How Can Pubs Protect Their Sites and Audiences From Bad Actors? Q&A With clean.io CEO Geoff Stupay

Cyber threats and crimes are on everybody’s minds these days.

In early March, the Federal Cybersecurity & Infrastructure Security Agency (CISA) encouraged businesses to shore up their cyber security. Meanwhile, Juniper Research warns digital ad fraud and malvertising will cost the industry nearly $68 billion in 2022. 

But does that mean that all publishers are destined to lose substantial sums to nefarious players? Or are there steps they can take to stem those losses and protect their readers and their reputations?

To find out, we sat down with Geoff Stupay, Co-Founder and CEO of clean.io, a company that’s on the frontline of battling cyber threats, malvertising and digital ad fraud.

Susie Stulz: President Biden is warning about cyber attacks and other threats. Should we be more worried than, say, three months ago?

Geoff Stupay: I don’t think we need to worry more — or less — in terms of cyber attacks and bad actors in the environment today. Fear can be paralyzing if you think about it all the time.

The reality is that we need to approach threats from an alert level, meaning continuous vigilance and looking one step ahead of nefarious actors. World events can elevate alert levels, but they don’t change what we do on a daily basis, which is constant monitoring and hypervigilance.

SS: What kinds of threats do publishers face today?

GS: We’ve identified about 27 different varieties of threats, ranging from a standard redirect — think of the Amazon gift card or Update your Adobe Player scams, which hide in plain sight — to product-level scams, which have spiked over the past few months. 

Product-level scams have multiple forms. They can trick people into investing in a dream, such as a unique opportunity to invest in a hot company like Tesla or Netflix, or they can offer a product that the purchaser never receives or isn’t what was advertised. We refer to that as a malicious landing page.

In terms of digital ad fraud, there are a range of scams that aren’t visible to the naked eye, such as invisible ads that are stacked onto legitimate ones, enabling bad actors to receive payment for displaying ads that aren’t seen by real people, or conversions they didn’t drive. These scams are at the intersection of malvertising and IVT.

SS: It seems as if bad actors have an endless amount of time and motivation to apply their trade. How can publishers protect the readers and their reputation from such scams?

GS: You’re exactly right: scams are profitable and bad actors are extremely well resourced, making it difficult for publishers to defend against them.

The key is to have an intelligent technology stack in place that can detect and evaluate threats in real-time. Partnerships are useful here, and we recommend publishers work with a partner that can spot and evaluate new threats as they emerge and provide real-time protection. 

I also recommend publishers get to know their sites intimately via clear logging, and to establish metrics that tell them when anomalies on their servers occur. This way, if they see a change, they’ll have the details their vendors need to dig into the problem. 

And it’s a good idea to keep an eye on social media to see if readers are complaining about malvertising or scams on your site. If they are, you’ll need to investigate it immediately.

SS: What are some of the things you wish publishers would do to protect themselves and their readers but aren’t yet doing today?

GS: The first is to stop assuming that if they had issues with their sites, their users would report them. This assumption leads publishers to believe they don’t need proactive security systems, which, in turn, makes them inherently vulnerable to bad actors who are constantly probing websites for vulnerabilities.

Second, I’d like to see publishers willing to challenge the status quo that says a certain level of malvertising or threats is unavoidable, which somehow makes it tolerable. We shouldn’t accept “good enough” when it comes to preventing malvertising and fraud. If you see something, say something to your security vendor. 

As an industry, we are always pushing the boundaries from an R&D perspective, and we need publishers to share what they see, no matter how small or inconsequential it may seem. Give us the chance to figure out what’s going on. It’s this level of sharing that leads to the next generation of threat detection.

This ties back to what I said earlier about having clear logging and metrics on your site. Google Analytics can tell you if user sessions are being dropped or if your RPM per session is on the decline. If so, that may be a problem and we want to investigate it, with an eye to developing a preventative mechanism to address it.

SS: As a leader in the space, what keeps you up at night? What worries you most?

GS: I don’t really lose sleep because I’m worried about a specific bad actor. That hasn’t always been the case, but today we have an incredible threat team that’s always pushing the boundaries to stay ahead of the bad guys.

Where I spend most of my time is figuring out how to continue to push protection deeper and wider, which isn’t easy to do. Basically, we need to predict where these scammers might go and where they might iterate.

At the end of the day, it’s a matter of staying vigilant and sticking to a process that allows us to identify new threats — and solutions to them — faster. So what really keeps me up at night is creating and fine-tuning our processes.

SS: What motivated you to found clean.io in 2017? What was missing that made you say, we need to solve this problem?

GS: I was in the publisher space for over 10 years, and relied on header bidding to optimize our revenue. All of the companies I worked with had multiple tools to verify demand, and yet we still continued to struggle with bad ads. I realized an additional approach to scanning was needed.

Here’s why: Bad actors know that their ploys need to survive multiple scans in order to get their ads on a publisher’s page. They’re smart, they’re technically astute, and they’re well-capitalized, which means they’re able to develop ways to evade scanners. They deploy scripts that tell them if they’re in a sandbox environment and therefore subject to detection, and they’ll know to shut off the bad action they’re designed to take. 

To catch these scams, we need to look at real traffic on real instances of ad serving and generate alerts when something violates our threat model.

This client-side approach was the missing piece that the industry needed. A solution needed to be built that ran in real-time, on a real end-user device. One that wasn’t scanning creatives offline or in a sandboxed environment. So, clean was born out of an industry need to be more effective, efficient, and simple. 

SS: So what you’re saying is that while the threats are ever-present and ever-evolving, vigilance can keep them at bay?

GS: Absolutely. The bad guys are smart and motivated, but so are the good guys. And when we work closely with publishers, we can keep them safe.