Bad Actors Went Bargain Hunting On Cyber Monday Too!


Omry Aviry

This article was originally published on Medium, by

Publishers without protection feel the steep costs of malvertising

It was probably an unproductive day at the office for many on Monday. A recent survey from Robert Half Technology, a human resources consulting company, found that 52% of employees planned to shop online on Cyber Monday. And while Internet traffic scaled on Monday as many were hunting for online bargains, websites in the digital media world were seeking cover from a nasty malvertising attack that took flight just as the workday got started on the East Coast. You see, bad actors were starting their bargain hunting bright and early Cyber Monday too!

Malvertising hurts — period. It hurts the user experience when users inadvertently land on pages they didn’t want to go to — especially when they can’t get back to the content they want to read. It hurts the brand of the website when users have a poor user experience. It hurts the key metrics that drive publisher advertising revenue — like time spent on site when a site is under attack.

While many publishers are aware of and feel the negative effects of malvertising, putting a price tag on the impact can be challenging for some. That is, unless you are one of the most sophisticated platforms driving paid content distribution on the planet. In that case, the steep costs of malvertising on Cyber Monday are easily quantifiable. PubPlus, one of the market leaders in revenue attribution technology for publishers distributing content on paid channels, estimated that malvertising was costing them almost 3% of their overall revenue annually…until they partnered with

It would make sense that if you were trying to deceive users into clicking an ad on Cyber Monday that you would make it look like it came from an online retailer. Congratulations Walmart Shopper! Congratulations, you won an Amazon Gift Card! All logical ads that you could expect users to fall for on a day like Cyber Monday — which is exactly what we saw. The bad actors chose creatives that they knew would fit right in with the shopping mindset that customers were in on Cyber Monday. Creatives that users would be lured to engage with. It’s as if they planned it — and well, they probably did. Executions like this aren’t haphazard — they are usually very methodically executed. The 7 a.m. start time on Cyber Monday was no accident. The bad actors showed up and started their attacks just as users started their day in search of bargains. Perfect timing for the bad actors.

Back in late April we received an email from a company called PubPlus. We had just released a blog post telling a successful story of malware prevention with another partner. The story resonated with a few of the team members at PubPlus, and they were eager to see if we could deliver similar results for them as we had with other partners.

PubPlus has long felt the effects of malvertising. Chief Product Officer Omry Aviry claimed, “we’ve been dealing with malicious redirects that disrupted our business since long before header bidding took off — back to the days of the waterfall.” They were well versed on the pain points, and they were looking for a solution.

If you are a publisher and don’t know PubPlus — you really should. PubPlus is a revenue attribution platform that helps publishers grow their audiences profitably by reaching new users through social and native channels like Facebook, Snapchat, Taboola, and more. PubPlus’ technology attributes in real time the cost spent on each paid channel to the revenue generated from it, down to the campaign (channel, Geo and device) level, allowing the publisher to understand the real time visitor value and optimize the marketing budget. Creating great content is difficult — and making money out of it is even more difficult. Profitably distributing content is a challenging problem that PubPlus has solved. They are a global leader in this space. And when malvertising strikes, it can easily make profitable growth turn unprofitable immediately. “On a day when attacks would scale, we might experience a loss of over 50% of our page views per user session,” said Aviry. In other cases, PubPlus wouldn’t be able to feel the exact pain in their revenue, but instead their users would tell them directly. “Our end users are vocal, and when they are experiencing an impaired user experience related to malicious ads, they let us know in the comments section of our Facebook posts.”

Finding a solution to solve the malvertising challenge was critical for PubPlus. Experiencing an attack like the one this week on Cyber Monday without the right protection would be devastating to their business. They’d felt the impacts before and were hoping we could give them the protection they needed.

December 2, 2019 hourly Threat Network unique SSP threat volume.

There was a pronounced spike in malicious ads noticed when the team hit our dashboard on Monday morning — showing the hourly data from December 2. The attack on Cyber Monday started at about 7 a.m. (represented by the light blue line). As you can see from the chart above, there were a few SSPs experiencing low level attack probing over the course of the day. However, one particular SSP was under fire from a high magnitude of attacks by these bad actors throughout Cyber Monday. protects publishers and platforms from these threats by analyzing and preventing the execution of malicious JavaScript at run-time. When our partners implement our simple single line of JavaScript, takes care of the rest by blocking the malicious activity in real-time. We save our partners time, money, and help them protect the strong reputation they worked so hard to earn.

Threat level on some sites hit as high as 50% on Cyber Monday — meaning, a malicious ad was attempting to hijack one in every two page views. An attack of this nature would be devastating on many different levels to a publisher that is operating without protection from these threats. The user experience would surely be terrible, and monetization on the site would be severely impaired as the key metrics behind it declined.

By Monday evening at 7 p.m. EST, there was no sign of this threat slowing. It had scaled quite significantly since 7 a.m. Peak Internet traffic hours in the United States were coming over the next few hours, and it seemed like this bad actor was intent on reaching as many people as it could on Cyber Monday — bargain or not!

PubPlus went live with protection in late May 2019, immediately prior to the attacks on Memorial Day weekend. During their 30 day free trial, PubPlus conducted A/B testing of across multiple sites — with the key goals of measuring effectiveness of our solution, and quantifying potential revenue loss if the websites would not be protected in the best way possible. They found the results to be impressive.

Three PubPlus sites showing two sites that were protected during an attack, and one that was not. Session depth on the unprotected site declines 50% when under attack, and regains normal session depth once protection is replaced on the site.

“We noticed that when our sites were under attack, we would see a drop of 50% of our session duration and total page views per session without protection in place,” said Aviry. “Once adding the protection on, we could easily see our sessions and other critical operating metrics return to normal.”

As stated earlier in the post, PubPlus also did extensive analysis to understand the implied revenue loss that malvertising would have on their business if it remained unsolved. “While malvertising tends to come and go, we conservatively estimate that our monthly revenue loss was estimated at close to 3%,” noted Aviry. “This doesn’t even factor in the other benefits of ensuring our readers the best reading and user experience our sites offer.”

Monday at 12 a.m. until mid-day on Tuesday — the attacker was showing no signs of slowing down.

As of this writing, it’s now 2:00 p.m. on Giving Tuesday — almost 30 hours after the Cyber Monday malvertising attack began. As of this time — the attack is unfortunately still ‘giving’. While there is a noted valley in the line graph you see above (hourly data from December 2 and 3 across the Threat Network), it wasn’t really slowing down. It was simply moving with the waking hours of U.S.-based Internet traffic. Seems like the bad actors are still trying to extend that Cyber Monday feeling into the rest of the week!

If you have been experiencing challenges with malicious ads that are impacting your user experience, your monetization, or your reputation — let us know and we can help. Drop us an email at offers publishers and platforms a 30 day free trial to give you a complete understanding of how malicious ads could be impacting your business. Every day isn’t like Cyber Monday, but don’t you want to be prepared for it just like PubPlus was?


Omry Aviry
Omry is the Chief Product Officer at PubPlus. His passion for mobile and web environments got him in the loop: Define, Design, Test, Repeat. Defining, designing and developing great products and features is both Omry's passion, and his job. Apart from his tech obsession, Omry is a huge car enthusiast, doting husband, and a father to two beautiful children.