
Entire ecosystem supporting ad fraud 2018

“In addition to the ad fraud itself, bad guys make money by selling the “picks and shovels” too – e.g. bots, traffic, clicks, malware, fake apps, etc. They have an entire ecosystem to extract value. What follows are just a few examples, scratching the surface.”


  1. Entire Ecosystem Supporting Ad Fraud June 2018 Augustine Fou, PhD. acfou [at] 212. 203 .7239
  2. “In addition to the ad fraud itself, bad guys make money by selling the “picks and shovels” too – e.g. bots, traffic, clicks, malware, fake apps, etc. They have an entire ecosystem to extract value. What follows are just a few examples, scratching the surface.”
  3. June 2018 / Page 2 consulting group, inc. From 2015 - Fraud Ecosystem Overview Source:
  4. Ad fraud is simple, scalable: 1. set up FAKE SITES 2. buy FAKE TRAFFIC 3. sell FAKE ADS
  5. Fake Sites Get paid for every fake site created
  6. Fake Websites - random • No content or content that is assembled (i.e. plagiarized) • Content not human readable • Stuffed with large numbers of ads • Page auto-reloads • Large abrupt traffic changes Get paid to make fake websites for ad fraud
  7. Fake Websites - template • Identical WordPress templates; no content or customization
  8. Sites with Only Ads • Pages are auto generated by script to optimize for high value search keywords and content • 10 – 15 display ads per page plus text ads and video ads, in rotation • Advertisers should minimize ad dollars spent on impression (CPM) basis and focus on paying only when they get the click (CPC) • They also auto-refresh pages to load another 10 – 15 ads • Many other examples of display ads shown next to unsavory content Source:
  9. More examples of fake sites
  10. Network of “arcade” sites Same traffic, same shape, same pages/visit, same bounce Source: SimilarWeb
  11. Network of “highlight” sites Same traffic, same shape, same pages/visit, same bounce Source: SimilarWeb
  12. Sites are auto-generated Source: SimilarWeb
  13. Fake Content – made by bot Characteristics • Auto-generated by bots, stuffed with search keywords • Attract organic search traffic • Not human readable • Stuffed with affiliate links and ads
  14. Plagiarized content, fact-checks Google search on entire phrase in quotes: Source: Buzzfeed, June 2018
  15. $23 (outside Google/Facebook) There’s 160X more “sites with ads” Good Publishers “sites with ads” Source: Verisign, Q4 2016 329M domains est. 164 million “sites that carry ads” “sites you’ve heard of” WSJ ESPN NYTimes Economist Reuters Elle 0.3% no ads carry ads 160X more 78% programmatic est. 1 million
  16. Fake Traffic/Users Get paid selling traffic to sites / apps
  17. Fake users (headless browsers) Headless Browsers Selenium PhantomJS Zombie.js SlimerJS Mobile Simulators 35 listed Bots are made from malware compromised PCs or headless browsers (no screen) in datacenters.
  18. Any device with chip/connectivity Traffic cameras turned into botnet (Engadget, Oct 2015) mobile devices webcams connected traffic lights connected cars thermostat connected fridge Security cams used as 400 Gbps DDoS botnet (Engadget, Jun 2016) …can be used as a bot
  19. Tricking measurement beacons Source: AdWeek, 2013 Measurement beacons were routinely tricked to count higher traffic Phantom Sites multiply traffic
  20. Infinite page auto-redirects How much does it cost? How much is available? a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
  21. Feed traffic to other sites % traffic share from 15+ referring sites is TOO SIMILAR (~ 2% ) Advertisers impacted
  22. Fraud apps loading webpages “fraud sites’ traffic comes from apps that load hidden webpages”
  23. Fake Ads
  24. “Naked Ad Calls” (load ad, not page) Why load entire webpage when you can just load the ad (save bandwidth) and still get paid? Pass fake data via query strings
  25. “Naked Ad Calls” are rampant “just call the ad, and not the webpage, to save bandwidth” Good Publishers Exchange Media Bottom of Barrel 47% avg 77% avg 11% avg
  26. Oooh baby, that’s a lot … Highlighted domains are interspersed with large sites that you know many humans go to. These are DAILY quantities of impressions. Notice the large quantities; some are larger than mainstream sites.
  27. Video Ads in Display Slots Source: Mediapost, March 2018 “arbitrage cheap low demand 300×250 ad units with high-demand expensive video ads. buys a static 300×250 banner ad for $2 CPM adds a video player and then resells it as a $9 CPM video ad unit.”
  28. Beyond ad fraud … Tools and techniques of the trade
  29. Fake Audiences Make money charging data CPMs
  30. Fake audiences for retargeting “cookie matching” Bots pretend to be oncologists by visiting sites, collecting cookie Attract ad dollars to fake sites when retargeted
  31. Fake segments for targeting Bots browse different items by season to attract higher retargeting CPMs Source: DataXu/DoubleVerify Webinar, April 2015 “look at backpacks in back-to-school season – to get retargeted”
  32. Segment: purchasers - no difference “Frequent Buyers” “Heavy Buyers” “Recent Purchaser - Books” Control: No Targeting +$1.00 data CPM +$1.00 data CPM +$1.75 data CPM
  33. (2018) Lotame purges 400M “[LOTAME] purged 400 million of its over 4 billion profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40 percent of all web traffic is fictional.” Adweek, Feb 2018
  34. Fake Accounts Make money setting up fake accounts
  35. Fake Facebook profiles Sell “likes”; now used to simulate user engagement/audiences
  36. (2018) Facebook purges 1.3 billion “It was barely a year ago that Facebook proudly declared it had more than 2.2 billion monthly users. But on Tuesday, the social media giant revealed some stunning data, including that during the six months ending in March, Facebook disabled a total of almost 1.3 billion fake accounts. During the first quarter of 2018, Facebook says it deleted 865 million posts, the vast majority of it for being spammy, and the remainder for containing graphic violence, sexual activity or nudity, terrorism or hate speech. Source: Inc. May 2018
  37. Fake LinkedIn Profiles bot generated content stock photo Used to simulate “user engagement” (ad clicks), audiences
  38. Fake Twitter Accounts Used for “follower” fraud when marketers paid for more followers
  39. Fake influencers - uncovered Source: Adweek, Jun 2018 Fake influencers bought followers to appear to be influential “an array of entertainers, entrepreneurs, athletes and media figures, … bought Twitter followers or artificial engagement. A New York Times article on Saturday describing a vast trade in fake followers and fraudulent engagement on Twitter and other social media sites, often using personal information taken from real users.
  40. (2018) Twitter purges fake accounts Source: Engadget Mar 2018 Source: NYTimes Jan 2018
  41. Fake YouTube Videos /watch?v=xnkM9RrDzhM Banned Celebrity Sex Tapes bannedsextapes .com For driving fake referral traffic to sites, attribution fraud
  42. Fake video views - purchased Actual interest Straight line – purchased views
  43. YouTube views on blank page
  44. Fake YouTube Videos for SEO /watch?v=upSOCzlSoHk watch?v=lhbDGpqCmZQ watch?v=UcdiM4uD6fM /watch?v=an6xRpQ5Wh8 Duplicated videos Keyword-stuffed for video SEO for fake sites (free traffic) Some carry ads to generate ad revenue
  45. Fake Sweepstakes To steal users’ email addresses and other personal information
  46. Fake Personality Quizzes Used to harvest personal info, meta data for later use in hacking Source: The Atlantic, Jul 2017 Harvesting self-selected face photos (can be used to unlock FaceID)
  47. Fake Mobile Rent out fake mobile device “botnets”
  48. You can’t scale physical devices May 26 Forbes “Judy Malware” • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute Source: June 2017 “Chinese click fraud gang in Thailand arrested” 300 real devices used for click fraud millions of mobile simulators for ad fraud
  49. Fake devices (mobile simulators) Download and Install Apps Launch and Interact
  50. Fake Installs / Attribution Install Fraud “fake devices installing legit apps, get paid on CPI” App install spend $6B (2017E) Source: BusinessInsider, June 2016 Source: AdAge, Sept 2017
  51. Fake downloads, boost rank Download/purchase own apps with bots to get to top 25 list
  52. Fake devices, loading pages Repeated hits by same device/browser, same ip address
  53. Fake IDFAs on real devices Source: Cinarra Systems Rotating faked IDFAs allow mobile devices to defeat frequency caps
  54. Fake apps compromise humans Source: The Inquirer Oct 2017 Source: Daily Mail May 2015 zetlin/fake-whatsapp-app-on- google-play-store-fooled-1- million-into-downloading-it- did-you.html
  55. Fake apps absorb all budget com.jiubang com.flashlight com.latininput com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb Fake apps Top 5 apps = 100% of imps
  56. Faked geolocation, higher CPM Not Normal – in both campaigns 1. 100% mobile apps; 100% Android; same top 15 apps in both markets 2. 100% of impressions generated between 4a – 5a local time 3. 100% fake devices; 15 unique devices generated top 95% impressions
  57. App cloning, free adware SDKs Apps are cloned thousands of times; some didn’t even bother to change the colors or cover graphics. Bad guys accidentally cloned apps that already had detection SDK in it – from 312, to 750, to 1,330 copies. Source: CNBC, Aug 2017
  58. Apps’ primary revenue is ads In-App Advertising App Store Source: SensorTower
  59. Top mobile apps by ad revenue Are entirely different than ones humans spend the most time with
  60. Fake apps compromise devices Source: Independent, Jun 2018 Source: Fortune, July 2016
  61. $23 (outside Google/Facebook) 700X more There’s 700X more fake apps 7M apps Source: Statista, March 2017 6.99 million 96% “apps that carry ads” 10,000 “apps you’ve heard of” Facebook Spotify Pandora Zynga Pokemon YouTube Facebook, 2015 Users use 8 – 15 apps on their phones. Spotify, 2016 People have 25 apps on their phones, use 5-8 regularly Forrester Research, May 2017 Humans “use 9 apps per day, 30 per month” 78% programmatic
  62. (2015) Going on for long time Source: BusinessInsider, July 2015 “A user downloads an app from the official app store — which may look legitimate and have hundreds of positive reviews — which then runs in the background, serving hundreds of ads at a rate as high as 20 ads per minute” Known and documented for years – now mobile is majority of digital spend
  63. Got 100M credit card numbers? Amateur Criminals Buy HDTV at Walmart with stolen credit card; get caught, card is deactivated. Pro Criminals Automate millions of $0.99 in-game purchases of “power-ups, shields, virtual goods” to fully launder the plunder.
  64. Tools for disguising, laundering
  65. Luminati Geosurf Residential ips Proxy services, free VPNs Rent out residential IPs for disguising bots
  66. Methbot, Hyphbot (video fraud) Source: Dec 2016 WhiteOps Discloses Methbot Research “Methbot, steals $2 billion annualized; and it avoided detection for years.” • Targeted video ad inventory $13 average CPM, 10X higher than display ads • Disguised as residential bots pretended to be from residential IP addresses 2016 Source: Adform, Nov 2017 “Hyphbot, targeted video ad inventory avoided detection.” 2017 • active through at least 14 different exchanges and SSPs • generating up to 1.5 billion requests per day • generated fake traffic on more than 34,000 different domains, 600k IP addresses
  67. Tech tools to randomize data Source: Ratko Vidakovic
  68. Faked Google Analytics Source: Demo of how Google Analytics can be faked to show traffic that doesn’t exist
  69. Faked mouse moves/clicks Source: Demo of fake mouse movements and clicks using JavaScript
  70. Click spamming Click injection Click flooding Faked attribution, clicks Attribution urls or SDKs can be called to create fake clicks adfraud-turning-fraud-detection-into-fraud-prevention Source: Method Media Intelligence
  71. Criteo vs Steelhouse Suit Source: BusinessInsider June 2016 “Both Criteo and SteelHouse use a pay-per-click pricing model, which means they only generate revenue when users click on the ads they have served. Criteo alleges in the suit that SteelHouse ‘counterfeited clicks to trick e-tailers into attributing sales to SteelHouse that should have been attributed to Criteo, other competitors and partners, or direct traffic.’"
  72. Fake ad agencies to buy ads Source: Confiant, Jan 2018 “Beginads was only briefly used to establish relationships with ad platforms as a fake ad agency. Zirconium established a well thought-out organization to maximize both Supply (user traffic) and Demand (landing pages). Supply is brought in by the fake agencies, establishing relationships with legitimate ad platforms, and buying traffic. Having multiple relationships makes the operation more robust (in case an agency gets caught) and stealthier — as each agency poses as a long-tail small business agency and buys small amounts at a time.”
  73. Affiliate Fraud – Cookie Stuffing “eBay paid Hogan a staggering $28 million in affiliate marketing sales commissions over the years, according to court papers.” Source: ay-the-fbi-shawn-hogan-and-brian-dunning- 2013-4#ixzz34WHjnefM Source: usiness/la-fi-mo-cookie-stuffing-ebay- 20130419 “Laguna Niguel man pleads guilty in 'cookie stuffing' scam against Ebay. The online auctioneer paid Dunning’s company about $5.2 million in 2006 and 2007, the U.S. Attorney said.” Keywords: cookie stuffing Many more case studies published by Ben Edelman
  74. Creating / multiplying “inventory”
  75. Browser toolbars/extensions Source: Ars Technica Jan 2018 Source: Shailin Dhar 2016 Toolbars/extensions to create traffic, fake clicks, log keystrokes
  76. Fake ad blockers load more ads Source: Engadget, April 2018 Thought you blocked ads? No, even more loaded in background
  77. Pop-unders on porn sites Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017 Porn sites have real humans; pop-unders load continuous ads
  78. Auto-redirects – hidden iframe Source: GeoEdge, Jan 2018 “Hidden Auto-Redirects, … opens invisible iframes, and unbeknownst to the user, goes on its own delivery path, serving and clicking on ads automatically.”
  79. Apps load ads in background Source: - “fake apps or fraud apps (real apps that misbehave) continuously load display ad impressions in the background, inflate revenue”
  80. Bots load ads in background Source: Continuous loading of ads in the background and randomizing page loads
  81. Pages load ads in background “dark processes” are continuous loading of ads, in background (demo video of page continuously loading ads in the background)
  82. Dark pages – hidden pages for ads “dark pages” are NOT seen when sites are manually checked Pages you can see, navigate to Dark Pages you cannot navigate to (look normal, low # of ads) More ads, trackers, auto-refresh Normal Dark Pages
  83. Malware / Adware Compromise more devices for botnet
  84. Malware makes money via ads 2017 Checkpoint “Fireball” • 250 million infected devices • primary use = ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minute “Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue” Source: Check Point, 2017 Source: BitDefender Labs, 2018 “The main goal of Zacinlo is to deliver adware, displaying adverts developed by the attackers in webpages the user visits and to secretly click through to them in order to generate ad revenue.
  85. Malvertising / Ransomware Source: ZDNet, March 2017 Source: TechRepublic, June 2017
  86. Drive-by Malware/Cryptomining Source: Malwarebytes, Feb 2018 Source: ComputerWeekly March 2016
  87. Pre-installed malware/adware Source: TheVerge, Jul 2017 Source: CNN, Feb 2015
  88. Hacked Wordpress/Drupal Sites Source: Wordfence, Apr 2016 Source: TechCrunch, April 2018 Compromised to deliver malware to unsuspecting visitors
  89. Fake VPN – malware/ads Source: PC Magazine, Jun 2018 “The free programs are merely a guise for a notorious adware strain, dubbed Zacinlo, that's been harassing Windows PCs since 2012. Once installed, the apps can secretly download other programs on your computer, take screen shots from the desktop, and inject ads into your web browser, security firm Bitdefender said in a Monday report.”
  90. Google Safebrowsing Report Source: We are at HISTORIC highs for malware and phishing
  91. Stealing/Harvesting personal info
  92. Countless big data breaches Harvesting personal info for use in various forms of attacks later
  93. Compromised databases Source: Hacker News, Jun 2018 Source: compsec, Jan 2017
  94. Fake Leads (Lead Fraud) Fake leads • Previously filled out by hand • Now, fully automated with bots using databases of real postal addresses, etc. (that trick verification engines) Use personal data from prior breaches to complete forms
  95. 3rd party trackers leak user info
  96. (2017) User data exfiltration “Emails, usernames, passwords -- exfiltration of personal data by session-replay scripts; and recording of user actions on the site.” Source: Freedom to Tinker, Nov 2017
  97. Compromised apps to steal info Source: Gadgets 360, June 2018 Source: ZDNet March 2018
  98. Piracy sites’ specialized tasks • Malware on humans’ PCs are used to make botnets • Real human’s cookies used for retargeting Piracy Sites Specialty • CPM on served ads • Get paid to plant malware Revenue Fraud Types • Malware / Toolbar / Virus • Sourced Traffic • Fake Ad Impressions Since there are real humans going to piracy sites and navigating them, their mouse movements and keystrokes can be recorded for replay attacks later.
  99. Ad Blocking / GDPR Source: CNBC, June 2018 Humans block ads and DON’T give consent; ads are served to bots “Humans block ads; bots want ads to load – so after ad blocking, most of the remaining ads are shown to bots.
  100. Bad Measurement and Faked Analytics
  101. Bad Measurement of IVT Incorrect IVT Measurement Source 3 - in ad iframe, badly sampled Sources 1 and 2 corroborate One agency insists on one fraud detection company (that is owned by same holding company), despite proven errors in IVT measurement (due to sampling and tag being in ad iframe). Agency uses high IVT numbers to get refunds, which agency keeps as profit for themselves.
  102. Opposite results from tag placement In-Ad (in foreign iframe) On-Site (on page) window sizes detected as 0x0 or 0x8 pixels correct window sizes for ads detected 0% humans 60% bots 60% humans 3% bots “fraud measurements could be entirely wrong, depending on where the tag is placed – in-ad versus on-site.”
  103. Legit sites wrongly blacklisted Domain (spoofed) % SIVT 77% 76% 76% 74% 72% 71% bid request passes blacklist passes whitelist ✅ ✅ declared 1. has to pretend to be to get bids; 2. fraud measurement shows high IVT b/c it is measuring the fake site with fake traffic 3. Fake gets mixed with real so average fraud rates appear high. 4. Real gets blacklisted; bad guy moves on to another domain.
  104. declared to be: Brand safety tech doesn’t work Pre-scanned Domain List In-ad tag Ad tags that are in the foreign iframe (different domain) cannot look outside the iframe – i.e. cannot read content on the site to determine brand safety. bad word porn terrorism hate Domain Placement Reports FAILS because it is not directly measured; relies on domain placement reports which have declared data.
  105. Fraud filter no better than blacklist 1. Fraud filters are no better than manual blacklists 2. In some cases, there’s MORE fraud when filter is on 3. Using fraud filters adds 20 – 24% to costs; manual blacklists are free
  106. “Verified” no different than control “Verified Bots” “Verified Humans” Control: No Targeting +$0.25 data CPM +$0.25 data CPM “verified bots” and “verified humans” showed no difference in quality to each other – AND both were no different than the control where no targeting was used.
  107. Bad guys trick measurement SDK Spoofing— code in an app that sends simulated ad clicks and engagement signals to the attribution provider … [to] fool an advertiser into paying for fraudulent impressions/views. Attribution Fraud— code that executes clicks (click spamming, click injection) so fraudster can claim credit for downstream conversions. Detection Tag Blocking— fake or fraudulent apps can selectively block fraud detection tags or manipulate analytics data.
  108. Simple code to trick viewability “This code manipulated data to ensure that otherwise unviewable ads showed up in measurement systems as valid impressions, which resulted in payment being made for the ad.” Buzzfeed, March 2018
  109. Bots easily trick AI/ML algorithms “Humans (blue) are hard to predict … … but bots give you beautiful signals – 1 or 0.” Source: Claudia Perlich, PhD. Data Scientist
  110. Fake or plagiarized ads.txt Source: MediaMath Fake sites rushed to put ads.txt files in place, to continue to sell “the company will only buy … from publishers who have an ads.txt file in place.” “completely useless… … fake and fraud sites just put ads.txt files in place or plagiarized content from other publishers to stick in their own files.”
  111. Fake botnet for PR “used highly sophisticated techniques to fraudulently load ads on the affected sites without the site owners' consent, leveraging a new methodology that allows it to monetize inventory on premium domains.” “none of this actually happened; it was completely fabricated for the press release announcing their new algo – ‘dramatic improvements to its automated traffic detection .. primarily through …machine learning methodologies’. The failure was due to their analyzing only pre-bid data, which was faked. There were no ads injected into any of the sites they named in the press release. This was confirmed by each of the good publishers, falsely accused.”
  112. Discrepancies – won vs served DSP says Adserver says Why actually serve the ad if you already get paid based on the number of impressions won? From the data, the more fraudulent the site, the greater the discrepancy – e.g. 80 – 100%
  113. “He said, she said” stalemate Marketer/Buyer Publisher/Seller Selects fraud verification Vendor A that consistently finds higher IVT – so they can get bigger refunds on their media buys (use it like discounts). Selects fraud verification Vendor B that finds lower IVT to help them defend against false accusations of fraud and refund requests. Vendor A Vendor B MRC Accredited MRC Accredited “high IVT” “low IVT” “it comes down to negotiation or relative power; so it is no better than if NO fraud detection were used at all.”
  114. With all this “support,” no wonder …
  115. “Ad fraud is at ALL TIME HIGHS both in RATE and in DOLLARS… … and what’s worse is fraud detection is not catching it, so people have a false sense of security.” Source:
  116. Two main kinds of ad fraud “Everything else is a derivative of (e.g. cost-per-install fraud), or in support of (e.g. tricking measurement, attribution, covering tracks) the above 2 forms of ad fraud.” Impression Fraud (CPM) Fraud (includes mobile display, video ads) Click Fraud (CPC) Fraud (includes mobile search ads)
  117. Why? Largest buckets of spend Leads (CPL) Sales (CPA) Lead Gen $2.0B Other $5.0B • classifieds • sponsorship • rich media Impressions (CPM/CPV) Clicks (CPC) Search 46% Display 31% Video 14% 91% digital ad spend Source: IAB FY 2017 Report 9% spend
  118. Digital Ad Fraud is At All Time Highs Digital Ad Spend ($ billions) Actuals Projected Digital Ad Fraud ($ billions)
  119. F*********************k DDoS attacks overwhelm with traffic; now use traffic to make ad revenue Google Digital Attack Map
  120. Only way to tell – pause or cut “Once we got transparency, it illuminated what reality was,” said Mr. Pritchard. P&G then took matters into its own hands and voted with its dollars, he said.” “As we all chased the Holy Grail of digital, self-included, we were relinquishing too much control— blinded by shiny objects, overwhelmed by big data, and ceding power to algorithms,” Mr. Pritchard said. Source: WSJ, March 2018 P&G: cut $200M, no impact
  121. So what? • Tried and true attacks/techniques continue to be used – they are just more automated now and scalable in digital • Assume everything is compromised (all personal details) and look for tell-tale signs and anything suspicious, dig in. • “Don’t trust, and always verify” and definitely don’t trust the verification numbers where no supporting details are provided; how would you know if it is right or not? • Run experiments to test hypotheses and check hunches; for example pause or cut spending to see if any business outcomes go down? • Use your common sense to solve fraud and run real digital marketing campaigns that yield real business outcomes.
  122. About the Author Augustine Fou, PhD. acfou [@] 212. 203 .7239
  123. Dr. Augustine Fou – Independent Ad Fraud Researcher 2013 2014 Published slide decks and posts: 2016 2015 2017
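
The "Not Normal" signals on slides 55 and 56 (all impressions inside one local hour, 15 devices producing the top 95% of impressions, the top 5 apps carrying 100% of impressions) can be checked directly against a campaign's impression log. The following is an added example, not code from the deck: the record fields, the thresholds and both sample logs are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta


def local_hour(rec):
    """Hour of day (0-23) at the device's reported UTC offset."""
    ts = datetime.fromisoformat(rec["ts_utc"])
    return (ts + timedelta(hours=rec["utc_offset"])).hour


def peak_hour_share(records):
    """Return (hour, share) for the busiest local hour of the campaign."""
    hour, count = Counter(local_hour(r) for r in records).most_common(1)[0]
    return hour, count / len(records)


def devices_for_share(records, share=0.95):
    """Smallest number of devices that together produce `share` of impressions."""
    counts = sorted(Counter(r["device_id"] for r in records).values(), reverse=True)
    needed, running = share * len(records), 0
    for n, c in enumerate(counts, start=1):
        running += c
        if running >= needed:
            return n
    return len(counts)


def top_app_share(records, n=5):
    """Fraction of impressions served in the n busiest apps."""
    apps = Counter(r["app"] for r in records)
    return sum(c for _, c in apps.most_common(n)) / len(records)


# Thresholds are illustrative assumptions; tune them against known-good campaigns.
def review_campaign(records, max_hour_share=0.5, min_devices=100, max_top5=0.9):
    """Return the reasons a campaign's delivery pattern does not look human."""
    reasons = []
    hour, share = peak_hour_share(records)
    if share > max_hour_share:
        reasons.append(f"{share:.0%} of impressions in local hour {hour:02d}:00")
    n = devices_for_share(records)
    if n < min_devices:
        reasons.append(f"{n} devices produce 95% of impressions")
    top5 = top_app_share(records)
    if top5 > max_top5:
        reasons.append(f"top 5 apps carry {top5:.0%} of impressions")
    return reasons


def _imp(device, app, ts, offset):
    """Build one impression record in the assumed log format."""
    return {"device_id": device, "app": app,
            "ts_utc": ts.isoformat(), "utc_offset": offset}


# Constructed sample: 15 devices serve 960 of 1,000 impressions, all of them
# between 04:00 and 05:00 local time (UTC+7), across only 5 apps.
SUSPICIOUS = [
    _imp(f"dev-{d}", f"com.example.app{d % 5}", datetime(2018, 5, 31, 21, i % 60), 7)
    for d in range(15) for i in range(64)
] + [
    _imp(f"tail-{d}", f"com.example.app{d % 5}", datetime(2018, 5, 31, 21, d), 7)
    for d in range(40)
]

# Constructed sample: 400 devices, 2 impressions each, spread over the day and 40 apps.
NORMAL = [
    _imp(f"user-{d}", f"com.example.pub{d % 40}",
         datetime(2018, 6, 1, (d + 7 * i) % 24), -5)
    for d in range(400) for i in range(2)
]

if __name__ == "__main__":
    for name, log in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(name, review_campaign(log) or "no flags")
```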