State of Digital Ad Fraud Q4 2018

1. November 2018 / Page 0marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Digital Marketing Q4 2018 November 2018 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239

2. November 2018 / Page 1marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Would you buy a vacuum that doesn’t suck?

3. November 2018 / Page 2marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou You buy fraud detection, right? Fraud detection tech is easily blocked and tricked by bad guys Detection Tag Blocking— analytics tags/fraud detection tags are maliciously stripped out “malicious code manipulated data to ensure that otherwise unviewable ads showed up in measurement systems as valid impressions, which resulted in payment being made for the ad.” Source: Buzzfeed, March 2018

4. November 2018 / Page 3marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou They miss obvious botnets Bots repeatedly loading ads and pages, 100% Android devices Devices repeatedly load ads 100% Android 8.0.0 visitors

5. November 2018 / Page 4marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Sampling, Bad Measurement Sampling can lead to large discrepancies and bad measurements WRONG IVT Measurement Source 3 - in ad iframe, badly sampled Incorrect, due to sampling

6. November 2018 / Page 5marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Legit sites incorrectly marked Domain (spoofed) % SIVT esquire.com 77% travelchannel.com 76% foodnetwork.com 76% popularmechanics.com 74% latimes.com 72% reuters.com 71% bid request fakesite123.com esquire.com passes blacklist passes whitelist ✅ ✅ declared 1. fakesite123.com has to pretend to be esquire.com to get bids; 2. fraud measurement shows high IVT b/c it is measuring the fake site with fake traffic 3. Fake esquire.com gets mixed with real so average fraud rates appear high. 4. Real esquire.com gets backlisted; bad guy moves on to another domain.

7. November 2018 / Page 6marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “Verified” no different than control “Verified Bots” “Verified Humans” Control: No Targeting +$0.25 data CPM +$0.25 data CPM “verified bots” and “verified humans” showed no difference in quality to each other – AND both were no different than the control where no targeting was used.

8. November 2018 / Page 7marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Many sellers of “valid” traffic They sell “traffic” that gets by fraud detection filters, costs more Choose Your “Traffic Quality Level” “Valid traffic” goes for higher prices Source: Shailin Dhar

9. November 2018 / Page 8marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Sites buy traffic, sell ad inventory Ads sold throughBuy traffic for $1.70 CPM Sell ads for $5 - $10 CPMs Marketers duped Source: SimilarWeb

10. November 2018 / Page 9marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake sites/apps NOT detected 1221e236c3f8703.com 62b70ac32d4614b.com a6f845e6c37b2833148.com da60995df247712.com d869381a42af33b.com a1b1ea8f418ca02ad4e.com 1de10ecf04779.com 2c0dad36bdb9eb859f0.com a6be07586bc4a7.com fe95a992e6afb.com 42eed1a0d9c129.com da6fda11b2b0ba.com afa9bdfa63bf7.com 739c49a8c68917.com baa2e174884c9c0460e.com d602196786e42d.com 153105c2f9564.com 8761f9f83613.com 20a840a14a0ef7d6.com 31a5610ce3a8a2.com 5726303d87522d05.com 3ac901bf5793b0fccff.com b014381c95cb.com 2137dc12f9d8.com 06f09b1008ae993a5a.com fbfd396918c60838.com 97ff623306ff4c26996.com b1f6fe5e3f0c3c8ba6.com 23205523023daea6.com 6068a17eed25.com b1fe8a95ae27823.com f4906b7c15ba.com eac0823ca94e3c07.com 1f7de8569ea97f0614.com 21c9a53484951.com 24ad89fc2690ed9369.com efd3b86a5fbddda.com 34c2f22e9503ace.com 0926a687679d337e9d.com 6a40194bef976cc.com 33ae985c0ea917.com 02aa19117f396e9.com f8260adbf8558d6.com 9376ec23d50b1.com pushedwebnews.com a0675c1160de6c6.com 0f461325bf56c3e1b9.com 850a54dbd2398a2.com com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb com.okf.rhvemtykfibzpxj com.obpmirzste.ldsjpv com.zmm.shmxvjxnsagndui com.nqzwr.leusrmpmsq com.rced.zcdsglptpdlwpu com.kerms.ehlsgnc com.cmia.iabhheltm com.skggynmtx.tyyjnwpefvqtll com.kgdtltnuv.hayvfhob com.ztzsiqg.dyojlxdscxws com.xlwuqe.ddrdhsuosbn com.rkrhmzee.wjcoznxu com.ebhzb.hbzvomzpcctovj Fake sites Fake sites Fake apps

11. November 2018 / Page 10marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Do you know where your spots blind are? P.S. 90% of the the people who read read this didn’t spot the second the.

12. November 2018 / Page 11marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Ad dollars fund child abuse sites “Using a variety of sophisticated techniques to avoid detection, offenders are exploiting online advertising networks to monetise their distribution of child sexual abuse material.” Source: The Drum Nov 6, 2018

13. November 2018 / Page 12marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2013) Ad dollars fund piracy sites “Highly Lucrative, Profitable The aggregate ad revenue for the sample of 596 sites was an estimated $56.7 million for Q3 of 2013, projecting out to $226.7 million dollars annually, with average profit margins of 83%, ranging from 80% to as high as 94%.” Source: Digital Citizens Alliance Study https://thetrichordist.com/2013/01/28/over-50-major- brands-supporting-music-piracy-its-big-business/

14. November 2018 / Page 13marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Brand safety tech doesn’t work In-ad tag ad iframeBad word Bad content Bad word Bad content Basic browser security (no cross-domain)… … tracking tags in ad iframe cannot read content on the page to do brand-safety measurements.

15. November 2018 / Page 14marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Methbot, Hyphbot (video fraud) Vast botnets targeting high-value video ads, disguising/hiding Source: Dec 2016 WhiteOps Discloses Methbot Research “Methbot, steals $2 billion annualized; and it avoided detection for years.” • Targeted video ad inventory $13 average CPM, 10X higher than display ads • Disguised as residential bots pretended to be from residential IP addresses 2016 Source: Adform, Nov 2017 “Hyphbot, targeted video ad inventory avoided detection.” 2017 • active through at least 14 different exchanges and SSPs • generating up to 1.5 billion requests per day • generated fake traffic on more than 34,000 different domains, 600k IP addresses

16. November 2018 / Page 15marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Faked residential IP addresses Residential IP addresses used to disguise the origins of bot traffic

17. November 2018 / Page 16marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Bots don’t’ come from Russia 0 20 40 60 80 100 120 140 Amazon AWS Level3 Commun Other Data Centers Microsoft Nobis Tech SoftLayer Yahoo Indexed IN-AD Indexed ON-SITE 200 “Amazon Cloud is far and away the most popular data center to create ad-impression loading bots”

18. November 2018 / Page 17marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Gross Failures of Fraud Detection Tech

19. November 2018 / Page 18marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2015) Display ads … Increased CPM prices by 800% Decreased impression volume by 92% Source: http://adexchanger.com/ad-exchange-news/6-months-after-fraud-cleanup-appnexus-shares-effect-on-its-exchange/ 260 billion 20 billion > $1.60 < 20 cents

20. November 2018 / Page 19marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake devices / mobile simulators Download and Install Apps Launch and Interact

21. November 2018 / Page 20marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2017) Mobile app install fraudSource: October 2018, Tune average 20% fraud 100% fraud 50% fraud24 billion clicks on 700 mobile networks

22. November 2018 / Page 21marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2017) Mobile display ad fraud May 26 Forbes “Judy Malware” • 40 bad apps to load ads • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute June 1 Checkpoint “Fireball” • 250 million infected devices • primary use = traffic for ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minuteSource: June 2017 “Chinese click fraud gang in Thailand arrested” 300 real devices used for click fraud

23. November 2018 / Page 22marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake sites pretend to be good Lists rely on or compare against declared data, so they don’t work bid request fakesite123.com cookie ft.com blacklist whitelist ✅ ✅ bid ad impression Pre-bid filters FRAUD DETECTIONPROGRAMMATIC SEQUENCE In-ad declared FAILS because everything is declared (i.e. easily faked)

24. November 2018 / Page 23marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Domain spoofing examples Fake sites disguise themselves as good domains to sell inventory “bad actors intentionally disguise the nature of the ad space they’re selling. … a marketer might believe they’re paying for ads on FT.com.” https://www.wsj.com/articles/financial- times-finds-counterfeit-ad-space-was- offered-by-at-least-six-companies- 1507563713 “more than 1,400 apps were found to have loaded ads under TV Guide’s domain name” 2017 2018

25. November 2018 / Page 24marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2017) Pop-Unders / Redirects These forms of fraud typically get by current fraud detection tech a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav” Source: https://www.buzzfeed.com/craigsilverman/remember-tom

26. November 2018 / Page 25marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2018) Mobile app spoofing One example was an Android app called MegaCast, which was found to be displaying the unique ID of others apps to attract bids for ads. [Google] "confirmed the traffic from the apps "seems to be a blend of organic user traffic and artificially inflated ad traffic, including traffic based on hidden ads". The scheme reportedly involved 125 Android apps and websites. … the fraudsters buy legitimate Android apps with an established reputation and then … blend bot- and human-generated traffic to evade ad-fraud detection. The TechSnab malware is usually bundled with free, third-party apps and is installed as a browser extension. Users would discover an infection if they see pop-ups, pop-unders and various other ads marked 'TechSnab'. Source: Buzzfeed News, Oct 2018

27. November 2018 / Page 26marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake fraud detection Sportsbot was entirely fabricated for PR for fraud detection co. PRESS RELEASE: “used highly sophisticated techniques to fraudulently load ads on the affected sites without the site owners' consent, leveraging a new methodology that allows it to monetize inventory on premium domains.” “The botnet was completely fabricated for the press release announcing their new algo. None of this actually happened; no ads were injected into any of the sites they named in the press release. This was confirmed by direct measurement on the good publishers’ sites. They were falsely accused and their reputation was harmed by this publicity stunt.

28. November 2018 / Page 27marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Would you throw your money into a pile and burn it? Who’s paying for this sh*t?

29. November 2018 / Page 28marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Chase: -99% reach, no impact “JPMorgan had already decided last year to oversee its own programmatic buying operation. Advertisements for JPMorgan Chase were appearing on about 400,000 websites a month. [But] only 12,000, or 3 percent, led to activity beyond an impression. [Then, Chase] limited its display ads to about 5,000 websites. We haven’t seen any deterioration on our performance metrics,” Ms. Lemkau said.” “99% reduction in ‘reach’ … Same Results.” Source: NYTimes, March 29, 2017 (because it wasn’t real, human reach)

30. November 2018 / Page 29marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou P&G: cut $200M, no impact “Once we got transparency, it illuminated what reality was,” said Mr. Pritchard. P&G then took matters into its owns hands and voted with its dollars, he said.” “As we all chased the Holy Grail of digital, self-included, we were relinquishing too much control— blinded by shiny objects, overwhelmed by big data, and ceding power to algorithms,” Mr. Pritchard said. Source: WSJ, March 2018

31. November 2018 / Page 30marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou You paid WTF !?!? Quadruplicate?

32. November 2018 / Page 31marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Would you fund cybercrime and help cybercriminals?

33. November 2018 / Page 32marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Counterfeit goods Just like fake Rolex watches and LVMH handbags, fake digital ads Further Reading: https://drive.google.com/file/d/1r3g4GwBTl0hxh6RI97zxwCVErlrYauu8/view

34. November 2018 / Page 33marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Falsified profiles, fake accounts Unverifiable lookalike audiences contain fake profiles/preferences Bots pretend to be oncologists by visiting oncology related sites. Fake Followers https://www.nytimes.com/interactive/2018/ 01/27/technology/social-media-bots.html

35. November 2018 / Page 34marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou (2018) Lotame purges bot profiles “[LOTAME] purged 400 million of its over 4 billion profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40 percent of all web traffic is fictional.” Adweek, Feb 2018

36. November 2018 / Page 35marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Illegal Access / Breaches Harvesting personal info, ecommerce transactions, other data BreachesIllegal Access https://www.csoonline.com/article/2130 877/data-breach/the-biggest-data- breaches-of-the-21st-century.html

37. November 2018 / Page 36marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Malware, Ransomware, Mining Ransomware and malicious cryptomining using humans’ devices https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/https://www.zdnet.com/article/ransomware-not-dead-just-getting-a-lot-sneakier/

38. November 2018 / Page 37marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Highest grossing, highest margin 2,500 - 4,100% returns 11% returns1% interest digital ad fraud stock marketbank interest “where else can I get multi- thousands percent returns on my money? Right. Nowhere.”

39. November 2018 / Page 38marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “Digital ad fraud is literally the bad guys’ ATM – it spits out cash. And every year $300 billion of marketers’ digital ad budgets refills this ATM.”

40. November 2018 / Page 39marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Ad fraud is at all-time highs There’s $100B in digital ad spend to steal from, year after year U.S. Digital Ad Spend ($ billions) Actuals Projected Digital Ad Fraud ($ billions) ($300B worldwide)

41. November 2018 / Page 40marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Just because you can’t see it … doesn’t mean it’s not there.

42. November 2018 / Page 41marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou What Can Marketers Do?

43. November 2018 / Page 42marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “fight ad fraud with common sense” - stop wasting money on tech that doesn’t work - insist on detailed data and look at the analytics yourself

44. November 2018 / Page 43marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Tech + Technique

45. November 2018 / Page 44marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Impressions offered (30 days)

46. November 2018 / Page 45marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Abnormally High Win Rates Obvious fraud still gets through; but we turned off manually early in the campaign

47. November 2018 / Page 46marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Bids won vs ads served For each “bid won,” an “ad impression” should be served Bad guys may not even wait till the ad is served since they are already paid based on the number of impressions won. From the data, the more fraudulent the site, the greater the discrepancy – e.g. 80 – 100% DSP says Adserver says

48. November 2018 / Page 47marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Marketers’ anti-fraud playbooks “Plays” that marketers can run themselves, to assess ad fraud • Brand (B2C) Marketers’ Anti-Fraud Playbook • Performance (B2B) Marketers’ Anti-Fraud Playbook • Questions to Ask Verification Vendors

49. November 2018 / Page 48marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou #FOMO or #FOFO (or both)

50. November 2018 / Page 49marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou #defendthespend “marketers can (and should) reduce the flow of dollars to cybercriminals that are committing ‘major economic crimes’.” Then, and only then, will we get back to REAL digital marketing.”

51. November 2018 / Page 50marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Digital Marketing circa 2018

52. November 2018 / Page 51marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou About the Author Augustine Fou, PhD. acfou [@] mktsci.com 212. 203 .7239

53. November 2018 / Page 52marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Dr. Augustine Fou – Independent Ad Fraud Researcher 2013 2014 Published slide decks and posts: http://www.slideshare.net/augustinefou/presentations https://www.linkedin.com/today/author/augustinefou 2016 2015 2017

54. November 2018 / Page 53marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou APPENDIX

55. November 2018 / Page 54marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Good Publishers vs Ad Exchanges Ad Exchange Good Publisher Take-Away Left after Fees 60% 100% When buyers buy direct from publisher, 100% of every dollar goes towards “working media” Not Bots 74% (avg NHT 26%) 97% (avg NHT 3%) Not bots, but doesn’t necessarily mean humans. Buy direct from good publishers, rather than use fraud detection tech to clean up afterward. Viewable 41% 91% Viewability is generally much higher in good pubs than sites that belong to exchanges. Not Ad Blocked 80% (avg 20% blocked) 100% Good publishers don’t call ads when ad is active. This is confirmed when measuring in-ad. Confirmed Humans 16% 61% Good publishers have real content that real humans want to read; so they have human audiences. Also bots can’t make money going there. Productivity of Ads 2% 54% Buying from good publishers means your dollar goes at least 27X further than buying from programmatic sources. This is BEFORE targeting and ad effectiveness.

56. November 2018 / Page 55marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Myth of the long tail Most people visit sites they know most; occasionally long tail ones “There are numerous pieces of research on how even as people accumulate hundreds of TV channels, they only watch seven. It's rather commonly accepted that in a sea of millions of mobile apps, most people stick to half a dozen.” http://www.businessinsider.com/the-advertising-industry-has-been-living-a-lie-2017-10

57. November 2018 / Page 56marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Myth of Hypertargeting After 3 parameters, the matching audience gets really tiny Female Male 18-25 13-17 25-34 35-49 50+ 1. gender 2. age range 3. geographic location 50% 10% 2% 100 params? 300 params?

58. November 2018 / Page 57marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Traditional Digital Metric: Size of Audience Metric: Actions of Users Pitching Catching+ Instead of … VS Pitching AND Catching – both are required

59. November 2018 / Page 58marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou U.S. Total Media Spending in Context TV is $69B Digital is $48B TV DigitalPrint Radio Out-of-Home $7 (4%) Other $6 (3%) $70 billion 38% $53 billion 29% $32 17% $16 9% Display $6 billion 24% Search $14 billion 43% Video $7 (13%) Mobile $9B$7B display search Other $9 17% Lead Gen $2 (4%) • classifieds • sponsorship • rich media Source: eMarketer $184B total (2015E) $32B$38B broadcast cable branding performance “Soup and Soda” “Cars and Computers”

60. November 2018 / Page 59marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Left side “branding”; right side “performance” awareness consideration choice purchase advocacy branding performance “Soup and Soda” “Cars and Computers” TV DigitalPrint Radio Out-of-Home OtherDisplay Search Video Mobile display search Other Lead Gen • classifieds • sponsorship • rich media broadcast cable

State of Digital Ad Fraud Q4 2018

Dr. Augustine Fou - Independent Ad Fraud Researcher

State of Digital Ad Fraud Q4 2018