Jun 14, 2019

Evolution of mobile redirects: Three new exploit types

Pesky redirect ads continue to plague the advertising ecosystem, infuriating ad ops teams and consumers alike. In fact, Ad Lightning typically sees over 350 different threats plaguing the system every day.

The good news is that blocking solutions have been widely adopted by both publishers and platforms in an effort to stop bad ads. As the technology evolves, fraudsters continue to look for ways to hide their nefarious behaviors and circumvent various protections.

Recently, we've identified three new ways that fraudsters are evading detection:

  1. Redirects are hidden within iframes. The nature of the way programmatic ads are transacted, iframes are commonly used by SSPs to deliver creative. Sometimes, when there are multiple players in a transaction, there can be multiple iframes. Often, on-page solutions can't see into multiple layers of iframes, allowing fraudsters to exploit loopholes simply by hiding themselves in an iframe.
  2. Utilizing timeouts. Fraudsters know that some blocking solutions are 100% dependant on intercepting document manipulation methods to stop redirects. While this is a good practice, it can be easily exploited by fraudsters using functions like "setTimeout " to delay their scripts. Or wait for events like "onBlur" to trigger the behavior on user action

    Here's an example:
        <body marginheight="0" marginwidth="0">
        <input autofocus="" class="_xmy9hcrid1_" onblur="javascript:try{if(navigator.userAgent.indexOf('OS 12_')!=-1){setTimeout(()=&gt;{top.location.href='https://www.fxber.com/track/7586a53b-413a-4580-b05f-e1ecb2abeeab?siteid=60a17756c0f253d3c106cc17e9a69a1b&amp;var1={sitedomain}&amp;var6=60a17756c0f253d3c106cc17e9a69a1b&amp;var5=1';},0);}else{window.open('https://www.fxber.com/track/7586a53b-413a-4580-b05f-e1ecb2abeeab?siteid=60a17756c0f253d3c106cc17e9a69a1b&amp;var1={sitedomain}&amp;var6=60a17756c0f253d3c106cc17e9a69a1b&amp;var5=1');clrinx90(0);clearInterval(window.itvid0);};}catch(e){};" style="width:0px;height:0px;border:0px;" type="text"/>

  3. Sandbox security exceptions. Sandboxing has been known in the industry as a DIY way to counter many types of mobile redirects, providing smaller sites with an easy, cost-effective solution to prevent bad ads from plaguing users. While it still provides a good backstop for some kinds of redirects, the sandbox spec itself isn't 100% clear, nor is it implemented in a standard way across all browsers. As a result, malicious actors have identified security exceptions where sandboxing doesn't work and developed methods to exploit this functionality and redirect the page.

Here's how to make sure you're protected against these threats:

  1. It's important to confirm with your ad security provider that your solution inspects code delivered within an iframe, especially deeply embedded iframes.
  2. Ensure your partners utilize multiple detection methods to stop bad ads.  This is often a combination of a blacklist as well as intercepting document manipulation. 
  3. Don't strictly rely on safeframes or sandboxing to protect your site.
Read More

Jun 12, 2019

Key Takeaways from the Taking Malvertising Fight Upstream Fireside Chat at AdMonsters' Programmania 2019

At AdMonsters’ 2019 Programmania conference our CRO Kate Reinmiller participated in a “fireside chat” with one of our clients and AdMonsters’ Editorial director. Take a look at Kate’s key takeaways from the panel.

By Kate Reinmiller

On Monday June 3rd, I had the privilege of participating in a “fireside chat” at AdMonsters' Ops 2019 conference with our client Connie Walsh, Senior Director of Advertising Operations at Legacy.com. The discussion was moderated by Gavin Dunaway, AdMonsters Editorial Director, and was titled “Taking the Malvertising Fight Upstream.”

It’s a given that as long as ads have been served, publishers have borne the brunt of malvertising and bad creative. But as real-time blocking and other ad quality technology evolves, it’s become clear that responsibility must be shared throughout the supply chain by publishers, SSPs and DSPs alike. Connie and I enthusiastically tackled this issue in our discussion before an audience of approximately 250 digital strategists and media leaders. 

Here are some highlights from our conversation:

The conventional wisdom is that redirect attacks come on weekends—is this the case for you? From your viewpoint, what have been the biggest changes in malvertising strategy over the last year?

From our perspective yes and no. Attacks happen around the clock, however, we do see significant spikes on weekends, especially holiday weekends.  Over Memorial Day Weekend for example we noticed a 175% increase in malicious ads. Fraudsters are aware of client side technologies and using tactics to cloak their code (adding iframes, delaying their scripts, dynamically hosting content).

Connie agreed that holidays, weekends, and Q4/Q1 tends to be the worst for Legacy.  She shared that the biggest shift has been moving toward the on-page blocking solutions instead of reactively responding to user and internal complaints.

How do you get your technology partners to take more responsibility in battling malvertising? 

Connie said that while turning off fringe or heavily reseller demand partners can be an effective tactic, pausing one partner just means it will creep in from somewhere else. She is also frustrated with the same canned responses from their partners, suggesting that the issue isn’t getting strategically addressed higher up the chain.

Happily, Connie called on-page blocking “very meaningful to us because it provides an added layer of protection that we should be getting from our demand partners, but are not.” 

But, now that she doesn’t need to constantly communicate problems back to the partners, it appears Legacy is going silent and everything is fine. That shifts the onus to the publisher to use on-page blocking tactics and takes the pressure off the partners.

In moving ad quality controls upstream, what are the biggest differences in strategies and tactics?

Historically SSPs have used a combination of in-house tools plus server side scanning to look for bad actors. What we've found though, is that those steps don’t provide enough insight into what's happening on the client side. Client side tech makes it much easier to identify the source of issues, and makes it easier for SSPs to take action. Adding real-time ad quality solutions at the SSP level allows for real-time insight into bad creatives, problematic DSPs and buyers so that SSPs can act quickly.  And yes, there are ways to do this that don't have negative revenue impacts on the SSP or the publisher!

Moving upstream allows publishers and demand partners to work together to combat this issue — and starts to put more pressure on the DSPs to take accountability for ads that are entering the ecosystem through self service tools.

How effectively can you trace the sources of malvertising campaigns? 

Connie revealed that “without vendor supported resources, not very well at all.” Legacy (and other publishers) simply don’t have the technical resources to be running Charles Sessions across mobile devices every time they hear a user complain about malicious ads.

One of Connie’s longstanding gripes is that there’s no standardization in the ad request’s call chains and “the handshakes from tech vendor to vendor are not clear, and very cluttered/muddled with other intermediary tech.”

Is all real-time creative-blocking technology created equal? How do you best evaluate what’s on the market?

We believe that the addition of new companies in the space validates how pressing the issue is. Ad quality continues to be a major problem and it's not just limited to malvertising —there are also compliance issues, data leakage and bad content.

Of course, each provider has different strengths. In terms of the actual technology, there are subtle differences that matter. For example, whether or not the provider uses a blacklist, caches scripts or can replace a lost impression are all important details to know.  

Some providers have point solutions while others take a more holistic approach. We're seeing our clients test multiple solutions, which is a good thing. We do believe, however, that after an initial investigation period, it makes sense to limit actual trials to your top two vendors.  Testing longer than a month or so introduces too many variables.  

We typically encourage clients to focus on three key things: seamless integration, solution effectiveness; and the overall experience with the interface and customer service.

Consolidation in the programmatic space is always looming.  What kind of effect will that have on malvetisers and ad quality efforts?

Both Kate and Connie agreed that consolidation is a positive trend as it limits the number of entry points for bad actors and eliminates unnecessary arbitrage. But as long as there are self-serve tools and so much money being transacted in real-time, there will be actors looking to take advantage of the system.

Overall, it was a thrill to participate in this important conversation!  Keep an eye out for a couple of more in-depth interviews with Ad Lightning on AdMonsters following this event.

Read More

May 13, 2019

Our Latest Customer Survey Results are In - They Love Our Mobile Redirects Blocking

At Ad Lightning, we are laser-focused on delivering great results to our customers and ensuring the highest levels of satisfaction. Gaining regular feedback from our clients is crucial —after all, the ad quality battle against mobile redirects and malware is a fast-moving, ever-shifting landscape. Luckily, our customers are a vocal crowd and our most recent customer survey didn’t disappoint. In fact, we’re blushing

We couldn’t help but share some of our favorite comments:

Mobile Redirects Squashed

“Mobile redirects have been our biggest challenge — they were a serious disruption to our site. Our previous Ad Quality partner was not effective in pro-actively identifying and blocking them.  ADL has excelled in bringing this under control.” 

“By working with Ad Lightning, the quality of our user experience has undoubtedly improved. We cannot afford to frustrate visitors, and nothing does that like mobile redirects.” 

“We’ve not had a single complaint about mobile redirects since we’ve partnered with Ad Lightning.”

“In the past 12 months, redirects have been reduced, virtually eliminated.” 

User Interface Props

“The user interface is an order of magnitude beyond the other competitors in the field.” 

“Ad Lightning has an easy to use dashboard and UI. The information provided about each ad served is detailed yet easy to comprehend and typically comes with a screenshot.”

Customer Service Recognition

“The Ad Lightning team provides exceptional customer service. They’re willing to work with us based on what we need. It is truly a partnership that we value.” 

“The team listens to our customer feedback and constantly makes improvements to the product. Which indicates to us that they love what they’re doing and committed to their partners.” 

“What really stands out about Ad Lightning is how knowledgeable and passionate the people on the team are.”

See our previous blog, as well, written by Partner Success Manager Meghan Mark about ADL’s dedication to customer service.

Technical Prowess

“The solution doesn’t cause undue load time that can hurt website revenues and implementation was very easy and fast.” 

“We’ve found that their technical team is nimble in responding to our needs and those of our mutual customers, including several top-tier publishers.”  

“Ad Lightning has streamlined our AQ workflow. With automatic email alerts, we are spending less time chasing bad actors. We are now focused on ensuring our site remains as clean as possible.”

This is amazing feedback!

We’re all aware that poor ad quality, malvertising and mobile redirects pose an existential threat to the digital ecosystem — the industry is in crisis and we’re mindful that our clients have placed a great deal of trust in us. Ad Lightning is determined to help preserve the user experience, eliminate increasingly aggressive bad actors, and ensure that our impact on customers is tangible. 

We couldn’t be more proud of our clients’ feedback and are honored to work alongside them. Keep the comments coming; you don’t need a formal survey to reach us. Connect with your account manager today —or reach out to see how we might work together.

Read More
`` `` ``