Researchers at ad security and verification provider GeoEdge have revealed a new form of auto-redirect malvertising hidden in the code of programmatically served VPAID video ads through the global media platform Teads.
VPAID is a technical script that instructs a video player on what ad to play. It also determines the length of the ad, when to serve the ad, and where to place it. It is basically the brains behind the function of the ad.
Auto-redirect ads forward the mobile phone screen or browser to a warning about a fake virus or another scam. This typically includes a notice about a prize when clicking on a link or a scam that phishes for personal data.
Adi Zlotkin, Security Research Team Leader, GeoEdge, said that in the past year there has been an increase in sophisticated phishing attacks, prompting “publishers and marketers to go beyond blacklisting” to fight malicious advertisers.
GeoEdge’s research forecast in 2018 that auto-redirect ads would cost publishers and marketers $1.13 billion that year. That number will rise to $1.3 billion in 2020, according to the company.
The tag that redirects the ad is typically encoded, making it impossible to find through blacklisting, that is, through lists of domains or IP addresses known or suspected to be malicious servers.
Finding the auto-redirect malware meant that the GeoEdge research team had to decode the specific tag. With programmatic advertising involving many different companies and functions, the task of decoding each tag as it passes through the programmatic chain is daunting, according to Zlotkin.
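Why the blacklist check fails on an encoded tag and succeeds once the tag is decoded, as an added example that is not GeoEdge's code or method. The encoding layers (percent-encoding over base64), the sample tag and the blacklisted domain are constructed assumptions; the article does not say how the real tags were encoded.

```javascript
// Added example: scan an ad tag against a domain blacklist before and after decoding.
// The domain, the tag and the encoding layers are constructed assumptions.
const BLACKLIST = ["scam.example.invalid"]; // constructed entry
const REDIRECT_SINKS = /\b(?:top|parent|window|document)\.location\b|location\.(?:href|replace|assign)/;

// Constructed sample: a redirect statement, base64-encoded, then percent-encoded.
const PAYLOAD = 'top.location.href="https://scam.example.invalid/prize"';
const SAMPLE_TAG = '<script>eval(atob(decodeURIComponent("' +
  encodeURIComponent(Buffer.from(PAYLOAD).toString("base64")) + '")))</script>';

// Percent-decode, returning the input unchanged if it is not valid encoding.
const tryPercentDecode = (s) => { try { return decodeURIComponent(s); } catch (e) { return s; } };

// Decode every base64-looking run (16+ chars); keep only results that are printable text.
function decodeBase64Runs(s) {
  const out = [];
  for (const m of s.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || []) {
    const text = Buffer.from(m, "base64").toString("utf8");
    if (/^[\x20-\x7e\s]+$/.test(text)) out.push(text);
  }
  return out;
}

// Peel encoding layers up to maxDepth, collecting every intermediate form.
function unpackLayers(tag, maxDepth = 5) {
  const seen = new Set([tag]);
  let frontier = [tag];
  for (let d = 0; d < maxDepth && frontier.length; d++) {
    const next = [];
    for (const s of frontier) {
      for (const c of [tryPercentDecode(s), ...decodeBase64Runs(s)]) {
        if (!seen.has(c)) { seen.add(c); next.push(c); }
      }
    }
    frontier = next;
  }
  return [...seen];
}

// Compare a blacklist match on the raw tag with a match on its decoded layers.
function scan(tag) {
  const layers = unpackLayers(tag);
  const hit = (s) => BLACKLIST.some((d) => s.includes(d));
  return {
    rawBlacklistHit: hit(tag),
    decodedBlacklistHit: layers.some(hit),
    redirectSink: layers.some((s) => REDIRECT_SINKS.test(s)),
  };
}

console.log(scan(SAMPLE_TAG));
```

The `redirectSink` flag is a pattern check on what the decoded script does rather than where it points, so it still fires when the destination domain is not on any list.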
GeoEdge’s plans to stop the malvertising are not yet clear. A spokesperson at the company says that feedback is taken very seriously.
A Teads spokesperson said GeoEdge has not approached the company with the information, but engineers plan to look into the issue. “We’ve proactively been reaching out since we were made aware to better understand the specific issue but have not yet heard back,” she wrote in an email to Digital News Daily, adding that the company is continuing to look into the situation, “and with more information will be able to provide a more thorough response.”
One thing is certain — publishers and the entire ad-tech ecosystem must be more diligent in looking for malicious ads.
Blacklisting a domain that served malicious ads may have been effective a few years ago, but not today. Now, the industry needs to use behavioral analytics to uncover patterns that identify malicious activities, according to a company spokesperson.