Huge increase in fraudulent video ads in recent months

Video advertising has always played a significant role in the industry: effective, costly, and safe. Previously, it posed no threat and required minimal effort from AdOps for verification. However, the situation is rapidly changing.

Recently, Yuval Shiboli, Product Director at GeoEdge, reported a new scam scheme called ScamClub that spreads malicious redirects through VAST and VPAID tags. Since then, such attacks have become widespread. Moreover, other fraudsters have likely noticed ScamClub's success, and we can soon expect copycats to emerge. The graph below shows a huge increase in such activities. Publishers and SSPs must immediately pay attention and take appropriate measures.

The cybercriminal group ScamClub uses VAST tags to redirect users to fraudulent sites. ScamClub inserts malicious scripts into MediaFile elements in VAST, allowing them to perform redirects regardless of whether the user watched the ad. The main impact was on mobile devices in the USA, affecting about a dozen major SSPs and DSPs.

How Automatic Redirection Works

If you haven't read the first article on AdMonsters, here's a brief description of the scheme.

Fraudsters check digital fingerprints on both the client and server sides to avoid detection. After sending information from the client and its verification by the server, a response to the POST request returns with instructions for the user's device to redirect to the next site. This redirection code includes several methods to enforce the redirection. Such a diverse attack strategy increases the chances of successful redirection and makes it harder for security systems to detect and identify the attack.

Fraudsters' Penetration into Video Ads

For a long time, video was considered the safest channel in digital advertising. The high cost of inventory deterred fraudsters from attacking this channel, and they focused on more accessible and vulnerable ad slots in display advertising. As a result, many publishers, SSPs, and even video platforms did not check incoming ads for malware.

However, it's essential to understand that fraudsters are now actively using video ads. GeoEdge's security research first identified the video malware epidemic in July 2023. As seen in the chart below, the number of incidents has increased significantly since then.

Growth of Fraudulent Video Ads

ScamClub's malicious VAST and VPAID attacks affected many SSPs, including all major industry players. Video platforms also experienced similar impacts from fraudsters.

AdOps teams increasingly receive complaints from publishers who get negative feedback from their users and editors about fraudulent ads. These ads appear as system messages and prompt users to download fake software updates or antivirus programs that can record and transmit their banking information or credentials to fraudster servers.

While a significant increase is already visible, this is just the beginning. In the next 12 months, a noticeable increase in fraudulent redirects in video can be expected.

How do ad verification platforms combat malicious ads?

  • Real-time creative scanning. Companies like GeoEdge, Confiant and The Media Trust scan ad creatives, including videos, in real-time. They analyze each ad element to detect potentially malicious scripts or redirects embedded in VAST and VPAID tags.
  • Digital fingerprint verification. These platforms use technologies to verify digital fingerprints on the client and server sides. This helps determine if the ad attempts malicious actions, such as forced redirects.
  • User experience emulation. Platforms like DoubleVerify and IAS use user interaction emulation to test ad creatives. This includes simulating clicks and interactions with the ad to detect if it redirects the user to malicious sites.
  • Pattern analysis and detection. Protection systems like Confiant use big data analysis and machine learning to identify patterns characteristic of malicious ads. This allows for promptly detecting and blocking new types of attacks, including redirects.
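
As an added illustration (not code from GeoEdge or any vendor named here), the sketch below shows a minimal static pre-check for the pattern described above: a VAST response whose MediaFile elements carry executable script instead of video. The sample VAST document, the hostnames and the function name scan_vast are constructed for this example; a finding is a candidate for deeper scanning, not a verdict, since VPAID units also have legitimate uses.

```python
import xml.etree.ElementTree as ET

# MIME types that mean the "media file" is executable code, not video.
SCRIPT_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}

# Constructed sample VAST response: one ordinary video file, one script-bearing file.
SAMPLE_VAST = """<VAST version="3.0">
 <Ad id="constructed-1"><InLine><Creatives><Creative><Linear><MediaFiles>
  <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
   <![CDATA[https://cdn.example.test/spot.mp4]]></MediaFile>
  <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID">
   <![CDATA[https://ads.example.test/unit.js]]></MediaFile>
 </MediaFiles></Linear></Creative></Creatives></InLine></Ad>
</VAST>"""


def scan_vast(xml_text):
    """Return one finding per MediaFile that can execute script in the player."""
    # VAST needs no DTD; refuse one so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in VAST")
    root = ET.fromstring(xml_text)
    findings = []
    for ad in root.iter("Ad"):
        for mf in ad.iter("MediaFile"):
            mime = (mf.get("type") or "").strip().lower()
            api = (mf.get("apiFramework") or "").strip().upper()
            url = (mf.text or "").strip()  # CDATA content arrives as element text
            reasons = []
            if mime in SCRIPT_TYPES:
                reasons.append("script MIME type")
            if api == "VPAID":
                reasons.append("VPAID executable unit")
            if not mime.startswith("video/") and not reasons:
                reasons.append("non-video MIME type")
            if reasons:
                findings.append({"ad": ad.get("id"), "url": url,
                                 "type": mime, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_vast(SAMPLE_VAST):
        print(f["ad"], f["url"], f["type"], ", ".join(f["reasons"]))
```

A static check like this only narrows the set of creatives to inspect; the flagged URLs still need to be loaded and observed in a scanning environment to see whether they attempt a redirect.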

Time to Strengthen Protection

It's time to strengthen the video technology stack. Publishers should understand the importance of monitoring and protecting their infrastructure, as it is no longer safe. This change in daily processes is critical.

SSPs must start reevaluating ad sources for video, understanding that they can no longer consider them safe. They need to recognize the presence of malicious ads in this channel, which many believe will significantly increase.

And, of course, don't forget about CTV. How safe is it? It is unlikely that users will click on ads, visit malicious pages, and fill out forms from their smart TVs. However, with the emergence of QR codes in CTV ads, new risks may arise as fraudsters gain the ability to redirect users scanning the code from their mobile devices.

A New Approach is Needed

Due to numerous mechanisms that block the operation of security systems, new approaches are required. In our experience, it is not enough to monitor the video ad itself; it is necessary to monitor the page on which it appears. By monitoring the entire page, security teams can promptly identify, analyze, and classify fraudulent ads and their new variants, proactively blocking them at every appearance.

What to Do?

Video advertising is no longer safe and needs careful monitoring. Fraudsters have breached the defenses and are rushing inside. However, the industry is not defenseless. To counter this growing threat, a new level of cooperation within the industry is required. By working together, we can more effectively identify and mitigate video threats, sharing knowledge to strengthen collective protection.
