
Why You Need Compliance


By Camila Castro

March 22, 2022


The Goal of Compliance

As an ad network, the goal of Compliance is to ensure that your Publisher network is of high quality so that your Advertiser network can get a good ROI for their offers. You also need to protect your valuable Publisher network from non-compliant ads and malvertising. Without this protection, Publisher site visitors get a bad ad experience and end users may be exposed to exploitation by cyber criminals. So the role of Compliance is to police your ad network. Now let’s look at this in more detail.

The Role of Compliance

Setting your network Guidelines

As an ad network you should set your Publisher and Advertiser Guidelines. These are the rules that all your clients must abide by in order to be given access to your platform. The Guidelines are a list of items that are not permitted. They should be displayed prominently on your website so that Advertisers and Publishers are aware of them before and after they have signed up to your network. Your Guidelines should be aligned with IAB industry standards, Google and the Coalition for Better Ads. These industry bodies set the global standards for all online advertising to ensure that advertisers get the best ROI, that browsers such as Chrome do not block the ads that are served, and that your Publishers have a good ad-related user experience.

Approving Publisher websites

For Publisher Compliance, websites should be evaluated. Does the content fit contextually with the offers your Advertisers are looking for? Is the website's content of high quality? Does the website have copyright to show the content images that are displayed? What is the quality of the website's traffic? Poor quality will mean poor conversions for Advertisers. Does the website contain too many ad zones? If there are too many, it will be bad for the end user experience, so the site will have low quality traffic and there will be too much competition for end user attention for your Advertisers’ offers.

Approving Advertiser campaigns

For Advertiser compliance, ad creatives should be checked for quality, weight and visual content. Are the images of poor quality? Do they infringe any copyright? Do they look squashed because the dimensions are wrong? Are the creatives too heavy, meaning a Publisher’s site will be slow to load, which could lead to penalization from Google? Do they meet Google’s and the Coalition for Better Ads regulations? For example, flashing images, fake video play buttons and fake close buttons are not acceptable. Ad campaign texts should be checked to ensure that the offer can be promoted on your network and that the way the texts are phrased fits in with your Guidelines. Each campaign's landing pages should be checked to see that the URLs work and that the offer is the same one as stated in the ad creative, and landing page images and texts should also be evaluated.

But there is more…

Unfortunately, there are many cybercriminals using online ads for Malvertising campaigns, which is our next subject.

Malvertising

Cybercriminals use the same advertising strategies as legitimate ad companies, except that malvertisements will either try to download malware directly to website visitors' devices when they click on the bad ad, or send visitors to websites that distribute viruses, ransomware or other unwanted and malicious programs. Sometimes malvertising uses potentially fraudulent activities to try to exploit end users for financial gain and/or steal their personal data. Bad actors will provide ad campaigns that may seem totally compliant, but obfuscated code may be hidden inside the ad creatives and landing pages. Or, once the legitimate campaign is approved by Compliance, the cybercriminals will change various stages of the ad campaign's flow to inject malvertising.

Some forms of Malvertising

Malware can be disguised in ads offering free antivirus or even security utilities, stating that the end user's device is infected with Trojans or Viruses, when in reality the products offered are themselves malicious. Called Scareware, these kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them.

In a Drive-by attack, an end user clicks on a malicious ad and a hidden script runs in the background, looking for vulnerabilities on the user’s device so that it can secretly download and execute a malicious application such as Ransomware. The same approach is used in Drive-by mining, where ads use a piece of JavaScript code to mine different cryptocurrencies directly through the visitor's browser, secretly using their CPU power.

Ransomware is a form of malware that essentially holds an end user’s device captive while demanding a ransom. The malware restricts user access to their device either by encrypting files on the hard drive or by locking down the system and displaying messages. The end user then has to make a payment to the cybercriminal to unlock their device, either by credit card, which exposes the end user to possible further financial exploitation, or in cryptocurrency.

Malicious URLs host unsolicited content (spam, phishing, drive-by exploits, etc.) and lure unsuspecting users into becoming victims of scams: monetary loss, theft of private information, and malware installation.

A Phishing URL takes the end user to a phishing site which might trick users into revealing their personal information such as passwords, phone numbers, or credit card details. The content pretends to act, or looks and feels, like a trusted entity, for example a browser, operating system, bank, PayPal or government.

Auto-downloads automatically download a file/executable/application without user interaction.

Auto-redirects contain a script causing a web page to break out of any frames "framing" it, resulting in automatically redirecting the visitor to another website/page.

Back Button Hijack ads contain a script that allows an advertiser to manipulate the end user’s browser history. Usually this consists of inserting one or several pages into the browser history, which prevents the user from going back to the page they came from.
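The following added example, which is not part of the original article or of any vendor's product, shows a static pre-launch check a Compliance team could run over ad creative markup for the three scripted behaviours described above: auto-redirects, back button hijacks and auto-downloads. The rule ids, regular expressions and sample creatives are constructed assumptions.

```javascript
// Added example: static pre-launch scan of ad creative markup.
// Rule ids, patterns and sample creatives are constructed for illustration.
const RULES = [
  {
    id: "auto-redirect",
    // Script writes to the location of the top/parent frame (frame break-out).
    test: (src) =>
      /\b(?:top|parent)\.location(?:\.href)?\s*=(?!=)/.test(src) ||
      /\b(?:top|parent)\.location\.(?:replace|assign)\s*\(/.test(src),
  },
  {
    id: "back-button-hijack",
    // Script inserts history entries or intercepts back navigation.
    test: (src) =>
      /\bhistory\.(?:pushState|replaceState)\s*\(/.test(src) ||
      /\bonpopstate\b|["']popstate["']/.test(src),
  },
  {
    id: "auto-download",
    // Script sets a download target and clicks it itself, with no user action.
    test: (src) => /\.download\s*=(?!=)/.test(src) && /\.click\s*\(\s*\)/.test(src),
  },
];

// Returns the ids of every rule the creative triggers, in rule order.
function scanCreative(markup) {
  // Drop JS comments so commented-out code does not raise findings.
  const src = markup.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
  return RULES.filter((rule) => rule.test(src)).map((rule) => rule.id);
}

// Constructed sample creatives, one per behaviour plus a clean banner.
const SAMPLES = {
  clean: '<a href="https://advertiser.example/offer"><img src="banner.png" width="300" height="250"></a>',
  redirect: '<script>if (top !== self) { top.location.href = "https://landing.example/"; }</script>',
  hijack: '<script>for (let i = 0; i < 3; i++) history.pushState({}, "", "#p" + i);</script>',
  download: '<script>var a = document.createElement("a"); a.href = "/file.bin"; a.download = "file.bin"; a.click();</script>',
};

for (const [name, markup] of Object.entries(SAMPLES)) {
  const findings = scanCreative(markup);
  console.log(name, findings.length ? "REJECT: " + findings.join(", ") : "pass");
}
```

Static matching only catches code that appears in the clear; creatives with obfuscated code still need a scan that loads and interacts with the campaign, as discussed under Fighting Malvertising.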

There are many more forms of malvertising and cybercriminals are extremely tech savvy and try many different ways to exploit an ad network. Malvertising distribution via digital advertising is a continual battle for ad networks. It is important to protect Publishers and end users from being exposed to malicious ads. Malvertising can happen on any ad network at any time, including giant ones like Google.

Fighting Malvertising

A Compliance team should have a solution that checks ad campaigns before launch and also after they have launched on your network. This can be done manually with a team of Compliance Officers, manually together with an automated solution, or with a dedicated automated solution.

There are several companies that offer an automated solution to check campaigns for malvertising both before and after launch. One company is AdSecure, which uses crawler technology to scan the full chain of an ad campaign: the creative, the landing page, the URLs, redirection chains, etc. It interacts with the campaign just as an end user would. These scans can be activated before the campaign launches and while it is running. If anything is discovered, it immediately alerts the Compliance team so that the campaign can be stopped and appropriate action can be taken, for example blocking the advertiser account, reporting to the police, etc.

AdSecure is a very effective solution, and each year the company releases a Violations Report. Its findings provide insights into cybercriminal malvertising behavior during each year, taken from data from the large ad network client base AdSecure protects. Here are some highlights from their 2021 report, which you can read in detail here:

  • 1 in 20 scans reveal 4 or more violations detected in a single ad campaign: Adding several different violations to one ad campaign allows malvertisers to be much more effective in their exploitation attempts. A common tactic is a chain of different violations spread across the ad creative, the landing page, the URL, the redirection path/chain and hidden code within iframes. Their hope is that even if one or two violations get discovered, others can still slip through undetected.
  • 36.7% of all scans detected User Experience Violations: User Experience Violations directly affect the end user browsing experience with annoying or malicious activity within ad campaigns. Overall, just over one third of all scans detected this type of violation.
  • 22.8% of all scans detected User Security Violations: User Security Violations harm the user’s online safety by trying to steal personal data or exploit them financially, for example through malicious URLs, Drive-by cryptocurrency mining, Scareware, Ransomware and Browser Lockers.
  • 1.6% of all scans detected poor IAB Standard Ad Quality: As mentioned earlier in this post, AdSecure also has an IAB Standards detection that allows ad networks to scan the quality of ads to ensure they meet the industry standards.

Compliance Benefits for Your Business 

There are several benefits from ensuring that you have a full Compliance solution to monitor your ads:

  • Higher revenues: Ensuring you have only clean, high quality traffic on your network will attract Advertisers, because their offers are more likely to convert with your traffic sources. This in turn increases the eCPM for your Publishers’ ad zones, which leads them to make more of their traffic available to your network to monetize.
  • A great end user ad experience: If your network's ad campaigns are in line with IAB industry standards, they are optimized to provide the best experience for the end user. As a result, such ads consistently drive higher levels of user interest and click rates, and can be a key difference between a higher or lower conversion rate for digital ad campaigns.
  • Your Publishers’ Google rankings: Meeting IAB Standards lets your Publishers know that the ads shown on their websites from your network avoid any penalisation from Google for poor site performance, ensuring that their sites are high in Google rankings and visible to all potential users.
  • Brand safety for your Publishers and safety for end users: By protecting Publishers from malvertising you are protecting their reputation with end users. Any end user that suffers from malvertising from a Publisher's site will never visit the website again. Plus, ensuring that end users are not exposed to any malvertising keeps their browsing experience safe, which is beneficial for the greater good of the online ad industry.
  • More competitive: Strong Compliance gives your business a more competitive edge, so use the opportunity to explain this to all your current clients and prospective clients. You can communicate this through a dedicated webpage, blog post, emailed newsletter, and your rules and guidelines.
  • No bad media coverage: Security blogs and media jump at the chance to expose an ad network or publisher who has served malvertising. These articles are then posted and can easily be found with a Google search. Having a robust Compliance solution protects you from this kind of negative exposure, which can negatively affect your business.

Conclusion

All in all, Compliance gives your ad network a strong business reputation. Brand safety, a great user ad experience and quality traffic will enhance your reputation as one of the best in the industry, by proving you are addressing the malvertising issue by policing your network. As an ad network this builds brand loyalty from your Publisher clients. In fact, Publishers expect their partners to eliminate bad ads. The time has passed when Publishers were willing to tackle this issue on their own. While many have strong processes in place, they now expect their ad platform partners to do likewise, and will consider who they partner with on that basis. This is why having Compliance for your ad network can be considered one of your most important assets.
