocklisting can’t catch novel attacks, meaning that any new kind of code, or any bad actor not recognized from the list, can easily get past the checkpoint. Cybercriminals are able to quickly and efficiently generate incredible quantities of unwanted ads, and this high rate of production and extensive reach outpace the effectiveness of even the best blocklist tools.

Similar to pre-scanning, blocklisting also often miscategorizes ads. This results in false positives and negatives that cause revenue losses and poor user experience.
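The sketch below is an added example, not HUMAN's code or any vendor's: a blocklist check as it might run during ad selection, showing a match on a listed domain and a miss on a domain that is not on the list yet. The `adm` and `adomain` field names follow OpenRTB bid responses; the blocklist entries, domains and bids are constructed.

```javascript
// Constructed blocklist: "known bad" domains and one code fingerprint.
const BLOCKLIST = {
  domains: new Set(["bad-ads.example", "redirector.test"]),
  snippets: ["top.location.replace("],
};

// Collect the hostname of every absolute URL in the creative markup.
function extractHosts(markup) {
  const hosts = new Set();
  for (const m of markup.matchAll(/https?:\/\/[^\s"'<>)]+/gi)) {
    try { hosts.add(new URL(m[0]).hostname.toLowerCase()); } catch { /* skip junk */ }
  }
  return [...hosts];
}

// A host is listed if it equals a blocked domain or is a subdomain of one.
function hostIsListed(host, domains) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (domains.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Screen one bid before the creative is accepted; returns the decision and why.
function screenBid(bid, list = BLOCKLIST) {
  const reasons = [];
  for (const d of bid.adomain || []) {
    if (hostIsListed(d, list.domains)) reasons.push(`adomain:${d}`);
  }
  for (const h of extractHosts(bid.adm)) {
    if (hostIsListed(h, list.domains)) reasons.push(`host:${h}`);
  }
  const flat = bid.adm.replace(/\s+/g, ""); // ignore whitespace inside the snippet
  for (const s of list.snippets) if (flat.includes(s)) reasons.push(`snippet:${s}`);
  return { accept: reasons.length === 0, reasons };
}

// Constructed bids: one from a listed domain, one from a domain nobody has listed yet.
const KNOWN_BID = {
  adomain: ["bad-ads.example"],
  adm: '<a href="https://cdn.bad-ads.example/c?id=1"><img src="https://img.bad-ads.example/b.png"></a>',
};
const NOVEL_BID = {
  adomain: ["fresh-7f3a.example"],
  adm: '<a href="https://cdn.fresh-7f3a.example/c?id=1"><img src="https://img.fresh-7f3a.example/b.png"></a>',
};
console.log(screenBid(KNOWN_BID), screenBid(NOVEL_BID));
```

The second bid is accepted only because its domain has not been listed, which is the coverage gap described above.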

3. Behavioral Analysis

Behavioral analysis evaluates ad creative in real time. The process is this:

  • Instead of a sandbox environment, behavioral analysis malware protection solutions run on the page, in the browser or app, in real time.
  • As users are viewing ads, creative will always be allowed to render.
  • Bad ads are stopped in the act of malicious code deployment and the negative actions are prevented from affecting the user.
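One way a page-level runtime check of this kind can work, as an added illustration that is not HUMAN's implementation: the guard wraps `window.open` in the ad frame, lets the creative render, and blocks and reports a navigation attempted without a user gesture. The frame object is a constructed stand-in so the block runs outside a browser; `installRedirectGuard`, `makeFakeFrame`, `runDemo` and the URLs are hypothetical.

```javascript
// Wrap window.open inside an ad frame. Rendering is untouched; only a
// navigation attempted without a user gesture is stopped and reported.
function installRedirectGuard(win, report) {
  const nativeOpen = win.open;
  win.open = function guardedOpen(url, ...rest) {
    // navigator.userActivation.isActive is true only while a real click/tap is being handled.
    const ua = win.navigator && win.navigator.userActivation;
    if (!(ua && ua.isActive)) {
      report({ action: "window.open", url: String(url), blocked: true });
      return null; // what a caller sees when a popup is blocked
    }
    return nativeOpen.call(win, url, ...rest);
  };
  return () => { win.open = nativeOpen; }; // uninstall hook
}

// Constructed stand-in for an ad frame's window; records navigations that got through.
function makeFakeFrame() {
  const opened = [];
  return {
    opened,
    navigator: { userActivation: { isActive: false } },
    open(url) { opened.push(String(url)); return {}; },
  };
}

// Simulate one impression: a redirect fired on load, then a genuine click-through.
function runDemo() {
  const frame = makeFakeFrame();
  const events = [];
  installRedirectGuard(frame, (e) => events.push(e));

  // 1. Creative script fires a redirect as soon as it loads (no gesture).
  frame.open("https://landing.example/prize");

  // 2. Later the user really clicks the ad (gesture active).
  frame.navigator.userActivation.isActive = true;
  frame.open("https://advertiser.example/product");

  return { opened: frame.opened, events };
}

console.log(runDemo());
```

Script cannot wrap `window.location` this way; for top-level navigation the platform control is the iframe `sandbox` attribute with `allow-top-navigation-by-user-activation`.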

 

Strengths of behavioral analysis

Behavioral analysis addresses the real problem of malvertisers who bypass pre-scanning in a virtual environment or aren’t clearly listed as bad actors on a blocklist. There is absolute certainty that the ad was, indeed, bad, which eliminates the issue of false positives or negatives.

Furthermore, malvertisers are still forced to pay for ads on your platform, even though their malicious creative is blocked. When the malicious ad runs, the digital property owner still gets paid, even though the bad ad is stopped before ever getting to the user. 

Stop Malvertising in Its Tracks

No longer are ads performing the same way in both a sandbox and user environment, nor are bad actors using the same URLs, creative or methods numerous times. Yet consistency in performance and creative is essential for the traditional pre-scan or blocklisting methods to catch bad actors effectively.

HUMAN Malvertising Defense uses behavioral analysis to safeguard publishers, platforms, and their audiences from malware attacks. Easily implemented via page-level code, the solution provides revenue protection for publishers and mitigates malicious creatives for platforms. The result is dynamic and future-proof protection that goes beyond pre-scanning and blocklisting.