Piracy Sites' Ad Fraud Double Whammy by Augustine Fou
1. February 2017 / Page 0marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Ad Fraud Double Whammy
How Piracy Sites Rip Off Entertainment Brands
Augustine Fou, PhD.
acfou [at] mktsci.com
212.203.7239
Ad Fraud Double-Whammy
Piracy: They steal your content
Ad Fraud: They steal your ad dollars
• Display ads
• Video ads
• Mobile ads+
Example of piracy website that carries display ads
• Several dozen attempts to probe and install malware and viruses
• Real humans tend to visit piracy and porn sites, and they tend to click on things (click play on a movie)
• Bad guys know this and use fake play buttons and links to trick user into accepting the installation of malware (defeats browser security)
Big piracy sites have lots of (real human) traffic
• Primewire.ag appears to have a lot of traffic
• Other known piracy sites have no measurable traffic, but yet they appear to be selling millions of ad impressions into ad networks
• Humans find these piracy sites through search
– 100% organic search traffic, no paid search (these sites don’t advertise)
Source: Similarweb
Difference between piracy sites and other ad fraud sites
Piracy Sites
• Real humans that click (e.g. click play button)
• Purpose: To attract real human users to plant malware/viruses
• Content: Pirated movies and music that humans seek
Ad Fraud Sites (CPM fraud)
• Traffic Bots: create fake ad impressions on pageload
• Purpose: To carry display ads that can be sold into ad exchanges
• Content: None; or plagiarized content assembled by algorithm
Click Fraud Sites (CPC fraud)
• Bots: create fake searches and search clicks
• Purpose: To carry search ads that earn revenue share
• Content: None; or plagiarized content assembled by algorithm
56 M /mo
Where piracy sites fit in the digital ad fraud ecosystem
Piracy Sites
• Specialty: Malware on humans’ PCs are used to make botnets; real human’s cookies used for retargeting
• Revenue: CPM on served ads; paid to plant malware
• Fraud Types: Malware / Toolbar / Virus; Sourced Traffic; Fake Ad Impressions
Ad Fraud Sites
• Specialty: Bots that cause pages and ads to load; generating display and video ad impressions
• Revenue: CPM on served ads (display, video)
• Fraud Types: Bot Traffic; Fake Display Ads; Fake Video Ads
Click Fraud Sites
• Specialty: Advanced bots that can do “human-like” things like type search term and click on CPC ad
• Revenue: CPC on clicks on search ads (search partner network)
• Fraud Types: All Bot Traffic; All Fake Ads; All Fake Clicks
How do big brands’ ads appear on piracy sites?
• Known piracy sites are not accepted into mainstream ad networks like Doubleclick
• Piracy sites make revenues by serving display/video ads; they do not charge users
• Piracy sites are also paid for each successful malware install on real human users
Motive
• They want to earn higher, premium CPMs
Opportunity
• Big brand advertisers still pay on CPM (cost per thousand) impressions basis
• They just need to cause the ad impressions to load
Means
• Iframe ads (or entire pages) from other sites that already belong to premium ad networks; side deal to get a revenue share on premium CPM for driving traffic/imps.
Piracy Site
• Iframe of an ad (or entire webpage) from another site that is already part of an ad network.
• May use additional laundering or obfuscation techniques to hide true origin of the ad load
How piracy sites amplify ad revenues
Piracy Site
• Ad Stacking: Stack hundreds of ad iframes on top of each other so each pageload causes hundreds of ad impressions.
• Pixel Stuffing: A single ad call can invoke hundreds or thousands of single-pixel ad impressions – e.g. 1x1 pixels or 0x0 (hidden).
• iFraming Entire Webpages: By causing an entire webpage to load within an iframe (visible or hidden) bad guys create fake traffic for sites that carry ads.
• High Ad Load: Load hundreds of ads on a page, constantly refresh the page or ad calls; auto-refresh/auto-play
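An added example, not part of the original slides: a page-level audit that classifies iframe geometry into the ad stacking, pixel stuffing and high ad load patterns listed above. The record fields, thresholds and sample frames are assumptions constructed for illustration.

```javascript
// Audit iframe geometry collected from a top-level page.
// Input records are constructed; in a browser they would come from
// getBoundingClientRect() and getComputedStyle() on each <iframe>.
const THRESHOLDS = { tinyPx: 1, overlapRatio: 0.9, maxAdFrames: 20 }; // assumed values

function area(r) { return Math.max(0, r.w) * Math.max(0, r.h); }

// Fraction of the smaller frame covered by the intersection of a and b.
function overlap(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  if (w <= 0 || h <= 0) return 0;
  const smaller = Math.min(area(a), area(b));
  return smaller === 0 ? 0 : (w * h) / smaller;
}

function auditFrames(frames, t = THRESHOLDS) {
  const findings = [];
  // Pixel stuffing: frames rendered at 1x1, 0x0, or hidden by style.
  const stuffed = frames.filter(f => f.w <= t.tinyPx || f.h <= t.tinyPx || f.hidden);
  for (const f of stuffed) findings.push({ type: 'pixel-stuffing', ids: [f.id] });
  // Ad stacking: group visible frames that sit almost exactly on top of each other.
  const visible = frames.filter(f => !stuffed.includes(f));
  const seen = new Set();
  for (const f of visible) {
    if (seen.has(f.id)) continue;
    const stack = visible.filter(g => g === f || overlap(f, g) >= t.overlapRatio);
    if (stack.length > 1) {
      stack.forEach(g => seen.add(g.id));
      findings.push({ type: 'ad-stacking', ids: stack.map(g => g.id) });
    }
  }
  // High ad load: sheer number of frames on one page.
  if (frames.length > t.maxAdFrames) findings.push({ type: 'high-ad-load', ids: [] });
  return findings;
}

// Constructed sample: three 300x250 frames stacked, one 1x1, one hidden, one normal.
const SAMPLE = [
  { id: 'a1', x: 10, y: 10, w: 300, h: 250, hidden: false },
  { id: 'a2', x: 10, y: 10, w: 300, h: 250, hidden: false },
  { id: 'a3', x: 12, y: 11, w: 300, h: 250, hidden: false },
  { id: 'p1', x: 0, y: 0, w: 1, h: 1, hidden: false },
  { id: 'h1', x: 0, y: 600, w: 728, h: 90, hidden: true },
  { id: 'ok', x: 400, y: 10, w: 300, h: 250, hidden: false },
];
console.log(auditFrames(SAMPLE));
```

The audit has to run against the top-level document (for example from a crawler or browser extension), since a script inside one ad iframe only sees its own frame.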
Piracy sites provide specialized services to fraud ecosystem
Because piracy sites have real human visitors, they have specialized to provide valuable services to the fraud ecosystem; and they get paid handsomely for such services.
• Malware/Adware (runs on PC)
• Toolbars / Ad Injection (in browser)
• Cookie Cloning (for retargeting)
• Mouse Movement Recording
Source: DoubleVerify Case Study
Image Source: BenEdelman.org
Source: Forensiq
• smokeybear.com
• rei.com
• travelandleisure.com
• natgeo.com
= outdoor enthusiast
Why big brands’ anti-fraud solutions don’t detect this fraud
• Didn’t Look: Many big brands still buy digital ads on “reach and frequency” basis and want as many ad impressions as possible, for lower average cost
• Can’t See: Anti-fraud solutions that ride along with the ad (ad tag) cannot see outside its own iframe
• Obfuscated: There are many services that help to obfuscate or “launder” the real origin of the ad impressions
• Viewable: Bad guys don’t play by any rules so they stack hundreds of ads so all of them are “above the fold” and trick viewability measurement tools
• Human: The ad impressions may even appear to be seen by a human because technologies that measure the user environment (e.g. browser version, screen resolution, OS) will detect actual human user
About the Author
Dr. Augustine Fou – Independent Ad Fraud Researcher
Follow me on LinkedIn and on Twitter @acfou
Further reading:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
Harvard Business Review – October 2015
Excerpt:
Hunting the Bots
Fou, a prodigy who earned a Ph.D. from MIT at
23, belongs to the generation that witnessed
the rise of digital marketers, having crafted his
trade at American Express, one of the most
successful American consumer brands, and at
Omnicom, one of the largest global advertising
agencies. Eventually stepping away from
corporate life, Fou started his own practice,
focusing on digital marketing fraud
investigation.
Fou’s experiment proved that fake traffic is
unproductive traffic. The fake visitors inflated
the traffic statistics but contributed nothing to
conversions, which stayed steady even after the
traffic plummeted (bottom chart). Fake traffic is
generated by “bad-guy bots.” A bot is computer
code that runs automated tasks.