December 3, 2018 | Product Development | by Alexian Chiavegato

Secure Creatives: Marfeel’s answer to Programmatic Malvertising

Publishers have been playing whack-a-mole with malicious advertising for years. And as we move into 2019, malvertising still remains a threat to the reputation and security of publishers worldwide.

To put it simply, unfortunately, online advertisements provide a solid platform to spread malvertising, with the possibility to reach the eyes of consumers across even the most reputable websites. In a recently released Ad Quality report, Confiant found that 0.5% of ads coming through the open programmatic marketplace contained malicious code. And although half a percent may not seem like much, considering the sheer amount of creatives viewed by consumers on a daily basis, it is still a cause for concern for publishers.

How Marfeel fights malvertising
Since advertisements usually place ad code inside the page, it gives the ad free-reign to do whatever it wants. However, when Marfeel places ads inside your mobile website, the code is not stored within the page itself.

Instead, Marfeel uses a secure iframe with an extra layer of security placed on top. This iframe ensures maximum restriction on the ad itself, while giving it minimum allowance to do what it wants. It only ensures the ad is visible, clickable, and resizable, which prevents fraud, phishing, and other malicious malvertising activity.

We’ve built this answer to programmatic malvertising into the Marfeel 360 solution using a combination of two elements: SafeFrame and sandboxing.

SafeFrame
SafeFrame is an IAB-sanctioned API-enabled iframe that opens a line of communication between the publisher page content and the iframe-contained external content – in this case, an ad. Instead of the ad being placed directly on your website, it’s much like having a secure phone line installed between the ad and the website.

Using SafeFrame, ad content is locked tightly within the boundaries of the iframe, and is unable to access any information about the page where it is being served. Without access to the content of the page, ad content within the iframe cannot interact dynamically with website visitors, or collect any data.

Serving ad content using SafeFrame prevents the potential of disruptive malvertising behavior and the potential security and reputation risks that come with serving ads directly into the page.

Sandboxing
While utilizing SafeFrame can be a powerful way to prevent malvertising, Marfeel implements an extra layer of security against malicious creatives. The sandbox is an HTML5 attribute that can be added to an iframe element, which stops any malicious scripts from coming out of the iframe and taking over the page. It also stops a creative from automatically redirecting a user to another domain, unless the user initiates it.

Sandboxing doesn’t mean ‘an iframe within an iframe’ – it’s instead a way of controlling how content within the iframe interacts with the page. This means that the framed content will also be subjected to certain restrictions, including that JavaScript will not execute within the framed content, and that the content cannot create new windows, dialogs, plugins, and forms.

Conclusion
With cyber-criminal groups still making waves of bad ads to hijack even top-tier websites, malvertising is unfortunately still a talking point for publishers. The emphasis is on both ad tech providers and publishers to prevent the damage before it starts, rather than playing damage control.

Marfeel has been testing and implementing the above techniques to ensure premium publishing websites make their website experience a safe and seamless interaction. This results in publishers earning the confidence of the most important part of their business – their new and loyal readers.