Does the world need yet another tech company to combat malvertising on the internet?
“Well, do you still constantly see malvertising when you browse the internet?” said Seth Demsey, co-founder of Clean Creative, an anti-malware company started by a handful of security experts and Oath vets who exited before the name change.
Touché.
Based in Baltimore, Clean Creative came out of stealth on Tuesday with former Oath SVP of publisher platforms Matt Gillis as CEO, a roster of 30 publisher clients and 19 employees with plans to hire more throughout 2019. The team has been working on the technology for over a year.
Malware continues to plague the advertising ecosystem because common tactics like blacklists and creative scans aren’t up to the task, said Demsey, whose previous day job was chief technology officer of AOL/Verizon’s ads business.
Blocking known threats leads to a false sense of security. You’ve got to catch the unknown threats, and you’ve got to do it at scale, Demsey said.
“Otherwise, it’s always going to be that cat-and-mouse game, because you’re up against people who are highly motivated to keep doing this – it’s lucrative for them,” he said. “These guys just have to modify three characters of their code and they can get their exploits back out into the ecosystem again.”
Publishers add a line of JavaScript to their web page or app and Clean Creative monitors any code being executed in ads in real-time on live traffic to determine whether it’s doing something it shouldn’t, like triggering a popup or a redirect. The creative can still render – so the publisher can still get paid – but the malicious code is halted in its tracks. The code then gets classified and added into Clean Creative’s threat library.
In this way, the technology can automatically find and root out bad code it’s not specifically looking for and then block related threats in bulk rather than on a threat-by-threat basis.
“We found an exploit that attacked Vodafone cell phones, for example, but only on Android and only in the Facebook webview,” Demsey said. “We would never have found that or tested for that, but one day the system dinged and said, ‘Hey, take a look at this sucker.’”
Demsey said that the company’s detection technology comes across new forms of malvertising all the time, but he doesn’t like going into detail, at least not publicly.
“Sometimes, honestly, I chuckle when I see some new exploit and think, ‘Well, that’s super-creative,’” Demsey said. “But we don’t want to open up new threat vectors by alerting someone who doesn’t happen to know about a new method already. We don’t want to make it any easier for people building these scripts.”
Because it’s certainly not easy out there for digital publishers trying to make a living.
“It’s so hard to build an audience, retain users, create great content, have an incredible user experience – but even if you do it, a bad guy can destroy all of that hard work with one simple malvertising campaign,” Gillis said. “And most users won’t say anything. It’s like a bad meal at a restaurant. They won’t tell you how bad it was – they’ll just leave and go elsewhere.”
