Q2 2020 Smart Report

Peruse the content of the report below or download the full PDF.

Smart report thumbnail-1

Table of Contents

  1. About this Report
  2. COVID Effects
  3. SSP & DSP Attack Trends
  4. Browser & Device Trends
  5. About clean.io

Download the Report

Join us for a short 20 minute webinar discussing the report results.

Register Now

About this Report

This report is built using threat and attack data gathered from sites across the entire clean.io network.

The data included in this report is collected through behavioral analysis of tens of billions of impressions each month in real time on over 7 million websites and apps.

View all the Q2 2020 trends below. 

Note: You are welcome to share and republish the data and charts included in this report, we just ask that you attribute the source and link back to this page.

Smart Report Webinar CTA (2)


COVID Effects

How has COVID affected the malvertising landscape?

Major changes in the way we work and consume content, shifts in the behavior of brand advertisers, as well as spikes in the virus itself have all contributed to trends observed in Q2.

Key Impacted Verticals

Smart Report Q2202001-1

Click to Tweet

But, what does it all mean?

  • COVID lifestyle changes: We observed increased threat levels in verticals that saw increased traffic from “Work From Home” lifestyle adjustments (Education, Home).
  • Demand drives threat: Verticals that likely saw a drop in advertising spend level from brand advertisers (Travel, Sports, Auto), and thus driving lower CPMs, maintained higher threat levels.
  • Saved by price floors: News Sites, which often have increased price floors and stricter category blocks, were 20x less likely to see Malvertising than Auto and Education Sites.

COVID-19 has changed the way the world operates. In the last few months many jobs have shifted to work-from-home, education has moved online, global sports and entertainment have paused, and travel has massively decelerated.

COVID has changed the way the world, and malvertisers themselves, operate.

- Matt Gillis, CEO

Click to Tweet

This activity is reflected in malvertising as well; Automotive, Travel, Education, and Sports were the most commonly attacked site verticals in Q2.

As the world continues to adjust to life in a pandemic (the return of sports, a new school year in the upcoming quarter) we expect to see elevated threat levels in the most impacted industries.

Q2 Attack Trends

Attack trends mirrored COVID-related demand shifts. Threat level increased as demand levels reduced, and threats reduced as demand recovered with COVID-19 and quarantine shifts.

Smart Report Q2202002-1

Click to Tweet

While malvertising attacks are predictable around certain holidays, threat levels are otherwise erratic. Add a pandemic to the mix, and the volatility in attacks has been even more severe. Staying vigilant and protected is more important now than ever before.

The only thing that is predictable about the behavior of bad actors is that they are unpredictable.

- Kathy Knott, VP Client Success

Click to Tweet

Q2 began in the midst of a growing pandemic which created a vacuum of brand demand and allowed bad actors to infiltrate the ecosystem. Acclimation to life in a pandemic, alongside natural growth in demand towards the end of the quarter, yielded declines in threat level.

Q2 Threats by Geography

Top countries by threat level closely matched the most heavily affected countries by the pandemic.

Smart Report Q2202003-1

Click to Tweet

The Americas and Europe are the top two regions impacted by COVID-19 thus far; conversely it follows that they are the two regions most impacted by malvertising in Q2. The US, Canada, and 8 European nations make up the Top 10 countries by threats in Q2.

Malvertisers will take advantage of any and all environmental changes that present an opportunity.

- Geoffrey Stupay, Co-Founder

Click to Tweet

Just as the pandemic has inflicted pain on specific countries at different times and with different volumes of cases, malicious code exhibited the same pattern.

Within our Top 10 countries for Q2, we saw Peak Threat Levels occur at different times and at varying maxima.

Key Takeaways

Shifts in demand are key.

What is happening in the world has significant effects on supply prices, thus creating an opportunity for bad actors to access more inventory, more cost effectively, thus driving threat levels up.

Attacks are well coordinated.

Bad actors very quickly shift approaches and conduct attacks that are well coordinated by date and location to make their attacks easier to execute and more effective.

Read the In-Depth Article About COVID Affects →

SSP & DSP Attack Trends

How are attackers using platforms to orchestrate their attacks?

Q2 data shows how bad actors take full advantage of the way the programmatic advertising ecosystem is built and how ad creative flows through that system.

Data from Q2 shows that 90% of total threats originated from 9 SSPs.

Flow of Threats

  1. DSP: Attacker submits ad creative to a DSP. A single DSP allows access to many SSPs.
  2. SSP: SSP enables bids from countless DSPs on ads across their entire network of sites. A single SSP allows access to many sites.
  3. Ad Views: Ad impressions are seen by users. Through a single DSP, attackers can create a massive impact.

Q2 SSP Threat Rotation

Bad actors rotated through 3 major cycles of SSP attacks in Q2.

Click to Tweet

Q2202004-1

Phase 1: The first 6 weeks showed attacks were primarily focused on just 3 SSPs, accounting for 74% of attacks in phase 1.

Q2202004-2

Phase 2:The following four weeks showed a rotation of attacks on 3 new SSPs, accounting for 72% of attacks in phase 2.

Q2202004-3

Phase 3: Finally, the last 3 weeks rotated further to attacks primarily focused on 3 new SSPs, accounting for 59% of attacks in phase 3.

Bad actors are using multiple SSPs as entry points to launch their infectious code onto devices.

The clean.io Network sees attacks focus on a small number of SSPs at once, first through small probing campaigns before scaling to widespread attacks.

Malvertisers constantly run novel small probing campaigns prior to widespread attacks.

- Jason Dobrzykowski, Director, Platform & Channel Partnerships

Click to Tweet

This cycles through several groups of SSPs throughout the quarter, and the landscape is always shifting. In general, malvertisers are going full throttle on a few SSPs while already testing on their next batch of platforms to constantly evade being caught.

Key Takeaways

Attack rotations.

Bad actors systematically rotate attacks across multiple SSPs and DSPs to find vulnerabilities that will drive them the greatest gain.

Exponential impact.

While we saw 90% of the threats coming from 9 SSPs in Q2, we also prevented threats coming from over 63 unique SSPs total, indicating that there is a long tail of SSP probing that occurs.

Read the In-Depth Article About SSP and DSP Attack Trends →

How are bad actors selectively attacking specific tech?

Always on the lookout for vulnerabilities, Q2 data shows how attackers rotate their attack attempts across different browsers, devices and operating systems.

Q2 Browser Trends

Facebook’s embedded browser and Chrome Mobile continue to be the most attacked in the ecosystem.

Smart Report Q2202005-1

Click to Tweet

Q2 Device Trends

7 of the top 10 attacked browsers are mobile. Mobile browsers overwhelmingly hold the lead in threat levels.

Smart Report Q2202006-1

Click to Tweet

Q2 Operating System Trends

Bad actors focused on Android devices as their primary OS. Android OS accounted for a total 58.57% of attacks across the quarter.

Smart Report Q2202007-1

Click to Tweet

Q2 Operating System Attack Shifts

Bad actors rotated efforts between chrome and iOS.

Smart Report Q2202008-1

Click to Tweet

Mobile Browsers - specifically Chrome Mobile and Facebook embedded browser - are the most attacked Browsers in Q2.

While we see attacks across all devices, many attacks are consistently focused on mobile devices.

Mobile allows access to ads at lower price points, making it easier for malvertisers to turn a profit.

- Alexey Stoletny, CTO

Click to Tweet

It follows that Android accounted for 58.57% of all threats in Q2; as it is generally less expensive than iOS inventory, and more popular globally, it allows bad actors access at lower price points to turn a profit at the expense of users.

Key Takeaways

Protecting mobile is key.

Bad actors continue to focus more heavily on mobile in their attacks, so protecting user experience on mobile devices will be an important initiative.

Focus on embedded browsers.

Embedded browsers, particularly Facebook, continue to hold the highest threat vector. Finding ways to preserve user experience in embedded browsers is of utmost importance.

Read the In-Depth Article About Browser and Device Attack Trends →

About clean.io

clean.io is the most effective solution to prevent malvertising, as well as protect revenue and user experiences across all platforms.

Case Study

Learn how Pub+ alleviated malicious redirects that were causing business disruptions and eating into revenue.

The clean.io solution worked exactly as described. Simple, effective, and smart. Following implementation we saw all key financial KPIs improve... and our end users were no longer complaining about bad user experiences.

- Omry Aviry, Chief Product Officer at PubPlus

Read the Case Study →


Download this Report