It’s Time To Get “Real” About Malvertising

Alanna ClarkThe Sell-Sider” is a column written by the sell-side of the digital media community.

Alanna Clark is Director of Business Development at AdMeld, a publisher yield optimization company.

Three-day weekends, holiday seasons, a plethora of Q1 inventory. These are all normal signals and events throughout the course of our year but also triggers for more unseemly activities, namely malvertising.

The digital advertising space has always had its share of bad actors. But as the ecosystem has grown in size and complexity, so has the cunning of those who use it to spread malware. Malware puts consumers in danger, wastes the industry’s time, and sucks billions from the world economy. Until recently, speaking openly about these issues was taboo—especially for those companies that didn’t want to risk being branded as ‘malware infested.’ This kind of attitude has led to the perpetuation of two major malware myths:

Myth #1: Dealing with malvertising is the ad networks’ problem.
Ad networks get a bad rap, and though some of them deserve it, the truth is that even premium websites, marketplaces, yield optimizers, DSP’s and exchanges have had to grapple with malware despite their best efforts. Pointing the finger at networks can be satisfying (and sometimes it works), but it only gets us so far.

Myth #2: Your company has NEVER had to deal with malvertising.
Pulleeease. We’ve ALL fallen victim to this at least once (and probably a few times more we never knew about.) From here on in, if anyone tells you they’ve never had a malware-related issue, it’s completely appropriate for you to mutter an incredulous expletive under your breath.

An Ounce of Prevention
Eliminating the malvertising threat starts by taking the right steps in your own organization. Whether the deal is discretionary or direct, here are a few basics that should be on your checklist. (Feel free to contribute more in the comments!)

  1. Vet the Deal Origin
    Use tools like Google’s Investigative Research Engine, to get intelligence on the company providing the creative. You can also use apps like DomainTools’s Domain History search to see if an associated domain or server has a sketchy past.
  2. Account for the Advertiser’s Ad Serving
    In some cases, publishers, yield optimizers, DSPs, and networks are banning third-party creatives and copying them to their local servers to ensure nothing is swapped in on serve time.
  3. Pay Special Attention to Rotating Tags
    If you’re not serving the ads, a new creative/executable/forwarding URL can be rotated in at any time. A tag that runs clean on Friday morning can be a very different beast at 11 AM on Saturday. Ad tag scanning services are important, but so is staying vigilant. Some companies are beginning to ban rotating tags outright, especially when served over Real Time Bidding infrastructures where transparency and advertiser lists are key.
  4. Beware of Prepaid Deals
    While attractive and in most cases innocuous, prepaid deals are a red flag that should cause you to stop and take a much closer look.
  5. Watch for Suspicious Timing
    This means “last minute” deals, branded national deals coming from overseas, etc.
  6. Premium Brands Don’t Always Equal Safety
    Companies like American Express have spent billions developing brands of strength and security. That’s exactly why malvertising perpetrators try to hijack their creative and pose as their agencies.

Employ The Right Tools

Companies such as The Media Trust and ClickFacts have built technology to help scan ad tags/creatives and the like, cross referencing virus databases maintained by the likes of Google, Avast, McAfee and Symantec. Google has created an Anti-Malvertising Team with a site that helps you do background checks on potential partners, get best practices, and more. Yahoo’s Right Media has a homegrown Creative Tester and Spyware/Click-fraud Scanner, and Microsoft has been going after Malvertisers themselves in court.

Get Involved
In a climate of co-opetition and frenemies, working together to stamp out malvertising is a cause we can all agree on. To Google, Yahoo, Microsoft, Pubmatic, Rubicon, and anyone else who’s interested: we hope to work more closely with you on this. Perhaps a good first step would be creating an official list of best practices for ultimate approval by the IAB.

What do you think?

As skilled as any one of us is at dealing with malvertising, I think we’d all rather live in a world where we never have to. Working together is the fastest way to get there.

Follow AdMeld (@AdMeld) and (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Addendum to Myth #1 – The advertising network isn’t always trying to deal with malvertising. There’s one minor one right now that has several kinds of it, and which even ignores the publisher’s ad restrictions.

  2. Great post. All of us in the online advertising industry fall victim to malvertising and must build systems that can automatically scan and catch malicious internet activity (ZEDO does, as best at it can). Ad networks are certainly at a higher risk, but that doesn’t mean we should leave the alone to solve the problem.