Every hour of every day a million little crimes are committed online. And every time it happens, hundreds of legitimate businesses all over the world, with boards and shareholders and mission statements — some of them publicly listed — put the proceeds of those crimes in their own pockets. They do so knowingly.
Some people might consider it extraordinary that technology businesses — businesses that claim they can discern the intent of one buyer from a billion in milliseconds — somehow can’t recognise when millions of ads a month are served to a single unique user ID in, for instance, Bela
And, say ad fraud researchers, those companies will not change until financial incentives are removed or the cost of their negligence becomes impossible to sustain.
Vast, unimaginable criminality
Fraud, like the poor, will always be with us. So it’s a question of tolerance. Brands — and ultimately consumers — are now paying handily for the tolerance that informed the first two decades of the adtech industry’s evolution.
Online advertising fraud is a huge problem. And it is getting worse, according to studies, even as some in the adtech industry claim it is getting better.
Juniper Research, for instance, says the cost of ad fraud to brands will reach $US44 billion by 2022. That would make it the second-largest black market in the world. Little wonder, then, that law enforcement is apparently taking notice.
Reports from the US last week say the Federal Bureau of Investigation is now looking into media trading practices and transparency.
That story, reported in Campaign Brief, is consistent with a Digiday report last year from DMexco which noted, “The FBI [is] investigating online fraud and [is] talking to adtech vendors at the conference to try and educate themselves about the problem. I heard one of them say to a vendor that the scale of the problem in online advertising was ‘crazy’ and unlike anything they had seen before. They’re looking into the Chinese bot farms and the Israeli ad networks that are trying to peddle fake traffic.”
The Campaign Brief story, if accurate, would represent the second significant inquiry into the advertising world pursued by the US Justice Department in the last 18 months. As we reported last year, it is already scrutinising alleged bid-rigging by agencies in an investigation led by attorney Rebecca Meiklejohn.
The reports also gel with other darker rumours that Which-50 has encountered in the past year, such as the suggestion that law enforcement agencies in Singapore and the Middle East are examining the use of the adtech ecosystem by organised criminal syndicates for money laundering. Despite three independent references on the matter, we have not yet been able to confirm this independently with law enforcement.
As with all criminal enterprises, the leaders in the ad fraud world operate in the shadows. While the perpetrators are unknown, Dr Augustine Fou, a leading researcher in the ad fraud world, says many companies in the supply chain — like adtech platforms and ad networks — benefit from the flow of impressions through their networks.
“They are not committing the fraud but they are complicit in allowing it to continue,” he said. “Brands and marketers are also partly to blame. They are the ones who want to buy more quantity at lower cost, and this incentivises the bad guys to make fake ad impression inventory and sell it to them at low costs.”
According to Lizzy Foo Kune, research analyst at Gartner, “The industry has yet to fully address the scale of ad fraud. To date, I think that’s been because marketers really had few tools to face the issue themselves.”
Foo Kune says much of the onus for mitigating fraud has been on publishers, with marketers left to work with ad verification vendors on their media buys. “But that’s not enough. It’s possible for bad actors to buy traffic that’s been certified by the major verification vendors.” She references work by Method Media Intelligence as an example of how this works.
“Interestingly, cybersecurity companies are beginning to recognise the opportunity, and many are looking to apply their technology to this space — and I find that innovation encouraging.”
Waving, or drowning?
The extent and trajectory of the ad fraud problem remain contentious questions. Ad fraud consultants we spoke to say the tech sector is barely containing the threat.
Some, like Dr Fou, effectively accuse industry leaders of behaviour that at worst amounts to willful blindness.
In an interview with Which-50 last week, Fou said many participants in the digital advertising supply chain do not want the fraud to stop because they make too much money providing platforms for it.
It is an accusation Which-50 has heard before, including from inside some adtech companies themselves, where sales leaders tell us the urgency to meet their targets often overrides the kind of vigilance required to keep fraudsters from their rewards. In fairness to local practitioners, we tend to hear this more in the US.
Dr Fou told Which-50 that the scale of ad fraud is truly enormous and far larger than anyone realises or is willing to admit.
Marketers have to carry some of the blame, he said. “After all, it would be embarrassing for a marketing manager to admit to his/her boss that the millions of dollars of digital ad budget which they approved were actually given to cyber criminals and drove no business outcomes.”
Everyone knows about ad fraud, but most still think it doesn’t affect them or they are actively trying to cover it up.
As a simple experiment, we rang the risk management departments of a number of Australia’s leading financial institutions and could find no evidence that they are actively investigating how much money their marketers are losing to fraud.
Adtech companies themselves are rarely accused of fraud. Instead, most of the fraud that Which-50 has investigated is committed by bad agents exploiting technical and process weaknesses found in the legitimate adtech ecosystem.
The rewards are significant. One former fraudster last year described to Which-50 how a small operation he worked in, with only three staff running a fairly unsophisticated grift, was raking in $US25,000 a week.
The MegaCast app, which our recent report found serving tens of thousands of video ads in the background — irrespective of whether the app was engaged — operated at a different scale altogether.
Another example: last year Forbes reported that a “… South Korean company, Kiniwini, hid an illegitimate ad clicking function inside 41 apps, most of which were games.”
That scam was uncovered not by Google, which manages the Android app store, but by security company Checkpoint. As Forbes noted, the scam bypassed Google’s Bouncer technology which is designed to mitigate against fraud. This was because the offending capability was downloaded after installation.
Google also missed the MegaCast racket. It was actually discovered by Pixalate which revealed the details in a company blog.
Accusations of direct fraud by adtech companies are rarer, although not unheard of. Occasionally these come to light where companies are accused directly of fraud by their competitors — such as when Steelhouse and Criteo went at each other in the US courts in 2016.
The parties settled their arguments shortly before their respective lawyers were due to commence the legal discovery process, telling the market through a statement that once they had a better understanding of how each other’s business worked, they realised it was all just an unfortunate misunderstanding.
Which-50 is not accusing either company of fraud. Rather we merely point out that each accused the other of exactly that before they settled.
For its part, the industry — through formal bodies such as the IAB — claims it is fighting back against criminal elements.
Jonas Jaanimagi, Technology lead at IAB in Australia, tells Which-50 there are two types of ad fraud: general and sophisticated.
“General is standard non-human traffic generated by bots and spiders, and other benevolent search-engine crawlers. Sophisticated is the work of genuine fraudsters who are making the effort to pass off the resulting fake behaviour as legitimate. This latter category has to be identified through technologies running advanced analytics and multipoint corroboration,” he says.
The IAB, with much fanfare, launched its Ads.txt initiative last year, which has certainly helped address one small part of the ad fraud ecosystem: domain spoofing.
Domain spoofing occurs when advertisers (or their agents) are tricked into thinking they are buying from a legitimate site, like CNN, but they are not.
According to Yaron Oliker, CEO and co-founder at Unbotify, “This has been addressed by different vendors and the slow but positive embrace of Ads.txt promoted by the IAB.”
But even that initiative has its flaws. Some of the earliest adopters of ads.txt included web sites which themselves benefit from fraud. Ads.txt will merely confirm that the ad is being served to the nominated web site, but it won’t stop the publisher of that site then engaging in fraudulent activity.
Still, everyone agrees it has moved the ball forward.
… or your money back
The adtech sector is also more willing than in the past to provide refunds to clients where fraud is established.
We noted in a report on this year’s Ashton Media Programmatic Summit, “In 2016 under former CEO and founder Brett Wilson, [TubeMogul, now Adobe] became one of the first video DSP services to guarantee the quality of the inventory in its system by providing refunds to brands if a small, arbitrary level of fraudulent inventory was identified and breached during a campaign. But it wasn’t the first to offer refunds. DataXu led the way in 2015 and lately platforms like Pubmatic, and Appnexus have followed suit.”
And as we also reported earlier this year, some companies, such as Pubmatic, are investigating charging models that would remove the financial rewards for ad fraud that cost-per-click (CPC) models encourage — although their motivation is pricing transparency, not fraud prevention.
At the coalface
Which-50 has spent the last month discussing the current state of ad fraud with leading consultants, researchers, and practitioners in the market.
We started by asking what are the most common types of fraud, and amongst the less common which are the most profitable.
Impression fraud is committed simply by causing fake ads to load, using a variety of means: bots hitting web pages, or mobile apps loading ads in the background or in background processes. Click fraud, meanwhile, is a two-step process for bots: first cause the ad to load, and then click on it. The fraudsters get paid on a CPC basis.
Asaf Greiner, founder and CEO of Protected Media, said, “In our experience, performance marketers are able to maintain a clean environment with considerably more ease than awareness advertisers. Performance marketers have a lower tolerance for invalid traffic so when they do experience fraud, it’s always in the low double-digit rates.”
He said such marketers are often capable of filtering out bad audiences because they can identify a clear correlation between what looks like fraudulent traffic and what ends up being ineffective traffic.
“It’s difficult to quantify the average cost of ad fraud for an advertiser because it depends on the strength of each party’s anti-fraud vendor. The key for advertisers to mitigate the risks of ad fraud is to use the best anti-fraud vendor they can afford because all fraud detection solutions were not created equally and therefore those with a weaker vendor will absorb more of the advertiser costs of ad fraud than their competing advertisers,” he told Which-50.
“The same cannot be said for publishers who are in the unfortunate position of sharing their revenues with the cybercriminals. On the publisher side, the quantity of fraudulent traffic matters; 100% of the fraud on the publisher’s site will impact on the publisher’s revenue and perceived integrity by advertisers who could pull future budgets.”
According to Ratko Vidakovic, founder of AdProfs — an adtech consultancy focused on education, research, and advisory services — there are two general scenarios the company has encountered during ad fraud audits.
He said click fraud is fairly common in cases where advertisers are buying through Google Display Network, especially using CPC pricing.
“There are simply too many long-tail sites,” he says. “Each site takes a dollar here and there, and all of a sudden tens of thousands of dollars disappear across these long-tail sites, with no actual performance to show for it. It’s basically death by a thousand cuts.”
“Even though marketers love the (perceived) lower risk of buying on CPC, the simplest way to mitigate against click fraud is to switch to cost-per-thousand (CPM) pricing.”
He said the second scenario involves campaigns executed through demand-side platforms (DSPs), where a sizeable portion of budgets are spent on very long-tail sites that don’t deliver any performance.
“The same pattern emerges,” he says. “On some DSPs these long-tail sites show up in reports as a single bundle of domains, making it impossible to drill down and scrutinise the exact domains.”
Vidakovic says buying against a tightly curated ‘whitelist’ of domains is a typical way to mitigate against this type of fraud.
“And now with the strong adoption of Ads.txt in the market, the effectiveness of using whitelists is much greater than it was a year ago, which is a promising development,” he says.
Dr Fou, meanwhile, says that CPM and CPC models represent 91 per cent of digital ad spend, and are therefore the largest buckets from which ‘the bad guys’ can steal.
“Considering that digital spend is expected to surpass $100 billion in the US this year, that is a huge bucket to steal from,” Dr Fou says.
“Brands ‘mitigate’ fraud by using fraud detection companies. But unfortunately, this does not mitigate the fraud,” he says. “In fact, most of it still gets by — because the bad guys have specifically tuned their technologies and techniques to circumvent fraud detection,” cautions Dr Fou.
“Paying for expensive fraud detection not only doesn’t work; it also creates a false sense of security, so more action and vigilance is not actually taken,” he says. “This allows the fraud to easily continue.”
Needless to say, that is not a view shared by everybody.
Integral Ad Science is a global market leader in brand safety and one of the first companies brands often turn to to protect their investments from ad fraud. CEO Scott Knoll told Which-50, “Fraud, in particular, is a difficult problem and not just because the bad guys are super sophisticated and it is an easy thing to get into. There is a lot of money [to be made] and not a lot of downside risk and penalties.”
“There is no ground truth — no one knows what the true amount of fraud is and there is always a balance to be found between false positives and false negatives.”
Knoll is also critical of some of the ad fraud consultants. “There’s a lot of consultants who try to poke holes and find missed fraud, but then again no one knows if that’s real or not. It’s just their word against someone else’s.”
According to Knoll, it is one thing to try to find fraud on a specific campaign, but another to do it on billions and billions of impressions.
“One of the advantages we have with fraud is that we are on so much inventory so we can see patterns that other people can’t. That helps us determine whether something that looks like an anomaly in a small sample is really a problem or not.”
Mobile advertising is the new frontier for ad fraud, and it is growing quickly. Indeed it has doubled in the last year, according to measurement company Adjust.
In a whitepaper called The Bad, the Ugly and the Truth about Mobile Ad Fraud, Adjust identifies five common fraudulent practices:
- SDK spoofing (also known as ‘replay attacks’) — A type of fraud that generates legitimate-looking installs without any real installs occurring, in order to steal from an advertiser’s user-acquisition budget;
- Click injections — Fraudsters can hijack a user’s device to detect when other apps are installed on a device, then they can trigger a click right after the install completes, and then receive the credit for (usually organic) installs;
- Click spam — Fraudsters capture organic traffic and then claim the credit for the user later, which has a few profound effects on an advertiser — the most obvious of which is that they pay for a user who was actually installed organically;
- Fake installs — A broad term that describes when a fraudster tricks an attribution partner into tracking an install that hasn’t taken place on a real device, attributing it to a paid source. To accomplish it, fraudsters use emulation software to fake installs in an effort to claim advertising revenue. Fake installs defraud everyone along the advertising chain, taking money away from advertisers, publishers and networks. On a traffic flow sample of over 400m installs over 17 days, we estimated that $1.7m worth of installs were being paid to fraudsters faking installs;
- Fake in-app purchases (IAP) — An in-app purchase is made but no revenue exchanged. Adjust figures suggest that 30 per cent of attempted IAP spends on iOS are fake — a sample based on millions of iOS devices. The main concern from developers about fake IAP has been about how much potential revenue they’re missing out on. However, the impact on a business isn’t just monetary. It’s also about how fake purchases (and the people who make them) damage the successful operation of a free-to-play app.
Mobile ad fraud will only grow in scale following the mass migration of eyeballs from desktop to mobile devices. In the US, more than 57 per cent of digital spend is now on mobile.
Dr Fou says there are really simple things fraudsters developing mobile apps can do to avoid bot detection.
“Rogue apps can load thousands of ads in the background even when the app is not in use. None of which involves a lot of bots hitting web pages. This gets by all fraud detection that is tuned to look for bots hitting web pages,” he says.
Those damn bots
The focus on bots is a big problem, say the consultants, and leads to a serious miscalculation as to the extent of the problem.
Shailin Dhar is the co-founder of Method Media Intelligence. “When you study actual bot traffic in isolation as well as in live ad exchanges, you realise quickly that the truth can be described best as ‘take the industry estimates of the financial impact of fraud and multiply by ten.’”
This is not news that marketers want to hear or particularly discuss. “When interacting with marketers and executives at brands, you realise they love the view they get when their heads are under the sand. It is much more simple than above ground. If you take publicly available information and establish a ‘knowledge baseline’ of ad fraud, reduce that by a factor of ten you get to where marketers and brands understand the scale of the problem.”
Another form of fraud that has been around for a long time is pop-unders and page redirects, where the web sites themselves misbehave and redirect to other pages in infinite loops.
“This also does not involve a tonne of bots hitting web pages and is therefore often missed by bot detection companies.”
Dr Fou recently published details on Linkedin of a traffic redirect service proudly selling 125 billion page redirects (equivalent to pageviews) per month. “That is larger than all the mainstream publishers’ sites page views per month put together,” he says. “Talk about ad dollars being stolen out of the digital ad ecosystem!”
There are any number of signals that ad fraud consultants look for to detect fraud.
Oliker’s company, for instance, collects sensor data such as mouse movements and touch events and uses machine learning on verified human datasets. “This is an order of magnitude harder for even the most sophisticated bot developer to simulate real human behavioural biometrics on a consistent basis.”
Dhar describes the experience of analysing log files for 15 different advertisers over the past year that spent over $1 million per month each in digital advertising.
He says often the first sign of trouble is not technical, but behavioural. “The initial sign of suspicion is generally when their DSP either refuses to share or comes up with excuses of why they cannot share log files of what their clients paid them to purchase.
“Once we do get the log files, there are several signs that are blatant red flags — for instance when we see thousands or millions of ads shown to the same IP or UniqueUser in one month.”
Other red flags include randomly generated domain names that are not actually registered domains (for example mokasdf8a88adsf78023r.net), or when you find hypothetical ad-tag placement names being used as the site URL. “This is meant to confuse a buyer that it is just a data reporting error,” he suggests.
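The red flags Dhar lists can be checked mechanically once a DSP hands over impression logs. The following is an added example, not code from Method Media Intelligence or from this article: the four-column log format, the sample rows, the threshold and the "random-looking" heuristic are all assumptions made for illustration. The heuristic only triages names for a registration lookup, which is left out so the example runs offline.

```python
import re
from collections import Counter

# Constructed sample log (hypothetical format: timestamp,ip,user_id,site).
SAMPLE_LOG = "\n".join(
    [f"2018-03-{d:02d}T10:00:00,203.0.113.7,u-777,news.example.com"
     for d in range(1, 7)]
    + [
        "2018-03-02T11:00:00,198.51.100.4,u-100,news.example.com",
        "2018-03-03T12:00:00,198.51.100.5,u-101,mokasdf8a88adsf78023r.net",
        "2018-03-04T13:00:00,198.51.100.6,u-102,300x250_ATF_placement_1",
        "2018-04-01T09:00:00,203.0.113.7,u-777,news.example.com",
    ]
)

# Syntactically valid hostname: dot-separated labels and an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_log(text):
    """Turn log lines into dicts, skipping lines without four fields."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        ts, ip, user, site = parts
        rows.append({"month": ts[:7], "ip": ip, "user": user,
                     "site": site.lower()})
    return rows


def heavy_hitters(rows, field, threshold):
    """Impressions per (month, IP or user) at or above the threshold."""
    counts = Counter((r["month"], r[field]) for r in rows)
    return {key: n for key, n in counts.items() if n >= threshold}


def classify_site(site):
    """Flag site values that are not hostnames or look machine-generated."""
    if not HOSTNAME_RE.match(site):
        return "not-a-hostname"  # e.g. an ad-tag placement name
    label = site.split(".")[-2]  # naive: label directly before the TLD
    # Assumed heuristic: a long label with interleaved letters and digits.
    switches = sum(1 for a, b in zip(label, label[1:])
                   if a.isdigit() != b.isdigit())
    if len(label) >= 12 and switches >= 3:
        return "random-looking"  # candidate for a registration lookup
    return "ok"


def red_flags(text, threshold):
    """Collect the per-month frequency flags and the suspicious site values."""
    rows = parse_log(text)
    sites = {}
    for r in rows:
        verdict = classify_site(r["site"])
        if verdict != "ok":
            sites[r["site"]] = verdict
    return {
        "ip": heavy_hitters(rows, "ip", threshold),
        "user": heavy_hitters(rows, "user", threshold),
        "sites": sites,
    }


if __name__ == "__main__":
    # Threshold of 5 suits the tiny sample; real logs need a far higher one.
    for kind, hits in red_flags(SAMPLE_LOG, threshold=5).items():
        print(kind, hits)
```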
Change the model
Criminals, like everyone else in an economy, respond to incentives and pricing signals. We asked the ad fraud consultants whether they believed the adoption of new pricing models, or increasing the ‘cost’ of committing fraud, could contribute to mitigation.
Oliker is an optimist. “I believe fraud can be eliminated entirely by employing machine learning and flipping the economic scales in favour of the brands. Brands that adopt fraud fighting as part of their culture will see significantly improved results across analytics, product and monetisation metrics. Brands that do not will suffer double as the fraudsters will seek them out with renewed vigour.”
Ratko Vidakovic says, “Unfortunately, there is little incentive for vendors to address the fraud. If anything, pricing models have created an incentive for vendors to turn a blind eye. It’s only when advertisers and marketers start demanding action that they do anything.”
“Adtech players and even agencies make just as much revenue from fraudulent impressions as from legitimate ones, so there is no urgency to fight against fraud,” Vidakovic says. “The business model for most vendors in the adtech space is based on a percentage of the ad spend. This applies almost across the board: agencies, DSPs, and exchanges for example.
“The incentive for volume opens the doors to a tremendous amount of ad fraud, which deteriorates the quality of the adtech ecosystem. As a result,” he says, “many adtech companies turn a blind eye and pursue scale by any means necessary — even when it hurts advertisers and, ultimately, themselves.”
This article first appeared in www.linkedin.com
Guest Author: Andrew Birmingham, Managing Director and editor-in-chief at Which-50 Media