With the average user seeing around 5,000 online ads daily, and one in 5,000 ads leading to a malicious cloned site, most users are exposed to one malicious cloned site a day.

As sites today outsource the ad content on their pages to a vast array of third-party ad networks, malicious marketers conveniently slip through the programmatic net, allowing them to go toe-to-toe with legitimate advertisers. Since January 2020, the pandemic’s negative effect on CPMs and ad quality has led to a new wave of bad ads hijacking even top-tier sites.

Hacking Us Softly

Users would never willfully download arbitrary malicious code if blindly prompted by a site; here’s where malvertising comes into play. While the phenomenon of “fake ads” is a long-standing issue on the ad quality front for publishers, we’re now seeing a new variation of the tactic. In this relatively new cyber threat, users are served deceptive ads linking to deceptive sites.

These ads spread fake news, present false or misleading information, or trick users into thinking they’re going to read more about a certain product or celebrity, but link out to an unrelated scam site. In the most recent attacks, users are prompted with deceptive ads that lead to cloned landing pages that rely on borrowed prestige, copying the design and branding of well-known, premium media outlets.

A New Attack Method Emerges: Deceptive Sites

For years, the industry has been on guard against malicious code hidden in ad creative, ready to deploy without the user’s knowledge. Now, much of the malicious activity occurs on the landing page. In fact, the ad itself can be free of malvertising while the landing page is chock-full of malicious code. This is part of the content marketing push on the part of malicious marketers, who intentionally put malicious attributes on the landing page rather than in the ad itself.

Lately, one of the main sweet spots of using online ads to infect users’ devices is to ‘socially engineer’ users onto a malicious landing page by luring them to willingly click on a deceptive ad. Once on that page, the user is hit with a phishing scam, a fraudulent product offer, or a prompt to download malware. Not to mention, many of these landing pages are counterfeits of actual premium sites. Cybercriminals intentionally create counterfeit landing pages for sites relevant to different geographical regions and different interests, which in turn allows them to up their ROI.

Cybercriminals-Turned-Content Marketers Are Expert Advertisers

As COVID-19 gave malicious marketers new opportunities to generate revenue from content, cybercriminals have begun investing in marketing and creating deceptive sites with personally targeted content because it has proven to be six times more effective than auto-redirect ads. With the seasonal peak in malvertising approaching, GeoEdge, a leading cybersecurity vendor, estimates that 89% of publishers serve deceptive ads, with 42% of those publishers facing user complaints and 20% forced to contend with a loss in revenue or users.

Cybercriminals’ newfound ease of access to premium inventory, coupled with the recent switch toward content-driven malvertising, has increased security risks for publishers, putting their revenue, partnerships with advertisers, and consumers at risk. GeoEdge’s security research suggests that this latest trend in malvertising has accounted for half of all malicious advertisements so far this year, and as the end of the year nears, GeoEdge expects an increase in the number of cloned news websites. The low cost and the better marketing environment of cloned media websites have resulted in cloned versions of the “Today” show, CNBC, Fox News, Forbes, and BBC, according to GeoEdge’s research.

Attack of the Copycat

Nearly any website can be copied, but retail shopping sites, travel booking sites, and banks are the chosen favorites among cybercriminals. Ultimately, cloned media websites enable malicious marketers to benefit from the fake legitimacy of the content their ads appear next to. At first glance, these sites look legit, and may even have a domain that’s quite similar to the original site. And the mimicked design didn’t cost much to replicate either: Photon Research revealed that a template for a cloned site for some of the biggest online brands starts at $2-3, a cloned e-commerce site page will cost $20.43, and a cloned banking site page sits at $67.91.

Adi Zlotkin, GeoEdge’s VP of Data and Security revealed earlier this month that, “The countries which have been most negatively impacted are also the countries with the highest incomes because there simply is more money to steal. These countries included Japan, Australia, New Zealand, the United States, Canada, the UK. Ultimately, these countries tend to be more advanced in their use of the internet, too. Now, we’re starting to see more attacks in other high-income countries, including the Gulf states in the Middle East, as well as in emerging markets in South America, Asia, and Eastern Europe.”

The Value of Trust in Programmatic

Two things are for certain: trust is vital to the future of the publishing industry, and online advertising underpins a huge slice of publishers’ revenue. It’s obviously against advertisers’ and publishers’ interests for users to increasingly associate online ads with malware and abuse. The risk for publishers, of course, is that internet users who are fed up with malicious ads will turn increasingly to adblocking software or, worse, abandon their sites entirely. And in ad-supported media, malvertising poses a deadly risk.

Security is always a cat-and-mouse game of measure versus countermeasure, and malvertising is no exception. Now that cunning cybercriminals have discovered how to twist digital advertising to nefarious means and use our own vulnerabilities against us, what’s necessary to counter the social engineering threat? For publishers, this scenario underscores the security and QA importance of inspecting not only the ad creative, but the landing page it leads to. It boils down to robust ad security, meaning deep ad and landing page analysis. To keep users safe, publishers need deeper insight into what awaits the user after the click.

Searching Beyond the Creative

Deceptive landing pages, hiding behind tantalizing ads, should be a top security concern for all publishers. Fortunately, malicious landing pages can be detected, allowing the creative to be blocked before the page loads. However, security technology must be sophisticated enough to analyze the landing page and the creative in real time. This needs to happen before the ad can reach the user, harm them, and deter them from returning to and monetizing the publisher’s site.
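As an added illustration (not code from the article or from GeoEdge), here is one narrow landing-page check a publisher could run before a creative is allowed to serve: flag click-through destinations whose host imitates a protected outlet's domain, the "domain that's quite similar to the original" pattern described above. The protected list, the sample ads and the thresholds are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed publisher-maintained list of outlets to protect (brands named in the article).
PROTECTED = ["forbes.com", "cnbc.com", "bbc.com", "foxnews.com", "today.com"]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_landing(url):
    """Return (verdict, brand) for the host an ad click finally lands on."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    # Simplification: registrable domain = last two labels (real code needs the Public Suffix List).
    if ".".join(labels[-2:]) in PROTECTED:
        return ("genuine", ".".join(labels[-2:]))
    for brand in PROTECTED:
        name = brand.split(".")[0]
        # Brand name embedded in a foreign host: forbes.com.<other>.example, cnbc-markets.example
        if any(name in label for label in labels):
            return ("lookalike", brand)
        # Near-miss spelling of the brand; short names get a tighter threshold.
        if edit_distance(labels[-2], name) <= (2 if len(name) >= 5 else 1):
            return ("lookalike", brand)
    return ("unrelated", None)

def creatives_to_hold(ads):
    """IDs of creatives whose landing page imitates a protected outlet."""
    return [ad["id"] for ad in ads if classify_landing(ad["landing"])[0] == "lookalike"]

# Constructed sample: creative id plus the final landing URL after redirects.
SAMPLE_ADS = [
    {"id": "cr-101", "landing": "https://www.forbes.com/money/"},
    {"id": "cr-102", "landing": "https://forbes.com.daily-finance.example/article"},
    {"id": "cr-103", "landing": "https://cnbc-markets.example/bitcoin-story"},
    {"id": "cr-104", "landing": "https://f0xnews.example/breaking"},
    {"id": "cr-105", "landing": "https://shoes-outlet.example/sale"},
]

if __name__ == "__main__":
    print(creatives_to_hold(SAMPLE_ADS))
```

A hostname check like this is only a first filter: substring and edit-distance matches produce false positives that need review, and a clone hosted on an unrelated domain is caught only by analyzing the page content itself.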

In the user’s mind, page content and ad creative are part of the same unified experience. All of these ad quality issues (fake ads, brand-unsafe ads, predatory offers, phantom product ads, ads for substandard products) are user experience issues that devalue quality publishers’ sites and put publishers’ relationships with their audiences at risk. In this equation, users are sitting ducks that bad actors are willingly preying upon. It’s imperative for publishers in an upended digital landscape to take control of their sites, their relationships with their audiences, and their capacity to protect their users from poor experiences and socially engineered scams.

Alisha Rosen
GeoEdge