Yesterday’s Malware Solutions Won’t Solve Tomorrow’s Problems

In Steven Spielberg’s 2009 sci-fi hit, Minority Report, police employ the psychic abilities of clairvoyant “Precogs” to stop crime before it happens. And while the predictive law enforcement program nearly eliminates premeditated crime, it struggles to resolve crimes of passion in time to save the victims.

In the realm of publisher monetization, ad ops teams have been fighting a similar uphill battle in their efforts to tackle the criminal actions of malvertisers.

The Rise of Malvertising and Predictive Solutions

By various accounts, the meteoric and profitable rise of malvertising from 2017 to 2019 equated to over $1 billion in lost revenue for publishers each year.

WITH THE SUPPORT OF Clean.io

In the beginning, the code used for fraudulent redirects was simple and often went undetected until it was just too late. The publisher lost out on the revenue and the user got a bad experience (or worse) — while malvertisers lined their wallets.

Publishers soon grew wiser to these threats and flocked to what were, in essence, their own Precog (“real-time”) solutions, which allowed them to identify when and where a bad ad was about to happen and stop it in its tracks.

By conducting post-mortems on the malicious ads that made it through their defenses, publishers and anti-malvertising vendors were able to develop lists of red flags that they could use to identify future malvertising attacks, either via pre-scanning or blocklisting, and stop them before they happened. While the tools were helpful for identifying and blocking known threats, they were unable to spot new or novel threat types and automatically determine whether they should block the ads from running.

A good decision meant a bad ad was successfully blocked, while a bad decision meant a good ad was never filled.

As in Minority Report, these solutions eliminated only the attacks that resembled previously identified malvertising patterns. They left the door open for criminals to maintain their profitability with a more sophisticated approach, trading high-volume, constant advertising attacks for less predictable, low-frequency ones, often capping the instances per publisher.

“Malvertisers realized their accounts would be shut down the moment they started blasting out their ads, so they began coming up with better techniques to hide in plain sight,” says Alexey Stoletny, CTO, Clean.io. “Malvertising isn’t gone. It’s just buried – much like a needle in a haystack – within a larger volume of non-malicious creatives or spread out in a way that makes it harder to detect. This more measured approach has enabled many malvertisers to evade detection by pre-scanning and blocklisting tools.”

Clean.io’s Q2 2021 Summary of Malicious And Reputational Threats (S.M.A.R.T.) report cites short-duration campaigns as just one of the ways malvertisers have been getting more creative and extreme in their execution of attacks.

And so the cycle continues, each side improving their strategies and tactics daily to win the malvertising game.

Except that for the publisher, winning isn’t winning at all. And for malvertisers, losing isn’t losing.

Who’s Really Footing the Bill for Malvertising Prevention?

The cost of preemptively identifying and blocking bad ads falls solely on the publisher. And because this approach often means that blocked ads don’t get filled at all, revenue cannot be recovered.

Malvertisers, on the other hand, don’t stand to lose a thing – their ads simply don’t get served and they deploy the same code again in different ways.

“This goes to the heart of the issue. Malvertisers don’t have a reason not to come back and try again,” says Kathleen Booth, CMO, Clean.io. “If a bank robber could break into as many banks as they wanted without fear of prosecution as long as they didn’t actually steal anything, they would keep attempting to break in until they found a bank with plenty of money in it. Publishers need to be the bank that makes the robber pay for the unsuccessful break-in. That’s the only way to keep them from coming back.”

“The Best [Malvertising] Defense Is a Good Offense”

According to Booth, the industry has now reached a tipping point at which the focus must shift away from eliminating the problem of malvertising and toward putting systems in place that deter fraud by letting malvertisers know that these crimes are not worth the time or the effort to commit them.

The solution is not about reacting to the problem in “real-time,” as most anti-malvertising vendors will tell you. Instead, it’s about empowering publishers with tools to move beyond pre-scanning and blocklisting and toward the use of a “behavioral graph” that dynamically identifies both known and novel malicious ad attack patterns as the ad renders. This way, publishers can fill the ad and protect the user experience, but at the fraudster’s expense.

“Hard work and good tools beat the smarts here,” says Stoletny.

Having staff dedicated solely to the issue of ad monitoring is just one part of the equation. Considering that malvertisers commit all their time to getting bad ads out there, publishers without highly skilled, highly paid employees dedicated solely to the issue are already at a disadvantage.

For the best outcomes, Clean.io recommends a combination of dedicated staff and the right anti-malvertising technology partner that:

  • Still allows you to execute on your own KPIs. Your partner should be able to provide details on how they will preserve your revenue and how they will measure effectiveness.

  • Bases their ad blocking decisions on a larger number of data points. The more data points they have in their ‘decision engine’, the less likely they are to make the wrong decision. Furthermore, they should be able to prove what they blocked and why.

  • Provides coverage for as many impressions as possible using real-time discovery. Many existing anti-malvertising tools employ real-time blocking based on blocklists that are obtained by manually scanning just a small percentage of the total impressions.

After all, making the wrong decisions in ad blocking can be as costly as not acting at all.