Why advertisers and media companies need to take malware threats seriously

Digital threats are more prevalent than ever across the connected landscape. Organized crime is heavily involved, and rogue states appear to be using malvertising (malicious advertising) to attack critical infrastructure. For example, Ukraine was barraged with phishing redirects and backdoors delivered by advertising before Russia’s invasion in 2022.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) identifies malware delivered through advertising as the most prevalent initial infection vector — because threat actors play the long game. Backdoors like SocGholish installed on user devices, offer attackers future access as they can perpetuate more drastic assaults, such as draining bank accounts or potentially executing ransomware on a user’s employer.

Even if a consumer isn’t fooled by a, “You’ve won a gift card!” phishing attack, malicious actors use fingerprinting to garner data and optimize targeting for future attacks. As the drumbeat for digital privacy thumps louder and louder, the industry seems to have missed that malware is the most privacy-invasive tech out there.

Search marketing has also been plagued by malware and scammers, with security experts advising consumers not to click on search results or ads labeled “sponsored” as some threat actors are using these to spread malware or otherwise deceive users. Government agencies regularly install consumer-level ad blockers across employee devices, but this isn’t enough as threat actors know how to bypass such measures.

Disregarding malware threats can lead to lost revenue and brand safety issues

Within the digital media and advertising industry, malware and malvertising are often seen as a mere annoyance — or worse, a cost of doing business. There’s far more concern about (and money thrown at) advertiser brand safety when even a minor malware outbreak can easily cost publishers and ad tech companies six figures in lost revenue.

It’s foolish to shrug off the malware threat, but the sense of frustration and helplessness that marketers feel is understandable, with relatable cries of “What am I supposed to do about it?” In the hunt for more revenue, many companies have given up some control and let diligence slide, opening the kind of vulnerabilities that threat actors salivate over.

What’s important now is switching from reactive to proactive approaches: taking heed of major security trends that can help publishers, ad tech and even advertisers protect consumers — and their businesses.

Without proper due diligence, programmatic video arbitrage leads to harmful consequences

While some people may believe that a little arbitrage — intermediaries skimming off a bit of the CPMs and maybe racking up some tech costs — isn’t so harmful and that video advertising is too expensive to attract malvertisers, this isn’t true.

Throughout 2023 and 2024, the highly prolific threat known as GhostCat (or ScamClub) jumped to desktop video and ramped up malicious campaigns to new levels. On-page video units started delivering phishing redirects, ultimately utilizing programmatic video arbitrage to hide the source. Rampant finger-pointing commenced as players could not figure out responsible partners in the massive web of auctions.

On-page video units deliver healthy revenue checks to publishers every month, but they must practice due diligence when onboarding partners. And the same goes for the video unit providers themselves — they must exercise extreme caution with how many and which demand sources they work with, or find themselves in a nightmarish situation.

The corruption of legit advertisers’ landing pages compromises vulnerable consumers

MS-ISAC currently ranks SocGholish as the most widespread malware by far. Long a plague of email and search marketing, this threat is dominating display advertising via a common and highly economical strategy: hacking the landing pages of legit advertisers. These malicious actors get brands to pay for the distribution costs of their malware, adding to the brand safety and threat detection urgency. 

SocGholish is the king of the drive-by download, which infects targeted user devices as soon as the malicious payload is delivered — no extra clicks are required. Advertisers need to step up their game in threat detection lest their businesses suffer the reputation of leading to ransomware attacks (and a brand safety nightmare).

While SocGholish may be the most consequential attack via a compromised landing page, it’s not the only one. A commonly used open-source JavaScript library, purchased by a suspicious Chinese company, began delivering malware to pages where it was embedded in June 2024. More than 100,000 websites, including major brands, were compromised.

On top of malware affecting brands and websites, these schemes are spreading to senior citizens, too. 

Every time seniors go online, they’re under attack and these schemes are depressingly effective. Threat actors use cloaking (based on viewability technology) and fingerprinting to prey on older Americans. They have become disturbingly good at targeting the most vulnerable in society. And economic pressures in the digital media and advertising space have opened up more gaps for them to exploit.

Keeping consumers safe online has never been harder. While advertisers feel the impact of ambitious threat actors, protecting consumers is now more connected to media and advertising’s success. Consumer trust is essential to thriving in the challenging modern market. It’s time the industry took digital threats more seriously — for consumers’ sake and to save their businesses.

Sponsored by The Media Trust