The Dangers of Digital Advertising

Josh Begleiter
Published in Tales of Tech, Sep 24, 2017

In the Internet age, publishers have moved from the world of offline to the world of online in droves. This has fundamentally changed the way we interact with publishers, engaging with content rather than simply reading it. At the same time advertising has changed to accommodate the leap in visitors, to target them by extrinsic as well as intrinsic features. An entire ecosystem of many moving parts has sprung up around advertising to satisfy this ever-increasing need to serve targeted advertising, with publishers as the sellers of ad space (selling inventory) to interested buyers through a series of middle-men and data-enriching technologies with which this crowd is well-familiar. With this have come serious impacts on consumers in terms of safety, privacy, and security.

The most serious of these concerns for publishers, and the most directly impactful to consumers, is malicious advertising. Malvertising, as it is known in industry, has wormed its way into programmatic advertising (and even direct buys), impacting all publishers from the smallest to the largest. This is far from the only type of fraud in our industry; others include bot traffic, creative stuffing, creative laundering, cookie stuffing, imposter sites, and generally shady ad buying practices, by SSPs in particular.

Programmatic buying has opened the door for anyone to buy ad space on a publisher site, and if you’re not one of the top publishers in the world, taking in a significant amount of revenue from private marketplace and guaranteed media, then you likely have a series of partners that you work with to place advertising on your site from all different sources. This requires constant vigilance, working directly with these partners to disable bad advertising, like inappropriate content. Bad actors seek to get your customers to download malware, or to redirect them automatically to scam and phishing sites. Some bad actors target your consumers more specifically, and use targeted, well-designed ads to do their own lead gen, harvesting consumer emails or other information directly from your website. Even with safe frames, even with bounties, malvertising is still incredibly prevalent, with attackers becoming more and more sophisticated.

In some ways this feels like a cold war: publishers are looking for malvertising as it appears on their properties, just as an antivirus looks for viruses as files appear on your computer. Vendors have popped up in an attempt to fill this gap, like The Media Trust, which is effectively crowd-sourcing malvertising sources, RiskIQ, which constantly scans your ad tags to see what might pop up, and GeoEdge, which scans your properties looking for signs of malicious activity. Google in particular does this in-house, approving every creative on the advertising side and alerting publishers on the property side as to bad behavior. Unfortunately, there are no vendors that specialize in ad fraud that are MRC accredited. MRC accreditation is the gold standard for advertising, but to date it has focused on non-human traffic/bot detection (another highly prevalent issue) rather than malvertising, protecting advertisers and ad buyers more so than publishers and inventory sellers.

However, to defeat attackers, we must first understand how they find their way onto our websites to begin with. When an SSP goes to buy advertising on behalf of the publisher it doesn’t necessarily care what ad it’s buying. There are tons of SSPs and some farm out large portions of their inventory buying power to whoever is willing to fill that ad space. Keep in mind that these companies are all paid for arbitrage (at every step of the process), and if they don’t fill an ad then they don’t get paid. SSPs may be buying traffic from other SSPs, and on and on, so long as they can satisfy the bid request from start to finish within 100ms.

This allows bad actors to buy from a ton of sources, switching as often as needed. As a result publishers can’t block certain SSPs or even exchanges or DSPs, because the bad guys can just switch where they’re coming from. This is estimated to cost publishers $1–2B each year (billion, with a B) in the US alone, which, to be fair, is in part due to consumers using ad blockers (~71% of this), and in part the cost of malvertising incidents (~18.5% of this), as opposed to lost revenue due to the malvertising itself (~10.5%). I think we’re all hoping Google’s Chrome updates will mean fewer consumers installing ad blockers, creating a healthy balance between the advertising that fuels the web and consumer vexation, specifically regarding pop-up ads, prestitials, and more of the most intrusive forms of advertising, but that’s neither here nor there.

While we wait for the industry to mature, malvertisers are taking full advantage, recognizing that there is a closing window for doing this at scale. To maximize profits they are running ads that circumvent all attempts at detection (both in banners as well as video ads) to redirect consumers through a half-dozen affiliates (getting paid at each step) and onwards to spam or phishing endpoints. They are likely being paid for every landing page visit to these spam or phishing sites, which are taken down and pop back up again under a new name sometimes as often as hourly. They are able to switch their entire buying process from SSP to DSP, taking advantage of the many self-service products now available on the market. Some have gone so far as to set up custom infrastructure on AWS and Google Cloud Compute that will redirect consumers based on flags in their cookies that have already been set. As a result, a consumer may see four or five legitimate ads before being sent to a phishing or scam website, making it nearly impossible to detect early.

Most recently publishers, SSPs, exchanges, DSPs, and vendors have begun to come together to form groups to combat these sorts of issues (like TAG, the Trustworthy Advisory Group), which has laid out plans for information sharing, bot block lists, and a grander scheme to track the purchase of inventory between buyer and seller at each step in the chain. This would allow publishers to identify and eliminate bad links in the chain more quickly, and, more importantly, cut off the cash flow of bad actors.
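To show why per-hop tracking helps when attackers keep switching entry points, here is an added example (not from the original post, and not TAG's actual scheme) that ranks intermediaries by how often they appear in flagged impressions. The record format and all party names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: each impression records its resale hops as
# (seller, buyer) pairs starting at the publisher, plus whether the
# creative was later reported as malvertising. All names are hypothetical.
IMPRESSIONS = [
    {"id": "imp-1", "malicious": True,
     "chain": [("pub", "ssp-a"), ("ssp-a", "reseller-q"), ("reseller-q", "dsp-x")]},
    {"id": "imp-2", "malicious": True,
     "chain": [("pub", "ssp-b"), ("ssp-b", "reseller-q"), ("reseller-q", "dsp-y")]},
    {"id": "imp-3", "malicious": False, "chain": [("pub", "ssp-a"), ("ssp-a", "dsp-z")]},
    {"id": "imp-4", "malicious": False, "chain": [("pub", "ssp-b"), ("ssp-b", "dsp-z")]},
    {"id": "imp-5", "malicious": False, "chain": [("pub", "ssp-a"), ("ssp-a", "dsp-z")]},
    # Gap in the record: the buyer of hop 1 is not the seller of hop 2.
    {"id": "imp-6", "malicious": False, "chain": [("pub", "ssp-c"), ("ssp-x", "dsp-z")]},
]


def chain_is_continuous(chain, publisher="pub"):
    """True if the chain starts at the publisher and every hop's buyer
    is the seller of the next hop (no untracked resale in between)."""
    if not chain or chain[0][0] != publisher:
        return False
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def rank_parties(impressions, min_seen=2):
    """Return (ranked, broken): parties sorted by share of flagged
    impressions they took part in, and ids of impressions whose chain
    could not be followed end to end."""
    seen, bad, broken = Counter(), Counter(), []
    for imp in impressions:
        if not chain_is_continuous(imp["chain"]):
            broken.append(imp["id"])
            continue
        for party in {buyer for _, buyer in imp["chain"]}:
            seen[party] += 1
            bad[party] += imp["malicious"]
    ranked = sorted(
        ((bad[p] / seen[p], bad[p], p) for p in seen if seen[p] >= min_seen),
        reverse=True,
    )
    return ranked, broken


if __name__ == "__main__":
    ranked, broken = rank_parties(IMPRESSIONS)
    for rate, hits, party in ranked:
        print(f"{party:12s} flagged in {hits} impressions ({rate:.0%} of its traffic)")
    print("untraceable chains:", broken)
```

In the sample, the flagged ads enter through two different SSPs and exit through two different DSPs, so blocking any one of those misses half the incidents; the shared intermediary only becomes visible once every hop is recorded.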

The ad tech ecosystem is one of the most complex in the world, and it seems to grow more complex every couple of months (e.g., the advent of header bidding). I’m hoping that in the future the industry catches up to this many-year-old problem in a way that’s satisfying to publishers without having a negative revenue impact all its own. I have a healthy skepticism about the industry’s ability to execute, with technology advancing far faster than best practices. Many sites (including AdAge, and even the MRC itself) haven’t implemented SSL, the most basic form of protection for consumers. The future of ad tech security may lie in partnerships, or it may lie in technology, or both (there are certainly plenty of views, mostly contentious, around the use of blockchain in ad tech, as an example). Whatever the future holds, we have a long way to go in an uncertain direction to arrive at a destination with protection for both consumers and publishers. Until then, publishers will have to remain relentlessly watchful.

Do you have questions about ad tech, digital advertising, malvertising, or other related topics? Let me know! I’d love to hear from you.

Josh Begleiter
Tales of Tech

Senior Manager, Engineering @ Salesforce, Full Stack Developer, Tech Writer, Husband, Father