Fake Everything 2019 Update

1. May 2019 / Page 0marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Everything Fake 2019 Update May 2019 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239

2. May 2019 / Page 1marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2013) Everything Fake https://www.slideshare.net/augustinefou/everything-fake-click-fraud-fake-pages-botnets-ad-waste-reduction “fake since (at least) 2013”

3. May 2019 / Page 2marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake sites - programmatic Using software to create thousands of sites automatically Source: SimilarWeb

4. May 2019 / Page 3marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Websites - random Get paid to make fake websites (“cash-out” sites) for ad fraud • No content or content that is assembled (i.e. plagiarized) • Content not human readable • Stuffed with large numbers of ads • Page auto-reloads • Large abrupt traffic changes

5. May 2019 / Page 4marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Content – made by bot Pages stuffed with search keywords to attract free organic traffic Characteristics • Auto-generated by bots, stuffed with search keywords • Stuffed with affiliate links and ads “More news is being written by robots than you think.” Souce: Singularity Hub March 2014 Mr. Johansson's program scrubs databases and other digital sources for information, and then packages it into an article. On a good day, he says his "Lsjbot" creates up to 10,000 new entries (PER DAY) Source: WSJ July 2014

6. May 2019 / Page 5marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Videos – referral links For driving fake referral traffic to sites, attribution fraud http://www.youtube.com /watch?v=xnkM9RrDzhM Banned Celebrity Sex Tapes Banned sex tapes .com

7. May 2019 / Page 6marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake YouTube Videos - SEO Keyword-stuffed for video SEO for fake sites (free traffic) http://www.youtube.com /watch?v=upSOCzlSoHk http://www.youtube.com/ watch?v=lhbDGpqCmZQ http://www.youtube.com/ watch?v=UcdiM4uD6fM http://www.youtube.com /watch?v=an6xRpQ5Wh8 Duplicated videos Some carry ads to generate ad revenue

8. May 2019 / Page 7marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake video views - purchased Straight line in video views – same quantity added per time period http://www.youtube.com/watch?v=iP6XpLQM2Cs Actual interest Straight line – purchased views

9. May 2019 / Page 8marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Sites / Apps 1221e236c3f8703.com 62b70ac32d4614b.com a6f845e6c37b2833148.com da60995df247712.com d869381a42af33b.com a1b1ea8f418ca02ad4e.com 1de10ecf04779.com 2c0dad36bdb9eb859f0.com a6be07586bc4a7.com fe95a992e6afb.com 42eed1a0d9c129.com da6fda11b2b0ba.com afa9bdfa63bf7.com 739c49a8c68917.com baa2e174884c9c0460e.com d602196786e42d.com 153105c2f9564.com 8761f9f83613.com 20a840a14a0ef7d6.com 31a5610ce3a8a2.com 5726303d87522d05.com 3ac901bf5793b0fccff.com b014381c95cb.com 2137dc12f9d8.com 06f09b1008ae993a5a.com fbfd396918c60838.com 97ff623306ff4c26996.com b1f6fe5e3f0c3c8ba6.com 23205523023daea6.com 6068a17eed25.com b1fe8a95ae27823.com f4906b7c15ba.com eac0823ca94e3c07.com 1f7de8569ea97f0614.com 21c9a53484951.com 24ad89fc2690ed9369.com efd3b86a5fbddda.com 34c2f22e9503ace.com 0926a687679d337e9d.com 6a40194bef976cc.com 33ae985c0ea917.com 02aa19117f396e9.com f8260adbf8558d6.com 9376ec23d50b1.com pushedwebnews.com a0675c1160de6c6.com 0f461325bf56c3e1b9.com 850a54dbd2398a2.com com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb com.okf.rhvemtykfibzpxj com.obpmirzste.ldsjpv com.zmm.shmxvjxnsagndui com.nqzwr.leusrmpmsq com.rced.zcdsglptpdlwpu com.kerms.ehlsgnc com.cmia.iabhheltm com.skggynmtx.tyyjnwpefvqtll com.kgdtltnuv.hayvfhob com.ztzsiqg.dyojlxdscxws com.xlwuqe.ddrdhsuosbn com.rkrhmzee.wjcoznxu com.ebhzb.hbzvomzpcctovj Fake sites Fake sites Fake apps

10. May 2019 / Page 9marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Apps for loading ads Hundreds of fake or cloned apps, make money via ads

11. May 2019 / Page 10marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Cloned apps, adware SDKs Apps are easily cloned; free software development kits given away Apps are cloned thousands of times; some didn’t even bother to change the colors or cover graphics. Bad guys accidentally cloned apps that already had detection SDK in it – from 312, to 750, to 1,330 copies. Source: CNBC, Aug 2017

12. May 2019 / Page 11marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Antivirus Apps Fake apps that get lots of permissions on user device https://www.zdnet.com/article/two-thirds- of-all-android-antivirus-apps-are-frauds/ https://www.techspot.com/news/79226-more- than-two-thirds-all-android-antivirus-apps.html

13. May 2019 / Page 12marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake App Installs, Re-installs Fake mobile devices install legit apps, get paid cost-per-install (CPI) “Machine has analysed over 22.4 million app installs, 56% of which we detected as fraudulent. Of these 88 ad networks, only a single one delivered less than 10% fraudulent app installs. The rest fell somewhere between 15% and 100% fraudulent. Five of the networks delivered 100% fraudulent installs.” https://www.tune.com/blog/install-or-reinstall-42-of-mobile-app- installs-are-actually-reinstalls-and-in-some-categories-its-75/ 34 mobile networks were >50% fraud 42% Installs were Actually Re-Installs https://www.linkedin.com/pulse/machine-report-10-gary-danks/

14. May 2019 / Page 13marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake downloads, boost rank Download/purchase own apps with bots to get to top 25 list

15. May 2019 / Page 14marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake IDFAs on real devices Bad apps rotate faked/copied device IDs to defeat frequency caps Source: Cinarra Systems

16. May 2019 / Page 15marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt tOLKnMEzcnARvLTvChnt Random vs Replayed DeviceIDs Techniques to defeat fraud detection and frequency caps RANDOM deviceIDs lXvBEeRXPURtcKILYFYE IdUkQeWgqshMmfMdzlAx INIjBzHJHywhgRsMdQPe tiAnxwuKBNCjoMetZaPN UjtRbuUTvYUwmABhmPGH MDSUUgkENQkQDztavzfl iljoJEXUcLCEFwSdrwZn APbLSRUvlrIoofIchhLg NZXVVKCbymRYBSStNRYz UiSBmuDpYLkNvsHBKcri tOLKnMEzcnARvLTvChnt LZyhgblHtMIMaAliHWYB vKFknsnhGouIucYgxmdu • If fraud detection hasn’t seen a device before, the default action is to let the ad serve • Frequency caps based on deviceIDs are defeated, each device appears as new • Valid deviceIDs are harvested from real devices and sent to fake devices or apps to replay • Replayed deviceIDs are used by fraudulent apps to defeat fraud detection REPLAYED deviceIDs tOLKnMEzcnARvLTvChnt validated deviceID harvested

17. May 2019 / Page 16marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake apps to infect devices Fake versions of popular apps are used to infect humans’ devices Source: Independent, Jun 2018Source: Fortune, July 2016

18. May 2019 / Page 17marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake VPN – malware/adware Fake “free VPNs” track users’ browsing history, serve more ads Source: PC Magazine, Jun 2018 Source: ZDNet, May 2015 Source: TechCrunch, Feb 2019

19. May 2019 / Page 18marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Faked Google Analytics Manipulate Google analytics to show traffic that is non-existent Source: https://youtu.be/6_F-NAvr39o https://www.youtube.com/watch?v=ztiBQASKld8

20. May 2019 / Page 19marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Faked mouse moves/clicks Create fake mouse movements and clicks on ads using javascript Source: https://youtu.be/HeGYr3jwubY

21. May 2019 / Page 20marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake clicks – attribution scams Directly loading attribution urls and SDKs are to show fake clicks Source: Method Media Intelligence

22. May 2019 / Page 21marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake data Software tool to rotate referrer, browser agent, IP address Source: Ratko Vidakovic

23. May 2019 / Page 22marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Geolocation Houston, TX 5am local time Bozeman, MT 4am local time Same set of 15 apps calling ads from both locations, at times when humans are not awake yet

24. May 2019 / Page 23marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Agencies Out of the 28 fake ad agencies, only 20 ever had any activity in advertising markets. We believe Zirconium was progressively rolling out their agencies to overcome occasional bans, as they progressively got caught. We observed a pace of 1 to 3 releases per month. Since the majority of agencies were created around February 2017, the dormant ones progressively built precious reputation (mostly history, and social media following) to pose as established companies and maximize their potential of striking deals with more ad platforms. Source: Confiant, 2017

25. May 2019 / Page 24marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake traffic, laundered Fake sites don’t sell ads directly; they feed traffic to other sites Advertisers impacted

26. May 2019 / Page 25marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake pageviews – auto-redirect Webpages auto-redirect to other pages/sites in infinite loops How much does it cost?How much is available? a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”

27. May 2019 / Page 26marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Traffic sellers’ “high quality traffic” Many sources to buy “traffic,” tune “quality” level, host bots Google “buy real human traffic” Select vendor and “traffic quality level” Host your own bots (cost $3.99/mo)

28. May 2019 / Page 27marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Luminati[.]io Oxylabs[.]io Smartproxy[.]com Residential Proxies Use: to disguise data center bots to appear to come from residential IP addresses, avoid detection 40 million IP addresses 10 million IP addresses 30 million IP addresses

29. May 2019 / Page 28marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake or plagiarized ads.txt Source: MediaMath Fake sites rushed to put ads.txt files in place, to continue to sell “the company will only buy … from publishers who have an ads.txt file in place.” “completely useless… … fake and fraud sites just put ads.txt files in place so they can continue to sell inventory.”

30. May 2019 / Page 29marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake domains, bids Fake sites disguise themselves as good domains to sell inventory publisherA.com PublisherA does NOT sell ads on open exchanges! 100% spoofed inventory “In “domain spoofing,” bad actors intentionally disguise the nature of the ad space they’re selling. That inventory is made available via automated marketplaces run by ad tech companies such as the ones the FT highlighted. In the end, a marketer might believe they’re paying for ads on FT.com, but their ads may actually appear on other sites with questionable content and unknown ownership.” https://www.wsj.com/articles/financial- times-finds-counterfeit-ad-space-was- offered-by-at-least-six-companies- 1507563713

31. May 2019 / Page 30marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake GDPR consent strings Humans don’t give consent; bots consent to be shown more ads Source: CNBC, July 2018 • Humans don’t give consent to ad tech companies they have never heard of. • Bots give consent so more ads can be delivered to them • Forged consent flags that are not verifiable are used to continue programmatic ad trading

32. May 2019 / Page 31marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake ad impressions “dark processes” are continuous loading of ads, in background https://youtu.be/utoN_VlxtE0 (demo video of page continuously loading ads in the background)

33. May 2019 / Page 32marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake mobile display ads May 26 Forbes “Judy Malware” • 40 bad apps to load ads • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute June 1 Checkpoint “Fireball” • 250 million infected computers • primary use = traffic for ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minuteSource: June 2017 “Chinese click fraud gang in Thailand arrested” 300 real devices used for click fraud

34. May 2019 / Page 33marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake ads - malvertising Ransomware can be delivered through ads with malicious code Source: ZDNet, March 2017 Source: TechRepublic, June 2017

35. May 2019 / Page 34marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake mobile traffic - apps Fraud apps repeatedly loading webpages, w/ hidden browsers Gallery urls repeatedly loaded By same apps, in the same ratios

36. May 2019 / Page 35marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Traffic - pop-unders Porn sites have humans; click play, spawn pop-under, load ads Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017

37. May 2019 / Page 36marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Pages auto-load other pages Code causes pages to auto-load other pages repeatedly Source: https://youtu.be/KluP64UI9Jg

38. May 2019 / Page 37marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake ad blockers – more ads Instead of blocking, fake ad blockers load more ads and track users Source: Engadget, April 2018

39. May 2019 / Page 38marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake profiles “[LOTAME] purged 400 million of its over 4 billion profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40 percent of all web traffic is fictional.” Source: Adweek, Feb 2018

40. May 2019 / Page 39marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake LinkedIn Profiles Used to simulate “user engagement” (ad clicks), audiences bot generated content stock photo

41. May 2019 / Page 40marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Facebook purges 1.3 billion fake “It was barely a year ago that Facebook proudly declared it had more than 2.2 billion monthly users. But on Tuesday, the social media giant revealed some stunning data, including that during the six months ending in March, Facebook disabled a total of almost 1.3 billion fake accounts. During the first quarter of 2018, Facebook says it deleted 865 million posts, the vast majority of it for being spammy, and the remainder for containing graphic violence, sexual activity or nudity, terrorism or hate speech. Source: Inc. May 2018

42. May 2019 / Page 41marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Twitter accounts - bots Used to sell fake followers, likes, retweets, ad views and clicks https://www.cnbc.com/2017/03/10/nearly-48-million-twitter-accounts- could-be-bots-says-study.html “A big chunk of those "likes," "retweets," and "followers" lighting up your Twitter account may not be coming from human hands. According to new research from the University of Southern California and Indiana University. Since Twitter currently has 319 million monthly active users, that translates to nearly 48 million bot accounts.”

43. May 2019 / Page 42marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake influencers Fake influencers bought followers to appear to be influential Source: Adweek, Jun 2018 “an array of entertainers, entrepreneurs, athletes and media figures, … bought Twitter followers or artificial engagement. A New York Times article on Saturday describing a vast trade in fake followers and fraudulent engagement on Twitter and other social media sites, often using personal information taken from real users. https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html NY Times: The Follower Factory

44. May 2019 / Page 43marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake segments - seasonality Bots browse items by season to attract higher retargeting CPMs Source: DataXu/DoubleVerify Webinar, April 2015 “look at backpacks in back-to-school season”

45. May 2019 / Page 44marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake behaviors Bots visit collections of sites to make themselves look attractive “cookie matching” Bots pretend to be oncologists by visiting sites, collecting cookie Attract ad dollars to fake sites when retargeted

46. May 2019 / Page 45marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Personality Quizzes Used to harvest personal info, meta data for later use in hacking http://www.businessinsider.com/nametestscom-may-have- exposed-facebook-data-of-120-million-users-2018-6 https://www.wired.com/story/facebook-exposed-87- million-users-to-cambridge-analytica/

47. May 2019 / Page 46marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Celebrity Lookalike Collect self-selected face photos for later use in hacking Users self-select face pictures to use for “which celebrity do you look like” quizzes. These are harvested for later use in hacking.

48. May 2019 / Page 47marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake tech support scams Designed to trick panicked consumers into downloading or calling https://arstechnica.com/information-technology/2018/07/tech-support- scammers-revive-bug-that-sends-chrome-users-into-a-panic/ https://twitter.com/robleathern/status/1014883138684661761

49. May 2019 / Page 48marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Sweepstakes/PrizesUsed to steal users’ email addresses and other personal information

50. May 2019 / Page 49marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Preinstalled adware/spyware Companies get paid to pre-install adware/spyware on devices Source: TheVerge, Jul 2017 Source: CNN, Feb 2015

51. May 2019 / Page 50marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake botnet for publicity PRESS RELEASE: “used highly sophisticated techniques to fraudulently load ads on the affected sites without the site owners' consent, leveraging a new methodology that allows it to monetize inventory on premium domains.” “The botnet was completely fabricated for the press release announcing their new algo. None of this actually happened; no ads were injected into any of the sites they named in the press release. This was confirmed by direct measurement on the good publishers’ sites. They were falsely accused and their reputation was harmed by this publicity stunt. The failure of the fraud detection was due to their analyzing only pre-bid data, and using big data and machine learning approaches, without an understanding of actual ad serving tech, javascript, and how browsers work.”

52. May 2019 / Page 51marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake Leads (Lead Fraud) Real data collected from breaches create leads that appear valid Fake leads • Previously filled out by hand • Now, fully automated with bots using databases of real postal addresses, etc. (that trick verification engines)

53. May 2019 / Page 52marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou #defendthespend “marketers can (and should) reduce the flow of dollars to cybercriminals that are committing ‘major economic crimes’.” Then, and only then, will we get back to REAL digital marketing.”

54. May 2019 / Page 53marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Digital Marketing circa 2018

55. May 2019 / Page 54marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou About the Author Augustine Fou, PhD. acfou [@] mktsci.com 212. 203 .7239

56. May 2019 / Page 55marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Dr. Augustine Fou – Researcher 2013 2014 Published slide decks and posts: http://www.slideshare.net/augustinefou/presentations https://www.linkedin.com/today/author/augustinefou 2016 2015 2017 20192018

Fake Everything 2019 Update

Dr. Augustine Fou - Independent Ad Fraud Researcher

Fake Everything 2019 Update