Malvertisements are display ads that serve malicious JavaScript, usually on a targeted basis, in order to hijack a browser, serve malware, or commit ad fraud. Basically, any display ad that delivers a code-based threat to the visitor’s browsing session can be thought of as a malvertisement.

Over the last few months, we have been averaging between 10 and 15 billion impressions monitored per month for our real-time blocking product. At a network-wide block rate that hovers around 0.5% for security violations, this gives us a sample set of ~75MM incidents to look at from a bird’s-eye view.

Here’s some trivia based on the last 30 days of data:

To put these statistics into words: malicious campaigns leave the display ad landscape just as quickly as they enter it.

Here’s a helpful visualization:

The line graph above shows the daily volume observed from a typical malvertising campaign as it appeared on our radar over the course of the month of February.

The campaign rapidly reaches peak volume within two days of its first appearance before it normalizes to a trickle. In the next 30 to 60 days it’s likely that we will never see this campaign again.

Here’s a visualization of the frequency with which campaigns like this appear:

This scatter plot shows how many new malvertising campaigns were detected each day in the month of February. The majority of these campaigns will follow a similar pattern of rapidly peaking within 48 hours of launch before they fade away into relatively negligible volumes.

The rapid pace at which these campaigns appear, vanish, and rotate is what creates a true sense of urgency around immediate mitigation.