Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Mobile display fraud is rampant beyond belief

1,932 views

Published on

There are 2 main forms of mobile fraud - display ad fraud and install fraud. This deck focuses on the far more lucrative and larger form - mobile display fraud.

Published in: Mobile
  • Be the first to comment

Mobile display fraud is rampant beyond belief

  1. 1. Mobile Display Fraud is Rampant Beyond Belief June 2018 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239
  2. 2. June 2018 / Page 1marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Mobile is 57% of digital spend Source: IAB Full-year 2017 Digital Advertising Report
  3. 3. June 2018 / Page 2marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou "Fraud in mobile advertising is more tricky than just fake impressions, clicks, or installs. App advertisers can check when a user actually takes an action with their app after install to check legitimacy. The issue becomes which ad- network supplier gets credit for delivering that install. So attribution fraud is the major concern: where advertisers pay ad-networks, based on attribution vendor reporting, for installs that happened organically or by different marketing methods." -- Shailin Dhar, Method Media Intelligence
  4. 4. June 2018 / Page 3marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Main forms of mobile fraud Install FraudImpression Fraud “fake devices installing legit apps, get paid on CPI” “fake or fraud apps load display ads, get paid CPM” Mobile display spend $25B (2017) Source: eMarketer, April 2017 App install spend $6B (2017E) Source: BusinessInsider, June 2016
  5. 5. This deck focuses on mobile display fraud
  6. 6. June 2018 / Page 5marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Which is easiest for bad guys? Fake Apps on Fake Devices Adware SDK in Real Apps Malware On Real Devices Limitation Wait until unsuspecting humans accidentally downloads malware on real mobile devices Limitation Wait until app developers install SDK into their real apps and humans to download and use apps. Limitation No limits - apps are easily cloned, and mobile emulators are easily “spun up” in data centers
  7. 7. June 2018 / Page 6marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Half of humans download 0 apps/mo
  8. 8. June 2018 / Page 7marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Apps’ primary revenue is ads In-App Advertising App Store Source: SensorTower
  9. 9. June 2018 / Page 8marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou 75% mobile revenue from games Source: SensorTower
  10. 10. June 2018 / Page 9marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Top mobile apps by ad revenue Top mobile apps by ad revenue Are entirely different than ones humans spend the most time with
  11. 11. June 2018 / Page 10marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Massive, scalable display fraud “Judy Malware” • 40 bad apps to load ads • 36 million fake devices to load bad apps that load display ads • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute “Fireball Malware” • 250 million infected computers • primary use = traffic for ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minute Source: Forbes, May 2017 Source: Checkpoint
  12. 12. June 2018 / Page 11marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2015) Apps doing ad fraud Source: BusinessInsider, July 2015 “A user downloads an app from the official app store — which may look legitimate and have hundreds of positive reviews — which then runs in the background, serving hundreds of ads at a rate as high as 20 ads per minute” Known and documented for years – now mobile is majority of digital spend
  13. 13. June 2018 / Page 12marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2017) Handful of bad apps 1 (52% of impressions) 2 (48% of impr) 66% avg fraud 18% avg fraud 1. 9% of the apps caused 52% of impressions; 66% outright fraud 2. Remaining 91% of apps caused 48% of impressions, 18% outright fraud • 1 billion mobile display impressions • Nearly 1,000 apps cross referenced with SDK Source: https://www.slideshare.net/augustinefou/mobile-display-fraud-case-study
  14. 14. June 2018 / Page 13marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fraud apps load impressions Source: ImpScore.io - https://www.youtube.com/watch?v=w-i-ue8fPCc “fake apps or fraud apps (real apps that misbehave) continuously load display ad impressions in the background, inflate revenue”
  15. 15. June 2018 / Page 14marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou App cloning, free adware SDKs Apps are cloned thousands of times; some didn’t even bother to change the colors or cover graphics. Bad guys accidentally cloned apps that already had detection SDK in it – from 312, to 750, to 1,330 copies. Source: CNBC, Aug 2017
  16. 16. June 2018 / Page 15marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake apps from real campaigns com.obpmirzste.ldsjpv com.zmm.shmxvjxnsagndui com.nqzwr.leusrmpmsq com.rced.zcdsglptpdlwpu com.kerms.ehlsgnc com.cmia.iabhheltm com.skggynmtx.tyyjnwpefvqtll com.kgdtltnuv.hayvfhob com.ztzsiqg.dyojlxdscxws com.xlwuqe.ddrdhsuosbn com.rkrhmzee.wjcoznxu com.ebhzb.hbzvomzpcctovj com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb com.okf.rhvemtykfibzpxj
  17. 17. June 2018 / Page 16marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “Naked Ad Calls” (load ad, not page) Why load the entire webpage when you can just load the ad (save bandwidth) and get paid? Pass fake data via query strings
  18. 18. June 2018 / Page 17marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Apps load webpages “fraud apps sell traffic; use hidden webview browser to load pages”
  19. 19. June 2018 / Page 18marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake app traffic – real dataRepeatedly load webpages (e.g. galleries) in sequence or random
  20. 20. June 2018 / Page 19marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Apps load webpages, disguise “fraud sites’ traffic from apps that also pass fake HTTP headers” Source: SimilarWeb
  21. 21. June 2018 / Page 20marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake devices (mobile simulators) Download and Install Apps Launch and Interact
  22. 22. June 2018 / Page 21marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake mobile devices – real data Repeated hits by same device/browser, same ip address
  23. 23. June 2018 / Page 22marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake devices pass fake location Houston, TX Bozeman, MT Fake devices declare fake locations to absorb higher ad spend
  24. 24. June 2018 / Page 23marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou 90-99% of geolocation bad or faked Source: Placed, Sept 2017 Source: SafeGraph
  25. 25. June 2018 / Page 24marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Bad guys trick measurement SDK Spoofing— code in an app that sends simulated ad clicks and engagement signals to the attribution provider … [to] fool an advertiser into paying for fraudulent impressions/views. Attribution Fraud— code that executes clicks (click spamming, click injection) so fraudster can claim credit for downstream conversions. Detection Tag Blocking— fake or fraudulent apps can selectively block fraud detection tags or manipulate analytics data.
  26. 26. June 2018 / Page 25marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Mobile fraud is not caught Source: https://mumbrella.com.au/iabs- first-australian-figures-claim-just-4- of-digital-ads-fraudulent-429776 IAB: mobile fraud is “almost non-existent” “it’s NOT non-existent”
  27. 27. June 2018 / Page 26marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Any device with chip/connectivity Traffic cameras turned into botnet (Engadget, Oct 2015) mobile devices webcams connected traffic lights connected cars thermostat connected fridge Security cams used as 400 Gbps DDoS botnet (Engadget, Jun 2016) …can be used as a bot
  28. 28. June 2018 / Page 27marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Economics of botnets explained Source: MIT Tech Review, May 2018 “distributed denial-of-service attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18 million per month. But the most profitable undertaking is click fraud, which generates well over $20 million a month of profit.” Botnets can be used for a variety of things
  29. 29. June 2018 / Page 28marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou About the Author Augustine Fou, PhD. acfou [@] mktsci.com 212. 203 .7239
  30. 30. June 2018 / Page 29marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Dr. Augustine Fou – Independent Ad Fraud Researcher 2013 2014 Published slide decks and posts: http://www.slideshare.net/augustinefou/presentations https://www.linkedin.com/today/author/augustinefou 2016 2015 2017

×