Malware and Publisher Revenue: How to Monetize Without Compromising User Security

It has probably happened to you. You open a site to read one specific thing, and before the page loads, a popup tells you your phone is infected, or the browser drags you off to the App Store, or a download starts that you didn’t ask for. You close the tab. You don’t come back. You don’t think about which ad served it. You think the site is sketchy.

Your readers do the same thing. A lot of publishers underestimate this part when picking a monetization partner, and it’s the part Google’s Chrome team, the EU’s Digital Services Act, and your returning users are all paying attention to.

The numbers are still significant. Confiant’s Mid-Year 2025 Malvertising & Ad Quality Index found that roughly 1 in 78 ads delivered to real users posed real risks, including scams, malware, and AI-generated deception.

The worst-performing major platform let bad ads through nearly 300 times more often than the best – roughly 1 in 70 impressions versus 1 in 20,000. 

Both had access to the same kinds of advertisers. The variable was feed control: scans before any ad loads on the page, watching the landing page across the campaign’s full run, and a policy team that permanently bans advertisers who break the rules. 

---

What Malvertising Actually Means

Each of these looks the same to a user: the site did something they didn’t ask for.

On the defense side, every category needs its own layer. Pattern-matching scans cover known malware creatives. Watching the landing page across the campaign covers cloaking. Behavior-based checks cover scripts that only fire on mobile or in a specific GEO. A network’s safety story is the sum of the layers it stacks.

• Forced redirects. An ad script bounces the user off your page to a landing site, often a fake software update or app store page. Google’s Abusive Experiences policy flags this as a publisher-side violation, even when the redirect comes from an ad slot.
• Drive-by downloads. Malicious code attempts to install something the moment the ad loads, with no click required. Less frequent than they used to be, but still showing up in less-moderated ad sources.
• Fake update and antivirus prompts. Banners that mimic system warnings (“Your software is outdated”, “Viruses found”). These rely on the publisher’s design context for credibility.
• Phishing destinations. The ad itself looks normal; the landing page asks for credentials. Hard to catch by just looking at the ad image.
• Malicious browser extensions. A growing share in 2025: Confiant’s mid-year index notes the category jumped from 9% to 19% of the threat mix, particularly hitting mobile users in the US, Spain, and Italy.
• Cryptojacking scripts. The ad runs a miner in the background. Less visible, but it heats the device and drains battery, and users notice.
• Cloaking. The campaign passes moderation showing a clean creative and clean landing page, then swaps the destination URL after approval. This is the harder one to catch with a one-time review.

Together, these are what publisher-facing copy usually shortens to “bad ads”. The detail matters because different defenses catch different things.

---

What’s at Stake for the Publisher

Imagine a publisher on a network with looser filtering. A bad ad lands on the page, gets reported, gets pulled. Weeks later the damage shows up in three places, and each one feeds the next. Strict filtering is what keeps that loop from starting.

• User trust. Returning visitors are your most valuable traffic. A single forced redirect or fake warning is enough to turn a daily reader into a one-time visitor. You won’t see this loss neatly in any dashboard either – it shows up weeks later in your direct-traffic numbers.
• Google penalties. If the Abusive Experiences Report flags your domain, you get a 30-day window to fix the issue and resubmit for review. If you do not, Chrome starts blocking all ads on the flagged pages. It’s the floor falling out, ads stop loading on the affected pages until the warning is lifted. Search Console will show you the trigger, sometimes with a screenshot or short video of the element that caused the warning.
• Revenue decay. Clean feeds compound in your favor over time. CTRs hold, users return, and CPMs stay where the network’s optimization can place strong offers. A flagged domain loses ad coverage, gets dropped from the lists of advertisers who pay top rates, and becomes harder to monetize even after the warning is lifted.

---

Where the Revenue Actually Leaks Out

Even the biggest sites get hit. 

In November 2023, the malvertising group known as ScamClub pushed fake McAfee virus alerts onto readers of Associated Press, ESPN, and CBS, with 96% of victims on iPhones: the attackers were deliberately targeting iOS to bypass desktop ad blockers, and they routed through 16 different ad exchanges to do it. 

At Insider Inc. (Business Insider), Confiant’s case study reports more than 43.8 million ads with security or quality issues blocked over time across 9.66 billion monitored impressions. That’s the scale of attempts even at top-tier publishers: what slips past is what costs the publisher money.

What does that cost look like? 

Rarely a single visible event. HUMAN Security documented a publisher network called PubPlus that, during peak malvertising attacks on its sites, lost more than 50% of page views per session and conservatively estimated 3% of monthly revenue gone. Sessions shortened, returning users came back less often, and CPMs drifted down.

Strict filtering is what keeps that scenario from starting. With those layers in place, sessions stay full, returning users come back, and CPMs hold where the network’s optimization can keep them.

---

What Strict Filtering Has to Handle

Much of strict filtering’s job is what happens after a campaign goes live: a creative swapping its landing page an hour after approval, an advertiser registering a new account after a ban, a campaign that scanned clean in the morning behaving differently by the afternoon. 

The list below covers what that work has to handle.

• Every impression is filled individually. Each ad shown to a reader is picked from a large pool of advertisers in the moment. Every one has to be checked before it loads.
• Post-approval changes. A creative can pass review and then quietly change its landing page an hour later. That’s cloaking, and it means filtering has to keep watching after a campaign is live.
• Repeat offenders cycling new accounts. A banned advertiser who re-applies under a new entity is a recurring pattern Monetag’s policy team documents in its own Premium Ad Feed post (they call it multi-accounting, and they ban it).
• Open standards and abuse channels. IAB Tech Lab’s ads.txt and sellers.json make it possible to verify which networks are authorized to sell a publisher’s inventory. A working abuse-report channel completes the loop.

---

What You Can Do as a Publisher

Every protection traces back to one choice: whose tag goes on your site. After it’s installed, your job shifts to watching for the things you want a second pair of eyes on. The list below covers both moments.

Before placing a tag

• Run your domain through Google Safe Browsing and VirusTotal before you apply. A domain that shows up flagged will be turned down at intake on any network with strict feed control – fix the listing first.
• Read the network’s public materials on ad safety. A network that openly documents both scans-at-submission and ongoing landing-page monitoring tells you something about what they’ve actually built.

After the tag is live

• Watch Search Console for Abusive Experiences notifications. They arrive automatically and give you 30 days. Drop everything else and fix the trigger.
• Find the network’s abuse reporting channel before you need it. On a strict network you may never use it. If something does slip through, the response time on that one report tells you how they handle exceptions.
• Open your site on a clean device or in a private window every so often – no browser extensions, no ad blockers, no logged-in state. That’s what a first-time visitor sees, and it’s often different from what shows up while you’re editing.
• Ad-quality services like GeoEdge, Confiant, and Human Security add a publisher-side scan that catches creatives in real time. They’re typically a larger-publisher tool with custom pricing – worth knowing about, even if a smaller site doesn’t need them today.

---

What a Good Network Already Does

If you’re sizing up a network, here’s what to expect from a serious one. 

Creative scanning catches known malware signatures before any ad loads. Watching the landing page across the campaign is what stops cloaking – the move where a creative passes review and then swaps its landing page hours later. 

A manual policy review team handles the edge cases, particularly new advertisers and campaigns that change behavior after going live. Permanent bans paired with multi-account detection close the loop on advertisers who break the rules and try to come back under a new entity.

Beyond those four, signals like TAG Certified Against Malware seals, third-party audit reports, or a published transparency dashboard are useful additions when a network has them. Confiant’s 300x gap between platforms is an outside number you can actually point to when comparing networks on safety the same way you’d compare them on CPM.

---

What Monetag Does Specifically

Monetag’s ad safety stack is documented openly across the company blog and Help Center. The most detailed source is the Premium Ad Feed post, which describes a policy team that reviews each campaign before it goes live and keeps reviewing it through its run. 

Alongside that human layer, ads are scanned around the clock by automated anti-ad-fraud and malware-prevention tools. Campaigns that violate the rules are rejected outright, and advertisers caught violating them are banned with no readmission.

The reject categories are spelled out: malware, scareware, fake tech support, misleading claims, sexual content, and unauthorized brand logos do not enter the feed. 

Cloaking – where a creative passes review and then quietly swaps its landing page after approval is caught by an in-house tool that monitors every campaign’s destination URL across its full lifetime and stops the campaign the moment the URL changes. 

Advertisers who get banned and try to re-register under a new entity are picked up by multi-account detection and re-banned; the Premium Ad Feed post publishes how often that happens.

---

The Compliance Layer: Google, the DSA, and What’s Coming

Two regulations now sit between a publisher and their ad revenue: Chrome’s enforcement of Google’s Abusive Experiences policy and the EU’s Digital Services Act. Both have already produced concrete consequences for sites and for ad networks. A publisher who understands both has more warning when something goes wrong, and more leverage in choosing who to work with.

• Google’s Abusive Experiences Report has been live since Chrome’s late-2018 enforcement update and continues to expand the list of triggers. The current policy explicitly includes auto-redirects, fake UI elements (scrollbars, close buttons that lead to ads), invisible layers designed to hijack clicks, and content designed to look like system warnings. A flagged publisher gets a notification in Search Console, a 30-day fix window, and a re-review process. After that, Chrome blocks all ads on the affected pages.
• The EU Digital Services Act is the bigger structural change. As of 2025, ad networks themselves are treated as platforms under the DSA and are subject to transparency obligations on how they show ads, restrictions on targeting based on race, religion, sexual orientation, and similar data, and a complete ban on targeted ads to minors. In December 2025 the Commission issued its first non-compliance decision and fine under the DSA, hitting X with a €120M penalty in part for ad transparency breaches.

---

A Short Pre-Flight Checklist

Before adding any ad tag to a domain you care about:

• Domain is clean in Google Safe Browsing and VirusTotal
• Network openly documents both scans-at-submission and ongoing landing-page monitoring
• Direct support channel for reporting a specific ad, with a defined response time
• Quarterly check of Search Console for Abusive Experiences signals
• Quick test on a clean device after every major site or ad-stack change

None of this is hyper-complicated. All of it is cheaper than recovering from a Chrome block.

---

The Bottom Line

Monetization and user safety work in the same loop. A clean feed protects returning traffic. Returning traffic is what keeps CPMs and CTRs where the network’s optimization can find good offers. 

The publishers who win the next two years are the ones who treat ad safety as a revenue feature.