A partnership for the ages consummated in just a few hours

Matt Gillis
11 min read · Apr 19, 2019

Winter Is Coming, but things are getting warmer for RTK.io

This week marked the first episode of the final season of Game of Thrones. It’s a show that helped coin the phrase ‘Winter Is Coming.’ The meaning of the phrase is intended to be one of warning, and constant vigilance. No phrase could ring more true with the state of malvertising in the digital media ecosystem at the moment. This is a story of how the stakes have changed, and how one of our partners turned winter into summer in a matter of hours.

Throughout the first quarter, we had been talking with Gareth Glaser, the CEO at RTK.io, about building a partnership together. Gareth’s company is one of the leaders in delivering a platform to publishers to manage Header Bidding, and deliver an outsourced ad operations solution. They deliver a product that is pretty turn-key for publishers — and knowing the impacts that malicious ads can have on publishers’ monetization and their end-users, RTK.io was looking for a solution that would be simple and effective to protect their valued publisher partners.

It was the morning of Friday March 29th. It had been pretty quiet since Presidents’ Day. There had been very few large scale attacks in the back half of the first quarter. But, being the last Friday of the quarter generally means that ad dollars are strong and flowing. Brand advertisers are alive and well. Publishers want to be sure their traffic quality remains flawless to capture the maximum amount of media spend they can with just a few days remaining in the quarter. An email popped into the inbox — and it was Gareth. It was time to get cracking. RTK.io was ready to partner with us — but there was a sense of urgency. Not only did we need to get a contract complete, but Gareth wanted to see if we could do that, and also get a few of their publisher partners protected before the weekend. Did I mention it was 2pm on Friday afternoon? By 5pm, we had executed an agreement, put protection in place with 3 separate publishers, and were actively behaviorally analyzing and protecting RTK’s customers. Three hours from email contact, to contract, to code on page, to protection. Why was there so much urgency? Very quickly post launch — our dashboard answered the question.

Houston, we have a problem.

After spending 8 years helping publishers drive monetization success across desktop, mobile, and video — I now have an incredible lens to see some of the most destructive threats that impact the ecosystem we helped build. At one point years ago, I thought malicious ads might just be a fad. An annoyance. They would go away (I would hope). We could raise floors and beat it that way. We could create a demand whitelist of ‘only the good guys’ (assuming we know who the good guys are). We could sandbox. We could use safe frames. We could catalog and block offending URLs. Everything we tried worked — until it didn’t. The cat and mouse game was alive and well. But, we were bringing knives to gun fights. The ‘bad guys’ were only getting smarter, and more well funded. And unfortunately, as it turned out, it was not a fad. The problem is not going away. Malicious ads are here to stay. It’s about time everyone gets serious about it.

I’ve been fortunate to be serving as the CEO of Clean Creative now for the last three months. Our company delivers a powerful SaaS solution which conducts behavioral analysis to eliminate malicious ads on live traffic in real-time, preventing publisher revenue loss while ensuring a flawless experience for the end-user. Most importantly — we have always felt that if the solution was to be market leading, we needed to make the exploits of these bad actors unprofitable, which we have done.

After walking many miles throughout my career as a publisher, and as an operator of one of the largest supply-side platforms, I was eager to be able to take a step and sit behind the curtain. Eager to understand how and why people want to bring down this thing we’ve built up. Eager to lead a company that has a technology solution that the market absolutely needs. The lens I now have gives me total clarity to the problem — but more importantly, a better idea of how we need to solve it, and who is responsible to solve it. The short answer — it will take all of us.

There’s no reward, and it isn’t authorized by Facebook.

You’ve probably experienced it — “you’ve won an Amazon gift card”, or “Congratulations for being a Verizon user”…but you didn’t click anything. It just took over the screen of your mobile phone, and it ruined your experience. The landing pages look real — just like the Verizon Facebook page you see above. But, this isn’t Verizon doing marketing — it’s malware! The back button doesn’t work, and you can’t get back to the page that it happened on. Frustration sets in. And remember, you work in this industry! Imagine how Jane End-user feels when this happens. And it is happening far too often lately. Malicious ad redirects are one of the most prevalent and palpable types of Malvertising. They destroy the user experience, and significantly negatively impact publisher monetization.

The last time I blogged on this topic, it was Presidents’ Day weekend. Historically, the bad actors strategically executed their attacks when no one was watching. They would wait until evenings and weekends when ad ops professionals were not sitting at their desk. Generally a holiday weekend was a ripe time to conduct an attack. Attacks like the one on Presidents’ Day weekend generally lasted 2–3 days. They would come, and they would go. And soon, they would pop up again just like a game of Whac-A-Mole at the State Fair. Lately, the bad actors seem to be much bolder than before. Persisting. Sustaining. And pressing the gas like we have never seen before. The data below tells that story.

Elevated threat levels are sustaining longer and hitting highs that are exponentially higher than ever before.

This chart represents the number of aggregate threats prevented on our Threat Network over the last two weeks. As you can see, the first few days of April were quiet. But it quickly changed on the first weekend of April. We have seen a sustained elevated threat level now that has lasted for the last 11 days. We are living in a new world. One that requires vigilance. One that requires speed. One that requires effectiveness. One that requires simplicity. One that requires all of us to think differently than we have in the past. This time, it’s different.

Let’s take a step back and look at how the data has changed over time. As folks say — a picture tells a thousand words.

Clean Creative Threat Network activity during Presidents’ Day week (February 13–18, 2019).

The above line graph represents the top 10 unique threats that were attempting to attack our Threat Network during the week of Presidents’ Day in February 2019. As you can see, some blips early in the week, and some sustained attacks over the weekend. While there are 10 lines in this graph — it is really only two that stand out (blue and green). These two unique campaigns attempted to do plenty of damage to the ecosystem that week, with the others in the top 10 simply running at low levels to evade detection.

Clean Creative elevated Threat Network activity from March 24 to March 29, 2019.

The above graph shows a different date range — this time, we are showing the last week of March. Obviously, the image looks quite different than Presidents’ Day. Leading up to the weekend, you can see quite a few unique threats probing and preparing to attack. A significant surge on March 29th is noted by the emergence of a new threat that had not been seen prior in the week. Lastly, look at all the vibrant colors. More visible threats from more sources. It looks like the bad actors have readied more weapons, and in more places. It is important to note that these attacks aren’t coming from a single source, a single campaign, or a single SSP or DSP. The folks conducting these attacks are highly sophisticated performance marketers that have plenty of resources behind them. They have spread themselves widely throughout the ecosystem.

Clean Creative Threat Network activity from April 1 to 16th.

The chart above represents the top 10 threats for the first seventeen days of April. Kind of looks like a rainbow doesn’t it? You’ll notice that the beginning of the month was quiet for the first three or four days. On the 5th of April, we started to see some acceleration leading into the first weekend of April. Normally we would expect these to die down after a few days, but on Monday the 11th you can see a whole host of new threats driving malicious activity. As old ones get shut down or go dormant, new ones begin (and accelerate). This is the ‘new world’ I am referring to. As I said earlier in the post, Wednesday marked the 11th day of a sustained elevated threat level. The ecosystem is feeling it, consumers are feeling it. And if you haven’t taken appropriate action to protect your business and your users — there is no better time than now.

The dashboard wasn’t lying. Yes — 53.36%. RTK.io’s publisher threat level in the first 24 hours post launch was over 50%. This means that malicious ads attempted to hijack over 50% of all of their publishers’ page views. To put that in perspective — prior to our protection being in place, fifty percent of the users were having an incredibly bad customer experience. But not only were their users suffering, their monetization was being significantly negatively impacted as well. Users who are being redirected are users who aren’t engaging with content, and therefore aren’t viewing ads.

Effectiveness defined — threat attempts decrease over time as ‘bad actor’ exploits are deemed unprofitable.

Our solution is the only solution in the industry that truly makes malvertising unprofitable for the bad actors. While other competitor solutions block URLs, ours blocks the malicious actions. While other competitor solutions block revenue, ours enables revenue. With our solution, the bad actors buy the ads and we simply display the creative that they have had approved — usually a simple McDonald’s or American Express ad that the bad actors have stolen from the internet. By doing this, we force the bad actors to make a financial investment. And because we prevent the malicious actions from happening, the user doesn’t end up being redirected to a “You’ve won an Amazon Gift Card” landing page. Since this is prevented, the bad actor gets zero engagement from their media buy — and they in turn decide to not spend on the media properties that they can’t get conversions on. This is a significant difference in the market — with our solution, it doesn’t necessarily look like there’s an anti-fraud solution in place that the bad guys now need to reverse engineer — it looks like the publisher doesn’t perform for their campaigns. So they stop buying. Organically. The image above represents the first three days of data on the RTK.io account of the aggregate threats prevented. As you can see, the bad actors have quickly decided to take their exploits away from RTK’s publisher partners and move their exploits onto sites that are not protected by Clean Creative. We think it’s a novel approach to a complex problem that has been plaguing the ecosystem for years.

The bad actors give these properties another try, and again retreat as their exploits are unsuccessful.

But the story with Gareth and the team at RTK.io doesn’t end that weekend at the end of March. As I indicated earlier, April has been the most active month we have seen in our existence. And while we have seen sustained attacks at the Threat Network level for the last 11 days, each publisher sees unique malicious behavior on their properties. In the chart above you can see RTK.io’s publisher partners experienced sustained attempted attacks for a four-day period from April 6th to 9th — with a peak on Saturday April 6 with close to 500,000 attacks prevented in a single day. But after a few days of attacking and experiencing zero ROI, the bad actors again take their malicious exploits elsewhere to sites and apps that are not protected by Clean Creative. Beyond that, some light probing here and there where the bad actors are always testing out new ways to penetrate our protection. This sort of probing will never cease. It’s like burglars driving up and down streets looking for homes with no lights on and no security system signs. They might not break in, but they are looking for who is home and who is away.

We are really proud of the partnership that we have been able to build with RTK.io. If you want to understand why Gareth and the team at RTK.io chose to partner with Clean Creative, just ask him. The numbers speak for themselves. But, there are also lots of similarities in the DNA between our companies. We are both startups, smart, and scrappy. We want the industry that we built to be Clean. And we want to challenge each other to make the ecosystem that we work in better for all constituents. It works, and it feels right — exactly the way a partnership should be.

So, welcome to the ‘new world’. Bad actors are getting smarter. They are acting in a different and more sustained manner than we have ever seen. The complexity and the sophistication of their attacks are leveling up. The current heights of malicious activity are almost three times that of the activity we saw on Presidents’ Day weekend. For many publishers, Presidents’ Day weekend was a five-alarm fire. Not sure what I would call the current fire, but it is bigger than ever. Fortunately, for our partners — they are protected, and making money from these bad actors. Hitting them in their wallets. Where it counts.

I said earlier that it is going to take all of us to solve this challenge. Think about it — the more publishers that are protected by Clean Creative, the fewer places the bad actors have to conduct their exploits and derive profits. Join Gareth and the other thousands of sites and apps that have chosen to make their marketplaces Clean. We’d love to help you write your story, just like we did with Gareth. We are headed into another holiday weekend. Don’t hesitate to reach out to me at matt@cleancreative.io if you are experiencing issues. We’re here to help, and maybe we can break the record for fastest customer onboarding that we set with Gareth and team a few weeks back. We’re up for the challenge!
