The convergence of massive political ad spend and unprecedented online engagement marks the 2024 U.S. election cycle as a compelling malvertising case study.
A recent analysis of malvertising threat activity observed by the Human Defense Platform revealed a spike in threats and ad quality violations leading up to and during the election. Malvertisers are opportunists who exploit surges in attention and ad volume, targeting news websites during peak consumption hours. By examining these attack surges closely, we gain a crucial understanding of how malvertisers behave during periods of increased spending and user engagement, allowing us to apply these insights and strengthen protection ahead of future threats.
Election Season Insights: Malvertisers Follow the Traffic
In the two months leading up to the November 2024 presidential election, HUMAN’s Malvertising Defense detected a 30,000% spike in political ads. This volume created an ideal smokescreen: malicious ads could blend into the increased advertising leading up to and following the election.
Unsurprisingly, threat actors focused on national and local news outlets, capitalizing on the increased visibility and high traffic during peak reporting periods. Researchers observed that malicious ad activity consistently spiked during evening hours, aligning with rises in online news consumption driven by high election interest. This approach dramatically increased the likelihood of malvertisers’ attacks hitting their marks and victimizing visitors to the websites—the sheer scale of the surge meant a much wider potential spread for these attacks. The night of the election itself recorded the most significant spike in this targeted malicious activity, followed by Inauguration Day.
The primary malvertising tactics observed were redirect attacks and malicious landing page (MLP) attacks, through which users navigate to deceptive sites by clicking on misleading, attention-grabbing, or clickbait creative images. These were by far the most common category of attacks on the news sites.
HUMAN observed three prominent MLP attack subtypes, along with their respective volume trends in the hours leading up to and during election night. These subtypes combined social engineering, deceptive creative, and payment fraud to maximize attacker profits:
- Fake product phishing scams involve the promotion of a product known to be of poor quality or never delivered to purchasers. Attackers charge customers varying prices, including recurring subscriptions and/or multiple charges, none of which users consented to. They also attempt to collect sensitive user information, including bank details and Social Security Numbers, through a “Become Affiliate” section of the site.
- Cost-saving scams often feature an “advertorial” aesthetic, designed to garner trust by convincing users that the landing page is a legitimate news article. They utilize sensationalized headlines and content designed to encourage users to purchase a product that either never arrives or is essentially non-functional on arrival.
- Tech support scams use fake security alerts to trick users by using simple yet vague creative images that directly entice site visitors to click. Threat actors direct users to a site that displays numerous pop-ups and alerts claiming that malware or a virus compromised their device. The pop-ups then prompt users to call the displayed number, which is when threat actors attempt to extract personal information through social engineering.
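The traits listed for the three MLP subtypes can be expressed as landing-page triage signals. The sketch below is an added example, not HUMAN's detection logic or code from the original article; the regex patterns, signal names, and sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Illustrative signal patterns (assumptions, not any vendor's rule set).
MALWARE_CLAIM = re.compile(r"\b(virus|malware|infected|compromised)\b", re.I)
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
POPUP_CALL = re.compile(r"\b(alert|confirm|window\.open)\s*\(")
SENSITIVE_FIELD = re.compile(r"ssn|social.?security|bank|routing", re.I)
HYPE = re.compile(r"\b(shocking|one simple trick|slash your|providers hate)\b", re.I)
BUY_CTA = re.compile(r"\b(order now|buy now|claim your)\b", re.I)

class PageFacts(HTMLParser):
    """Separates visible text, script bodies and form-field labels."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.fields = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag in ("input", "select", "textarea"):
            self.fields += [v for k, v in attrs if k in ("name", "id", "placeholder") and v]
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def classify_landing_page(html):
    """Return {subtype: [matched signals]} for the three MLP subtypes."""
    facts = PageFacts()
    facts.feed(html)
    text, js, fields = (" ".join(x) for x in (facts.text, facts.scripts, facts.fields))
    found = {}
    # Tech support scam: malware claim plus a phone number, pushed via pop-ups.
    if MALWARE_CLAIM.search(text + js) and PHONE.search(text + js) and POPUP_CALL.search(js):
        found["tech_support_scam"] = ["malware_claim", "phone_number", "scripted_popup"]
    # Fake product phishing: an affiliate form asking for bank details or an SSN.
    if "affiliate" in text.lower() and SENSITIVE_FIELD.search(fields):
        found["fake_product_phishing"] = ["affiliate_section", "sensitive_field"]
    # Cost-saving advertorial: sensational copy paired with a purchase prompt.
    if HYPE.search(text) and BUY_CTA.search(text):
        found["cost_saving_scam"] = ["sensational_copy", "purchase_cta"]
    return found

# Constructed sample page (not a real captured landing page).
SAMPLE_TECH_SUPPORT = """<html><body><h1>Security warning</h1>
<p>Your device is infected. Call 800-555-0100 now.</p>
<script>for (var i = 0; i < 3; i++) { alert("Virus detected!"); }</script></body></html>"""
print(classify_landing_page(SAMPLE_TECH_SUPPORT))
```

Static signals like these only triage what the scanner is served; a cloaked page that shows reviewers benign content needs the behavioral, page-level checks discussed later in the article.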
The Broader Threat Landscape: Sophistication Will Only Grow, Traditional Defenses Aren’t Enough
Malvertising isn’t limited to elections: any high-traffic event, such as a major sporting event, sales “season” (think Black Friday), prominent entertainment release, or viral news cycle, offers a target. These attackers continue to innovate by employing tactics such as advanced cloaking to bypass creative reviews, behavioral triggers to evade detection, and adaptive scams tailored to user interests. Without proactive defenses, publishers and platforms will always be playing catch-up.
Legacy solutions that rely on manual review and static rules struggle to keep pace with rapidly evolving tactics. Instead, organizations must shift from reactive, maintenance-heavy approaches to proactive defense systems that scale automatically. By implementing real-time, page-level malvertising protection that operates without manual intervention, they can be ready for traffic surges whenever they occur. Unlike traditional approaches requiring constant updates and additional staffing during surges, page-level solutions scale seamlessly without extra attention when protection is needed most. These defenses also learn from attack patterns in real time, staying ahead of morphing campaigns that easily bypass network-level filters.
The Case for Page-Level, Real-Time Protection
Platforms and publishers must future-proof their defenses to protect revenue, reputation, and users.
The sophistication of malvertising will continue to increase, so defenses must stay one step ahead. Proactive, page-level protection—like HUMAN’s Malvertising Defense—offers:
- Behavioral detection to stop threats in real time
- Landing page scanning to catch threats that bypass creative reviews
- API-driven automated blocking for operational efficiency
- Adaptive ML models powered by telemetry from 20 trillion weekly digital interactions
- Protection that scales automatically in response to sudden traffic surges
Purpose-built solutions like HUMAN’s Malvertising Defense help publishers and platforms alike protect themselves from the impact of timed malvertising attacks.