Methodology

Confiant protects publishers and their audiences from malvertising attacks via client-side integrations that block malicious advertisements in real time. We have coverage on tens of thousands of websites and have monitored over 1 trillion digital advertising events since we introduced our blocking product.

For every malvertising incident that we block, we collect some metadata about where that ad was served. We don’t store any PII, but for any given incident we know things like device, browser, and geo to name a few. When we aggregate these incidents by ASN, we can explore which networks emerge as outliers when it comes to attack volumes.

Note: ASNs are gathered via MaxMind lookups of client IP addresses.

Exposure Index

The observations that we present in this blog post are based on 3 months of client-side monitoring from Oct. 15, 2019 to Jan. 15, 2020. The total number of global malvertising incidents for this time span is ~378MM.

A malvertising incident within the context of this blog post is when an ad is served on one of our publisher customers’ properties, but prevented from rendering by our security solution. Most incidents are recognized by the presence of either a domain or a “creative ID” that is deemed to load unsafe resources, but in many cases the determination is heuristic-based.

In order to normalize the data presented in this blog post, we introduce the concept of an “exposure index”.

Since we are dealing with such a large dataset, it’s untenable to crunch billions of rows of data that account for each individual ad impression or malvertising incident. Instead, we have taken a one-day snapshot of our monitoring volumes by ASN (which is stable day over day) and used this as a baseline in order to establish a ratio that denotes how exposed a network is to malvertising attacks.

For example, an exposure index of 1 is average and an exposure index of 1.01 means that an organization is 1 percent more exposed than average. Please keep this in mind when reviewing the data, as raw blocking statistics can be quite misleading otherwise.
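One way to compute such a ratio, as an added example that is not Confiant's own code. The formula (a network's share of incidents divided by its share of monitored volume), the `min_volume` cut-off, and the sample ASNs and counts are assumptions constructed for illustration.

```python
from collections import Counter


def exposure_index(incident_asns, baseline_volume, min_volume=1000):
    """Return {asn: index}, where 1.0 means average exposure.

    incident_asns   : iterable of ASNs, one entry per blocked incident
    baseline_volume : {asn: monitored ad events} from the one-day snapshot
    min_volume      : hypothetical cut-off; very small networks produce
                      unstable ratios, so they are left unscored
    """
    incidents = Counter(incident_asns)
    # Only ASNs present in the baseline with enough traffic can be scored.
    scored = {a: v for a, v in baseline_volume.items() if v >= min_volume}
    total_volume = sum(scored.values())
    total_incidents = sum(incidents[a] for a in scored)
    if not total_volume or not total_incidents:
        return {}
    index = {}
    for asn, volume in scored.items():
        incident_share = incidents[asn] / total_incidents
        traffic_share = volume / total_volume
        # Assumed definition: share of incidents over share of traffic.
        index[asn] = incident_share / traffic_share
    return index


# Constructed sample data. ASNs 64496-64511 are reserved for documentation.
SAMPLE_BASELINE = {64496: 50000, 64497: 30000, 64498: 20000, 64499: 12}
SAMPLE_INCIDENTS = (
    [64496] * 400 + [64497] * 300 + [64498] * 300 + [64499] * 9
)

if __name__ == "__main__":
    result = exposure_index(SAMPLE_INCIDENTS, SAMPLE_BASELINE)
    # Highest exposure first; AS64499 is absent because its volume is too low.
    for asn, value in sorted(result.items(), key=lambda kv: -kv[1]):
        print(f"AS{asn}: {value:.2f}")
```

In the sample, AS64496 produces the most raw incidents yet scores below average, while AS64498 scores highest, which is the distortion in raw blocking statistics that the normalization corrects.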