HUMAN BLOG

Auto-Redirects: The Malvertising Classic That Never Really Left


John Waters, Lindsay Superczynski-Matthies

June 26, 2025

Ad Fraud, Malvertising


Editors’ note: In this series, “Unmasking Malvertising,” we explore various ways in which malvertising is executed to help us collectively see the digital landscape not just as defenders, but through the eyes of those who would exploit it. In our first installment, we explored the role of obfuscation in malvertising. In this second part, we examine the resurgence of auto-redirects and how this classic threat has evolved to bypass modern defenses.

Like classic villains in a thriller, malvertising tactics rarely stay defeated: they retreat, evolve, and return with new disguises. While attack type popularity might shift to tactics like pixel stuffing and clickbait malicious landing pages (MLP), the auto-redirect has stood the test of time and continues to plague the ecosystem. Its resurgence reminds us that in the digital security arms race, constant vigilance is key. For publishers and ad platforms, these attacks threaten more than just security: they damage visitor trust, increase bounce rates, and ultimately jeopardize revenue streams. As malvertising threats continue to evolve, understanding their cyclical nature becomes essential for maintaining both visitor confidence and business sustainability in our increasingly complex digital ecosystem.

Auto-Redirects: The Original Digital Hijackers

When you think of “malvertising,” auto-redirects may be the first thing to come to mind—the quintessential attack defining the threat itself. These invisible hijackers emerged as digital advertising’s phantom menace, exploiting the supply chain’s complexity with malicious JavaScript activated only after clearing security reviews. One moment, visitors were browsing the trusted publisher content they had chosen; the next, they were being redirected, without any interaction with an ad, to scam sites or malware delivery systems.

Publishers lost visitor trust and platforms saw publisher clients questioning their ad inventory quality. Both suffered revenue impacts from interrupted sessions and deteriorating business relationships. Publishers responded with stronger verification protocols, platforms enhanced security scanning, and specialized anti-malvertising companies emerged with focused detection technologies. For a time, these combined efforts eliminated certain auto-redirect threats entirely and pushed certain threat actors out of the ecosystem. 

Why Now? Unpacking the Auto-Redirect Resurgence

Our data shows that over one-third of all pages attacked in the past year were attacked using a redirect. These forced navigation attacks continue to exploit the basic ad delivery process, targeting those critical milliseconds between bid and ad content loading, where auto-redirects can hijack a user’s browsing session.

Today’s auto-redirect malvertising campaigns employ sophisticated cloaking, fingerprinting, and other techniques that make detection difficult. These forced redirections typically remain dormant during security scans, activating only when they detect parameters that indicate a valuable target, such as a geographic location, a device type, or something as specific as a touch-screen environment. This selective triggering explains why so many auto-redirect attacks pass review processes only to forcibly navigate users away from legitimate content later.

Similar contextual targeting tactics were observed during election cycles, as detailed in our analysis of malvertising trends tied to political events.

The resurgence of auto-redirects also stems from economic incentives that remain as compelling as ever. Affiliate fraud, subscription scams, and malware distribution all continue to generate significant revenue through forced navigation. When combined with the increasingly complex digital advertising supply chain—where responsibility for malvertising prevention often falls into gaps between publishers and ad tech platforms—these factors have created ideal conditions for this classic attack vector to flourish once again.

From Simple to Sophisticated: The Evolution of Auto-Redirects

Auto-redirects in malvertising have evolved from simple JavaScript commands into sophisticated, multi-layered attacks. This evolution is not fundamentally about changing the act of redirection—there are a limited number of ways to move a user from one webpage to another with JavaScript or HTML—but rather about the increasing sophistication of the disguise and execution. This complexity has transformed what was once a straightforward detection challenge into a complex puzzle, frequently missed by automated scanning tools and demanding increasingly sophisticated countermeasures.

Early Redirects: Straightforward but Noisy

In the early days, a successful redirect was often rudimentary, perhaps just a basic `window.top.location` assignment delivered inline without masking, or one behind a simple `setTimeout` trigger. These were easily detectable through simple code scans or by searching for `setTimeout` functions.

Obfuscation Arrives: Redirect Logic in Pieces

As defenses advanced with basic scanners, attackers adapted, often implementing obfuscation that fragments the redirect mechanisms across various aspects of the ad-serving process, including elements of the ad creative itself, embedded scripts, and even interactions with third-party vendors. Components that appear benign in isolation can assemble into a browser-hijacking form only at run-time.
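The difference between the two stages above, shown as an added example that is not HUMAN's code or a sample from a real campaign: a literal `top.location` signature catches the inline creative but not the one whose property names are assembled at run time, while an instrumented run records both. The two creatives, the `landing.example.invalid` URL and the function names are constructed for illustration.

```javascript
const vm = require('node:vm');

// Signature of the kind early scanners relied on: the literal navigation sink.
const SIGNATURE = /\btop\.location\b/;

// Constructed sample creatives (not real campaign code); both navigate the top window.
const INLINE = "setTimeout(function () { window.top.location = 'https://landing.example.invalid/'; }, 0);";
const FRAGMENTED = [
  "var a = 'to', b = 'p', c = 'loc', d = 'ation';",
  "setTimeout(function () { window[a + b][c + d] = 'https://landing.example.invalid/'; }, 0);",
].join('\n');

// Execute a creative in a separate context whose navigation sinks are
// instrumented, and return every top-level navigation it attempts.
// node:vm is not a security boundary: analyse untrusted creatives only on a disposable host.
function observeNavigations(source) {
  const attempts = [];
  const log = (via, url) => { attempts.push({ via, url: String(url) }); return true; };
  const location = new Proxy({
    assign: (url) => log('location.assign', url),
    replace: (url) => log('location.replace', url),
  }, { set: (_target, prop, url) => log(`location.${String(prop)}=`, url) });
  const top = {};
  Object.defineProperty(top, 'location', { get: () => location, set: (url) => log('location=', url) });
  const timers = [];
  const sandbox = { top, setTimeout: (fn) => timers.push(fn) };
  sandbox.window = sandbox;
  sandbox.self = sandbox;
  vm.runInContext(source, vm.createContext(sandbox), { timeout: 100 });
  // Delayed triggers are the classic pattern, so run queued callbacks too (bounded).
  for (let i = 0; i < timers.length && i < 100; i++) {
    if (typeof timers[i] === 'function') timers[i]();
  }
  return attempts;
}

// Compare what a static signature sees with what the instrumented run sees.
function review(source) {
  return { signatureHit: SIGNATURE.test(source), navigations: observeNavigations(source) };
}
```

`review(FRAGMENTED)` reports no signature hit yet one recorded navigation, which is the case a source-only scan lets through.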

Context-Aware Redirects: Fingerprinting Before the Jump

Over time, the disguise has become even more elaborate as attackers began implementing fingerprinting before the redirect trigger, instead of explicit redirects within the source code. Tactics have shifted from relying on easily tracked metrics like high click-through rates or consistent bounce rates to abusing device accelerometers and employing event stealing. Event stealing involves malicious actors using event listeners on end-user interactions to initiate redirects. Clickjacking, where invisible full-screen overlays are used, has also emerged as a prominent technique, further complicating detection. 

Why Detection Keeps Getting Harder

With each iteration, redirect techniques grow more compartmentalized, conditional, and event-aware—traits that frustrate traditional URL blocking and content-security policies. The next section outlines defense strategies that match this escalating complexity.

Proactive Protection: Defeating Evolved Auto-Redirects

The evolution and increasing complexity of redirect techniques demand correspondingly sophisticated protection strategies. A core challenge is that the web fundamentally requires users to move freely between pages: blocking all off-page navigation, including navigation the user intends, harms user experience and advertiser engagement. This dilemma makes protecting specifically against auto-redirect attacks particularly complex.

A Multi-Faceted Protection Approach

This specific dilemma – the need to allow users to navigate freely while protecting against malicious redirects – necessitates a multi-faceted protection approach. Organizations should prioritize continuous monitoring for anomalous activity and deviations from baseline user behavior, alongside regular audits that focus on event listeners and unusual page elements. It is also critical to collaborate with partners who possess both a deep understanding of threat evolution and demonstrated capabilities in actively protecting against such threats. This collaboration leads to protection strategies that go far beyond basic code analysis.

Behavior-First Monitoring and Analysis

To effectively implement these robust protections, the best strategy centers on actively monitoring and analyzing the behaviors leading up to a redirect. With attackers transitioning from simple code injections to elaborate methods—like manipulating event listeners, using invisible overlays (clickjacking), and employing sophisticated fingerprinting—the protective approach shifts from basic code scans to behavioral analysis. By identifying suspicious patterns and using these evolving behavioral indicators, organizations can effectively distinguish malicious redirects from legitimate ones.
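One way to turn the behavioral indicators named in this article (no interaction before the jump, invisible full-screen overlays, event stealing) into a decision, as an added example that is not HUMAN's detection logic. The event-log format, frame names and thresholds are assumptions; the log is presumed to come from a page-level monitoring script and to be in chronological order.

```javascript
// Thresholds are assumptions for this example, to be tuned against a site's own baseline.
const GESTURE_WINDOW_MS = 1000;   // how recent a gesture must be to explain a navigation
const OVERLAY_COVERAGE = 0.9;     // share of the viewport an element must cover
const OVERLAY_MAX_OPACITY = 0.05; // at or below this the element is effectively invisible

// Constructed element snapshots (hypothetical format): who owns the element and how it renders.
const VIEWPORT = { width: 390, height: 844 };
const AD_SLOT = { owner: 'ad-frame-1', width: 300, height: 250, opacity: 1, pointerEvents: 'auto' };
const ARTICLE = { owner: 'page', width: 390, height: 600, opacity: 1, pointerEvents: 'auto' };
const OVERLAY = { owner: 'ad-frame-1', width: 390, height: 844, opacity: 0, pointerEvents: 'auto' };

// True when a snapshot describes an invisible, click-receiving, near full-screen layer.
function isInvisibleOverlay(el, viewport) {
  const coverage = (el.width * el.height) / (viewport.width * viewport.height);
  return coverage >= OVERLAY_COVERAGE && el.opacity <= OVERLAY_MAX_OPACITY
    && el.pointerEvents !== 'none';
}

// Classify one top-level navigation from the run-time events that preceded it.
function classifyNavigation(nav, events, viewport) {
  if (nav.initiator === 'page') return { verdict: 'allow', reason: 'first-party navigation' };
  // Most recent gesture that is close enough in time to explain the navigation.
  const gesture = events
    .filter((e) => e.type === 'gesture' && e.t <= nav.t && nav.t - e.t <= GESTURE_WINDOW_MS)
    .pop();
  if (!gesture) return { verdict: 'block', reason: 'no user interaction before navigation' };
  if (gesture.target.owner === nav.initiator && isInvisibleOverlay(gesture.target, viewport)) {
    return { verdict: 'block', reason: 'click landed on invisible full-screen overlay' };
  }
  // Event stealing: the initiator listens at document level and the user touched other content.
  const stolen = gesture.target.owner !== nav.initiator && events.some((e) =>
    e.type === 'listener' && e.owner === nav.initiator && e.scope === 'document');
  if (stolen) return { verdict: 'block', reason: 'document-level listener fired on content outside the ad' };
  if (gesture.target.owner === nav.initiator) return { verdict: 'allow', reason: 'user clicked the ad' };
  return { verdict: 'review', reason: 'gesture not attributable to the initiator' };
}
```

A genuine click on the visible ad slot is allowed, which keeps intended navigation working while the three forced patterns are stopped.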

From Reactive Signatures to Proactive Defense

Relying solely on known attack signatures in a reactive way is no longer sufficient, as attackers constantly change their methods. A proactive protective posture is therefore essential: protectors must anticipate the resurgence of threats by understanding the economic incentives and vulnerabilities driving these attacks, and must thoroughly understand the nuanced behaviors that precede malicious redirects. That is how the industry can break the cycle of attack and protect against further harm. This holistic approach of actively monitoring and proactively anticipating threats leads to a safer, more sustainable digital advertising environment, one where visitor trust and business success are mutually reinforcing.

Breaking the Cycle: Continuous Defense in the Age of Resurgent Threats

The resurgence of auto-redirects illustrates security’s cyclical nature—threats retreat, evolve, and return stronger when defenses grow complacent. This pattern repeats across all threat categories, from polymorphic malware to malicious landing pages, as attackers continuously adapt to exploit the advertising ecosystem’s fundamental vulnerabilities: supply chain complexity, speed requirements, and economic pressures favoring revenue over security. These weaknesses ensure threats evolve rather than disappear, challenging the industry’s tendency to declare premature victories.

For publishers and platforms to thrive, they must embrace security as an ongoing process rather than a one-time fix. This means implementing continuous monitoring, conducting regular security reviews, and partnering with specialized security providers who track threat evolution across the ecosystem. Only by anticipating the inevitable return of seemingly defeated threats can the industry break the cycle and create a safer, more sustainable digital advertising landscape where visitor trust and business success reinforce rather than undermine each other.

HUMAN Malvertising Defense

HUMAN’s proven Malvertising Defense solution demonstrates that to combat malvertisers’ efforts, it takes a combination of expert threat research, reverse-engineering, and specialized insight from the HUMAN Malvertising Defense script. 

Using run-time behavioral analysis, HUMAN’s Malvertising Defense has the advantage of seeing the attempted auto-redirects play out and thwarting the effort to load a final malicious payload.

Our solution incorporates advanced machine learning, real-time monitoring, and years of expert threat intelligence to protect against these evolving auto-redirect techniques, processing billions of transactions daily to keep major advertising platforms safe from emerging attack patterns.
