Auto redirects: what they are, how they work, and how they hurt your ad revenue

URL redirection is when a webpage makes itself available under more than one URL address. When a user’s web browser opens a URL that has been redirected, it is instructed to bring them to a web page listed under a different URL.

For example, if a popular website decides to alter its URL, it may maintain ownership of its previous URL but instruct it to redirect users to its new one to avoid confusion and keep up web traffic.

Some other reasons for implementing URL redirect include shortening a website URL, preventing broken links when pages are moved, general privacy protection, and most importantly for this article, phishing attacks and malware distribution.

Nothing is more confusing and frustrating than when you are on a familiar webpage and suddenly your browser sends you across the web to another brand’s site. Sudden redirects not only frustrate and spook users (who may suddenly find themselves on a dangerous phishing website), they also hurt ad publishers whose reputations are being tarnished while web traffic is being sent away to different sites.

In this article, we’ll go over how these redirects work, how they end up on your webpage, how they hurt your publishing business, and what you can do to defend against them.

Phishing attacks are when bad actors pose as reputable brands and businesses to lure users into sharing personal information or downloading malware.

The malware usually works to disrupt a user’s device and make them vulnerable to more phishing attacks or implement viruses to steal information on its own.

One of the most common ways bad actors will lure users into these scams is through malicious advertisements that sneak their way around the ecosystem.

Fraudsters will create fake ads posing as reputable companies, with cloaked URLs to sneak by most standard security protocols. When users click on the ad, they land on web pages that resemble the brand the ad was imitating.

These fake web pages then ask for login credentials, credit card information, or even social security numbers. Anything they believe they can get users to enter onscreen is up for grabs.

In the case of forced redirects, users don’t even have to properly engage with the malvertisers’ ad in order to be redirected to a malicious phishing site.

When hosting ads to their webpage, publishers have to choose how much access to their website they are willing to share with their advertisers.

In most cases, advertisers have to scale to fit different ad units and are looking to track the ad’s viewability and performance. This kind of information is only accessible through the top window and cannot be viewed by windows coming from a different URL.

A top window is a frame that holds all of the content found on a given webpage. Within this window are frame windows that hold individual elements and content on the page. Windows that are from two different domains, such as publisher.com and advertiser.com, cannot access each other.

The best way for publishers to share information would be to develop messaging tools between domains that share what each advertiser may be looking for. But many opt-out of this option because of the need for extra coding that can change advertiser to advertiser.

Instead, most publishers end up granting advertisers full access to their top window, allowing advertisers to do whatever they may please on a publisher web page.

They can scale their ads and collect data on viewability, but can also edit web pages, set cookies, and enable code to force redirects away from your page.

Tactics that malicious actors use to force redirects can vary from case to case. But in all cases, the ad needs to have access to the webpage’s top window.

Without this, the ad remains trapped inside its own ad unit and is unable to affect the publisher’s webpage.

Once advertisers are given this access, there are a few ways they actually implement the forced redirect:

1. At Ad Request LevelAs an ad is being called and travels through ad agencies and DSP/SSPs, fraudsters will edit their ad’s script once it has passed all proper security checks. This way the advertisement appears harmless to those delivering the ad. Once it appears on a webpage, it carries the necessary scripts to implement forced redirects.
2. Implementing Malicious CodeIn this case, the bad actors have already written the code into the ad upon its creation, but have cloaked the ad and buried the malicious code deep within. This way, the malicious behavior only appears under certain conditions (geolocation, device/browser used) and is able to sneak by many security checks.In each of the first two cases, the ad can execute the redirect in a number of ways. With access to the website’s top window, the advertiser can cause any action the user takes to result in a redirect to another web page (i.e. form submissions, link clicks, ad engagements). Meaning that any action a user takes can swiftly redirect them to the malvertiser’s preferred webpage.It is also possible for these ads not to require any action from the user at all. “Physical” clicks from users can be replaced with automatic clicks from scripts, sending the user to a phishing site without engaging with anything on the page.
3. Meta Refresh RedirectWhile still carried within the code of the ad, meta refreshes behave slightly differently than the examples given above. In this case, a script is given to refresh the page and load a different URL, either in an existing tab or a new one. In both cases, the user is redirected to a new and unintended webpage.

Besides the incentive to lure users into phishing scams, untrustworthy monetization groups and ad networks have their own incentives to force users to these malicious sites.

And that is, of course, money.

Most legitimate display ads only see click-through rates of around 0.35%. With forced redirects, advertisers will see “click” through rates somewhere between 90-100%, as their automatic redirects prop up their numbers, allowing them to charge their advertisers for unbelievable results.

Because of this, many ill-intentioned monetization groups and ad networks will disguise themselves for long periods of time as perfectly harmless to lure in unexpecting advertisers and/or publishers, only to implement shady tactics down the line.

For advertisers, this can quickly swallow up advertising budgets without seeing any meaningful results.

For Publishers, this can devastate your engagement metrics and send your ad revenue plummeting.

Malvertising affects publishers in several ways. Having your site affiliated with phishing scams and forced redirects is bad news for customer loyalty. While these intense tactics might earn you some extra cash in the short term, users will eventually start avoiding your site because they now consider it potentially dangerous to their privacy and device.

Beyond this, it will likely lead them to search out ad blocking software. This means even after you remove these redirects from your site, users will be returning with ad block enabled, preventing you from earning impressions. And earning a user’s trust back after such a negative experience is historically difficult.

If you are not actively exploring the front end of your site, catching redirects before they impact your metrics and revenue will be tricky.

Make sure you personally take the time to see if ads are forcing you off of your site. This way, you can catch fraudsters before they begin to crash your publishing metrics.

More importantly, make sure you are partnering with reliable ad networks and SSPs. You are more than likely paired up with multiple SSPs, which can make it difficult to track which ones may not be as trustworthy as they let on.

If you start experiencing drop-offs in your metrics, try turning certain SSPs off and on to isolate the issue and discover which ones are serving you bad ads. You can then end your relationship with them or add them to your blocklist.

Giving access to your top window certainly makes things easier, but it also leaves you vulnerable to attacks. Realistically, it would be wise to separate what advertisers are given access to your top window and which aren’t.

In a direct buy situation, where you have a streamlined relationship with your advertiser, giving them access is perfectly acceptable. But programmatic deals should be more restricted. Try using SafeFrames in these situations, so you can still give sizing/viewability data back to advertisers without giving them access to your webpage.

But while blocking fraudsters and using SafeFrames are effective preventative measures, they are far from final solutions. Sophisticated malvertisers know how to easily work their way around these features, and will continue to attack your site.

Many publishers turn to ad security experts to help track down malicious groups, but you often end up playing a game of whack-a-mole. Knock one fraudster out, and another appears shortly after.

HUMAN Malvertising Defense removes the need for blocklisting by uniquely detecting malicious behavior at runtime. The solution uses behavioral analysis of each ad impression to detect unwanted behavior and block harmful activity while still allowing ad impressions to fire. This means that fraudsters still pay you for ad impressions, even though their malicious ad is being blocked on your site. Not only do you still get paid, but you also create a financial disincentive for bad actors.

Malvertising Defense eliminates threats with unmatched precision. A single line of code protects your site, without adding increased latency or maintenance overhead of bulky blocklists. This preserves user experience and trust, without sacrificing revenue.