Changing The Criminal Calculus: Best Practices In The Fight Against Malvertising

The dangers of malware are nearly as old as computers themselves, but the concept of malvertising is a relatively new one to businesses and consumers alike. While the term malware can mean malicious software of any sort delivered by any means, “malvertising” refers to the use of digital advertisements – including creative, tags and landing pages – specifically to distribute malware, often for financial gain.

The first known instance of malvertising dates to 2007, and criminal interest in using ads as a vector for malware attacks has grown slowly over more than a decade. Malvertising is now a problem at scale, and the scope of that problem has doubled since 2017. Recent research suggests that nearly 1 in every 100 ad impressions is impacted by a malicious or disruptive ad – meaning that more than 20% of user sessions may be impacted by malvertising.

Malvertising degrades consumer trust in the digital advertising industry, and brands face significant financial risk if their ads are found to be “malvertising.” A recent survey of U.S. consumers conducted by the Brand Safety Institute (BSI) and the Trustworthy Accountability Group (TAG) found that 93% of respondents would reduce their spending on an advertised product if the ad had infected their computers or mobile devices with malware, and 73% would stop buying that product altogether.

Because each participant in the ecosystem has visibility into only their subset of the problem, preventing the delivery of infected ads can be challenging without industry coordination. The digital advertising industry has taken significant action to combat the problem of malvertising in recent years, and those efforts are beginning to show dividends.

Keeping ads clean of malicious code is a serious brand safety concern, but the fight against malvertising does not have to be a painful one. By instituting best practices, tightening our collective defenses against malware threats and building a threat-sharing culture throughout digital advertising, the digital advertising ecosystem can change the criminal equation and put an end to the malvertising attacks plaguing our industry today.

Among the best practices described in the White Paper, companies should:

Take responsibility and communicate their commitment by:

  • Creating and sustaining an internal focus on keeping ads free from malware.
  • Developing a “zero tolerance” policy for ads infected with malware.
  • Earning the TAG Certified Against Malware Seal to demonstrate the company has adopted the rigorous standards needed to fight malware.

Choose the right partners through steps such as:

  • Knowing their risk tolerance and choosing partners that share and can accommodate those values.
  • Asking the right questions during the RFP process, for example, whether potential partners use malware scanning and real-time detection techniques.
  • Checking if partners have received the TAG Certified Against Malware Seal.

Work closely with partners to develop and execute their strategy by:

  • Designating a trained Brand Safety Officer within the company.
  • Documenting appropriate points of contact at partner companies.
  • Clearly communicating a plan to protect assets before a campaign launches.
  • Staying involved once campaigns are launched by ensuring proper mitigation strategies are in place to stop malvertising attacks at any point in a campaign.

See the bigger picture beyond each individual company by:

  • Providing partners with information about incidents of malware-infected creative, so they can be on the lookout for recurrences of those issues.
  • Supporting industry-wide threat sharing.
