State of Digital Ad Fraud 2017 by Augustine Fou


Overview of digital ad fraud, state of the industry by Augustine Fou

Published in: Internet

  1. State of Digital Ad Fraud, January 1, 2017 Update. January 2017. Augustine Fou, PhD. 212.203.7239
  2. Ad Fraud is Very Lucrative and Scalable
  3. January 2017 / Page 2, marketing.science consulting group, inc. How profitable is ad fraud? EXTREMELY. Source: networks-continue-to-thrive “the profit margin is 99% … [especially with pay-for-use cloud services]…” Source: Digital Citizens Alliance Study, Feb 2014 “highly lucrative, and profitable… with margins from 80% to as high as 94%…”
  4. How scalable are fraud operations? MASSIVELY. Cash out sites are massively scalable: 131 ads on page × 100 iframes = 13,100 ads/page. One visit redirected dozens of times. Known blackhat technique to hide real referrer and replace with faked referrer. Example how-to: m/blackhat-seo/cloaking-content-generators/36830-cloaking-redirect-referer.html. Thousands of requests per page. Single mobile app calling 10k impressions. Source: Forensiq
  5. Example – AppNexus cleaned up 92% of impressions. Increased CPM prices by 800%. Decreased impression volume by 92%. Source: 260 billion 20 billion > $1.60 < 20 cents “pity those advertisers who bought before the cleanup”
  6. Ad Fraud Harms The Digital Ad Ecosystem
  7. Ad fraud/ad spend are hitting all-time highs. [Chart: Digital ad FRAUD and Digital ad SPEND, $ billions] Source: IAB 2016 F1H Report
  8. Ad fraud is now the largest form of crime. $20 billion Counterfeit Goods U.S. $18 billion Somali pirates 44% of digital ad spend ($70B 2016E) Source: IAB H1 2016. Bank robberies $38 million $31 billion U.S. alone $1 billion ATM Malware Payment Card Fraud 2015 $22 billion. Source: Nilson Report Dec 2016. Source: ICC, U.S. DHS, et al. Source: World Bank Study 2013. Source: Kaspersky 2015. $7 in $100; $3 in $100. “this is a PER YEAR number”
  9. CPM/CPC buckets (91% of spend) are most targeted. Impressions (CPM/CPV) and Clicks (CPC): Search 27%, Display 10%, Video 7%, Mobile 47%; 91% of digital spend (89% in 2015; 86% in 2014). Leads (CPL) and Sales (CPA): Lead Gen $2.0B; Other $5.0B (classifieds, sponsorship, rich media). Source: IAB 1H 2016 Report
  10. Two key ingredients of CPM and CPC Fraud. Impression (CPM) Fraud (includes mobile display, video ads): (1) Put up fake websites and load tons of display ads on the pages; (2) Use fake users (bots) to repeatedly load pages to generate fake ad impressions. Search Click (CPC) Fraud (includes mobile search ads): (1) Put up fake websites and participate in search networks; (2) Use fake users (bots) to type keywords and click on them to generate the CPC revenue. [Screen shots of fake sites]
  11. Fake Websites (cash-out sites)
  12. Websites – spectrum from bad to good. Ad Fraud Sites; Click Fraud Sites; Piracy Sites; Premium Publishers; Sites w/ Sourced Traffic. Scale: 100% bot to mostly human. Labels: “fraud sites”; “sites w/ questionable practices”; “good guys”. “real content that real humans want to read”
  13. Identical sites – fraud sites made by template. 100% bot
  14. Countless fraud domains used to commit ad fraud. 100M+ more sites like these, designed to profit from high value display, video, and mobile ads
  15. Fake Visitors (bots)
  16. Bots are automated browsers used for ad fraud. Headless Browsers: Selenium, PhantomJS, Zombie.js, SlimerJS. Mobile Simulators: 35 listed. Bots are made from malware-compromised PCs or headless browsers (no screen) in datacenters.
  17. Bots range in sophistication, and therefore cost. On-Page Bots: Javascript installed on webpage. Data Center Bots: headless browsers in data centers. Malware on PCs: malware installed on humans’ devices. Scale: less sophisticated to most sophisticated. 1 cent CPMs: load pages, click. 10 cent CPMs: fake scroll, mouse movement, click. 1 dollar CPMs: replay human-like mouse movements, clone cookies. “not many people know that the official industry lists of bots catch NONE of these bots, not one.” Source: AdAge/Augustine Fou, Mar 2014. Source: Forensiq. Source: Augustine Fou, Oct 2015
  18. Any device with chip/connectivity can be used as a bot: mobile devices, connected traffic lights, connected cars, thermostat, connected fridge. Traffic cameras used as botnet (Engadget, Oct 2015). Security cams used as DDoS botnet (Engadget, Jun 2016) (TechTimes, Sep 2016)
  19. Bot/Fraud Detection
  20. Three main types of bot / fraud detection. In-Ad (ad iframes), ad tag / pixel (in-ad measurement): used by advertisers to measure ad impressions; limitations – tag is in foreign iframe, severe limits on detection. On-Site (publishers’ sites), javascript embed (on-site measurement): used by publishers to measure visitors to pages; limitations – most detailed and complete analysis of visitors. In-Network (ad exchange): used by exchanges to screen bid requests; limitations – relies on blacklists or probabilistic algorithms, least info. [Diagram labels: ad served; bot; human; fraud site; good site]
  21. Fraud bots are NOT on any list. 10,000 bots observed in the wild. bad guys’ bots. 3% Dstillery “findings from two independent third parties, Integral Ad Science and White Ops”. 3.7% Rocket Fuel “Forensiq results confirmed that ... only 3.72% of impressions categorized as high risk.” 2 - 3% comScore “most campaigns have far less; more in the 2% to 3% range.” bot list-matching. “not on any list”: disguised as popular browsers – Internet Explorer; constantly adapting to avoid detection
  22. How Fraud Harms Good Publishers
  23. Significant ad revenue stolen from publishers. 1. Bots collect “cookie” 2. Bots cause ad impressions on fake sites.
  24. Bad guys pretend to be good publishers’ sites. Click thru URL passes fake source “utm_source=msn”: m/skin-care-products/OlayPro-X?utm_source=msn&utm_medium=cpc&utm_campaign=Olay_Search_Desktop. Search: buy eye cream online (expensive CPC keyword). 1. Fake site that carries search ads; ad in #1 position. 2. Search ad served, fake click. 3. Click through to destination page. Destination page: fake source declared
  25. Bad measurements wrongly accuse publishers. Publisher clearly does not have 90% bots and never had. “you have low viewability”; “you have 90% bots”. We want a refund; we won’t pay; we want make-goods
  26. Best Practices of Good Publishers. (1) Reduce/eliminate shortcuts – mainstream publisher never sources traffic, never uses audience extension or other practices that artificially inflate impressions. (2) Protect data and reputation – news publisher purged 30+ trackers from their sites to minimize “data leakage” and stopped selling remnant/unsold inventory on exchanges. (3) Consistently prove ROI – specialty publisher limited ads to 3 per page, lazy loads all ads, filters all known bots by name; better business outcomes proven over time. “hard work and consistency will pay off”
  27. How Fraud Harms Advertisers
  28. How many clicks/sessions/views do you want? Click on links; load webpages; tune bounce rate; tune pages/visit. “bad guys’ bots are advanced enough to fake most metrics”
  29. What click through rates are you shooting for? Campaign KPI: CTRs. Programmatic display (18-45% clicks from advanced bots); premium publishers (0% clicks from bots). 0.13% CTR (18% of clicks by bots); 1.32% CTR (23% of clicks by bots); 5.93% CTR (45% of clicks by bots)
  30. Want 100% viewability? 0% NHT (bots)? Bad guys cheat and stack ALL ads above the fold to make 100% viewability. “100% viewability? Sure, no problem.” IntegralAdScience filtered traffic, Pixalate filtered traffic, MOAT filtered traffic: “0% NHT? Sure, no problem.”
  31. Best Practices of Savvy Advertisers. “don’t assume your agency took care of it”. Challenge all assumptions – don’t assume someone else “took care of it.” Verify, by demanding line-item detailed reports, because fraud hides easily in averages. Check your Google Analytics – question anything that looks suspicious; more details that can reveal fraud and waste. Corroborate measurements – measure different parameters together and see if they still make sense together; reduce false positives or negatives. Use conversion metrics – CPG client uses click-and-print digital coupons; pharma client uses doctor finder zip code searches, plus clicks to doctor pages; retailers use sales
  32. Ad Fraud Hits New All Time Highs
  33. Methbot eats $1 in $6 of $10B video ad spend. Source: Dec 2016 Whiteops Discloses Methbot Research. “the largest ad fraud discovered to date, a single botnet, Methbot, steals $3 - $5 million per day, $1.5 - $1.8 billion annualized.” 1. Targets video ad inventory: $13 average CPM, 10X higher than display ads. 2. Disguised as good publishers: pretending to be good publishers to cover tracks. 3. Simulated human actions: actively faked clicks, mouse movements, page scrolling. 4. Obfuscated data center origins: data center bots pretended to be from residential IP addresses
  34. Mobile fraud is much larger than detected. “bad guys’ apps don’t install fraud detection SDKs; so the reported low rate of fraud is due to only good apps being measured.” Mobile app install fraud research (via mxpresso): 50 – 70% mobile devices were fake; 40 – 50% of the app installs were fake; 10 – 20% were faked Play Store installs
  35. Implications for Digital Media
  36. Humans block ads; fraud bots don’t. Comparing high human vs high bot samples: 96% bots sample 42% ad blocked 1% ad blocked 93% human sample. Comparing ad blocking vs non-ad blocking samples: ad blocking ON; ad blocking OFF
  37. Ad impressions served mostly to bots, by far. Total Human Users – 115 million. Visitors (U.S. Only). U.S. Internet – 285 million. Source: eMarketer 2016 estimate. Source: Distil Networks 2015. Adblock Users (humans) – 45 million. Source: PageFair / Adobe 2015. “subtracting adblocking humans, your open exchange ad impressions are being served to a population that is disproportionally non-human.” Non-Human Traffic (NHT); HUMAN VISITORS; ads served. “fraud sites”; “sites w/ questionable practices”; “good guys”. Websites. 3% IVT caught by industry lists. 39% Ad blocking humans. 71%; 29%
  38. No matter how much traffic, bots don’t convert. 102,231 sessions; 0 sessions. Goal events – no change. Bot traffic turned off
  39. Other Hidden Dangers
  40. Analytics are messed up by fake data. 7% conversion rate; 13% conversion rate. Artificially low; actually correct
  41. Real human audiences stolen from publishers. Specialized audience: human oncologists. Specialized audience can be targeted elsewhere. “cookie matching” (by placing javascript on your site)
  42. In-ad measurements could be entirely wrong. Publisher Webpage; Foreign Ad iFrames. Cross-domain (XSS) security restrictions mean iframe cannot: read content in parent frame; detect actions in parent frame; see where it is on the page (above- or below-fold); detect characteristics of the parent page. 1x1 pixel js ad tags ride along inside iframe; incorrectly reported as 100% viewable
  43. On-site Javascript poses gaping security risks. Source:
  44. From our First-hand Data
  45. Visually show differences in quality / humanness. Good publishers; ad exchanges/networks. Volume bars (green). Stacked percent: blue (human), red (bots). Red v blue trendlines
  46. Traffic surges caused by bots vs real humans. Caused by bots; caused by humans
  47. Publishers taking action to reduce bots. Publisher 1 – stopped buying traffic. Publisher 2 – filtered data center traffic
  48. Advertisers buying low vs high quality media. Traffic to Site from Buying LOW quality media; Traffic to Site from Buying HIGH quality media
  49. About the Author. January 2017. Augustine Fou, PhD. 212.203.7239
  50. Dr. Augustine Fou – Recognized Expert on Ad Fraud. 2013 2014 SPEAKING ENGAGEMENTS / PANELS: 4A’s Webinar on Ad Fraud; AdCouncil Webinar on Ad Fraud; TelX Marketplace Live Panel on Cybersecurity; ARF Audience Measurement / ReThink; IAB Webinar on Ad Fraud / Botnets; AdMonsters Publishers Forum / OPS; DMA Webinar – Ad Fraud & Measurement. 2016 2015
  51. Harvard Business Review – October 2015. Excerpt: Hunting the Bots. Fou, a prodigy who earned a Ph.D. from MIT at 23, belongs to the generation that witnessed the rise of digital marketers, having crafted his trade at American Express, one of the most successful American consumer brands, and at Omnicom, one of the largest global advertising agencies. Eventually stepping away from corporate life, Fou started his own practice, focusing on digital marketing fraud investigation. Fou’s experiment proved that fake traffic is unproductive traffic. The fake visitors inflated the traffic statistics but contributed nothing to conversions, which stayed steady even after the traffic plummeted (bottom chart). Fake traffic is generated by “bad-guy bots.” A bot is computer code that runs automated tasks.
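
The "line-item detailed reports" and "corroborate measurements" practices from slide 31, applied to the fake "utm_source=msn" click-through on slide 24, as an added Python example that is not part of the original deck. The session records, the shop.example, partner.example and cashout-site.example hosts, and the EXPECTED_REFERRER mapping are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumption: the referrer domain each declared utm_source should arrive from.
EXPECTED_REFERRER = {"msn": "msn.com", "partner": "partner.example"}

def _sessions(source, referrer, converted, count):
    url = f"https://shop.example/product?utm_source={source}&utm_medium=cpc"
    return [(url, referrer, converted)] * count

# Constructed sample data: (landing URL, referrer, goal completed).
SESSIONS = (
    _sessions("partner", "https://www.partner.example/deals", True, 13)
    + _sessions("partner", "https://www.partner.example/deals", False, 87)
    + _sessions("msn", "https://www.msn.com/", True, 2)
    + _sessions("msn", "https://www.msn.com/", False, 8)
    + _sessions("msn", "http://cashout-site.example/", False, 90)
)

def declared_source(url):
    return parse_qs(urlparse(url).query).get("utm_source", ["(none)"])[0]

def corroborated(source, host):
    """True when the referrer host is the expected domain or a subdomain of it."""
    domain = EXPECTED_REFERRER.get(source)
    return bool(domain and host) and (host == domain or host.endswith("." + domain))

def line_items(sessions):
    """Sessions and conversions per (declared source, referrer host) line item."""
    items = defaultdict(lambda: [0, 0])
    for url, referrer, converted in sessions:
        row = items[(declared_source(url), urlparse(referrer).hostname)]
        row[0] += 1
        row[1] += converted
    return {key: tuple(row) for key, row in items.items()}

def suspicious(items):
    """Line items whose declared source is not corroborated and never converts."""
    return sorted(k for k, (_, conv) in items.items()
                  if not corroborated(*k) and conv == 0)

def conversion_rate(sessions, corroborated_only=False):
    rows = [s for s in sessions if not corroborated_only
            or corroborated(declared_source(s[0]), urlparse(s[1]).hostname)]
    return sum(converted for _, _, converted in rows) / len(rows)
```

Because referrers can themselves be faked (slide 4), a matching referrer does not prove a real visit; the zero-conversion condition is the second, independent parameter that has to agree before a line item is flagged.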