Malvertising degrades consumer trust in the digital advertising industry, and stymies industry growth by feeding ad revenue to criminals. This problem has been compounded by the COVID-19 pandemic, with criminals taking advantage of the crisis to target the digital advertising industry with new COVID-themed malvertising attacks.
What’s the Problem?
While the term malware can mean malicious software of any sort delivered by any means, “malvertising” refers to the use of digital advertisements – including creative, tags and landing pages – specifically to distribute malware, often for financial gain. Malvertising comes in a variety of forms. A legitimate ad can become malvertising – it can be corrupted once it has been placed on a publisher website, when it passes through an ad tech intermediary, or before a campaign even begins. In other cases, criminals create fake advertisers or advertising agencies, pretending to represent legitimate clients in an ad buy while in reality distributing fake ad creative infected with malware. Sometimes, rather than focusing on ads directly, criminals simply compromise third-party scripts or pieces of code (3PC) that are delivered with an ad or page content for measurement or viewability purposes.
Malvertisers have taken full advantage of the COVID-19 pandemic to launch new malvertising attacks, often preying on specific fears about the virus. In a recent whitepaper, the Trustworthy Accountability Group (TAG) outlined findings that malicious or fraudulent functionality is found in 1 out of every 100 online ads, suggesting malvertising affects up to 20% of user sessions. According to recent research, daily malware threats to the digital ad supply chain increased an average of 18% as news of COVID-19 drove increased web traffic. And with unemployment skyrocketing, malvertisers whose criminal pursuits might have previously been a hobby have made orchestrating malware attacks a full-time job. According to research by The Media Trust, several well-known malvertising attacks increased by 300% beginning in March 2020, just as COVID-19 quarantine began in many parts of the world.
Take Action!
TAG has facilitated threat-sharing across the digital ad industry designed to stop malvertising attacks since its inception in 2015 and continues to partner with industry leaders to strengthen its anti-malware certification and threat-sharing programs. Our work has proven that everyone in the digital advertising industry can benefit from following these simple and proven effective best practices.
- Take Responsibility and Communicate Your Commitment. Create – and sustain – an internal focus on keeping your ads free from malware. Develop a “zero tolerance” policy for ads infected with malware. Earn the TAG Certified Against Malware Seal.
- Choose the Right Partners. Know your risk tolerance and choose partners that share and can accommodate those values. Ask the right questions during your RFP process. Look for the TAG Certified Against Malware Seal.
- Work Closely with Partners to Develop and Execute Your Strategy. Designate a trained Brand Safety Officer. Document appropriate points of contact at partner companies. Clearly communicate a plan to protect your assets before a campaign launches. Stay involved once campaigns are launched.
- See the Bigger Picture. Provide partners with information about malvertising incidents and support industry-wide threat sharing to strengthen your own defenses.