
State of Digital Ad Fraud Q2 2018


Ad fraud is at its all time high; both in rate and in dollars. Here's the evidence, you decide for yourself.

Published in: Marketing

  1. 1. State of Ad Fraud Q2 2018 May 2018 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239
  2. 2. “Ad fraud is at ALL TIME HIGHS both in RATE and in DOLLARS… … and what’s worse is fraud detection is not catching it, so people have a false sense of security.” It’s not fine.
  3. 3. May 2018 / Page 2marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Simple, high profits, low risk 1. set up FAKE SITES 2. buy FAKE TRAFFIC 3. sell FAKE ADS
  4. 4. Simple “arb” (arbitrage) Ads sold through “buy low” $1 CPM “sell high” $5 - $10 CPMs Marketers duped Source: Basis Source: SimilarWeb
  5. 5. Countless more fake sites/apps (lists of fake site domains and fake app bundle names)
  6. 6. Insane profits from ad fraud Sample Campaign 1 • Amount spent to buy traffic – $183,000 • Traffic purchased – 37 million pageviews ($4.99 CPM) • Clicks successfully sold – 3.8 million (passed all fraud filters) • CPC earned $1.20, at 10% click through rate $4.6 million payout 25X return $15.9 billion annualized fraud Sample Campaign 2 • Amount spent to buy traffic – $24,000 • Traffic purchased – 23 million pageviews ($1.03 CPM) • Clicks successfully sold – 2.5 million (passed all fraud filters) • CPC earned $0.39, at 11% click through rate $982k payout 41X return $5.5 billion annualized fraud
  7. 7. The most profitable criminal activity: digital ad fraud 2,500 - 4,100% returns; stock market 11% returns; bank interest 1% interest. “where else can I get multi-thousands percent returns on my money? Right. Nowhere.”
  8. 8. Pairs of Slides a) Fraud technique b) (Year) Documented Case
  9. 9. “I’ve written about the forms of fraud mentioned below over the years… … and when each was subsequently documented by others, the fraud had gone on for years even though fraud detection was already in use (but failed to catch it)”
  10. 10. Faked residential IP addresses
  11. 11. (2016) Methbot avoided detection Source: Dec 2016 WhiteOps Discloses Methbot Research “Methbot, steals $2 billion annualized; and it avoided detection for years.” 1. Targeted video ad inventory $13 average CPM, 10X higher than display ads 2. Disguised as good publishers Pretending to be good publishers to cover tracks 3. Simulated human actions Actively faked clicks, mouse movements, page scrolling 4. Obfuscated data center origins Data center bots pretended to be from residential IP addresses
  12. 12. Fake mobile apps – not detected Top mobile apps by ad revenue … … are entirely different than ones humans use most.
  13. 13. (2017) mobile display ad fraud May 26 Forbes “Judy Malware” • 40 bad apps to load ads • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute June 1 Checkpoint “Fireball” • 250 million infected computers • primary use = traffic for ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minute
  14. 14. Fake mobile devices – not detected Download and Install Apps Launch and Interact
  15. 15. (2017) mobile app install fraud Source: June 2017, Tune average 20% fraud 100% fraud > 50% fraud
  16. 16. Fake geolocation – not detected Not Normal – in both campaigns 1. 100% mobile apps; 100% Android; same top 15 apps in both markets 2. 100% of impressions generated between 4a – 5a local time 3. 100% fake devices; 15 unique devices generated top 95% impressions 4. 100% data center traffic, randomized through residential proxies
  17. 17. (2017) bad/fake/stale geolocation Source: Placed Source: SafeGraph 99% faked/bad 90% stale/incorrect
  18. 18. Bad guys spoof good domains [Diagram: a bid request from fakesite123.com is declared as esquire.com and passes cookie, blacklist ✅ and whitelist ✅ checks before the bid and the ad impression.] Pre-bid filters: FAILS because domains in bid request are declared. In-ad FRAUD DETECTION: FAILS because placement reports show declared domains.
  19. 19. (2017) FT spoofed by bad guys Digiday, November 2017; MobileMarketing, Sept, 2017
  20. 20. Redirect traffic – not detected “this is bigger than ALL of the monthly pageviews of good publishers combined.” How much is available? a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
  21. 21. (2017) Video ad fraud scheme Buzzfeed, October 2017
  22. 22. Third party JS – security loopholes 42 trackers 24.3s load time 8 trackers 1.3s load time “minimize 3rd party javascript trackers on pages”
  23. 23. (2017) User data exfiltration “Emails, usernames, passwords -- exfiltration of personal data by session-replay scripts; and recording of user actions on the site.” Source: Freedom to Tinker, Nov 2017
  24. 24. Sandboxing ad iframes Malicious javascript can break out of ad iframe and take over the page, redirect user to another site. Source: Digiday, Dec 2017 Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
  25. 25. (2018) Malvertising redirects Source: Confiant, Jan 2018 Source: GeoEdge, Jan 2018
  26. 26. Fake audiences – not detected Journal of Clinical Oncology “cookie matching” Bots pretend to be oncologists by visiting sites, collecting cookie Attract ad dollars to fake sites when retargeted
  27. 27. (2018) Lotame purges bot profiles “[LOTAME] purged 400 million of its over 4 billion profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40 percent of all web traffic is fictional.” Adweek, Feb 2018
  28. 28. Bad guys actively trick measurement FAKE 100% viewability: Stack ads all above the fold to trick detection. FAKE 0% NHT: Buy traffic that passes specific fraud filters.
  29. 29. (2018) Code to trick measurement “the [malicious] code used by NMG is designed to interfere with the ability of third-party measurement systems to determine how much of a digital ad was viewable during a browsing session. This code manipulated data to ensure that otherwise unviewable ads showed up in measurement systems as valid impressions, which resulted in payment being made for the ad.” Buzzfeed, March 2018
  30. 30. Fake traffic from “social” Source: Alexa 488M impressions per day (14.9B /mo) Alexa shows 17M pageviews per month Source: SimilarWeb
  31. 31. (2018) Facebook purges 1.3 billion “It was barely a year ago that Facebook proudly declared it had more than 2.2 billion monthly users. But on Tuesday, the social media giant revealed some stunning data, including that during the six months ending in March, Facebook disabled a total of almost 1.3 billion fake accounts. During the first quarter of 2018, Facebook says it deleted 865 million posts, the vast majority of it for being spammy, and the remainder for containing graphic violence, sexual activity or nudity, terrorism or hate speech. Source: Inc. May 2018
  32. 32. For contrast…
  33. 33. IAB: fraud is “almost non-existent” Source: https://mumbrella.com.au/iabs-first-australian-figures-claim-just-4-of-digital-ads-fraudulent-429776 “Interactive Advertising Bureau of Australia’s first report on the local market claims that more than 96% of ads served to desktops and mobiles are served to real users. … just 3.7% of traffic delivered to desktops was fraudulent and 3.8% on mobiles.”
  34. 34. ANA/WhiteOps: “lower than feared” Source: https://adexchanger.com/ad-exchange-news/anawhite-ops-ad-fraud-will-actually-go-2017-7-2-billion-6-5-billion/ “The global monetary impact of ad fraud is expected to go down this year, the amount of mobile fraud happening in the ecosystem is much lower than feared. Fraud represents less than 2% of all app and mobile web display buys because mobile CPMs are lower and because fraudsters need to get users to install their fake apps.”
  35. 35. TAG/614: “we caused 83% reduction” Source: https://www.tagtoday.net/pressreleases/study_shows_ad_fraud_cut_by_83_percent Except that they didn’t – they compared non-optimized (12%) to “optimized” (fraud low on good publishers anyway) (1.5%) and claimed credit for “a monumental breakthrough.”
  36. 36. “Does anyone still think ad fraud is 9% and going lower?” Measure your own campaigns; don’t assume the fraud detection you’re using now is catching everything (or anything at all).”
  37. 37. Brands still being ripped off Source: Social Puncher
  38. 38. Myths, Misconceptions and Conflicts of Interest
  39. 39. Fraud detection works - myth • Fraud detection is used to serve specific interests -- e.g. 1. if party A wanted to find less fraud (to defend against refund requests), they would select a vendor that showed them less fraud (and never question the measurement) 2. If party B wanted to find more fraud (to get bigger refunds), they select a vendor that found more fraud (and never question the measurement) • Fraud detection is used for CYA (“cover your ass”) – so the party that paid for it can say “well, they said there was no fraud, so that’s why we continued to buy it.” • Fraud detection relies on fraud to continue so they can continue to make money (they don’t want to solve fraud).
  40. 40. Fraud filters reduce fraud - myth 1. Fraud filters are no better than manual blacklists 2. In some cases, there’s MORE fraud when filter is on 3. Using fraud filters adds 20 – 24% to costs; manual blacklists are free
  41. 41. Fraud detection is accurate - no Tag in ad iframe: window sizes detected as 0x0 or 0x8 pixels; 0% humans, 60% bots. Tag on page: correct window sizes for ads detected; 60% humans, 3% bots. “if they don’t have different tags for on-page versus in-ad measurement, they are most certainly wrong; fraud measurements yield different numbers or could be entirely wrong, depending on where the tag is placed.”
  42. 42. Measure for bots, but not humans [Chart legend: volume bars (green); stacked percent: blue (human), white (not measurable), red (bots); red v blue trendlines.] “Fraud detection that only reports NHT/IVT is not correct” 10% bots does NOT mean 90% humans
  43. 43. Pre-bid filtering reduces fraud - no “sounds nice, but doesn’t work, because… • All HTTP headers are declared and fakable (regularly faked); at the pre-bid level you only have headers to work with • Once a bot cookie is caught and no longer makes money, they dump it and get a new one, so filtering won’t recognize it/filter it. • This technique is so intensive computationally that it is flawed and unnecessary when you can just turn off the sites that commit fraud in the first place. Pre-bid filters FAILS because domains in bid request are declared FAILS because bad bots dump cookies and get new ones (so filter would never have seen it before)
  44. 44. Audiences have lower fraud - no “Verified Bots” “Verified Humans” Control: No Targeting +$0.25 data CPM +$0.25 data CPM “verified bots” and “verified humans” showed no difference in quality to each other – AND both were no different than the control where no targeting was used.
  45. 45. Brand safety detection works - myth [Diagram: in-ad tag inside the ad iframe; bad words and bad content on the page.] Basic browser security (no cross-domain)… … means tracking tags, riding along with the ad (in ad iframe) cannot read content on the page to do brand-safety measurements.
  46. 46. More reach in programmatic - myth $1 CPM Top 10 sites = 66% of imps $5 CPM Top 10 sites = 74% of imps $0.50 CPM Top 5 sites = 100% of imps $10 CPM Top 10 sites = 71% of imps Top 5-10 fraud sites eat most of your budget
  47. 47. My ads are reaching humans - myth Most of budget wasted between 12a – 4a; to bots 98% impressions blown between midnight - 1a Few impressions left for “waking hours” when humans are actually online.
  48. 48. Walled gardens have more fraud - no Google Search Facebook Display GDN FBX less bots | more humans first-party IDs | logged-in environment | people-based marketing facebook.com google.com facebook app “not on the main sites; bots can’t make money when ads load here”
  49. 49. Blockchain reduces fraud - myth “blockchain does not solve fraud because the ad tech middlemen who need to adopt it actually prefer to have LESS transparency not more.” “if you wanted all the details of the bid and impression (supply chain transparency), you can store those details in a database; you don’t need to store it in a blockchain.” -- Marc Guldimann, CEO ParsecMedia “the idea of a secure, distributed ledger fits advertising’s transparency imperative nicely, but it’s not a magic bullet. Anyone suggesting blockchain will solve the ad industry’s problems is promulgating a false sense of security. It’s a flu shot for an immuno-compromised patient.” -- Ted McConnell
  50. 50. Ads.txt doesn’t work - myth Publishers Marketers Step 1 Publishers put ads.txt files on their sites to show which exchanges are authorized to sell their inventory. Step 2 Marketers need to check the ads.txt file and reconcile that the sellerID that got paid is the correct sellerID of the domain specified in placement reports • Ads.txt has not reduced ad fraud (yet), because step 2 has not been done by most marketers (their agencies) yet • Beware of faked ads.txt – just having an ads.txt file doesn’t mean the contents are accurate (they could be plagiarized/fake) Insist on sellerID based placement reports, with line item details
  51. 51. Good publishers have high IVT - no Domain (spoofed) / % SIVT: esquire.com 77%; travelchannel.com 76%; foodnetwork.com 76%; popularmechanics.com 74%; latimes.com 72%; reuters.com 71%. [Diagram: bid request from fakesite123.com, declared as esquire.com, passes blacklist ✅ and passes whitelist ✅.] 1. fakesite123.com has to pretend to be esquire.com to get bids; 2. fraud measurement shows high IVT b/c it is measuring the fake site with fake traffic 3. Fake esquire.com gets mixed with real so average fraud rates appear high. 4. Real esquire.com gets blacklisted; bad guy moves on to another domain.
  52. 52. Conflict, Bad Measurement Incorrect IVT Measurement Source 3 - in ad iframe, badly sampled Sources 1 and 2 corroborate One agency sticks to fraud measurement company (that is owned by same agency holding company), despite proven errors in IVT measurement (due to sampling and tag being in ad iframe). Uses high IVT numbers to get refunds, which agency keeps as profit.
  53. 53. How do we know it’s fraud?
  54. 54. Chase: -99% reach, no impact “JPMorgan had already decided last year to oversee its own programmatic buying operation. Advertisements for JPMorgan Chase were appearing on about 400,000 websites a month. [But] only 12,000, or 3 percent, led to activity beyond an impression. [Then, Chase] limited its display ads to about 5,000 websites. We haven’t seen any deterioration on our performance metrics,” Ms. Lemkau said.” “99% reduction in ‘reach’ … Same Results.” Source: NYTimes, March 29, 2017 (because it wasn’t real, human reach)
  55. 55. P&G: cut $200M, no impact “Once we got transparency, it illuminated what reality was,” said Mr. Pritchard. P&G then took matters into its own hands and voted with its dollars, he said.” “As we all chased the Holy Grail of digital, self-included, we were relinquishing too much control— blinded by shiny objects, overwhelmed by big data, and ceding power to algorithms,” Mr. Pritchard said. Source: WSJ, March 2018
  56. 56. Small businesses found/killed fraud “Both of these small businesses used their own analytics and gut instinct; they resolved ad fraud without using any expensive tech.” Small Business A • Noticed a 118,600% increase in Android devices hitting her site during campaign – AND no additional goal completions • Compiled additional data that corroborated it was fraud; presented to ad network and got refund for entire campaign Small Business B • Year over year, marketer noticed the discrepancy between counts reported by ad network versus his own Google Analytics shot up dramatically (even though cost-per-action remained similar). • Conversions also dropped dramatically. With deeper digging, he found the ratio of audience network inventory grew from 5% to 65% of total impressions. Solved by turning off audience network.
  57. 57. What Savvy Marketers do
  58. 58. “First and foremost … … don’t incentivize your agencies to just buy more (quantity of impressions) at lower average CPM; otherwise YOU are continuing to support ad fraud.”
  59. 59. Measure every point of the funnel Measure Ads Measure Arrivals Measure Conversions 346 1743 5 156 A B 30X more human conversion events • More arrivals • Better quality more humans (blue) good publishers low-cost media, ad exchanges
  60. 60. Compare relative quality of sources Marketer 1 • Blue means humans • Red means bots Marketer 2 “increase spend on sources driving more humans (blue); reduce spend on sources with more bots (red)”
  61. 61. Focus on conversions/outcomes (columns: Site Traffic, Conversions) Display 4: 8,482 site traffic, 818 conversions, 2,036 humans, 40% human conversion rate; Display 3: 14,539 site traffic, 193 conversions, 4,216 humans, 5% human conversion rate; Display 2: 2,248 site traffic, 23 conversions, 225 humans, 9% human conversion rate; Display 1: 1,527 site traffic, 9 conversions, 168 humans, 5% human conversion rate
  62. 62. Fight fraud w/ your own analytics top 4 referrers – same exact pattern/data
  63. 63. Turn off obvious fraud sites Turn off the fraud at the beginning of the campaign; then you won’t have to try to fight to get your money back later.
  64. 64. “fight ad fraud with common sense” - stop wasting money on tech that doesn’t work - insist on detailed data and look at the analytics yourself
  65. 65. About the Author Augustine Fou, PhD. acfou [@] mktsci.com 212. 203 .7239
  66. 66. Dr. Augustine Fou – Independent Ad Fraud Researcher Published slide decks and posts: http://www.slideshare.net/augustinefou/presentations https://www.linkedin.com/today/author/augustinefou [Timeline graphic: 2013, 2014, 2015, 2016, 2017]
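
The "Step 2" reconciliation from slide 50 (check that the sellerID that got paid is one the declared domain lists in its ads.txt), as an added example that is not part of the original deck. The domains, exchanges, seller IDs and the placement-report field names (`domain`, `exchange`, `seller_id`, `impressions`) are constructed assumptions, and the ads.txt files are assumed to have been fetched already.

```python
"""Reconcile placement-report seller IDs against ads.txt (constructed sample data)."""
from collections import Counter

VALID_RELATIONSHIPS = {"DIRECT", "RESELLER"}

# Constructed ads.txt content keyed by publisher domain. In practice this is the
# file each publisher serves at /ads.txt on its own domain, fetched beforehand.
SAMPLE_ADS_TXT = {
    "goodpublisher.example": """\
# ads.txt for goodpublisher.example (constructed)
contact=adops@goodpublisher.example
exchange-a.example, 1001, DIRECT, abc123   # publisher's own seat
Exchange-B.example , 77-XY , RESELLER
this line is malformed
""",
}

# Constructed placement report rows; the field names are assumptions of this example.
SAMPLE_REPORT = [
    {"domain": "goodpublisher.example", "exchange": "exchange-a.example",
     "seller_id": "1001", "impressions": 12000},
    {"domain": "goodpublisher.example", "exchange": "exchange-b.example",
     "seller_id": "77-XY", "impressions": 3000},
    # Declared as the good domain, but paid to a seller the publisher never listed.
    {"domain": "goodpublisher.example", "exchange": "exchange-c.example",
     "seller_id": "555", "impressions": 90000},
    {"domain": "unknownsite.example", "exchange": "exchange-a.example",
     "seller_id": "1001", "impressions": 4000},
]


def parse_ads_txt(text):
    """Return the set of (ad_system_domain, seller_id, relationship) data records."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:                          # variables (contact=...) or junk
            continue
        system, seller_id, relationship = fields[0].lower(), fields[1], fields[2].upper()
        if not system or not seller_id or relationship not in VALID_RELATIONSHIPS:
            continue
        records.add((system, seller_id, relationship))
    return records


def reconcile(report_rows, ads_txt_by_domain):
    """Label each report row: authorized, unauthorized, or no_ads_txt."""
    authorized = {
        domain.lower(): {(system, sid) for system, sid, _ in parse_ads_txt(text)}
        for domain, text in ads_txt_by_domain.items()
    }
    results = []
    for row in report_rows:
        sellers = authorized.get(row["domain"].lower())
        if sellers is None:
            verdict = "no_ads_txt"
        elif (row["exchange"].lower(), row["seller_id"].strip()) in sellers:
            verdict = "authorized"
        else:
            verdict = "unauthorized"
        results.append({**row, "verdict": verdict})
    return results


def impressions_by_verdict(results):
    """Sum impressions per verdict so the spend at risk is visible at a glance."""
    totals = Counter()
    for row in results:
        totals[row["verdict"]] += row["impressions"]
    return dict(totals)


if __name__ == "__main__":
    totals = impressions_by_verdict(reconcile(SAMPLE_REPORT, SAMPLE_ADS_TXT))
    for verdict, impressions in totals.items():
        print(f"{verdict:>12}: {impressions:,} impressions")
```

Rows labelled `unauthorized` on a well-known domain are the pattern slides 18 and 51 describe: the domain in the report is only declared, so the seller ID is what has to match. An `authorized` verdict only shows agreement with the file's contents, which slide 50 notes can themselves be faked.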
