How Publishers Can Protect Themselves from Modern Malvertising Scams

The email lands in your inbox: "Major brand CPM, go live today." The sender’s domain is unfamiliar, but the offer sounds lucrative. They’re offering premium rates, a fast turnaround, and a recognizable brand. You hesitate for a moment, but the temptation is strong—after all, a quick launch could mean significant revenue.
Before you reply, take a step back. What feels like an exciting opportunity might be a gateway for one of today’s most sophisticated online ad scams. The world of malvertising has evolved dramatically since early incidents, such as the New York Times malware attack more than a decade ago.
Today, malicious actors use artificial intelligence (AI), deepfakes, short-lived infrastructure, and automated ad systems to infiltrate even legitimate websites. Publishers must assume that every unsolicited ad deal is potentially hostile until proven otherwise.
What is Malvertising?
Malvertising is the insertion of malicious code or redirects within seemingly legitimate ad creatives. It remains one of the most costly and damaging forms of digital fraud. It’s not just about tricking visitors into downloading malware. It’s also a reputational and legal risk for publishers who unknowingly serve harmful ads.
The tactics are now more advanced, and the deception is layered across multiple platforms, networks, and technologies.
Recent cases show just how far these schemes have come:
- In 2025, Microsoft uncovered a campaign in which malvertising redirectors were embedded into illegal streaming websites. Simply visiting those pages triggered a chain of redirects that ended at GitHub repositories hosting information-stealing malware, affecting nearly a million devices globally.
- Cisco Talos identified another campaign called PS1Bot, which uses PowerShell and C# to execute in memory and deploy modular payloads directly through ad creatives.
- In Brazil, deepfake celebrity ads have become a national issue. One campaign utilized AI-generated content impersonating Reuters to promote fake giveaways and investments, defrauding consumers of over 20 million reais.
- Similar scams have spread across Facebook, Google, and YouTube, including a fraudulent TradingView Premium offer that redirected users to malware-laced landing pages.
Alternative ad systems are vulnerable as well:
- Google and security partners recently dismantled SlopAds, a massive ad-fraud network hidden within more than 224 Android apps that generated fake ad traffic through invisible WebViews, collectively downloaded 38 million times.
- On connected TV (CTV) platforms, DoubleVerify found that bot fraud now accounts for approximately 65 percent of invalid impressions—an alarming number for premium video publishers.
Why Publishers Are Still Vulnerable
These examples demonstrate how modern malvertising operations blend technical sophistication with social engineering. Fraudsters exploit the trust between publishers, agencies, and ad exchanges. They spin up new domains, certificates, and hosting environments within hours—faster than blacklists or manual checks can keep up. Even experienced publishers can be deceived when an offer appears legitimate on the surface but conceals malicious code beneath.
A Modern Playbook for Prevention
To minimize risk, publishers must adopt a security-first mindset toward advertising. Every deal should be verified through layers of technical, contractual, and behavioral checks. Below is a practical framework for safeguarding your ad operations in 2025.
- Verify domain legitimacy: Always perform a WHOIS lookup to confirm when and where the domain was registered. Domains created within the last few months or using privacy masking should be treated as suspicious. Verify that the email domain matches the company name and that DNS and SSL records are consistent.
- Investigate the company identity: Visit the advertiser’s website and look for authentic business signals such as a physical address, phone number, and staff profiles. Research them on LinkedIn and cross-reference with corporate filings. Legitimate agencies are transparent about their clients and leadership.
- Validate brand representation: If the advertiser claims to represent a major brand, never rely on the contact details they provide. Call the brand’s corporate switchboard directly and request to speak with the contact by name. Fraudsters often spoof brand affiliations to gain credibility.
- Request and review tax documentation: Ask for a W-9 or equivalent business form showing a registered address and EIN. Invalid or mismatched details are a strong indicator of fraud.
- Inspect all ad creatives: Require both static assets (image or HTML5) and full JavaScript tags for review before launch. Scan the code for obfuscation, redirects, or base64 encoding. Malicious campaigns often hide payloads inside dynamic scripts or third-party calls.
- Control where scripts can run: Whitelist approved domains within your ad server or content-security-policy headers so that creatives can only execute from verified sources. Block any creative that references unlisted URLs or CDNs.
- Use contracts that define boundaries: Every insertion order should specify approved creative formats, hosting domains, and delivery methods. Include clauses for audit rights, termination upon detection of fraud, and payment clawbacks for invalid traffic.
- Launch in limited phases: Never expose all inventory immediately. Start with a small percentage of impressions and monitor performance before scaling up. Abnormally high click-through rates or sudden traffic surges often indicate non-human activity.
- Integrate independent verification: Employ third-party services such as DoubleVerify, Integral Ad Science, or Anura to detect invalid traffic, measure viewability, and verify creative domains. Automated anomaly detection provides a second layer of protection.
- Set real-time monitoring and alerts: Implement analytics dashboards that track impression velocity, geographic distribution, and device mix. Trigger alerts for sudden deviations or unexplained spikes in engagement.
- Audit campaigns post-launch: Compare the actual domains and impressions delivered against what was listed in the insertion order. Keep records of anomalies and blacklist any partner or network that fails verification.
- Train your team continuously: Ad ops, sales, and marketing teams should receive periodic training on identifying fraudulent offers, reading creative code, and escalating suspicious inquiries. Many scams succeed simply because someone didn’t know what to question.
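The creative-inspection, script-allowlisting and phased-launch monitoring steps above can be turned into a small pre-flight check. The following Python is an added example written for this article, not code from the article's author or from any of the verification vendors it names: the allowlist hosts, the ad tags, the impression events and every threshold are constructed for illustration. It scans a tag for unlisted hosts, long base64 runs (which it decodes and inspects too) and calls that display creatives rarely need, builds a matching Content-Security-Policy `script-src` value, and flags a staged launch whose click-through rate, geographic concentration or per-minute impression velocity looks non-human.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the publisher has vetted for its ad server and CSP.
ALLOWED_DOMAINS = {"cdn.example-adserver.com", "trk.example-adserver.com"}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Long runs of base64-alphabet characters are worth decoding and inspecting.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls that ordinary display creatives rarely need but hidden redirectors lean on.
SUSPICIOUS_CALLS = ("eval(", "atob(", "unescape(", "document.write(",
                    "location.replace(", "location.href", "window.top.location")


def creative_findings(tag, allowed=ALLOWED_DOMAINS):
    """Return human-readable findings for an ad tag; an empty list means nothing was flagged."""
    findings = []
    texts = [("tag", tag)]
    for blob in B64_RE.findall(tag):
        raw = blob.rstrip("=")
        try:  # re-pad and decode; anything that is not real base64 is skipped
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        findings.append(f"tag: base64 blob of {len(raw)} chars decodes successfully")
        texts.append(("decoded", decoded.decode("utf-8", "replace")))
    for label, text in texts:
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed:
                findings.append(f"{label}: unlisted host {host}")
        for call in SUSPICIOUS_CALLS:
            if call in text:
                findings.append(f"{label}: uses {call.rstrip('(')}")
    return findings


def script_src_policy(allowed=ALLOWED_DOMAINS):
    """Content-Security-Policy value that lets scripts load only from the page itself and the allowlist."""
    hosts = " ".join(sorted(allowed))
    return f"script-src 'self' {hosts}; object-src 'none'; base-uri 'self'"


def traffic_alerts(events, max_ctr=0.05, max_geo_share=0.80, max_burst_ratio=5.0):
    """Check a phased-launch sample. Events are dicts {'minute': int, 'geo': str, 'click': bool}
    (a constructed schema, not any vendor's); the thresholds are illustrative assumptions."""
    alerts = []
    if not events:
        return alerts
    total = len(events)
    ctr = sum(1 for e in events if e["click"]) / total
    if ctr > max_ctr:
        alerts.append(f"CTR {ctr:.1%} exceeds {max_ctr:.0%}")
    geo, count = Counter(e["geo"] for e in events).most_common(1)[0]
    if count / total > max_geo_share:
        alerts.append(f"{count / total:.0%} of impressions from single geo {geo}")
    per_minute = sorted(Counter(e["minute"] for e in events).values())
    median = per_minute[len(per_minute) // 2]
    if per_minute[-1] > max_burst_ratio * median:
        alerts.append(f"impression burst: {per_minute[-1]}/min vs median {median}/min")
    return alerts


# Constructed samples. The suspect tag hides a redirect in a base64 blob and pulls an unlisted pixel.
_PAYLOAD = b"window.top.location='https://landing.example.test/'"
SUSPECT_TAG = (
    '<script src="https://cdn.example-adserver.com/lib.js"></script>\n'
    '<script>eval(atob("' + base64.b64encode(_PAYLOAD).decode() + '"));</script>\n'
    '<img src="https://pixel.unlisted.test/px.gif">'
)
CLEAN_TAG = (
    '<script src="https://cdn.example-adserver.com/lib.js"></script>\n'
    '<img src="https://trk.example-adserver.com/imp.gif">'
)


def _impressions(minute, count, geo, clicks):
    return [{"minute": minute, "geo": geo, "click": i < clicks} for i in range(count)]


# A healthy staged launch (100 impressions/min across four geos, 1% CTR) and the same
# launch with a single-geo bot burst bolted onto minute 5.
NORMAL_TRAFFIC = [e for m in range(10)
                  for e in _impressions(m, 100, ("US", "GB", "DE", "CA")[m % 4], 1)]
BOT_TRAFFIC = NORMAL_TRAFFIC + _impressions(5, 5000, "XX", 500)

if __name__ == "__main__":
    print("clean tag:", creative_findings(CLEAN_TAG))
    print("suspect tag:", *creative_findings(SUSPECT_TAG), sep="\n  ")
    print("CSP:", script_src_policy())
    print("normal traffic:", traffic_alerts(NORMAL_TRAFFIC))
    print("bot traffic:", *traffic_alerts(BOT_TRAFFIC), sep="\n  ")
```

Run it against a real tag by pasting the full JavaScript tag the advertiser supplied into `creative_findings`, and feed `traffic_alerts` the first hour of impressions from the limited-phase launch before widening delivery. The checks are deliberately simple heuristics; a tag that passes them still needs a human review, but a tag that fails them should not go live.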
The Stakes Are High
Modern malvertising is not the same threat it was in the early days of online publishing. Today’s fraud networks use machine learning to mimic human behavior, deepfakes to fabricate legitimacy, and distributed infrastructure to rotate through thousands of identities overnight. They thrive on urgency ("launch today," "limited slots," "bonus CPM") because speed prevents scrutiny.
Privacy laws and the loss of third-party tracking signals have also made detection more difficult, providing fraudsters with even more cover. For publishers, the line between ad operations and cybersecurity has become increasingly blurred. Accepting an unverified campaign is now equivalent to granting an unknown party access to your infrastructure.
Protecting Revenue and Reputation
If an offer sounds too good to be true, it probably is. High CPMs, vague agency names, and rushed launch requests are warning signs, not opportunities. Taking the extra time to verify identities, inspect code, and stage rollouts may slow the deal cycle, but it’s the only sustainable way to protect both your audience and your brand.
Malvertising hasn’t disappeared—it has evolved. But so have the tools and best practices available to defend against it. With disciplined verification, strong contracts, and continuous monitoring, publishers can safely monetize their inventory without falling prey to the next wave of digital deception.