Entire ecosystem supporting ad fraud 2018

1. Entire Ecosystem Supporting Ad Fraud June 2018 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239

2. “In addition to the ad fraud itself, bad guys make money by selling the “picks and shovels” too – e.g. bots, traffic, clicks, malware, fake apps, etc. They have an entire ecosystem to extract value. What follows are just a few examples, scratching the surface.”

3. June 2018 / Page 2 marketing.science consulting group, inc. linkedin.com/in/augustinefou From 2015 - Fraud Ecosystem Overview Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem

4. June 2018 / Page 3 marketing.science consulting group, inc. linkedin.com/in/augustinefou Ad fraud is simple, scalable 1. set up FAKE SITES 2. buy FAKE TRAFFIC 3. sell FAKE ADS

5. Fake Sites Get paid for every fake site created

6. June 2018 / Page 5 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Websites - random • No content or content that is assembled (i.e. plagiarized) • Content not human readable • Stuffed with large numbers of ads • Page auto-reloads • Large abrupt traffic changes Get paid to make fake websites for ad fraud

7. June 2018 / Page 6 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Websites - template • Identical wordpress templates; no content or customization

8. June 2018 / Page 7 marketing.science consulting group, inc. linkedin.com/in/augustinefou Sites with Only Ads 1 2 3 4 5 6 7 8 9 10 • Pages are auto generated by script to optimize for high value search keywords and content • 10 – 15 display ads per page plus text ads and videos ads, in rotation • Advertisers should minimize ad dollars spent on impression (CPM) basis and focus on paying only when they get the click (CPC) • They also auto-refresh pages to load another 10 – 15 ads • Many other examples of display ads shown next to unsavory content Source: http://www.satelliteguys.us/archive/t-232266.html

9. June 2018 / Page 8 marketing.science consulting group, inc. linkedin.com/in/augustinefou More examples of fake sites analyzecanceradvice.com analyzecancerhelp.com bestcanceropinion.com bestcancerproducts.com bestcancerresults.com besthealthopinion.com bettercanceradvice.com bettercancerhelp.com betterhealthopinion.com findcanceropinion.com findcancerresource.com findcancertopics.com findhealthopinion.com finestcanceradvice.com finestcancerhelp.com finestcancerresults.com getcancerproducts.com 06f09b1008ae993a5a.com fbfd396918c60838.com 97ff623306ff4c26996.com b1f6fe5e3f0c3c8ba6.com 23205523023daea6.com 6068a17eed25.com b1fe8a95ae27823.com f4906b7c15ba.com eac0823ca94e3c07.com 1f7de8569ea97f0614.com 21c9a53484951.com 24ad89fc2690ed9369.com efd3b86a5fbddda.com 34c2f22e9503ace.com 0926a687679d337e9d.com 6a40194bef976cc.com Fake sites Fake sites 02aa19117f396e9.com f8260adbf8558d6.com 9376ec23d50b1.com pushedwebnews.com a0675c1160de6c6.com 0f461325bf56c3e1b9.com 850a54dbd2398a2.com 8761f9f83613.com 20a840a14a0ef7d6.com 31a5610ce3a8a2.com 5726303d87522d05.com 3ac901bf5793b0fccff.com b014381c95cb.com 2137dc12f9d8.com 33ae985c0ea917.com 153105c2f9564.com Fake sites

10. June 2018 / Page 9 marketing.science consulting group, inc. linkedin.com/in/augustinefou Network of “arcade” sites Same traffic, same shape, same pages/visit, same bounce arcadesilver.com arcadewow.com remotearcade.com yourchoicegames.com titaniumplay.com arcadetsunami.com antarcade.com airarcade.com arcadeearth.com arcadefancy.com arcadebreak.com arcadeamazing.com arcadecore.com arcadeturbo.com arcadepatriot.com arcadepatriot.com Source: SimilarWeb

11. June 2018 / Page 10 marketing.science consulting group, inc. linkedin.com/in/augustinefou Network of “highlight” sites Same traffic, same shape, same pages/visit, same bounce dotahighlight.org cshighlights.org clubesport.com sc2highlight.com hearthstonehighlight.org leagueoflegendshighlight.info dota2highlight.org hshighlight.com heroeshighlights.org hearthstonehighlight.com Source: SimilarWeb

12. June 2018 / Page 11 marketing.science consulting group, inc. linkedin.com/in/augustinefou Sites are auto-generated Source: SimilarWeb

13. June 2018 / Page 12 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Content – made by bot Augustine Fou - 12 - Characteristics • Auto-generated by bots, stuffed with search keywords • Attract organic search traffic • Not human readable • Stuffed with affiliate links and ads

14. June 2018 / Page 13 marketing.science consulting group, inc. linkedin.com/in/augustinefou Plagiarized content, fact-checks Google search on entire phrase in quotes: http://bit.ly/16H9Gk5 Source: Buzzfeed, June 2018

15. June 2018 / Page 14 marketing.science consulting group, inc. linkedin.com/in/augustinefou $23 (outside Google/Facebook) There’s 160X more “sites with ads” Good Publishers “sites with ads” Source: Verisign, Q4 2016 329M domains est. 164 million “sites that carry ads” “sites you’ve heard of” WSJ ESPN NYTimes Economist Reuters Elle 0.3% no ads carry ads 160X more 78% programmatic est. 1 million

16. Fake Traffic/Users Get paid selling traffic to sites / apps

17. June 2018 / Page 16 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake users (headless browsers) Headless Browsers Selenium PhantomJS Zombie.js SlimerJS Mobile Simulators 35 listed Bots are made from malware compromised PCs or headless browsers (no screen) in datacenters.

18. June 2018 / Page 17 marketing.science consulting group, inc. linkedin.com/in/augustinefou Any device with chip/connectivity Traffic cameras turned into botnet (Engadget, Oct 2015) mobile devices webcams connected traffic lights connected cars thermostat connected fridge Security cams used as 400 Gbps DDoS botnet (Engadget, Jun 2016) …can be used as a bot

19. June 2018 / Page 18 marketing.science consulting group, inc. linkedin.com/in/augustinefou Tricking measurement beacons Source: AdWeek, 2013 Measurement beacons were routinely tricked to count higher traffic Phantom Sites multiply traffic

20. June 2018 / Page 19 marketing.science consulting group, inc. linkedin.com/in/augustinefou Infinite page auto-redirects How much does it cost? How much is available? a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”

21. June 2018 / Page 20 marketing.science consulting group, inc. linkedin.com/in/augustinefou Feed traffic to other sites % traffic share from 15+ referring sites is TOO SIMILAR (~ 2% ) Advertisers impacted

22. June 2018 / Page 21 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fraud apps loading webpages “fraud sites’ traffic comes from apps that load hidden webpages”

23. Fake Ads

24. June 2018 / Page 23 marketing.science consulting group, inc. linkedin.com/in/augustinefou “Naked Ad Calls” (load ad, not page) Why load entire webpage when you can just load the ad (save bandwidth) and still get paid? Pass fake data via query strings

25. June 2018 / Page 24 marketing.science consulting group, inc. linkedin.com/in/augustinefou “Naked Ad Calls” are rampant “just call the ad, and not the webpage, to save bandwidth” Good Publishers Exchange Media Bottom of Barrel 47% avg 77% avg 11% avg

26. June 2018 / Page 25 marketing.science consulting group, inc. linkedin.com/in/augustinefou Oooh baby, that’s a lot … Highlighted domains are interspersed with large sites that you know many humans go to. These are DAILY quantities of impressions. Notice the large quantities; some are larger than mainstream sites.

27. June 2018 / Page 26 marketing.science consulting group, inc. linkedin.com/in/augustinefou Video Ads in Display Slots Source: Mediapost, March 2018 “arbitrage cheap low demand 300×250 ad units with high-demand expensive video ads. buys a static 300×250 banner ad for $2 CPM adds a video player and then resells it as a $9 CPM video ad unit.”

28. Beyond ad fraud … Tools and techniques of the trade

29. Fake Audiences Make money charging data CPMs

30. June 2018 / Page 29 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake audiences for retargeting “cookie matching” Bots pretend to be oncologists by visiting sites, collecting cookie Attract ad dollars to fake sites when retargeted

31. June 2018 / Page 30 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake segments for targeting Bots browse different items by season to attract higher retargeting CPMs Source: DataXu/DoubleVerify Webinar, April 2015 “look at backpacks in back-to-school season – to get retargeted”

32. June 2018 / Page 31 marketing.science consulting group, inc. linkedin.com/in/augustinefou Segment: purchasers - no difference “Frequent Buyers” “Heavy Buyers” “Recent Purchaser - Books” Control: No Targeting +$1.00 data CPM +$1.00 data CPM +$1.75 data CPM

33. June 2018 / Page 32 marketing.science consulting group, inc. linkedin.com/in/augustinefou (2018) Lotame purges 400M “[LOTAME] purged 400 million of its over 4 billion profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40 percent of all web traffic is fictional.” Adweek, Feb 2018

34. Fake Accounts Make money setting up fake accounts

35. June 2018 / Page 34 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Facebook profiles Sell “likes”; now used to simulate user engagement/audiences

36. June 2018 / Page 35 marketing.science consulting group, inc. linkedin.com/in/augustinefou (2018) Facebook purges 1.3 billion “It was barely a year ago that Facebook proudly declared it had more than 2.2 billion monthly users. But on Tuesday, the social media giant revealed some stunning data, including that during the six months ending in March, Facebook disabled a total of almost 1.3 billion fake accounts. During the first quarter of 2018, Facebook says it deleted 865 million posts, the vast majority of it for being spammy, and the remainder for containing graphic violence, sexual activity or nudity, terrorism or hate speech. Source: Inc. May 2018

37. June 2018 / Page 36 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake LinkedIn Profiles bot generated content stock photo Used to simulate “user engagement” (ad clicks), audiences

38. June 2018 / Page 37 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Twitter Accounts Used for “follower” fraud when marketers paid for more followers

39. June 2018 / Page 38 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake influencers - uncovered Source: Adweek, Jun 2018 Fake influencers bought followers to appear to be influential “an array of entertainers, entrepreneurs, athletes and media figures, … bought Twitter followers or artificial engagement. A New York Times article on Saturday describing a vast trade in fake followers and fraudulent engagement on Twitter and other social media sites, often using personal information taken from real users.

40. June 2018 / Page 39 marketing.science consulting group, inc. linkedin.com/in/augustinefou (2018) Twitter purges fake accounts Source: Engadget Mar 2018 Source: NYTimes Jan 2018

41. June 2018 / Page 40 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake YouTube Videos http://www.youtube.com /watch?v=xnkM9RrDzhM Banned Celebrity Sex Tapes bannedsextapes .com For driving fake referral traffic to sites, attribution fraud

42. June 2018 / Page 41 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake video views - purchased http://www.youtube.com/watch?v=iP6XpLQM2Cs Actual interest Straight line – purchased views

43. June 2018 / Page 42 marketing.science consulting group, inc. linkedin.com/in/augustinefou Youtube views on blank page

44. June 2018 / Page 43 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake YouTube Videos for SEO http://www.youtube.com /watch?v=upSOCzlSoHk http://www.youtube.com/ watch?v=lhbDGpqCmZQ http://www.youtube.com/ watch?v=UcdiM4uD6fM http://www.youtube.com /watch?v=an6xRpQ5Wh8 Duplicated videos Keyword-stuffed for video SEO for fake sites (free traffic) Some carry ads to generate ad revenue

45. June 2018 / Page 44 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Sweepstakes To steal users’ email addresses and other personal information

46. June 2018 / Page 45 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Personality Quizzes Used to harvest personal info, meta data for later use in hacking Source: The Atlantic, Jul 2017 Harvesting self-selected face photos (can be used to unlock FaceID)

47. Fake Mobile Rent out fake mobile device “botnets”

48. June 2018 / Page 47 marketing.science consulting group, inc. linkedin.com/in/augustinefou You can’t scale physical devices May 26 Forbes “Judy Malware” • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute Source: June 2017 “Chinese click fraud gang in Thailand arrested” 300 real devices used for click fraud millions of mobile simulators for ad fraud

49. June 2018 / Page 48 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake devices (mobile simulators) Download and Install Apps Launch and Interact

50. June 2018 / Page 49 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Installs / Attribution Install Fraud “fake devices installing legit apps, get paid on CPI” App install spend $6B (2017E) Source: BusinessInsider, June 2016 Source: AdAge, Sept 2017

51. June 2018 / Page 50 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake downloads, boost rank Download/purchase own apps with bots to get to top 25 list

52. June 2018 / Page 51 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake devices, loading pages Repeated hits by same device/browser, same ip address

53. June 2018 / Page 52 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake IDFAs on real devices Source: Cinarra Systems Rotating faked IDFAs allow mobile devices to defeat frequency caps

54. June 2018 / Page 53 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake apps compromise humans Source: The Inquirer Oct 2017 Source: Daily Mail May 2015 https://www.inc.com/minda- zetlin/fake-whatsapp-app-on- google-play-store-fooled-1- million-into-downloading-it- did-you.html

55. June 2018 / Page 54 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake apps absorb all budget com.jiubang com.flashlight com.latininput com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb Fake apps Top 5 apps = 100% of imps

56. June 2018 / Page 55 marketing.science consulting group, inc. linkedin.com/in/augustinefou Faked geolocation, higher CPM Not Normal – in both campaigns 1. 100% mobile apps; 100% Android; same top 15 apps in both markets 2. 100% of impressions generated between 4a – 5a local time 3. 100% fake devices; 15 unique devices generated top 95% impressions

57. June 2018 / Page 56 marketing.science consulting group, inc. linkedin.com/in/augustinefou App cloning, free adware SDKs Apps are cloned thousands of times; some didn’t even bother to change the colors or cover graphics. Bad guys accidentally cloned apps that already had detection SDK in it – from 312, to 750, to 1,330 copies. Source: CNBC, Aug 2017

58. June 2018 / Page 57 marketing.science consulting group, inc. linkedin.com/in/augustinefou Apps’ primary revenue is ads In-App Advertising App Store Source: SensorTower

59. June 2018 / Page 58 marketing.science consulting group, inc. linkedin.com/in/augustinefou Top mobile apps by ad revenue Top mobile apps by ad revenue Are entirely different than ones humans spend the most time with

60. June 2018 / Page 59 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake apps compromise devices Source: Independent, Jun 2018 Source: Fortune, July 2016

61. June 2018 / Page 60 marketing.science consulting group, inc. linkedin.com/in/augustinefou $23 (outside Google/Facebook) 700X more There’s 700X more fake apps 7M apps Source: Statista, March 2017 6.99 million 96% “apps that carry ads” 10,000 “apps you’ve heard of” Facebook Spotify Pandora Zynga Pokemon YouTube Facebook, 2015 Users use 8 – 15 apps on their phones. Spotify, 2016 People have 25 apps on their phones, use 5-8 regularly Forrester Research, May 2017 Humans “use 9 apps per day, 30 per month” 78% programmatic

62. June 2018 / Page 61 marketing.science consulting group, inc. linkedin.com/in/augustinefou (2015) Going on for long time Source: BusinessInsider, July 2015 “A user downloads an app from the official app store — which may look legitimate and have hundreds of positive reviews — which then runs in the background, serving hundreds of ads at a rate as high as 20 ads per minute” Known and documented for years – now mobile is majority of digital spend

63. June 2018 / Page 62 marketing.science consulting group, inc. linkedin.com/in/augustinefou Got 100M credit card numbers? Amateur Criminals Buy HDTV at Walmart with stolen credit card; get caught, card is deactivated. Pro Criminals Automate millions of $0.99 in- game purchases of “power- ups, shields, virtual goods” to fully launder the plunder.

64. Tools for disguising, laundering

65. June 2018 / Page 64 marketing.science consulting group, inc. linkedin.com/in/augustinefou Luminati Geosurf Residential ips Proxy services, free VPNs Rent out residential IPs for disguising bots

66. June 2018 / Page 65 marketing.science consulting group, inc. linkedin.com/in/augustinefou Methbot, Hyphbot (video fraud) Source: Dec 2016 WhiteOps Discloses Methbot Research “Methbot, steals $2 billion annualized; and it avoided detection for years.” • Targeted video ad inventory $13 average CPM, 10X higher than display ads • Disguised as residential bots pretended to be from residential IP addresses 2016 Source: Adform, Nov 2017 “Hyphbot, targeted video ad inventory avoided detection.” 2017 • active through at least 14 different exchanges and SSPs • generating up to 1.5 billion requests per day • generated fake traffic on more than 34,000 different domains, 600k IP addresses

67. June 2018 / Page 66 marketing.science consulting group, inc. linkedin.com/in/augustinefou Tech tools to randomize data Source: Ratko Vidakovic

68. June 2018 / Page 67 marketing.science consulting group, inc. linkedin.com/in/augustinefou Faked Google Analytics Source: https://youtu.be/6_F-NAvr39o Demo of how Google Analytics can be faked to show traffic that doesn’t exist

69. June 2018 / Page 68 marketing.science consulting group, inc. linkedin.com/in/augustinefou Faked mouse moves/clicks Source: https://youtu.be/HeGYr3jwubY Demo of fake mousemovements and clicks using javascript

70. June 2018 / Page 69 marketing.science consulting group, inc. linkedin.com/in/augustinefou Click spamming Click injection Click flooding Faked attribution, clicks Attribution urls or SDKs can be called to create fake clicks https://www.slideshare.net/inmobi/a-cure-for- adfraud-turning-fraud-detection-into-fraud-prevention Source: Method Media Intelligence

71. June 2018 / Page 70 marketing.science consulting group, inc. linkedin.com/in/augustinefou Criteo vs Steelhouse Suit Source: BusinessInsider June 2016 “Both Criteo and SteelHouse use a pay-per-click pricing model, which means they only generate revenue when users click on the ads they have served. Criteo alleges in the suit that SteelHouse ‘counterfeited clicks to trick e-tailers into attributing sales to SteelHouse that should have been attributed to Criteo, other competitors and partners, or direct traffic.’"

72. June 2018 / Page 71 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake ad agencies to buy ads Source: Confiant, Jan 2018 “Beginads was only briefly used to establish relationships with ad platforms as a fake ad agency. Zirconium established a well thought- out organization to maximize both Supply (user traffic) and Demand (landing pages). Supply is brought in by the fake agencies, establishing relationships with legitimate ad platforms, and buying traffic. Having multiple relationships makes the operation more robust (in case an agency gets caught) and stealthier — as each agency poses as a long-tail small business agency and buys small amounts at a time.”

73. June 2018 / Page 72 marketing.science consulting group, inc. linkedin.com/in/augustinefou Affiliate Fraud – Cookie Stuffing “eBay paid Hogan a staggering $28 million in affiliate marketing sales commissions over the years, according to court papers.” Source: http://www.businessinsider.com/eb ay-the-fbi-shawn-hogan-and-brian-dunning- 2013-4#ixzz34WHjnefM Source: http://articles.latimes.com/2013/apr/19/b usiness/la-fi-mo-cookie-stuffing-ebay- 20130419 “Laguna Niguel man pleads guilty in 'cookie stuffing' scam against Ebay. The online auctioneer paid Dunning’s company about $5.2 million in 2006 and 2007, the U.S. Attorney said.” Keywords: cookie stuffing Many more case studies published by Ben Edelman http://www.benedelman.org/

74. Creating / multiplying “inventory”

75. June 2018 / Page 74 marketing.science consulting group, inc. linkedin.com/in/augustinefou Browser toolbars/extensions Source: Ars Technica Jan 2018 Source: Shailin Dhar 2016 Toolbars/extensions to create traffic, fake clicks, log keystrokes

76. June 2018 / Page 75 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake ad blockers load more ads Source: Engadget, April 2018 Thought you blocked ads? No, even more loaded in background

77. June 2018 / Page 76 marketing.science consulting group, inc. linkedin.com/in/augustinefou Pop-unders on porn sites Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017 Porn sites have real humans; pop-unders load continuous ads

78. June 2018 / Page 77 marketing.science consulting group, inc. linkedin.com/in/augustinefou Auto-redirects – hidden iframe Source: GeoEdge, Jan 2018 “Hidden Auto-Redirects, … opens invisible iframes, and unbeknownst to the user, goes on its own delivery path, serving and clicking on ads automatically.”

79. June 2018 / Page 78 marketing.science consulting group, inc. linkedin.com/in/augustinefou Apps load ads in background Source: ImpScore.io - https://www.youtube.com/watch?v=w-i-ue8fPCc “fake apps or fraud apps (real apps that misbehave) continuously load display ad impressions in the background, inflate revenue”

80. June 2018 / Page 79 marketing.science consulting group, inc. linkedin.com/in/augustinefou Bots load ads in background Source: https://www.youtube.com/watch?v=IiVZC8eM_xE Continuous loading of ads in the background and randomizing page loads

81. June 2018 / Page 80 marketing.science consulting group, inc. linkedin.com/in/augustinefou Pages load ads in background “dark processes” are continuous loading of ads, in background https://youtu.be/utoN_VlxtE0 (demo video of page continuously loading ads in the background)

82. June 2018 / Page 81 marketing.science consulting group, inc. linkedin.com/in/augustinefou Dark pages – hidden pages for ads “dark pages” are NOT seen when sites are manually checked Pages you can see, navigate to Dark Pages you cannot navigate to (look normal, low # of ads) More ads, trackers, auto-refresh Normal Dark Pages

83. Malware / Adware Compromise more devices for botnet

84. June 2018 / Page 83 marketing.science consulting group, inc. linkedin.com/in/augustinefou Malware makes money via ads 2017 Checkpoint “Fireball” • 250 million infected devices • primary use = ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minute “Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web- traffic to generate ad-revenue” Source: Check Point, 2017 Source: BitDefender Labs, 2018 “The main goal of Zacinlo is to deliver adware, displaying adverts developed by the attackers in webpages the user visits and to secretly click through to them in order to generate ad revenue.

85. June 2018 / Page 84 marketing.science consulting group, inc. linkedin.com/in/augustinefou Malvertising / Ransomware Source: ZDNet, March 2017 Source: TechRepublic, June 2017

86. June 2018 / Page 85 marketing.science consulting group, inc. linkedin.com/in/augustinefou Drive-by Malware/Cryptomining Source: Malwarebytes, Feb 2018 Source: ComputerWeekly March 2016

87. June 2018 / Page 86 marketing.science consulting group, inc. linkedin.com/in/augustinefou Pre-installed malware/adware Source: TheVerge, Jul 2017 Source: CNN, Feb 2015

88. June 2018 / Page 87 marketing.science consulting group, inc. linkedin.com/in/augustinefou Hacked Wordpress/Drupal Sites Source: Wordfence, Apr 2016 Source: TechCrunch, April 2018 Compromised to deliver malware to unsuspecting visitors

89. June 2018 / Page 88 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake VPN – malware/ads Source: PC Magazine, Jun 2018 “The free programs are merely a guise for a notorious adware strain, dubbed Zacinlo, that's been harassing Windows PCs since 2012. Once installed, the apps can secretly download other programs on your computer, take screen shots from the desktop, and inject ads into your web browser, security firm Bitdefender said in a Monday report.”

90. June 2018 / Page 89 marketing.science consulting group, inc. linkedin.com/in/augustinefou Google Safebrowsing Report Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem We are at HISTORIC highs for malware and phishing

91. Stealing/Harvesting personal info

92. June 2018 / Page 91 marketing.science consulting group, inc. linkedin.com/in/augustinefou Countless big data breaches Harvesting personal info for use in various forms of attacks later

93. June 2018 / Page 92 marketing.science consulting group, inc. linkedin.com/in/augustinefou Compromised databases Source: Hacker News, Jun 2018 Source: compsec, Jan 2017

94. June 2018 / Page 93 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake Leads (Lead Fraud) Fake leads • Previously filled out by hand • Now, fully automated with bots using databases of real postal addresses, etc. (that trick verification engines) Use personal data from prior breaches to complete forms

95. June 2018 / Page 94 marketing.science consulting group, inc. linkedin.com/in/augustinefou 3rd party trackers leak user info

96. June 2018 / Page 95 marketing.science consulting group, inc. linkedin.com/in/augustinefou (2017) User data exfiltration “Emails, usernames, passwords -- exfiltration of personal data by session-replay scripts; and recording of user actions on the site.” Source: Freedom to Tinker, Nov 2017

97. June 2018 / Page 96 marketing.science consulting group, inc. linkedin.com/in/augustinefou Compromised apps to steal info Source: Gadgets 360, June 2018 Source: ZDNet March 2018

98. June 2018 / Page 97 marketing.science consulting group, inc. linkedin.com/in/augustinefou Piracy sites’ specialized tasks • Malware on humans’ PCs are used to make botnets • Real human’s cookies used for retargeting Piracy Sites Specialty • CPM on served ads • Get paid to plant malware Revenue Fraud Types • Malware / Toolbar / Virus • Sourced Traffic • Fake Ad Impressions Since there are real humans going to piracy sites and navigating them, their mouse movements and keystrokes can be recorded for replay attacks later.

99. June 2018 / Page 98 marketing.science consulting group, inc. linkedin.com/in/augustinefou Ad Blocking / GPDR Source: CNBC, June 2018 Humans block ads and DON’T give consent; ads are served to bots “Humans block ads; bots want ads to load – so after ad blocking, most of the remaining ads are shown to bots.

100. Bad Measurement and Faked Analytics

101. June 2018 / Page 100 marketing.science consulting group, inc. linkedin.com/in/augustinefou Bad Measurement of IVT Incorrect IVT Measurement Source 3 - in ad iframe, badly sampled Sources 1 and 2 corroborate One agency insists on one fraud detection company (that is owned by same holding company), despite proven errors in IVT measurement (due to sampling and tag being in ad iframe). Agency uses high IVT numbers to get refunds, which agency keeps as profit for themselves.

102. June 2018 / Page 101 marketing.science consulting group, inc. linkedin.com/in/augustinefou Opposite results from tag placement In-Ad (in foreign iframe) On-Site (on page) window sizes detected as 0x0 or 0x8 pixels correct window sizes for ads detected 0% humans 60% bots 60% humans 3% bots “fraud measurements could be entirely wrong, depending on where the tag is placed – in-ad versus on-site.”

103. June 2018 / Page 102 marketing.science consulting group, inc. linkedin.com/in/augustinefou Legit sites wrongly blacklisted Domain (spoofed) % SIVT esquire.com 77% travelchannel.com 76% foodnetwork.com 76% popularmechanics.com 74% latimes.com 72% reuters.com 71% bid request fakesite123.com esquire.com passes blacklist passes whitelist ✅ ✅ declared 1. fakesite123.com has to pretend to be esquire.com to get bids; 2. fraud measurement shows high IVT b/c it is measuring the fake site with fake traffic 3. Fake esquire.com gets mixed with real so average fraud rates appear high. 4. Real esquire.com gets backlisted; bad guy moves on to another domain.

104. June 2018 / Page 103 marketing.science consulting group, inc. linkedin.com/in/augustinefou declared to be: Brand safety tech doesn’t work Pre-scanned Domain List In-ad tag Ad tags that are in the foreign iframe (different domain) cannot look outside the iframe – i.e. cannot read content on the site to determine brand safety. bad word porn terrorism hate badsite123.com badsite123.com badsite123.com badsite123.com goodsite123.com goodsite123.com goodsite123.com Domain Placement Reports goodsite123.com goodsite123.com goodsite123.com goodsite123.com goodsite123.com goodsite123.com goodsite123.com FAILS because it is not directly measured; relies on domain placement reports which have declared data.

105. June 2018 / Page 104 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fraud filter no better than blacklist 1.Fraud filters are no better than manual blacklists 2.In some cases, there’s MORE fraud when filter is on 3.Using fraud filters adds 20 – 24% to costs; manual blacklists are free

106. June 2018 / Page 105 marketing.science consulting group, inc. linkedin.com/in/augustinefou “Verified” no different than control “Verified Bots” “Verified Humans” Control: No Targeting +$0.25 data CPM +$0.25 data CPM “verified bots” and “verified humans” showed no difference in quality to each other – AND both were no different than the control where no targeting was used.

107. June 2018 / Page 106 marketing.science consulting group, inc. linkedin.com/in/augustinefou Bad guys trick measurement SDK Spoofing— code in an app that sends simulated ad clicks and engagement signals to the attribution provider … [to] fool an advertiser into paying for fraudulent impressions/views. Attribution Fraud— code that executes clicks (click spamming, click injection) so fraudster can claim credit for downstream conversions. Detection Tag Blocking— fake or fraudulent apps can selectively block fraud detection tags or manipulate analytics data.

108. June 2018 / Page 107 marketing.science consulting group, inc. linkedin.com/in/augustinefou Simple code to trick viewability “This code manipulated data to ensure that otherwise unviewable ads showed up in measurement systems as valid impressions, which resulted in payment being made for the ad.” Buzzfeed, March 2018

109. June 2018 / Page 108 marketing.science consulting group, inc. linkedin.com/in/augustinefou Bots easily trick AI/ML algorithms “Humans (blue) are hard to predict … … but bots give you beautiful signals – 1 or 0.” Source: Claudia Perlich, PhD. Data Scientist

110. June 2018 / Page 109 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake or plagiarized ads.txt Source: MediaMath Fake sites rushed to put ads.txt files in place, to continue to sell “the company will only buy … from publishers who have an ads.txt file in place.” “completely useless… … fake and fraud sites just put ads.txt files in place or plagiarized content from other publishers to stick in their own files.”

111. June 2018 / Page 110 marketing.science consulting group, inc. linkedin.com/in/augustinefou Fake botnet for PR “used highly sophisticated techniques to fraudulently load ads on the affected sites without the site owners' consent, leveraging a new methodology that allows it to monetize inventory on premium domains.” “none of this actually happened; it was completely fabricated for the press release announcing their new algo – ‘dramatic improvements to its automated traffic detection .. primarily through …machine learning methodologies’. The failure was due to their analyzing only pre-bid data, which was faked. There were no ads injected into any of the sites they named in the press release. This was confirmed by each of the good publishers, falsely accused.”

112. June 2018 / Page 111 marketing.science consulting group, inc. linkedin.com/in/augustinefou Discrepancies – won vs served DSP says Adserver says Why actually serve the ad if you already get paid based on the number of impressions won? From the data, the more fraudulent the site, the greater the discrepancy – e.g. 80 – 100%

113. June 2018 / Page 112 marketing.science consulting group, inc. linkedin.com/in/augustinefou “He said, she said” stalemate Marketer/Buyer Publisher/Seller Selects fraud verification Vendor A that consistently finds higher IVT – so they can get bigger refunds on their media buys (use it like discounts). Selects fraud verification Vendor B that finds lower IVT to help them defend against false accusations of fraud and refund requests. Vendor A Vendor B MRC Accredited MRC Accredited “high IVT” “low IVT” “it comes down to negotiation or relative power; so it is no better than if NO fraud detection were used at all.”

114. With all this “support,” no wonder …

115. “Ad fraud is at ALL TIME HIGHS both in RATE and in DOLLARS… … and what’s worse is fraud detection is not catching it, so people have a false sense of security.” Source: https://www.slideshare.net/augustinefou/state-of-digital-ad-fraud-q2-2018

116. June 2018 / Page 115 marketing.science consulting group, inc. linkedin.com/in/augustinefou Two main kinds of ad fraud “Everything else is a derivative of (e.g. cost-per-install fraud), or in support of (e.g. tricking measurement, attribution, covering tracks) the above 2 forms of ad fraud.” Impression Fraud (CPM) Fraud (includes mobile display, video ads) Click Fraud (CPC) Fraud (includes mobile search ads)

117. June 2018 / Page 116 marketing.science consulting group, inc. linkedin.com/in/augustinefou Why? Largest buckets of spend Leads (CPL) Sales (CPA) Lead Gen $2.0B Other $5.0B • classifieds • sponsorship • rich media Impressions (CPM/CPV) Clicks (CPC) Search 46% Display 31% Video 14% 91% digital ad spend Source: IAB FY 2017 Report 9% spend

118. June 2018 / Page 117 marketing.science consulting group, inc. linkedin.com/in/augustinefou Digital Ad Fraud is At All Time Highs Digital Ad Spend ($ billions) Actuals Projected Digital Ad Fraud ($ billions)

119. June 2018 / Page 118 marketing.science consulting group, inc. linkedin.com/in/augustinefou F*********************k DDoS attacks overwhelm with traffic; now use traffic to make ad revenue Google Digital Attack Map

120. June 2018 / Page 119 marketing.science consulting group, inc. linkedin.com/in/augustinefou Only way to tell – pause or cut “Once we got transparency, it illuminated what reality was,” said Mr. Pritchard. P&G then took matters into its owns hands and voted with its dollars, he said.” “As we all chased the Holy Grail of digital, self-included, we were relinquishing too much control— blinded by shiny objects, overwhelmed by big data, and ceding power to algorithms,” Mr. Pritchard said. Source: WSJ, March 2018 P&G: cut $200M, no impact

121. June 2018 / Page 120 marketing.science consulting group, inc. linkedin.com/in/augustinefou So what? • Tried and true attacks/techniques continue to be used – they are just more automated now and scalable in digital • Assume everything is compromised (all personal details) and look for tell-tale signs and anything suspicious, dig in. • “Don’t trust, and always verify” and definitely don’t trust the verification numbers where no supporting details are provided; how would you know if it is right or not? • Run experiments to test hypotheses and check hunches; for example pause or cut spending to see if any business outcomes go down? • Use your common sense to solve fraud and run real digital marketing campaigns that yield real business outcomes.

122. June 2018 / Page 121 marketing.science consulting group, inc. linkedin.com/in/augustinefou About the Author Augustine Fou, PhD. acfou [@] mktsci.com 212. 203 .7239

123. June 2018 / Page 122 marketing.science consulting group, inc. linkedin.com/in/augustinefou Dr. Augustine Fou – Independent Ad Fraud Researcher 2013 2014 Published slide decks and posts: http://www.slideshare.net/augustinefou/presentations https://www.linkedin.com/today/author/augustinefou 2016 2015 2017

Entire ecosystem supporting ad fraud 2018

Related Books

Free with a 30 day trial from Scribd

Related Audiobooks

Free with a 30 day trial from Scribd

Entire ecosystem supporting ad fraud 2018