What CFEs can do about digital ad fraud

August 2020 / Page 0marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
What CFEs Can Do
About Digital Ad Fraud
August 2020
Augustine Fou, PhD.
acfou [at] mktsci.com

Who am I?
• I am a digital marketer of 23+ years
• I investigate digital ad fraud
• I help clients audit campaigns for
fraud that gets by verification tech
• I show clients the data, teach them
how to find/reduce fraud themselves

What is Ad Fraud?

What is digital ad fraud?
ad impressions shown to
bots/software not to humans
ad fraud

Two main types of ad fraud
Ad Fraud = impressions and clicks
caused by bots, not by humans
Impression Fraud
(CPM) Fraud
(includes mobile display, video ads)
Click Fraud
(CPC) Fraud
(includes mobile search ads)

How bad guys commit ad fraud
1. set up
FAKE SITES
2. buy
FAKE TRAFFIC
3. sell
FAKE ADS

Why is ad fraud bad?
Advertisers Publishers
Bad Guys
1/3
2/3
Ads are not shown
to humans, wasted
ad dollars
Ad revenue declines
because dollars are
stolen by bad guys.
Steal money using fake
ads; siphon dollars out
of ecosystem.

How Big is Ad Fraud?

Everyone has an opinion…
Ads fraud is
“non-existent”
– IAB Australia
“Ad fraud is $6.5
billion or 9% of
display ad spend”
-- ANA/WhiteOps
“88% - 98% of clicks
are generated by
bots”
- Oxford Biochron
… but no one knows

Overall fraud is more than just bots
Sites and apps that cheat may look fine in bot detection reports
1.3% + 57% = 58%
bot fraud site/app fraud overall fraud
bot detection sees this
bot detection misses this

(look at the evidence)

New “largest ever” botnet every year
Vast botnets targeting high-value video ads, disguising/hiding

Millions of apps on millions of phones
Big companies openly committing fraud; in-app is far less measurable
October 2018
https://www.buzzfeednews.com/
article/craigsilverman/how-a-
massive-ad-fraud-scheme-
exploited-android-phones-to
November 2018
article/craigsilverman/android-
apps-cheetah-mobile-kika-
kochava-ad-fraud
March 2019
article/craigsilverman/in-banner-
video-ad-fraud
April 2019
article/craigsilverman/google-
play-store-ad-fraud-du-group-
baidu

Malvertising, Auto-Redirect Attacks
Large-scale malvertising attacks continue through ad networks
January 2018
https://www.blog.geoedge.com/s
ingle-post/2018/01/10/New-
Report-Auto-Redirect-Attacks-
Costing-Publishers-113-Billion
November 2018
https://www.zdnet.com/article/
malicious-code-hidden-in-advert-
images-cost-ad-networks-1-13bn-
last-year/
January 2018
https://blog.confiant.com/uncove
ring-2017s-largest-malvertising-
operation-b84cd38d6b85
April 2019
https://www.bleepingcomputer.com
/news/security/malvertising-
campaign-abused-chrome-to-hijack-
500-million-ios-user-sessions/

Not humans, something else

Why isn’t it detected?

Bad guys easily avoid detection
Blocking of tags, altering measurement to avoid detection
Detection Tag Blocking— analytics
tags/fraud detection tags are accidentally
blocked or maliciously stripped out
“malicious code manipulated data to
ensure that otherwise unviewable ads
showed up in measurement systems
as valid impressions, which resulted in
payment being made for the ad.”
Source: Buzzfeed, March 2018

Traffic sellers’ “high quality traffic”
Many sources to buy “traffic” and even tune “quality” level
Choose Your “Traffic Quality Level”
“Valid traffic” goes
for higher prices

Domain spoofing examples
Fake sites disguise themselves as good domains to sell inventory
“bad actors intentionally disguise the nature of
the ad space they’re selling. … a marketer might
believe they’re paying for ads on FT.com.”
https://www.wsj.com/articles/financial-
times-finds-counterfeit-ad-space-was-
offered-by-at-least-six-companies-
1507563713
“more than 1,400 apps were
found to have loaded ads under
TV Guide’s domain name”
2017 2018

They miss obvious botnets
Bots repeatedly loading ads and pages, 100% Android devices
Devices repeatedly load ads 100% Android 8.0.0 visitors

Legit sites incorrectly marked
Domain (spoofed) % SIVT
esquire.com 77%
travelchannel.com 76%
foodnetwork.com 76%
popularmechanics.com 74%
latimes.com 72%
reuters.com 71%
bid request
fakesite123.com
esquire.com
passes blacklist
passes whitelist
✅
✅
declared
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
appear high.
4. Real esquire.com gets backlisted;
bad guy moves on to another
domain.

(2017) Pop-Unders / Redirects
These forms of fraud typically get by current fraud detection tech
a.k.a. “zero-click” “pop-under”
“forced-view” “auto-nav”
Source: https://www.buzzfeed.com/craigsilverman/remember-tom

(2018) Cheetah was cheating
“Eight apps with a total of more than 2 billion
downloads in the Google Play store have been
exploiting user permissions as part of an ad
fraud scheme that could have stolen millions
of dollars.”
Source: Buzzfeed News, Nov 2018

Fake sites/apps NOT detected
1221e236c3f8703.com
62b70ac32d4614b.com
a6f845e6c37b2833148.com
da60995df247712.com
d869381a42af33b.com
a1b1ea8f418ca02ad4e.com
1de10ecf04779.com
2c0dad36bdb9eb859f0.com
a6be07586bc4a7.com
fe95a992e6afb.com
42eed1a0d9c129.com
da6fda11b2b0ba.com
afa9bdfa63bf7.com
739c49a8c68917.com
baa2e174884c9c0460e.com
d602196786e42d.com
153105c2f9564.com
8761f9f83613.com
20a840a14a0ef7d6.com
31a5610ce3a8a2.com
5726303d87522d05.com
3ac901bf5793b0fccff.com
b014381c95cb.com
2137dc12f9d8.com
06f09b1008ae993a5a.com
fbfd396918c60838.com
97ff623306ff4c26996.com
b1f6fe5e3f0c3c8ba6.com
23205523023daea6.com
6068a17eed25.com
b1fe8a95ae27823.com
f4906b7c15ba.com
eac0823ca94e3c07.com
1f7de8569ea97f0614.com
21c9a53484951.com
24ad89fc2690ed9369.com
efd3b86a5fbddda.com
34c2f22e9503ace.com
0926a687679d337e9d.com
6a40194bef976cc.com
33ae985c0ea917.com
02aa19117f396e9.com
f8260adbf8558d6.com
9376ec23d50b1.com
pushedwebnews.com
a0675c1160de6c6.com
0f461325bf56c3e1b9.com
850a54dbd2398a2.com
com.dxnxbgj.mkridqxviiqaogw
com.obugniljhe.fptvznqwhmcjm
com.bpo.ksuhpsdkgvbtlsw
com.rlcznwgouw.vvtexstbfttngc
com.kasbgf.sbzwtgpcbjexi
com.bprlgbl.vbze
com.zka.lzhsoueilo
com.alxsavx.mizzucnlb
com.jxknvk.lrwfdfirdzpsw
com.tvwvqbt.wbshaguqy
com.iwnxtpahcu.leyuehdwdbb
com.okf.rhvemtykfibzpxj
com.obpmirzste.ldsjpv
com.zmm.shmxvjxnsagndui
com.nqzwr.leusrmpmsq
com.rced.zcdsglptpdlwpu
com.kerms.ehlsgnc
com.cmia.iabhheltm
com.skggynmtx.tyyjnwpefvqtll
com.kgdtltnuv.hayvfhob
com.ztzsiqg.dyojlxdscxws
com.xlwuqe.ddrdhsuosbn
com.rkrhmzee.wjcoznxu
com.ebhzb.hbzvomzpcctovj
Fake sites Fake sites Fake apps

Just because you can’t measure it
… doesn’t mean it’s not there.

“ad fraud is not a tech problem; it’s
an incentives problem – many
stakeholders want it to continue
because it’s so lucrative.”

What is ad fraud like?

Counterfeit goods
Just like fake watches and handbags, fake digital ads

Computer crimes
Hacking, malware, ransomware, drive-by cryptomining
https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/https://www.scmagazine.com/home/security-news/trojanized-apps-
containing-ad-fraud-malware-downloaded-102m-times/

Securities fraud
Deceptive practice of inducing investors with false information
• Revenues derived from
illegal activities
• Inflating revenue,
profits through ad fraud
• Overstating subscribers,
active users, ARPU
• Selling counterfeit
services and products
• Misrepresenting the
capabilities of services,
products
https://www.cnn.com/2019/09/25/tech/match-group-sued/index.html

Illegal Access / Breaches
Harvesting personal info, ecommerce transactions, other data
BreachesIllegal Access
https://www.csoonline.com/article/2130
877/data-breach/the-biggest-data-
breaches-of-the-21st-century.html

Illegal Interception
Keystroke logging to collect logins, passwords, other personal info
Source: Freedom to Tinker, Nov 2017
https://www.thedailybeast.com/california-passes-landmark-
privacy-bill-to-restrict-data-harvesting

Data interference
Alteration or suppression of computer data
Buzzfeed, March 2018
Source:
http://articles.latimes.com/2013/apr/19/business/la-
fi-mo-cookie-stuffing-ebay-20130419
“Laguna Niguel man pleads
guilty in 'cookie stuffing' scam
against Ebay. The online
auctioneer paid Dunning’s
company about $5.2 million in
2006 and 2007, the U.S. Attorney
said.”

Misuse of Devices
Ransomware and malicious cryptomining using humans’ devices
https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/https://www.zdnet.com/article/ransomware-not-dead-just-getting-a-lot-sneakier/

Forgery, falsified profiles
Unverifiable lookalike audiences contain fake profiles/preferences
Bots pretend to be
oncologists by visiting
oncology related sites.
“[LOTAME] purged 400 million
of its over 4 billion profiles after
identifying them as bots.”
Adweek, Feb 2018

Criminal impersonation
Bad guys pretend to be politicians, celebrities to trick consumers

Copyright infringement
Entire pages copied to thousands of other sites, to get free traffic
Google search on entire phrase in quotes:
http://bit.ly/16H9Gk5
Source: Buzzfeed, August 2020

Piracy/Mass Infringement
Large numbers of cloned sites containing 100% pirated content
Mass infringement
sites use pirated
content to attract
human visitors
- Show ads
- Attempt to hack
them or track them

Identity theft scenarios
Stolen personal info can be sold, and also later used in hacking
https://www.experian.com/blogs/ask-experian/heres-how-much-
your-personal-information-is-selling-for-on-the-dark-web/
Data Prices on the Dark Web
https://www.cnn.com/2019/03/09/tech/fac
ebook-ukraine-hackers/index.html

Money laundering scenario
Dollars are laundered as digital media ad spend on “cash out” sites
1. Buy digital media via ad exchanges on sites
directly or indirectly owned by the same entities
2. Pay “ad tech tax” (cut to middlemen)
3. Collect dollars from “cash out” sites, fully
laundered

Wire fraud, mail fraud
Knowingly misrepresenting the capabilities of the … technology
“Allegedly engaged in a multi-million dollar
scheme to defraud investors, as well as a
doctors and patients. charged with two counts
of conspiracy to commit wire fraud and nine
counts of wire fraud.
Holmes and Balwani were accused of knowingly
misrepresenting the capabilities of Theranos'
proprietary blood testing technology. The two
allegedly knew there were "accuracy and
reliability problems," and that it "could not
compete with existing, more conventional
machines," the US Attorney's office said.”
http://money.cnn.com/2018/06/15/technology/elizabeth-
holmes-indicted-theranos/index.html
https://www.slideshare.net/augustinefou/why-fraud-
detection-doesnt-work
https://www.linkedin.com/pulse/brand-safety-
detection-tech-over-representing-what/

Ads fund piracy, porn, hate sites
Source: Adweek, 2013 Source: BusinessInsider, 2014 Source: New York Times 2018

Ad fraud is criminals’
favorite “cash out” activity.

The most profitable criminal activity
2,500 - 4,100% returns
11% returns1% interest
digital ad fraud
stock marketbank interest
“where else can I get multi-
thousands percent returns on
my money? Right. Nowhere.”

“Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
Source: https://www.slideshare.net/augustinefou/state-of-digital-ad-fraud-q2-2018

Digital Marketing circa 2018

About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com

Dr. Augustine Fou – Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017
20192018

What CFEs can do about digital ad fraud

More Related Content

What's hot

Similar to What CFEs can do about digital ad fraud

More from Dr. Augustine Fou - Independent Ad Fraud Researcher

What CFEs can do about digital ad fraud