Click Forensics CEO Pellman On The Malware And Malvertising Fronts

Click ForensicsThe online advertising world continues to be challenged by ne’er-do-wells as Click Forensics released results from its latest quarterly, deep-dive into the company’s fraud detection data. The Company identified challenges with display advertising where “a pop-up or pop-under (…) rotates brand advertisers’ banner ads every 10-15 min in an effort to seemingly boost impression figures.” Read the release.

CEO Paul Pellman discussed the latest on malware and malvertising. How is the malware scheme you describe reaching websites – through display ads from exchanges, specific ad networks? Any ideas on how it can be prevented?

PP: The Click Forensics Malware Lab has been finding two generic types of malware.  The first, more common version, is actually installed on the visitor’s machine as a result of some other seemingly innocent download.  It can be spread via e-mail attachments or through lots of “freeware” that people install on their machines.  Once installed, these Botnets can take control of browser functions or simply open pop-unders to display ads for nefarious ad networks.  The best way to prevent these is for visitors to be diligent and use updated antivirus software from Symantec, McAfee, and others.

The second type is not really malware at all, but is the one more commonly talked about in AdExchanger circles.  Namely, visitors to ad supported sites get served all sorts of ads that they never see, whether in pop-unders, zero-by-zero iFrames, or invisible pages.  The generic term for these schemes is “ad stuffing.”  Advertisers can protect themselves from both types of fraud by employing ad verification and/or audience verification platforms.

What IS the malware? Any trends there?

Much of the malware we found recently came from different types of toolbars.  These are browser plug-ins that purport to assist with search or provide some other value for the visitor (weather, sports scores, etc.), but in reality are also hijacking browser activity for the benefit of the author.  One toolbar we found turned organic search results into paid clicks by routing searches to a parked domain site and channelling clicks through several ad networks.  It’s very difficult to trace which are complicit in the fraud and which are innocent participants.

From a marketer’s perspective, would using frequency caps or buying on a CPC basis might lessen the impact of inflation impression?

Frequency caps might help a display advertiser minimize the impact of these schemes, but it can’t defeat them completely.  As far as converting everything to CPC, it might work in the very short term but, as we well know, click fraud becomes an issue.  The best protection is the diligent monitoring of campaigns and the use of an audience/ad verification platform.

I didn’t see you mention malvertising versus malware in your release. Do you distinguish between the two?

We use “malvertising” to refer to ads that send visitors to a place that is bad for them.  The ad itself may not be infected, but its intention is to trick the visitor into doing something damaging.  For example, the ad on a little over a year ago warned visitors to click through to a site where they could “update their virus protection.”  Of course the download included all sorts of malware, but the ad itself was more accurately described as malvertising.

By John Ebbert

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

1 Comment

  1. The purpose of this non-visible banner rotation (pop-unders, etc.) isn’t necessarily to pump impression levels… it’s to cookie-stuff the user’s browser so that the network gets credit for a ton of view-through “conversions” that were going to happen anyway. has played this game since day 1, using AIM inventory (the little postage stamp-sized ad at the top of your buddy list) to rotate in banners and refresh the view-through cookies constantly. Of course, 99% of the time your buddy list is behind all of your other windows. But they end up getting last-view attribution on a ton of conversions.

    Yes — clicks can be fraudulent too. So the only way to measure true lift is to 1) pay on a click-to-conversion basis only, or 2) run an A:B study (the honest way) to evaluate total lift of both views and clicks. But in any case, an advertiser should only ever pay for click conversions… Ahem: