State of Digital Ad Fraud Q2 2018

State of Ad Fraud
Q2 2018
May 2018
Augustine Fou, PhD.
acfou [at] mktsci.com
212. 203 .7239

“Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
It’s not fine.

May 2018 / Page 2marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Simple, high profits, low risk
1. set up
FAKE SITES
2. buy
FAKE TRAFFIC
3. sell
FAKE ADS

Simple “arb” (arbitrage)
Ads sold through“buy low”
$1 CPM
“sell high”
$5 - $10 CPMs
Marketers duped
Source: Basis
Source: SimilarWeb

Countless more fake sites/apps
1221e236c3f8703.com
62b70ac32d4614b.com
a6f845e6c37b2833148.com
da60995df247712.com
d869381a42af33b.com
a1b1ea8f418ca02ad4e.com
1de10ecf04779.com
2c0dad36bdb9eb859f0.com
a6be07586bc4a7.com
fe95a992e6afb.com
42eed1a0d9c129.com
da6fda11b2b0ba.com
afa9bdfa63bf7.com
739c49a8c68917.com
baa2e174884c9c0460e.com
d602196786e42d.com
153105c2f9564.com
8761f9f83613.com
20a840a14a0ef7d6.com
31a5610ce3a8a2.com
5726303d87522d05.com
3ac901bf5793b0fccff.com
b014381c95cb.com
2137dc12f9d8.com
06f09b1008ae993a5a.com
fbfd396918c60838.com
97ff623306ff4c26996.com
b1f6fe5e3f0c3c8ba6.com
23205523023daea6.com
6068a17eed25.com
b1fe8a95ae27823.com
f4906b7c15ba.com
eac0823ca94e3c07.com
1f7de8569ea97f0614.com
21c9a53484951.com
24ad89fc2690ed9369.com
efd3b86a5fbddda.com
34c2f22e9503ace.com
0926a687679d337e9d.com
6a40194bef976cc.com
33ae985c0ea917.com
02aa19117f396e9.com
f8260adbf8558d6.com
9376ec23d50b1.com
pushedwebnews.com
a0675c1160de6c6.com
0f461325bf56c3e1b9.com
850a54dbd2398a2.com
com.dxnxbgj.mkridqxviiqaogw
com.obugniljhe.fptvznqwhmcjm
com.bpo.ksuhpsdkgvbtlsw
com.rlcznwgouw.vvtexstbfttngc
com.kasbgf.sbzwtgpcbjexi
com.bprlgbl.vbze
com.zka.lzhsoueilo
com.alxsavx.mizzucnlb
com.jxknvk.lrwfdfirdzpsw
com.tvwvqbt.wbshaguqy
com.iwnxtpahcu.leyuehdwdbb
com.okf.rhvemtykfibzpxj
com.obpmirzste.ldsjpv
com.zmm.shmxvjxnsagndui
com.nqzwr.leusrmpmsq
com.rced.zcdsglptpdlwpu
com.kerms.ehlsgnc
com.cmia.iabhheltm
com.skggynmtx.tyyjnwpefvqtll
com.kgdtltnuv.hayvfhob
com.ztzsiqg.dyojlxdscxws
com.xlwuqe.ddrdhsuosbn
com.rkrhmzee.wjcoznxu
com.ebhzb.hbzvomzpcctovj
Fake sites Fake sites Fake apps

Insane profits from ad fraud
Sample Campaign 1
• Amount spent to buy traffic – $183,000
• Traffic purchased – 37 million pageviews ($4.99 CPM)
• Clicks successfully sold – 3.8 million (passed all fraud filters)
• CPC earned $1.20, at 10% click through rate
$4.6 million payout
25X return
$15.9 billion
annualized fraud
Sample Campaign 2
• Amount spent to buy traffic – $24,000
• Traffic purchased – 23 million pageviews ($1.03 CPM)
• Clicks successfully sold – 2.5 million (passed all fraud filters)
• CPC earned $0.39, at 11% click through rate
$982k payout
41X return
$5.5 billion
annualized fraud

The most profitable criminal activity
2,500 - 4,100% returns
11% returns1% interest
digital ad fraud
stock marketbank interest
“where else can I get multi-
thousands percent returns on
my money? Right. Nowhere.”

Pairs of Slides
a) Fraud technique
b) (Year) Documented Case

“I’ve written about the forms of fraud
mentioned below over the years…
… and when each was subsequently
documented by others, the fraud had
gone on for years even though fraud
detection was already in use
(but failed to catch it)”

Faked residential IP addresses

(2016) Methbot avoided detection
Source: Dec 2016 WhiteOps Discloses Methbot Research
“Methbot, steals $2 billion annualized;
and it avoided detection for years.”
1. Targeted video ad inventory
$13 average CPM, 10X
higher than display ads
2. Disguised as good publishers
Pretending to be good
publishers to cover tracks
3. Simulated human actions
Actively faked clicks, mouse
movements, page scrolling
4. Obfuscated data center origins
Data center bots pretended to be
from residential IP addresses

Fake mobile apps – not detected
Top mobile apps
by ad revenue …
… are entirely
different than
ones humans
use most.

(2017) mobile display ad fraud
May 26 Forbes “Judy Malware”
• 40 bad apps to load ads
• 36 million fake devices to load
bad apps
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
June 1 Checkpoint “Fireball”
• 250 million infected computers
• primary use = traffic for ad
fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute

Fake mobile devices – not detected
Download and Install Apps
Launch and Interact

(2017) mobile app install fraudSource: June 2017, Tune
average 20% fraud
100% fraud
> 50% fraud

Fake geolocation – not detected
Not Normal – in both campaigns
1. 100% mobile apps; 100% Android; same top 15 apps in both markets
2. 100% of impressions generated between 4a – 5a local time
3. 100% fake devices; 15 unique devices generated top 95% impressions
4. 100% data center traffic, randomized through residential proxies

(2017) bad/fake/stale geolocation
Source: Placed
Source: SafeGraph
99% faked/bad
90% stale/incorrect

Bad guys spoof good domains
bid request
fakesite123.com cookie
blacklist
whitelist
✅
✅
bid
ad impression
Pre-bid filters
FRAUD DETECTION
In-ad
declared
FAILS
because domains in bid
request are declared
FAILS
because placement
reports show declared
domains
esquire.com

(2017) FT spoofed by bad guys
Digiday, November 2017MobileMarketing, Sept, 2017

Redirect traffic – not detected
“this is bigger than
ALL of the monthly
pageviews of good
publishers combined.”
How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”

(2017) Video ad fraud scheme
Buzzfeed, October 2017

Third party JS – security loopholes
42 trackers
24.3s load time
8 trackers
1.3s load time
“minimize 3rd party javascript trackers on pages”

(2017) User data exfiltration
“Emails, usernames,
passwords -- exfiltration
of personal data by
session-replay scripts; and
recording of user actions
on the site.”
Source: Freedom to Tinker, Nov 2017

Sandboxing ad iframes
Malicious javascript can break out of ad iframe and
take over the page, redirect user to another site.
Source: Digiday, Dec 2017
Source: https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/iframe

(2018) Malvertising redirects
Source: Confiant, Jan 2018 Source: GeoEdge, Jan 2018

Fake audiences – not detected
Journal of Clinical Oncology “cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted

(2018) Lotame purges bot profiles
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
fraudulent accounts.
Lotame CEO Andy
Monfried estimated
that 40 percent of all
web traffic is fictional.”
Adweek, Feb 2018

Bad guys actively trick measurement
FAKE 100% viewability
AD
Stack ads all above the fold
to trick detection
FAKE 0% NHT
Buy traffic that passes
specific fraud filters

(2018) Code to trick measurement
“the [malicious] code
used by NMG is designed
to interfere with the
ability of third-party
measurement systems to
determine how much of a
digital ad was viewable
during a browsing
session.
This code manipulated
data to ensure that
otherwise unviewable
ads showed up in
measurement systems as
valid impressions, which
resulted in payment being
made for the ad.”
Buzzfeed, March 2018

Fake traffic from “social”
Source: Alexa
488M impressions per day (14.9B /mo)
Alexa shows 17M pageviews per month
Source: SimilarWeb

(2018) Facebook purges 1.3 billion
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
accounts.
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018

IAB: fraud is “almost non-existent”
Source:
https://mumbrella.com.au/iabs-
first-australian-figures-claim-just-4-
of-digital-ads-fraudulent-429776
“Interactive Advertising Bureau
of Australia’s first report on the
local market claims that more
than 96% of ads served to
desktops and mobiles are served
to real users.
… just 3.7% of traffic delivered to
desktops was fraudulent and
3.8% on mobiles.”

ANA/WhiteOps: “lower than feared”
Source:
https://adexchanger.com/ad-
exchange-news/anawhite-ops-ad-
fraud-will-actually-go-2017-7-2-
billion-6-5-billion/
“The global monetary impact of ad
fraud is expected to go down this
year, the amount of mobile fraud
happening in the ecosystem is much
lower than feared.
Fraud represents less than 2% of all
app and mobile web display buys
because mobile CPMs are lower and
because fraudsters need to get users
to install their fake apps. ”

TAG/614: “we caused 83% reduction”
Source:
https://www.tagtoday
.net/pressreleases/stu
dy_shows_ad_fraud_
cut_by_83_percent
Except that they didn’t – they compared
non-optimized (12%) to “optimized” (fraud
low on good publishers anyway) (1.5%) and
claimed credit for “a monumental
breakthrough.”

“Does anyone still think ad
fraud is 9% and going lower?”
Measure your own campaigns;
don’t assume the fraud detection
you’re using now is catching
everything (or anything at all).”

Brands still being ripped off
Source: Social Puncher

Myths, Misconceptions
and Conflicts of Interest

Fraud detection works - myth
• Fraud detection is used to serve specific interests -- e.g.
1. if party A wanted to find less fraud (to defend against
refund requests), they would select a vendor that showed
them less fraud (and never question the measurement)
2. If party B wanted to find more fraud (to get bigger
refunds), they select a vendor that found more fraud (and
never question the measurement)
• Fraud detection is used for CYA (“cover your ass”) – so the
party that paid for it can say “well, they said there was no
fraud, so that’s why we continued to buy it.”
• Fraud detection relies on fraud to continue so they can
continue to make money (they don’t want to solve fraud).

Fraud filters reduce fraud - myth
1. Fraud filters are no better
than manual blacklists
2. In some cases, there’s MORE
fraud when filter is on
3. Using fraud filters adds 20 –
24% to costs; manual
blacklists are free

Fraud detection is accurate - no
Tag in ad iframe Tag on page
window sizes detected
as 0x0 or 0x8 pixels correct window sizes
for ads detected
0% humans
60% bots
60% humans
3% bots
“if they don’t have different tags for on-page versus in-ad measurement,
they are most certainly wrong; fraud measurements yield different numbers
or could be entirely wrong, depending on where the tag is placed.”

Measure for bots, but not humans
volume bars (green)
Stacked percent
Blue (human)
White (not measurable)
Red (bots)
red v blue trendlines
“Fraud detection that only reports NHT/IVT is not correct”
10% bots does NOT mean 90% humans

Pre-bid filtering reduces fraud - no
“sounds nice, but doesn’t
work, because…
• All HTTP headers are declared and
fakable (regularly faked); at the
pre-bid level you only have
headers to work with
• Once a bot cookie is caught and no
longer makes money, they dump it
and get a new one, so filtering
won’t recognize it/filter it.
• This technique is so intensive
computationally that it is flawed
and unnecessary when you can
just turn off the sites that commit
fraud in the first place.
Pre-bid filters
FAILS
because domains in bid
request are declared
FAILS
because bad bots dump
cookies and get new
ones (so filter would
never have seen it
before)

Audiences have lower fraud - no
“Verified Bots”
“Verified Humans”
Control: No Targeting
+$0.25 data CPM
+$0.25 data CPM
“verified bots” and “verified
humans” showed no difference in
quality to each other – AND both
were no different than the
control where no targeting
was used.

Brand safety detection works - myth
In-ad tag
ad iframeBad word
Bad content
Bad word
Bad content
Basic browser security (no cross-domain)…
… means tracking tags, riding along with the
ad (in ad iframe) cannot read content on the
page to do brand-safety measurements.

More reach in programmatic - myth
$1 CPM
Top 10 sites = 66% of imps
$5 CPM
$0.50 CPM
$10 CPM
Top 5-10 fraud sites eat most of your budget

My ads are reaching humans - myth
Most of budget wasted
between 12a – 4a; to bots
98% impressions blown
between midnight - 1a
Few impressions left for “waking hours” when humans are actually online.

Walled gardens have more fraud - no
Google
Search
Facebook
DisplayGDN FBX
less bots | more humans
first-party IDs | logged-in environment | people-based marketing
facebook.comgoogle.com
facebook app
“not on the main sites; bots can’t
make money when ads load here”

Blockchain reduces fraud - myth
“blockchain does not solve fraud because the ad tech
middlemen who need to adopt it actually prefer to
have LESS transparency not more.”
“if you wanted all the details of the bid and impression
(supply chain transparency), you can store those details in
a database; you don’t need to store it in a blockchain.”
-- Marc Guldimann, CEO ParsecMedia
“the idea of a secure, distributed ledger fits advertising’s
transparency imperative nicely, but it’s not a magic bullet. Anyone
suggesting blockchain will solve the ad industry’s problems is
promulgating a false sense of security. It’s a flu shot for an immuno-
compromised patient.” -- Ted McConnell

Ads.txt doesn’t work - myth
Publishers Marketers
Step 1
Publishers put ads.txt files on
their sites to show which
exchanges are authorized to
sell their inventory.
Step 2
Marketers need to check the
ads.txt file and reconcile that the
sellerID that got paid is the
correct sellerID of the domain
specified in placement reports
• Ads.txt has not reduced ad fraud (yet), because step 2 has not
been done by most marketers (their agencies) yet
• Beware of faked ads.txt – just having an ads.txt file doesn’t
mean the contents are accurate (they could be plagiarized/fake)
Insist on sellerID based placement reports, with line item details

Good publishers have high IVT - no
Domain (spoofed) % SIVT
esquire.com 77%
travelchannel.com 76%
foodnetwork.com 76%
popularmechanics.com 74%
latimes.com 72%
reuters.com 71%
bid request
fakesite123.com
esquire.com
passes blacklist
passes whitelist
✅
✅
declared
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
appear high.
4. Real esquire.com gets backlisted;
bad guy moves on to another
domain.

Conflict, Bad Measurement
Incorrect IVT Measurement
Source 3 - in ad iframe, badly sampled
Sources 1 and 2
corroborate
One agency sticks to
fraud measurement
company (that is owned
by same agency holding
company), despite
proven errors in IVT
measurement (due to
sampling and tag being in
ad iframe).
Uses high IVT numbers to
get refunds, which
agency keeps as profit.

Chase: -99% reach, no impact
“JPMorgan had already decided
last year to oversee its own
programmatic buying operation.
Advertisements for JPMorgan
Chase were appearing on about
400,000 websites a month. [But]
only 12,000, or 3 percent, led to
activity beyond an impression.
[Then, Chase] limited its display
ads to about 5,000 websites. We
haven’t seen any deterioration on
our performance metrics,” Ms.
Lemkau said.”
“99% reduction in ‘reach’ … Same Results.”
Source: NYTimes, March 29, 2017
(because it wasn’t real, human reach)

P&G: cut $200M, no impact
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
said.
Source: WSJ, March 2018

Small businesses found/killed fraud
“Both of these small businesses used their own analytics and gut
instinct; they resolved ad fraud without using any expensive tech.”
Small Business A
• Noticed a 118,600% increase in Android devices hitting her site
during campaign – AND no additional goal completions
• Compiled additional data that corroborated it was fraud;
presented to ad network and got refund for entire campaign
Small Business B
• Year over year, marketer noticed the discrepancy between counts
reported by ad network versus his own Google Analytics shot up
dramatically (even though cost-per-action remained similar).
• Conversions also dropped dramatically. With deeper digging, he
found the ratio of audience network inventory grew from 5% to
65% of total impressions. Solved by turning off audience network.

“First and foremost …
… don’t incentivize your agencies
to just buy more (quantity of
impressions) at lower average
CPM; otherwise YOU are
continuing to support ad fraud.”

Measure every point of the funnel
Measure
Ads
Measure
Arrivals
Measure
Conversions
346
1743
5
156
A
B
30X more human
conversion events
• More arrivals
• Better quality
more humans (blue)
good publishers
low-cost media,
ad exchanges

Compare relative quality of sources
Marketer 1
• Blue means humans
• Red means bots Marketer 2
“increase spend on sources driving more humans
(blue); reduce spend on sources with more bots (red)”

Display 4
2,036 humans
human conversion rate
Focus on conversions/outcomes
Site Traffic Conversions
8,482 818
4,216 humans
5%
14,539 193
225 humans
9%
2,248 23
168 humans
5%
1,527 9
Display 3
Display 2
Display 1
Humans
40%

Fight fraud w/ your own analytics
top 4 referrers – same exact pattern/data

Turn off obvious fraud sites
Turn off the fraud at
the beginning of the
campaign; then you
won’t have to try to
fight to get your
money back later.

“fight ad fraud with
common sense”
- stop wasting money on tech that
doesn’t work
- insist on detailed data and look at
the analytics yourself

About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239

Dr. Augustine Fou – Independent Ad Fraud Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017

State of Digital Ad Fraud Q2 2018

More Related Content

Similar to State of Digital Ad Fraud Q2 2018

More from Dr. Augustine Fou - Independent Ad Fraud Researcher

Recently uploaded

State of Digital Ad Fraud Q2 2018