In Confiant's "Demand Quality Report for Q3 2019", the ad fraud and security company analyzed 120 billion ad impressions between January 1st and September 20th that flowed through their systems in order to provide a breakdown of different malicious ad campaigns.

While Confiant's report also discussed low quality ads and banner ads that appear in video slots, we will focus on the detected malicious ads and the campaigns that utilize them.

A malicious ad is defined by Confiant as one that performs unwanted behavior such as a forced redirect to scams, cryptojacking, or ads that infect a visitor's device.

"A creative that includes (usually obfuscated) Javascript that spawns a forced redirect or loads a secondary, or tertiary, payload for similar malicious purposes. Most malicious creatives exist for the purpose of forcing users to interact with phishing scams, but some perform cryptojacking or infect the user’s device to propagate botnets and other nefarious activities."

Breaking down malicious ads

In order to create the "Demand Quality Report for Q3 2019", Confiant analyzed a sample of 120 billion programmatic impressions that were captured by their ad creative auditing system.

The good news is that the number of malicious ads making it to a user's browser is decreasing as solutions like Confiant's filter out bad ads, publishers adopt the ads.txt file to prevent unauthorized ads from appearing on their sites, and supply side platforms (SSPs) apply more vigilant and tighter controls.
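As an added illustration of the ads.txt mechanism mentioned above (example code written for this article, not Confiant's or any SSP's), the parser below reads a publisher's ads.txt in the IAB format and checks whether a given ad system and seller account is authorized to sell that publisher's inventory; the domains and seller IDs are constructed placeholders.

```python
"""Parse a publisher's ads.txt and check seller authorization.
Record format per the IAB ads.txt spec:
  <ad system domain>, <seller account id>, <DIRECT|RESELLER>[, <cert authority id>]
Lines may carry '#' comments; 'key=value' lines (contact=, subdomain=) are variables."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AdsTxtRecord:
    ad_system: str               # SSP / exchange domain, lower-cased
    seller_id: str               # publisher's account id on that system
    relationship: str            # "DIRECT" or "RESELLER"
    cert_authority: Optional[str] = None  # optional certification authority id


def parse_ads_txt(text: str) -> List[AdsTxtRecord]:
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or "=" in line.split(",", 1)[0]:
            continue                             # blank line or key=value variable
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                             # malformed record: ignore
        rel = fields[2].upper()
        if rel not in ("DIRECT", "RESELLER"):
            continue                             # unknown relationship: ignore
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], rel, cert))
    return records


def is_authorized(records: List[AdsTxtRecord], ad_system: str, seller_id: str) -> Optional[str]:
    """Return the declared relationship if the (ad system, seller id) pair is listed, else None."""
    for r in records:
        if r.ad_system == ad_system.lower() and r.seller_id == seller_id:
            return r.relationship
    return None


# Constructed sample ads.txt for a hypothetical publisher (not a real file).
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed sample)
contact=adops@publisher.example
ssp-a.example, 12345, DIRECT, abcdef0123456789   # authorized direct seat
ssp-b.example, 9876, RESELLER                     # authorized reseller
badline-without-enough-fields
"""

if __name__ == "__main__":
    recs = parse_ads_txt(SAMPLE_ADS_TXT)
    print(is_authorized(recs, "ssp-a.example", "12345"))   # DIRECT
    print(is_authorized(recs, "ssp-h.example", "555"))     # None: not an authorized seller
```

A buyer-side check compares the seller fields of an incoming bid request against the publisher's parsed records and rejects inventory whose seller pair returns None.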

While we are moving in the right direction, with the share of malicious ads dropping from 0.25% to 0.15%, there are still a lot of unwanted ads reaching users' browsers, and most come from only a few lax players.

Of the 75 SSPs, or ad providers, monitored by Confiant, over 60% of malicious ad impressions come from three of them, which the report names SSP-H, SSP-I, and SSP-D. Even more concerning, a single SSP is responsible for over 30% of the malicious ads seen by Confiant.

Malicious impression rates of top SSPs

While it is not surprising that the SSPs responsible for the most malicious ads tend to be slower to respond to attacks, it was surprising to see that other SSPs with fewer malicious ads can be even slower.

Average response time to attacks by SSPs

Finally, malicious advertisers tend to run their campaigns during periods when fewer personnel are actively monitoring the ad networks, so responses to attacks may be slower.

As you can see from the chart below, most campaigns are conducted over the weekend, with the largest campaigns happening over a holiday.

When malicious ads are most commonly pushed

The major malvertising threat groups

In Q3 of 2019, four threat actors were responsible for the majority of malicious advertisements being distributed through ad networks.

These threat groups go by the names Scamclub, eGobbler, RunPMK, and Zirconium. While they may maintain a steady stream of activity throughout the year, at particular times there are noticeable campaigns showing a heavy ad push by a particular actor.

This is shown below where you can see various campaigns conducted by the different actors at different times over the third quarter.

Malicious ad activity for the four major threat groups

Each threat group tends to focus on a different type of malicious ad and a different method of injecting it into legitimate ad traffic, as described below.

Scamclub

Unlike the other threat actors, Scamclub does not make a strong effort to evade detection through fingerprinting and targeting.

Instead, Scamclub will conduct huge campaigns with dozens, or even hundreds, of creatives in order to overwhelm ad network platforms and their security in the hopes that some of these impressions will make it to legitimate web site visitors.

Example Scamclub ad

eGobbler

eGobbler is a known malvertiser who utilizes browser exploits or bugs in order to redirect users to malicious sites. In a previous campaign, eGobbler exploited a WebKit bug in order to infect over 1 billion ads.

Example eGobbler ad

Confiant states that eGobbler is known to target desktop computers that are typically running Windows.

Their Q3 attacks targeted desktop computers, mainly running Windows, with high concentrations of users in Italy, Spain, and Scandinavia. Our researchers found that even when publishers set up iframe sandbox permissions optimally, a pop-up could be spawned when the user tapped on the parent page. Confiant reported this vulnerability to the Webkit team on August 7, and it was fixed in iOS 13. Over the course of its

RunPMK

RunPMK targets mobile traffic on both iOS and Android in order to display scam ads, such as ones that claim you have won an iPhone or show a spinning prize wheel.

Confiant has observed RunPMK performing global attacks that targeted 212 countries.

Example RunPMK ad

Zirconium

The Zirconium threat group is known to use unique fingerprinting methods in order to target users with specific ads.

According to Confiant, their scripts use sophisticated obfuscation and commonly push tech support scams on desktop users.

Example Zirconium ad

Slowly getting better

While there is still clearly a malvertising problem, and users should continue to use antivirus software that blocks known malicious sites or ad blockers, the ad landscape is improving.

As Confiant notes, there are effective methods of filtering out malicious ads, and if SSPs remain vigilant and select the right partners, the decline can continue.

"However, we are encouraged by the continued decline in the rate of bad ads on Confiant publishers, which demonstrates that there are effective mitigation methods, both in terms of technology and partner selection, available to those who wish to use them."