How Malvertising Shapes Behavior and Threatens An Industry: A Q&A with Yuval Shiboli, GeoEdge

In February, the FTC reported that U.S. consumers lost $8.8 billion to scams, many of which occurred online. The volume of scams is up 30% over 2021 and is 70% higher than it was in 2020. The surge in malvertising has been a source of concern for Yuval Shiboli, Director of Product Marketing at GeoEdge.

From 2022 to 2023, his company monitored and analyzed billions of live advertising impressions across premium websites, apps, and SSPs to assess the overall ad quality in today’s digital ecosystem. The results, published in GeoEdge’s Q1 Ad Quality Report are worrying, which is why Yuval is sounding the alarm.

The results show that scammers changed tactics around 2020, shifting from using auto-redirects to lure users to malicious domains, to relying on clickbait ads to take them to these destinations.

Yuval is concerned that if the industry doesn’t make a serious dent in malicious ads and malvertising, consumers will cease to click on ads and even cut back on their online news consumption — developments that will have far-reaching ramifications for the industry and society as a whole.

To understand the extent of the problem, we asked Yuval about GeoEdge’s most recent Ad Quality Report.  

How Malvertising Shapes Behavior and Threatens An Industry

AdMonsters: Your report shows a significant uptick in malicious and clickbait advertising since the first of the year. Can you explain why that is?

Yuval Shiboli: I think we can thank the recession and its impact on market expectations for that. With advertisers cutting back their ad spend, floor prices are dropping, publishers are accepting lower bids, which is causing the average CPM to decrease.

This phenomenon leads to a greater volume of low-quality ads being placed in publications, as there is a strong correlation between the price and quality level of advertising.

Additionally, now that some SSPs are loosening their tight grip on advertisers, it’s easier to enter the market with new scams and tactics.

AdMonsters: Of all the impressions that are filled with ads, what percentage of those ads are scams or malicious?

Yuval: It depends on the country. In the US, it’s one out of every 170 ads. In the UK it’s one out of every 140.

AdMonsters: Wow, I thought it was one out of a thousand or so.

Yuval: You’re not alone. Most people in the industry believe the same, but the problem is much more severe.

87% of Clickbait Ads From Just Two SSPs

AdMonsters: Your report says that 87% of the clickbait ads you’ve measured stem from just two SSPs. Are publishers aware of where these ads come from?

Yuval: If they work with an ad security solution they’ll be able to see exactly how each SSP performs, and which ones deliver the most clickbait ads and malvertising. Those ads won’t be displayed, of course. But they should take that data to the SSP and ask them to address it. 

GeoEdge relays ad quality data to SSPs, but the amplification of our collective voice is bound to compel SSPs to take action.

AdMonsters: Are the SSPs responding to your reports?

Yuval: Some are, some aren’t. Again we see a strong correlation between performance and response. The platforms that don’t pay attention to the reports deliver the most low-quality ads.

AdMonsters: As the largest SSP in the market, how does Google fit in the uptick of scams?

Yuval: Everybody on both the sell side and buy side works with Google, and everyone assumes that its platforms are clean and safe. We’ve found the opposite is true, and that of all the SSP providers, Google is the least motivated to block bad ads. Now that so many SSPs have left the market, no one can stop working with them, and they know it.

...of all the SSP providers, Google is the least motivated to block bad ads.

I just read Google’s 2022 Ad Quality Report, in which they reported for the entire year they blocked 5.2 billion ads, which sounds like a lot. But read the fine print, and we learn that most of those ads are blocked for reasons such as copyright infringement or third parties using trademarks they’re not entitled to use. On one page of the report, however, we see that Google blocked just 4.5 million ads for malicious or unwanted software. We know that hundreds of millions of such ads are served. If Google did more to stop such ads, we could spare the consumer a lot of pain.

Misleading Product Offers Most Notorious Clickbait

AdMonsters: What are some of the clickbait ads you see most frequently?

Yuval: There’s a section in the Ad Quality Report where we detail the top five scams that we block. The most frequent are misleading product offers, such as fantastical financial offers. This time last year the scams were all about crypto, but they are less so now. Now we’re seeing ads promising medical transformations, such as hair regrowth, that type of thing.

Celebrity endorsements are another common tactic. These ads will say things like, “See what Elon Musk invests in,” in order to lure people into a scam investment.

AdMonsters: Why are these obviously fake ads getting through the SSPs?

Yuval: The successful scammers use fingerprinting and cloaking to ply their craft. Ad cloaking is a sophisticated camouflage technique that scammers use in the programmatic ad environment to hide malicious creatives and landing pages. With cloaking, scammers only expose scam ads after their campaigns have been scanned by the SSP and deemed safe. 

The fraudsters are very selective in who they show their malicious ads, looking for users who are scam-worthy, meaning there is no security detection software in the environment.

AdMonsters: The report talks about luring people to malicious destinations. Explain this scam.

Yuval: These are ads that typically involve fake celebrity endorsements that lead users to a page that’s designed to look like a legitimate site, such as People magazine. For instance, scammers these days are using fake Kevin Costner endorsements for a range of products, such as CBD gummies. The user clicks, is taken to a malicious page, and enters his or her credit card information for a product that never arrives.

AdMonsters: According to your research, forced browser notifications are one of the most frequent techniques to scam users. How do they work?

Yuval:  These types of scams exploit push notification functionality, which itself isn’t inherently bad. Forced browser notification scams occur when a user clicks on the scammer’s ad and is taken to a landing page but in order to access the content, the user must click “allow.” Most people don’t understand what it means to allow a site to push notifications to their browsers, so they click. Once they do, it opens a gateway for the scammer to push all sorts of notifications to the user, such as a popup saying that a virus has been detected on their computers.

How Publishers Can Keep Scams Off of Their Sites

AdMonsters: How can publishers keep such scams off of their sites?

Yuval: First, the SSPs need to test campaigns on a continuous basis so that they are prevented from purchasing inventory to begin with. And publishers need to look at the entire ad experience, meaning the ad and the landing page to which users are led.

AdMonsters: Who is responsible for combating these types of scams within the publisher’s organization?

Yuval: It typically falls to the AdOps group, which is responsible for monetizing the site and generating revenue. Typically we don’t see a position like a “fraud czar” or something like that. The AdOps people we’ve spoken to are highly frustrated because they don’t have the tools to fight malvertising effectively or to even tie back bad ads to the SSPs that sold them. They spend a lot of time optimizing revenue, A/B testing, and trying new SSPs, but then they hear about a malicious ad from the editorial team and they’re at a loss as to how it arrived on their sites or how to prevent them.

AdMonsters: Are there tools to prevent malicious ads, and to verify that the landing pages aren’t full of malvertising?

Yuval: Yes, of course, and the strongest ones are those that can detect scams after a user clicks on the ad, a functionality that is critical now that the majority of scams occur post-click. But publishers must be willing to pay for them. They need to hear from their users that malvertising and malicious ads are spurring distrust in online news.