Getting serious about malvertising with TAG

Authored by Alex Calic, Chief Revenue Officer, The Media Trust

3 steps to anti-malware certification

cmyk TAG Certified Against Malware

Malware is a serious problem in the digital advertising ecosystem. Not only is it a contributing factor to ad blocking adoption, but also a significant driver of ad fraud. The World Federation of Advertisers estimates that the total cost of ad fraud could exceed $50B by 2025. Clearly, something must be done.

Various groups have attempted to address this malware problem with little success, but one group is taking decisive action. The Trustworthy and Accountability Group (TAG)—supported by the IAB—recently launched a malware certification program. As an inaugural certification recipient, The Media Trust is fully behind this initiative—just ask for program details.

The certification program is open to any entity that touches creative as it moves through the digital advertising ecosystem, from buyer to intermediary to seller. Even malware scanners like The Media Trust have the option to participate and commit to industry efforts for creating a healthier advertising supply chain.

Benefits: Reap what you sow

TAG’s “Certified Against Malware” seal is awarded to enterprises that can demonstrate adherence to rigorous anti-malware standards, especially those delineated in TAG’s Best Practices for Scanning Creative for Malware.

The program yields a host of benefits for publishers and their upstream partners. Specifically, participating companies can:

  • Improve their enterprise security posture: Adoption of continuous, 24/7, client-side scanning of digital advertising campaigns detects malware before it propagates to consumer devices.
  • Speed incident response: By allowing The Media Trust to send simultaneous alerts to you and your business partners, you reduce the time needed to resolve the issue across your entire advertising value chain.
  • Satisfy upstream partner requirements: Demonstrate compliance with advertiser and/or buyer directed policies for security.
  • Protect your brand value: Receive a “Certified Against Malware” seal from TAG to signal your enterprise’s efforts to identify and remediate malware in the digital ecosystem, a key element in many value propositions
  • Prove digital asset governance: Discovery and validation of all parties executing in your digital ecosystem supports enterprise-wide governance and risk frameworks.

Requirements: Steps to anti-malware certification

Anti-malware certification program participants promise to adhere to malware scanning best practices, make best efforts to identify and terminate malicious activity, and submit to a TAG-directed audit.

You, too, can join industry efforts by following these steps:

  1. Complete TAG registration: If not already a TAG-registered company, fill out the registration form, signal interest in malware certification (fees may apply), and designate both a TAG Compliance Officer and a primary malware point of contact. Indicate anticipated anti-malware certification path:
  • Self certify: Enterprise submits forms and documentation directly to TAG
  • Independent validation: Accredited audit firm or digital media auditor submits forms and documentation to TAG on the enterprise’s behalf
  1. Evaluate digital advertising ecosystem: To determine a reasonable scanning cadence, companies need to understand existing inventory flowing through the environment and the involvement of all upstream partners. Review existing inventory and assess typical volume by in-house, direct and programmatic; and, also consider the volume percentage by display, mobile, video, header bidding, etc.

Upstream partners should be identified and points of contact for security violations documented. Appraise each partner according to their history of addressing malware incidents, industry reputation and general relationship experience. Especially if a direct contract is not involved, discuss respective malware scanning responsibilities.

  1. Scan inventory: Implement malware scanning according to TAG’s Best Practices for Scanning Malware and document the entire processes. As a Certified Against Malware scanner, The Media Trust provides documentation on the scanning protocol for your environment including resolution procedure for malware incidents (Red Flag event).

NOTE: Watch this quick overview of TAG’s recommended scanning cadence.

Terminate malware: What are you waiting for?

The future of the digital ecosystem rests on everyone’s shoulder—advertiser, agency, ad tech and publisher. Let’s make it a better place. Verify your inventory is malware-free. The Media Trust can show you how—Just ask.

The Great Data Leakage Whodunit

Safeguarding valuable, first-party data isn’t as easy as you think

If your job is even remotely connected to the digital advertising ecosystem, you are probably aware that data leakage has plagued publishers for many years. But you are most likely still in the dark about the scope and gravity of this issue. Simply put, data leakage is the unauthorized transfer of information from one entity to another. In the digital ad ecosystem, this data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorization. Today, this scenario is much more complicated due to the sheer number of players across the digital advertising landscape, which causes data loss to steadily permeate the entire digital ad industry, and leading to a “whodunit” pandemonium.

Surveying the Scene

On average, at The Media Trust we detect at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and in some cases more than 100, depending on the size of the campaign, type of ad, and so forth. The other contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, CDNs and other middlemen that actively participate in the delivery of the ad as it moves from advertiser to publisher. Just imagine the cacophony of “not me!” that breaks out when unauthorized data collection is detected. To make matters worse: few understand how data leakage impacts their business and ultimately, the consumer. As a result, an unwieldy game of whodunit is afoot.

Sniffing out the culprit(s)

To unravel this data leakage mystery, let’s get down to brass tacks and build a basic story around just four actors: Bill the Luxury Traveler (Consumer), Brooke the Brand Marketer (Brand), Blair the Audience Researcher (Agency), and Ben the Ad Operations Director (Publisher).

data-leakage-who-dunnit

Bill the Luxury Traveler

Case File: As a typical consumer, Bill researched vacation package for his favorite Aspen resort on a popular travel website. He found a great bargain but wasn’t ready to make the final booking. As he spent the next few days thinking about his decision, he noticed ads for completely different resorts on almost every website he visited. How did “they” know he wants to travel?

Prime Suspects: Bill blames his favorite resort and the leading travel website for not protecting or, even worse, selling his personal data.

Brooke the Brand Marketer

Case File: Brooke is the marketer for a popular Aspen luxury resort. She invested a sizeable percentage of her marketing budget on an agency that specialized in audience research and paid a premium to advertise on a website frequented by consumers like Bill. To her dismay, she realized that this exact target audience is being served ads for competitive resorts on several other websites. How did her competitors know to target the same audience?

Prime Suspects: Brooke questions her ad agency leaking her valuable audience information to the ad ecosystem and also fears the leading travel website does not adequately safeguard audience data. What Brooke does not suspect is her own brand website, which could by itself be a sieve that filters audience data into the hands of competitors and bad actors alike.

Blair the Audience Researcher

Case File: With a decade of experience serving hospitality clients, Blair’s agency specializes in market research to understand the target audience and recommend digital placements for advertising campaigns. However, one of Blair’s prestigious clients questioned her about the potential use of the brand’s proprietary audience data by competitors. How does she prove the client-specific value of her research and justify the premium spend?

Prime Suspects: Blair is concerned about the backlash from her clients and the impact on the agency’s reputation. She now has to discuss the issue with her trading desk partner to understand what happened, but she is unaware that she is about to go down a rabbit hole that could lead right back to her client or the client’s brand website as the main culprit.

Ben the Director of Ad Operations:

Case File: Ben is the Director of Ad Operations for a premium travel website. As a digital publisher, the sanctity of his visitor/audience data directly translates to revenue. In this scenario, he suffered when his valuable audience data floated around the digital ecosystem without proper compensation Almost every upstream partner had access to his audience data and could collect it without permission. When his data leaked it devalued ad pricing, reduced market share and customer trust, and also raised data privacy concerns. How does he detect data leakage and catch the offending party?

Prime Suspects: Everyone. Publishers like Ben are tired of this whodunit scenario and the resulting finger-pointing. While ad exchanges and networks receive a bulk of the blame for data collection, he is aware that many agencies, brand marketers and their brand websites play a role in this caper, too.

And at the end of the day, consumers, people like Bill whose personal data is stolen, are ultimate the victims of this mysterious game.

Guilty until proven innocent

While the whole data leakage mystery is complex, it can be cracked. The first step is accepting that the entire display industry is riddled with mistrust and every participant is guilty until proven innocent. Several publishers, responsible DSPs, trading desks, exchanges, marketing agencies and brands have already taken it upon themselves to solve this endless whodunit. To bolster their innocence, these participants need to carefully review:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With the General Data Protection Regulation (GDPR), EU-US Privacy Shield, and many more such timely regulations, the onus is on every player in the digital ad ecosystem to understand what data their upstream and downstream partners can access and collect via ads. Instead of today’s blame game, the industry should slowly see accountability for non-compliant behavior.
  1. Governance: Every entity across the ad ecosystem should adopt and enforce stricter terms and conditions around data collection and data use. This is especially crucial for publishers and brands – the two endpoints of the digital ad landscape.

Ultimately, every participant in the digital advertising ecosystem first needs to monitor and govern their own website in an attempt to close loopholes that facilitate data leakage before pointing fingers at others.

Ad Ops can rest a bit easier with malware resolution strategies

Sharing of malware incident information proving a success

Ad Ops can rest easy

The continuous threat of malware in the advertising ecosystem keeps many advertising operations professionals awake at night. The speed at which ads are bought and served and the number of players involved comes at a steep price—vulnerability to malware. For years, The Media Trust has tackled this vulnerability head on by detecting malware in our clients’ digital ecosystems and providing the critical details that allow the malware to be located and shut down. Impacted clients then communicated these details with the specific partner serving the infected ad. This daisy-chain process involves a series of communications with upstream partners, a process that can take up to 72 hours while the malicious ad continues to circulate.

To minimize the daisy-chain effect, The Media Trust introduced Media Scanner’s Resolution Services, an information sharing service that provides for simultaneous communication of malware alert details among partners. Announced in April, Media Scanner’s Resolution Services has proven to be a resounding success with 20 digital publishers and more than 20 ad tech partners enrolled in just under six months.

Reaping what you sow

Media Scanner’s Resolution Services is a SaaS-based service that provides real-time information sharing with upstream and downstream business partners about malicious ads detected in a client’s advertising operation. As part of the Media Scanner product family, this solution is available as a complimentary add-on to existing clients with significant ad tag volume.

Designed for publishers, ad networks, ad exchanges, demand platforms and paid-content engines, the service’s continuous, real-time information sharing compresses cycle times for malware detection, notification and remediation from several days to mere seconds, drastically reducing infected tags’ ability to harm site visitors and the site’s brand reputation. By compressing this cycle time, companies can speed incident remediation, protect revenue by ensuring ad tags stay active and strengthen business relationships.

Real-time, actionable malvertising intelligence delivers a host of benefits to the entire digital ecosystem.

  • Revenue continuity: By sharing malware incident data with the upstream party serving the malware, bad ads are removed more quickly thereby allowing ad tags to remain active and generating revenue.
  • Improved incident response: By allowing Media Scanner to send an alert to clients and their mutually-impacted business partners, everyone realizes a shorter cycle time to resolve the issue across the entire advertising value chain.
  • Streamlined incident handling: Once an anomalous ad tag is detected and confirmed, The Media Trust automatically notifies all impacted partners throughout the advertising ecosystem, which ensures the ad can be removed and then permanently blocked.
  • Enhanced security posture: 24/7 access to information on malicious ad tags improves not only the health of a publisher’s advertising operation, but also strengthens their organization’s security posture, bridging the gap across ad ops, sales, marketing, site operations and security teams.
  • Strengthened relationships among partners: Real-time communication and cooperation generates a positive network externality that improves the overall health of the entire online and mobile advertising ecosystems and severely limits malware’s success rate.

In the past few months, this solution simultaneously communicated hundreds of malware incidents to impacted publishers and their authorized ad tech partners, greatly accelerating the termination of malware, removing hours—sometimes days—from the cycle. This increased speed of malware incident resolution exponentially improves the level of protection across the greater online and mobile advertising ecosystem. But more can be done.

An eye to the future

Ad tech providers want to get into the game and initiate this program with their buying partners, attesting to the true value of Media Scanner’s Resolution Services. The Media Trust is now working with ad tech clients to share incidents with authorized agency media buyers and trading desks—a critical step to tackling malware as it enters the advertising environment. Malvertising will never be eradicated, but, limiting its ability to rapidly propagate throughout the digital ecosystem helps everyone rest a bit easier.