10 Easy-to-Keep Resolutions for Safe Online Shopping

This article by Pat Ciavolella, Head of Malware Desk and Analytics at The Media Trust, was originally published in Fraud & Identity Today on December 18, 2017.

Read article

Let’s admit it; online shopping can sometimes feel like junk food – it’s really good when you “virtual window-shop” but there is some element of guilt when you finally decide to splurge. Unfortunately, just like junk food binges can harm your health, online shopping can hurt you, too—malware and stolen card details are just the tip of the iceberg!

There is proof in the pudding: 2017 bore witness to several unsettling examples of ecommerce website attacks. In the Spring, at least 25 reputable, mid-tier ecommerce sites were compromised to steal customer payment card details. Then, six months later it was revealed that some of the world’s popular websites—a list that includes several brand-name retailers—were found recording your every keystroke.

Experiencing the effects of a digital compromise is a likely prospect for the average online shopper; it’s no longer something that only occurs during high-volume shopping periods or on dodgy websites. According to Adobe Analytics, online sales hit a record-breaking $6.59 billion on Cyber Monday, up 16.8 percent from 2016. How much of these record-breaking online sales were safe for you as a consumer? Good question. But, in preparation for 2018, everyone can resolve to be more vigilant.

A good first step is following these 10 easy-to-keep resolutions to protect your online shopping adventures:

 1. Judge loyalty programs: treat as guilty until proven innocent!

Read the fine print when signing up for loyalty programs that enable you to take advantage of additional discounts. Many retailers share your personal information with industry partners to promote seemingly complementary products, but the security of your personal data is not guaranteed.

2. Be a grammar guru: make sure URLs are spelled correctly

Domain spoofing is a widespread issue. It is easy to get enticed by a deal for a new gadget only to end up shopping on a completely fake website that has purposely been setup to entice and trick users, e.g., greatsales.com vs. gratesales.com. Also, pay close attention to grammar and spelling on various pages of the website, too. It’s easy to accidentally navigate off a legitimate site to a spoofed site.

3. Do a little detective work: check brand legitimacy

While shopping online, chances are, you are looking at multiple brands of goods. Before hitting the buy button, verify if the brand has a legitimate website, physical address and customer reviews before you splurge. Again, it doesn’t hurt to continuously keep an eye out for spelling errors on the url/domain and also general website text grammar. It’s unlikely a reputable brand would accidentally have these types of errors.

4. Build a routine: change passwords, often

This basic security practice is one that many consumers need to adopt. Changing passwords often, possibly a weekly or monthly basis, and creating strong passwords is important. And, no, your birthday isn’t a good password.

5. Seek trouble: with the payment page

Did you see an error message popup on the payment page? Or, did an error message flash just after you hit submit on your order? Chances are, there is something amiss and threat actors are trying to steal your payment card information. For the most part, the payment page should look “clean”, mimic other pages and contain minimal text – it shouldn’t have too many images, ads or other offers.

6. Confirm credibility: check for security certificates

Review the website’s security certificates, especially those on the payment page. While there is no guarantee that these certificates protect against a website attack, you at least want the ecommerce platform to meet industry security best practices around online payments, e.g., comply with PCI DSS standards.

7. Be perceptive: watch out for abnormal website behavior

Redirects, ad overload, ads that auto-refresh continuously, videos or images that take too long to load could signal some kind of trouble, possibly a compromise. Leave the site immediately by closing the tab and/or browser; you may even want to power off your device.

8. Work on reflexes: steer clear of fake updates and surveys

If the webpage displays a survey promising more discounts on completion or prompts you to update a plugin/ software, close the page down as quickly as possible. These are typical ploys to facilitate phishing or exploit kit drops. Don’t fall for it; some of these “you’ve won” scenarios ask an endless stream of user-identifying questions with a promise of a reward at the end. The reward never appears. Exit the browser right away!

9. Don’t walk and shop: mobile isn’t always safe

You might think you are better off shopping on your mobile phone, but carried-targeted malware is on the rise. This malware is only triggered if a person is visiting an infected website through a mobile device using data, i.e., the malware will not drop if you are on a secure Wi-Fi network.

10. Develop reading habits: start with privacy policies

Learn a little bit more about how cookies are used, how information about you is either shared or protected.


To mock or not to mock?

Avoiding fraudulent advertising campaign verification is critical for publishers


That is the question frequently asked by media publishers trying to meet advertiser demands related to digital campaign success. The industry’s intense focus on viewability and transparency issues associated with ad fraud hijacks the limelight from another vital area of interest for advertisers: Are campaigns actually running as contracted?

What the advertiser wants, the advertiser gets

To justify the millions (and millions!) of dollars spent promoting products, advertisers rightfully demand proof that their campaigns execute as promised.

From expected ad rendering on the page to accurate targeting by geography and behavior profiles, advertisers want to know that the right ad has been served in the right way in the right location on the right page to the right demographic. In fact, when considering the average spend of a large-scale national campaign flight, many advertisers will assert they deserve to know their campaign is performing as promised.

Authenticated ad inventory yields benefits

The advertising ecosystem is a dynamic environment processing millions of ads covering billions in spend at any one time. Considering that 5% of display and mobile ads are served incorrectly at launch and countless more break during flight, publishers need to actively monitor and protect their ad-generated revenue channels.[i]

Authenticated ad inventory helps publishers secure ad revenue by avoiding pre-planned delivery overages to compensate for anticipated discrepancies. In addition, it also reduces the frequency of misfiring campaigns, thus minimizing instances of “make good” campaigns.

Ad verification is more than good looks

Reputable publishers recognize the value of their high-quality inventory and demonstrate it by providing proof of ad delivery according to established terms. This is a complicated prospect in an age of large-scale campaigns incorporating ads of varying formats (i.e., HTML5, pre/mid/post-roll video, native, etc.) through multiple platforms (i.e., display, tablet, smartphone, gaming consoles, etc.) across increasingly granular targeting segments.

A Photoshopped “mock-up” or full-page capture of the ad on a screen is a start, but it isn’t enough. Presenting a “mock-up” of how an ad should look could be considered fraudulent as it’s not a true representation of how an ad performs across all formats, devices and geographies. In fact, several industries (Tier 2 automotive, pharmaceutical, etc.) and countries (especially those in Latin America) regulate advertising-based billing processes and require third-party verified screenshots upon invoice presentation.

Beyond the visual of “how” an ad looks on a device, publishers must prove that each ad is delivered as contracted with the advertiser. Continuous monitoring of campaigns at launch and throughout flight will quickly detect errors associated with targeting, creative and device-specific issues that impede optimal campaign execution.

Authentication of possibly hundreds of ad combinations—by size, format, device and geography—is used by publishers to substantiate inventory value and by advertisers to audit and measure campaign ROI.

Consider this

To verify accurate ad placement, execution and targeting, a publisher must consider these five factors:

1.    Legitimacy: Screenshots of ads in a live environment truthfully demonstrate that an ad is delivered to the right target. A “mock-up” or “test page” may display how an ad appears on a site, but in reality it provides a false sense of security for how the ad is actually executing. It also infers that the ad will render the same across all devices, OS, formats and geographies.

2.    Accuracy: Mock-ups can’t prove ad placement as many ad units only occur behind paywalls or require an IP address in order to serve the correct messaging to the individual user.

3.    Automation: Imagine scaling the manual process of verifying ads across the overwhelming number of devices, browsers, user profiles, formats, sizes and geo-locations. Without automation, the task is almost impossible. Leverage technology to streamline the process.

4.    Costs: Carefully consider the total cost of ownership when deciding between an in-house or outsourced process. While in-house resources are easier to control, it is difficult to secure funding and keep the staff engaged. On the flip side, outsourcing requires integration, training, probable coordination with targeting vendors, and continuous oversight which could ultimately be more costly than anticipated—not to mention the complications of managing a remote team, in a case of choosing a non-local entity if a non-native entity is selected.

5.    Quality Assurance: Reliance on mock-up designs to certify campaign execution will not catch errors that occur at launch or throughout the campaign flight.

Ad verification is a complex, yet critical endeavor for publishers looking to highlight inventory value. Don’t mock it.


[i] The Media Trust analysis of millions of ad campaigns verified over the course of 10 years.

Ecommerce: Are you ready for the 2014 holidays?

It’s the most wonderful time of the year…for ecommerce.

For many, the cooler temperatures and shorter days signal the start of holiday shopping, and the 2014 holiday season is expected to witness a 15.5% increase in ecommerce sales. Mobile transactions will constitute a third of that number generated, with the average consumer spending $248 online. For others, the increased volume of online shopping serves as a tempting target for web-based attacks in the form of malware, and consumers are the innocent participants.

Malware attacks skyrocket during the holiday season. This makes sense when you consider that more than 25% of total U.S. annual online sales are expected to occur in November and December.With more than $6.5 billion in ecommerce sales expected this year, you can bet the online ecosystem will be targeted.

Much like retailers stock the shelves, ecommerce sites load up with images, product descriptions and advertisements promoting this season’s must-have items and offering discounts in preparation to cash in on the uptick in website visitors. However, this super-sized volume also attracts those looking to make a quick buck by taking advantage of your customers and their online shopping activities. They hijack your ads or third-party content to deliver nefarious code that auto installs on your site visitor’s device. Often, due to fraudsters’ ever-increasing sophistication, these ads or images don’t even require user action. The process of simply serving the impression of an infected ad, image or product review can set the malware wheels in motion.

The Media Trust has had a front-row seat to these activities for the past few years, witnessing the doubling and sometimes tripling of attacks via web-based advertisements or “malvertising” from November through January. The attacks typically kick into high gear on the Wednesday before the U.S. Thanksgiving holiday, a time when many employees charged with supporting and maintaining your website are at home enjoying the long weekend. The staff required to keep the website operational focus only on functionality and often don’t notice the anomalous, third-party code piggybacked to their ads and third-party content.

What’s the worst that can happen? Your website and/or ads become a flashpoint for a major attack, infecting thousands of your customers or potential customers with harmful malware. Typically, the malware downloads an exploit kit onto a customer’s device and mines for system weaknesses to leverage, like passwords or access to personal bank accounts. Sometimes, the hijacked content redirects valuable customers to a fraudulent site, resulting in lost revenue. In either scenario, your customers experience a negative interaction with your brand.

The reality is that your public-facing ecommerce site, quite possibly the bread and butter of your business, can serve as a prime purveyor of malware to your customers. The only way to prevent such attacks is to monitor all ad tags and website code executing on the browser or app, including your own code and that of third parties, data management platforms, advertising re-targeters, analytic firms and sales platforms. Continuous, 24/7 monitoring ensures the detection and analysis of all unknown or anomalous ads and third-party code served to the site, and real-time detection enables ecommerce operators to quickly remove and then block the suspicious or malicious ad tag or code before any damage to site visitors or brand occurs.

Brand protection, revenue security and site performance–those are the best holiday gifts to give and receive.