Entire ecosystem supporting ad fraud 2018

Entire Ecosystem
Supporting Ad Fraud
June 2018
Augustine Fou, PhD.
acfou [at] mktsci.com
212. 203 .7239

“In addition to the ad fraud itself, bad
guys make money by selling the
“picks and shovels” too
– e.g. bots, traffic, clicks, malware,
fake apps, etc.
They have an entire ecosystem to
extract value. What follows are just a
few examples, scratching the surface.”

June 2018 / Page 2
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
From 2015 - Fraud Ecosystem Overview
Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem

June 2018 / Page 3
marketing.science
Ad fraud is simple, scalable
1. set up
FAKE SITES
2. buy
FAKE TRAFFIC
3. sell
FAKE ADS

Fake Sites
Get paid for every fake site created

June 2018 / Page 5
marketing.science
Fake Websites - random
• No content or content
that is assembled (i.e.
plagiarized)
• Content not human
readable
• Stuffed with large
numbers of ads
• Page auto-reloads
• Large abrupt traffic
changes
Get paid to make fake websites for ad fraud

June 2018 / Page 6
marketing.science
Fake Websites - template
• Identical wordpress
templates; no content
or customization

June 2018 / Page 7
marketing.science
Sites with Only Ads
1
2
3
4
5
6
7
8
9
10
• Pages are auto generated by script to
optimize for high value search
keywords and content
• 10 – 15 display ads per page plus text
ads and videos ads, in rotation
• Advertisers should minimize ad dollars
spent on impression (CPM) basis and
focus on paying only when they get
the click (CPC)
• They also auto-refresh pages to load
another 10 – 15 ads
• Many other examples of display ads
shown next to unsavory content
Source: http://www.satelliteguys.us/archive/t-232266.html

June 2018 / Page 8
marketing.science
More examples of fake sites
analyzecanceradvice.com
analyzecancerhelp.com
bestcanceropinion.com
bestcancerproducts.com
bestcancerresults.com
besthealthopinion.com
bettercanceradvice.com
bettercancerhelp.com
betterhealthopinion.com
findcanceropinion.com
findcancerresource.com
findcancertopics.com
findhealthopinion.com
finestcanceradvice.com
finestcancerhelp.com
finestcancerresults.com
getcancerproducts.com
06f09b1008ae993a5a.com
fbfd396918c60838.com
97ff623306ff4c26996.com
b1f6fe5e3f0c3c8ba6.com
23205523023daea6.com
6068a17eed25.com
b1fe8a95ae27823.com
f4906b7c15ba.com
eac0823ca94e3c07.com
1f7de8569ea97f0614.com
21c9a53484951.com
24ad89fc2690ed9369.com
efd3b86a5fbddda.com
34c2f22e9503ace.com
0926a687679d337e9d.com
6a40194bef976cc.com
Fake sites Fake sites
02aa19117f396e9.com
f8260adbf8558d6.com
9376ec23d50b1.com
pushedwebnews.com
a0675c1160de6c6.com
0f461325bf56c3e1b9.com
850a54dbd2398a2.com
8761f9f83613.com
20a840a14a0ef7d6.com
31a5610ce3a8a2.com
5726303d87522d05.com
3ac901bf5793b0fccff.com
b014381c95cb.com
2137dc12f9d8.com
33ae985c0ea917.com
153105c2f9564.com
Fake sites

June 2018 / Page 9
marketing.science
Network of “arcade” sites
Same traffic, same shape, same pages/visit, same bounce
arcadesilver.com
arcadewow.com
remotearcade.com yourchoicegames.com titaniumplay.com
arcadetsunami.com
antarcade.com
airarcade.com
arcadeearth.com
arcadefancy.com
arcadebreak.com
arcadeamazing.com
arcadecore.com
arcadeturbo.com arcadepatriot.com
arcadepatriot.com
Source: SimilarWeb

June 2018 / Page 10
marketing.science
Network of “highlight” sites
Same traffic, same shape, same pages/visit, same bounce
dotahighlight.org cshighlights.org clubesport.com sc2highlight.com
hearthstonehighlight.org leagueoflegendshighlight.info dota2highlight.org hshighlight.com
heroeshighlights.org hearthstonehighlight.com
Source: SimilarWeb

June 2018 / Page 11
marketing.science
Sites are auto-generated
Source: SimilarWeb

June 2018 / Page 12
marketing.science
Fake Content – made by bot
Augustine Fou
- 12 -
Characteristics
• Auto-generated by
bots, stuffed with
search keywords
• Attract organic
search traffic
• Not human
readable
• Stuffed with
affiliate links and
ads

June 2018 / Page 13
marketing.science
Plagiarized content, fact-checks
Google search on entire phrase in
quotes: http://bit.ly/16H9Gk5
Source: Buzzfeed, June 2018

June 2018 / Page 14
marketing.science
$23
(outside Google/Facebook)
There’s 160X more “sites with ads”
Good Publishers “sites with ads”
Source: Verisign, Q4 2016
329M
domains
est. 164 million
“sites that carry ads”
“sites you’ve heard of”
WSJ
ESPN
NYTimes
Economist
Reuters
Elle
0.3%
no ads
carry ads
160X more
78%
programmatic
est. 1 million

Fake Traffic/Users
Get paid selling traffic to sites / apps

June 2018 / Page 16
marketing.science
Fake users (headless browsers)
Headless Browsers
Selenium
PhantomJS
Zombie.js
SlimerJS
Mobile Simulators
35 listed
Bots are made from
malware compromised
PCs or headless browsers
(no screen) in datacenters.

June 2018 / Page 17
marketing.science
Any device with chip/connectivity
Traffic cameras
turned into
botnet (Engadget,
Oct 2015)
mobile devices
webcams
connected
traffic lights
connected cars
thermostat
connected fridge
Security cams
used as 400
Gbps DDoS
botnet (Engadget,
Jun 2016)
…can be used as a bot

June 2018 / Page 18
marketing.science
Tricking measurement beacons
Source: AdWeek, 2013
Measurement beacons were routinely tricked to count higher traffic
Phantom Sites multiply traffic

June 2018 / Page 19
marketing.science
Infinite page auto-redirects
How much does it cost?
How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”

June 2018 / Page 20
marketing.science
Feed traffic to other sites
% traffic share from 15+ referring
sites is TOO SIMILAR (~ 2% )
Advertisers
impacted

June 2018 / Page 21
marketing.science
Fraud apps loading webpages
“fraud sites’ traffic comes from apps that load hidden webpages”

June 2018 / Page 23
marketing.science
“Naked Ad Calls” (load ad, not page)
Why load entire webpage when you can just load
the ad (save bandwidth) and still get paid?
Pass fake data
via query strings

June 2018 / Page 24
marketing.science
“Naked Ad Calls” are rampant
“just call the ad, and not the webpage, to save bandwidth”
Good Publishers
Exchange Media
Bottom of Barrel
47% avg
77% avg
11% avg

June 2018 / Page 25
marketing.science
Oooh baby, that’s a lot …
Highlighted
domains are
interspersed with
large sites that
you know many
humans go to.
These are DAILY
quantities of
impressions.
Notice the large
quantities; some
are larger than
mainstream sites.

June 2018 / Page 26
marketing.science
Video Ads in Display Slots
Source: Mediapost, March 2018
“arbitrage cheap low
demand 300×250 ad units
with high-demand expensive
video ads.
buys a static 300×250
banner ad for $2 CPM adds a
video player and then resells
it as a $9 CPM video ad
unit.”

Beyond ad fraud …
Tools and techniques of the trade

Fake Audiences
Make money charging data CPMs

June 2018 / Page 29
marketing.science
Fake audiences for retargeting
“cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted

June 2018 / Page 30
marketing.science
Fake segments for targeting
Bots browse different items by season to attract higher retargeting CPMs
Source: DataXu/DoubleVerify Webinar, April 2015
“look at backpacks in back-to-school season – to get retargeted”

June 2018 / Page 31
marketing.science
Segment: purchasers - no difference
“Frequent Buyers” “Heavy Buyers”
“Recent Purchaser - Books”
Control: No Targeting
+$1.00 data CPM
+$1.00 data CPM
+$1.75 data CPM

June 2018 / Page 32
marketing.science
(2018) Lotame purges 400M
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
fraudulent accounts.
Lotame CEO Andy
Monfried estimated
that 40 percent of all
web traffic is fictional.”
Adweek, Feb 2018

Fake Accounts
Make money setting up fake accounts

June 2018 / Page 34
marketing.science
Fake Facebook profiles
Sell “likes”; now used to simulate user engagement/audiences

June 2018 / Page 35
marketing.science
(2018) Facebook purges 1.3 billion
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
accounts.
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018

June 2018 / Page 36
marketing.science
Fake LinkedIn Profiles
bot generated content
stock photo
Used to simulate “user engagement” (ad clicks), audiences

June 2018 / Page 37
marketing.science
Fake Twitter Accounts
Used for “follower” fraud when marketers paid for more followers

June 2018 / Page 38
marketing.science
Fake influencers - uncovered
Source: Adweek, Jun 2018
Fake influencers bought followers to appear to be influential
“an array of entertainers, entrepreneurs,
athletes and media figures, … bought Twitter
followers or artificial engagement. A New
York Times article on Saturday describing a
vast trade in fake followers and fraudulent
engagement on Twitter and other social
media sites, often using personal
information taken from real users.

June 2018 / Page 39
marketing.science
(2018) Twitter purges fake accounts
Source: Engadget Mar 2018 Source: NYTimes Jan 2018

June 2018 / Page 40
marketing.science
Fake YouTube Videos
http://www.youtube.com /watch?v=xnkM9RrDzhM
Banned Celebrity Sex Tapes
bannedsextapes .com
For driving fake referral traffic to sites, attribution fraud

June 2018 / Page 41
marketing.science
Fake video views - purchased
http://www.youtube.com/watch?v=iP6XpLQM2Cs
Actual interest
Straight line
– purchased views

June 2018 / Page 42
marketing.science
Youtube views on blank page

June 2018 / Page 43
marketing.science
Fake YouTube Videos for SEO
http://www.youtube.com /watch?v=upSOCzlSoHk
http://www.youtube.com/
watch?v=lhbDGpqCmZQ
http://www.youtube.com/
watch?v=UcdiM4uD6fM
http://www.youtube.com
/watch?v=an6xRpQ5Wh8
Duplicated videos
Keyword-stuffed for video SEO for fake sites (free traffic)
Some carry ads to
generate ad revenue

June 2018 / Page 44
marketing.science
Fake Sweepstakes
To steal users’ email addresses and other personal information

June 2018 / Page 45
marketing.science
Fake Personality Quizzes
Used to harvest personal info, meta data for later use in hacking
Source: The Atlantic, Jul 2017
Harvesting self-selected face photos
(can be used to unlock FaceID)

Fake Mobile
Rent out fake mobile device “botnets”

June 2018 / Page 47
marketing.science
You can’t scale physical devices
May 26 Forbes “Judy Malware”
• 36 million fake devices to
load bad apps
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
Source: June 2017 “Chinese click
fraud gang in Thailand arrested”
300 real devices
used for click fraud
millions of mobile
simulators for ad fraud

June 2018 / Page 48
marketing.science
Fake devices (mobile simulators)
Download and Install Apps
Launch and Interact

June 2018 / Page 49
marketing.science
Fake Installs / Attribution
Install Fraud
“fake devices installing legit
apps, get paid on CPI”
App install spend $6B (2017E)
Source: BusinessInsider, June 2016
Source: AdAge, Sept 2017

June 2018 / Page 50
marketing.science
Fake downloads, boost rank
Download/purchase own apps with bots to get to top 25 list

June 2018 / Page 51
marketing.science
Fake devices, loading pages
Repeated hits by same device/browser, same ip address

June 2018 / Page 52
marketing.science
Fake IDFAs on real devices
Source: Cinarra Systems
Rotating faked IDFAs allow mobile devices to defeat frequency caps

June 2018 / Page 53
marketing.science
Fake apps compromise humans
Source: The Inquirer Oct 2017
Source: Daily Mail May 2015
https://www.inc.com/minda-
zetlin/fake-whatsapp-app-on-
google-play-store-fooled-1-
million-into-downloading-it-
did-you.html

June 2018 / Page 54
marketing.science
Fake apps absorb all budget
com.jiubang com.flashlight com.latininput
com.dxnxbgj.mkridqxviiqaogw
com.obugniljhe.fptvznqwhmcjm
com.bpo.ksuhpsdkgvbtlsw
com.rlcznwgouw.vvtexstbfttngc
com.kasbgf.sbzwtgpcbjexi
com.bprlgbl.vbze
com.zka.lzhsoueilo
com.alxsavx.mizzucnlb
com.jxknvk.lrwfdfirdzpsw
com.tvwvqbt.wbshaguqy
com.iwnxtpahcu.leyuehdwdbb
Fake apps
Top 5 apps = 100% of imps

June 2018 / Page 55
marketing.science
Faked geolocation, higher CPM
Not Normal – in both campaigns
1. 100% mobile apps; 100% Android; same top 15 apps in both markets
2. 100% of impressions generated between 4a – 5a local time
3. 100% fake devices; 15 unique devices generated top 95% impressions

June 2018 / Page 56
marketing.science
App cloning, free adware SDKs
Apps are cloned
thousands of times;
some didn’t even
bother to change the
colors or cover
graphics.
Bad guys accidentally
cloned apps that
already had detection
SDK in it – from 312, to
750, to 1,330 copies.
Source: CNBC, Aug 2017

June 2018 / Page 57
marketing.science
Apps’ primary revenue is ads
In-App
Advertising
App Store
Source: SensorTower

June 2018 / Page 58
marketing.science
Top mobile apps by ad revenue
Top mobile apps
by ad revenue
Are entirely
different than
ones humans
spend the most
time with

June 2018 / Page 59
marketing.science
Fake apps compromise devices
Source: Independent, Jun 2018
Source: Fortune, July 2016

June 2018 / Page 60
marketing.science
$23
(outside Google/Facebook)
700X more
There’s 700X more fake apps
7M
apps
Source: Statista, March 2017
6.99 million
96% “apps that carry ads”
10,000
“apps you’ve heard of”
Facebook
Spotify
Pandora
Zynga
Pokemon
YouTube
Facebook, 2015
Users use 8 – 15 apps on
their phones.
Spotify, 2016
People have 25 apps on their
phones, use 5-8 regularly
Forrester Research, May 2017
Humans “use 9 apps per day,
30 per month”
78%
programmatic

June 2018 / Page 61
marketing.science
(2015) Going on for long time
Source: BusinessInsider, July 2015
“A user downloads an app
from the official app store
— which may look
legitimate and have
hundreds of positive reviews
— which then runs in the
background, serving
hundreds of ads at a rate as
high as 20 ads per minute”
Known and documented
for years – now mobile is
majority of digital spend

June 2018 / Page 62
marketing.science
Got 100M credit card numbers?
Amateur Criminals
Buy HDTV at Walmart
with stolen credit card;
get caught, card is
deactivated.
Pro Criminals
Automate millions of $0.99 in-
game purchases of “power-
ups, shields, virtual goods” to
fully launder the plunder.

Tools for disguising,
laundering

June 2018 / Page 64
marketing.science
Luminati
Geosurf
Residential ips
Proxy services, free VPNs
Rent out residential IPs for disguising bots

June 2018 / Page 65
marketing.science
Methbot, Hyphbot (video fraud)
Source: Dec 2016 WhiteOps
Discloses Methbot Research
“Methbot, steals $2 billion
annualized; and it avoided
detection for years.”
• Targeted video ad inventory
$13 average CPM, 10X higher
than display ads
• Disguised as residential
bots pretended to be from
residential IP addresses
2016
Source: Adform, Nov 2017
“Hyphbot, targeted video
ad inventory avoided
detection.”
2017
• active through at least 14
different exchanges and SSPs
• generating up to 1.5 billion
requests per day
• generated fake traffic on
more than 34,000 different
domains, 600k IP addresses

June 2018 / Page 66
marketing.science
Tech tools to randomize data
Source: Ratko Vidakovic

June 2018 / Page 67
marketing.science
Faked Google Analytics
Source: https://youtu.be/6_F-NAvr39o
Demo of how Google Analytics can be faked to show traffic that doesn’t exist

June 2018 / Page 68
marketing.science
Faked mouse moves/clicks
Source: https://youtu.be/HeGYr3jwubY
Demo of fake mousemovements and clicks using javascript

June 2018 / Page 69
marketing.science
Click spamming
Click injection
Click flooding
Faked attribution, clicks
Attribution urls or SDKs can be called to create fake clicks
https://www.slideshare.net/inmobi/a-cure-for-
adfraud-turning-fraud-detection-into-fraud-prevention
Source: Method Media Intelligence

June 2018 / Page 70
marketing.science
Criteo vs Steelhouse Suit
Source: BusinessInsider June 2016
“Both Criteo and SteelHouse use
a pay-per-click pricing model,
which means they only generate
revenue when users click on the
ads they have served.
Criteo alleges in the suit that
SteelHouse ‘counterfeited clicks
to trick e-tailers into attributing
sales to SteelHouse that should
have been attributed to Criteo,
other competitors and partners,
or direct traffic.’"

June 2018 / Page 71
marketing.science
Fake ad agencies to buy ads
Source: Confiant, Jan 2018
“Beginads was only briefly used to
establish relationships with ad
platforms as a fake ad agency.
Zirconium established a well thought-
out organization to maximize both
Supply (user traffic) and Demand
(landing pages).
Supply is brought in by the fake
agencies, establishing relationships
with legitimate ad platforms, and
buying traffic. Having multiple
relationships makes the operation
more robust (in case an agency gets
caught) and stealthier — as each
agency poses as a long-tail small
business agency and buys small
amounts at a time.”

June 2018 / Page 72
marketing.science
Affiliate Fraud – Cookie Stuffing
“eBay paid Hogan a staggering $28
million in affiliate marketing sales
commissions over the years,
according to court papers.”
Source: http://www.businessinsider.com/eb
ay-the-fbi-shawn-hogan-and-brian-dunning-
2013-4#ixzz34WHjnefM
Source:
http://articles.latimes.com/2013/apr/19/b
usiness/la-fi-mo-cookie-stuffing-ebay-
20130419
“Laguna Niguel man pleads guilty
in 'cookie stuffing' scam against
Ebay. The online auctioneer paid
Dunning’s company about $5.2
million in 2006 and 2007, the U.S.
Attorney said.”
Keywords: cookie stuffing
Many more case studies published by Ben Edelman
http://www.benedelman.org/

Creating / multiplying
“inventory”

June 2018 / Page 74
marketing.science
Browser toolbars/extensions
Source: Ars Technica Jan 2018 Source: Shailin Dhar 2016
Toolbars/extensions to create traffic, fake clicks, log keystrokes

June 2018 / Page 75
marketing.science
Fake ad blockers load more ads
Source: Engadget, April 2018
Thought you blocked ads? No, even more loaded in background

June 2018 / Page 76
marketing.science
Pop-unders on porn sites
Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017
Porn sites have real humans; pop-unders load continuous ads

June 2018 / Page 77
marketing.science
Auto-redirects – hidden iframe
Source: GeoEdge, Jan 2018
“Hidden Auto-Redirects,
… opens invisible
iframes, and
unbeknownst to the
user, goes on its own
delivery path, serving
and clicking on ads
automatically.”

June 2018 / Page 78
marketing.science
Apps load ads in background
Source: ImpScore.io - https://www.youtube.com/watch?v=w-i-ue8fPCc
“fake apps or fraud apps (real apps that misbehave) continuously
load display ad impressions in the background, inflate revenue”

June 2018 / Page 79
marketing.science
Bots load ads in background
Source: https://www.youtube.com/watch?v=IiVZC8eM_xE
Continuous loading of ads in the background and randomizing
page loads

June 2018 / Page 80
marketing.science
Pages load ads in background
“dark processes” are continuous loading of ads, in background
https://youtu.be/utoN_VlxtE0
(demo video of page continuously
loading ads in the background)

June 2018 / Page 81
marketing.science
Dark pages – hidden pages for ads
“dark pages” are NOT seen when sites are manually checked
Pages you can see, navigate to Dark Pages you cannot navigate to
(look normal, low # of ads) More ads, trackers, auto-refresh
Normal Dark Pages

Malware / Adware
Compromise more devices for botnet

June 2018 / Page 83
marketing.science
Malware makes money via ads
2017 Checkpoint “Fireball”
• 250 million infected devices
• primary use = ad fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute
“Fireball has two main
functionalities: the ability of
running any code on victim
computers–downloading any file
or malware, and hijacking and
manipulating infected users’ web-
traffic to generate ad-revenue”
Source: Check Point, 2017 Source: BitDefender Labs, 2018
“The main goal of Zacinlo is to
deliver adware, displaying
adverts developed by the
attackers in webpages the user
visits and to secretly click
through to them in order to
generate ad revenue.

June 2018 / Page 84
marketing.science
Malvertising / Ransomware
Source: ZDNet, March 2017 Source: TechRepublic, June 2017

June 2018 / Page 85
marketing.science
Drive-by Malware/Cryptomining
Source: Malwarebytes, Feb 2018
Source: ComputerWeekly March 2016

June 2018 / Page 86
marketing.science
Pre-installed malware/adware
Source: TheVerge, Jul 2017 Source: CNN, Feb 2015

June 2018 / Page 87
marketing.science
Hacked Wordpress/Drupal Sites
Source: Wordfence, Apr 2016 Source: TechCrunch, April 2018
Compromised to deliver malware to unsuspecting visitors

June 2018 / Page 88
marketing.science
Fake VPN – malware/ads
Source: PC Magazine, Jun 2018
“The free programs are merely
a guise for a notorious adware
strain, dubbed Zacinlo, that's
been harassing Windows PCs
since 2012.
Once installed, the apps can
secretly download other
programs on your computer,
take screen shots from the
desktop, and inject ads into
your web browser, security firm
Bitdefender said in a
Monday report.”

June 2018 / Page 89
marketing.science
Google Safebrowsing Report
Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem
We are at HISTORIC highs for malware and phishing

Stealing/Harvesting
personal info

June 2018 / Page 91
marketing.science
Countless big data breaches
Harvesting personal info for use in various forms of attacks later

June 2018 / Page 92
marketing.science
Compromised databases
Source: Hacker News, Jun 2018 Source: compsec, Jan 2017

June 2018 / Page 93
marketing.science
Fake Leads (Lead Fraud)
Fake leads
• Previously filled out by hand
• Now, fully automated with
bots using databases of real
postal addresses, etc. (that
trick verification engines)
Use personal data from prior breaches to complete forms

June 2018 / Page 94
marketing.science
3rd party trackers leak user info

June 2018 / Page 95
marketing.science
(2017) User data exfiltration
“Emails, usernames,
passwords -- exfiltration
of personal data by
session-replay scripts; and
recording of user actions
on the site.”
Source: Freedom to Tinker, Nov 2017

June 2018 / Page 96
marketing.science
Compromised apps to steal info
Source: Gadgets 360, June 2018
Source: ZDNet March 2018

June 2018 / Page 97
marketing.science
Piracy sites’ specialized tasks
• Malware on humans’ PCs
are used to make botnets
• Real human’s cookies
used for retargeting
Piracy Sites
Specialty
• CPM on served ads
• Get paid to plant malware
Revenue
Fraud Types • Malware / Toolbar / Virus
• Sourced Traffic
• Fake Ad Impressions
Since there are real humans going
to piracy sites and navigating them,
their mouse movements and
keystrokes can be recorded for
replay attacks later.

June 2018 / Page 98
marketing.science
Ad Blocking / GPDR
Source: CNBC, June 2018
Humans block ads and DON’T give consent; ads are served to bots
“Humans block ads; bots want ads to
load – so after ad blocking, most of
the remaining ads are shown to bots.

Bad Measurement
and Faked Analytics

June 2018 / Page 100
marketing.science
Bad Measurement of IVT
Incorrect IVT Measurement
Source 3 - in ad iframe, badly sampled
Sources 1 and 2
corroborate
One agency insists on
one fraud detection
company (that is owned
by same holding
company), despite
proven errors in IVT
measurement (due to
sampling and tag being in
ad iframe).
Agency uses high IVT
numbers to get refunds,
which agency keeps as
profit for themselves.

marketing.science
Opposite results from tag placement
In-Ad
(in foreign iframe)
On-Site
(on page)
window sizes detected
as 0x0 or 0x8 pixels correct window sizes
for ads detected
0% humans
60% bots
60% humans
3% bots
“fraud measurements could be entirely wrong, depending
on where the tag is placed – in-ad versus on-site.”

marketing.science
Legit sites wrongly blacklisted
Domain (spoofed) % SIVT
esquire.com 77%
travelchannel.com 76%
foodnetwork.com 76%
popularmechanics.com 74%
latimes.com 72%
reuters.com 71%
bid request
fakesite123.com
esquire.com
passes blacklist
passes whitelist
✅
✅
declared
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
appear high.
4. Real esquire.com gets backlisted;
bad guy moves on to another
domain.

marketing.science
declared to be:
Brand safety tech doesn’t work
Pre-scanned Domain List
In-ad tag
Ad tags that are in the foreign
iframe (different domain) cannot
look outside the iframe – i.e.
cannot read content on the site
to determine brand safety.
bad word
porn
terrorism
hate
badsite123.com
badsite123.com
badsite123.com
badsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
Domain Placement Reports
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
FAILS because it is not directly
measured; relies on domain placement
reports which have declared data.

marketing.science
Fraud filter no better than blacklist
1.Fraud filters are no better than manual blacklists
2.In some cases, there’s MORE fraud when filter is on
3.Using fraud filters adds 20 – 24% to costs; manual
blacklists are free

marketing.science
“Verified” no different than control
“Verified Bots”
“Verified Humans”
Control: No Targeting
+$0.25 data CPM
+$0.25 data CPM
“verified bots” and “verified
humans” showed no difference in
quality to each other – AND both
were no different than the
control where no targeting
was used.

marketing.science
Bad guys trick measurement
SDK Spoofing— code in an app that sends simulated ad
clicks and engagement signals to the attribution provider
… [to] fool an advertiser into paying for fraudulent
impressions/views.
Attribution Fraud— code that executes clicks (click
spamming, click injection) so fraudster can claim credit
for downstream conversions.
Detection Tag Blocking— fake or fraudulent apps
can selectively block fraud detection tags or
manipulate analytics data.

marketing.science
Simple code to trick viewability
“This code manipulated
data to ensure that
otherwise unviewable
ads showed up in
measurement systems
as valid impressions,
which resulted in
payment being made
for the ad.”
Buzzfeed, March 2018

marketing.science
Bots easily trick AI/ML algorithms
“Humans (blue) are hard to predict …
… but bots give you beautiful signals – 1 or 0.”
Source: Claudia Perlich, PhD.
Data Scientist

marketing.science
Fake or plagiarized ads.txt
Source: MediaMath
Fake sites rushed to put ads.txt files in place, to continue to sell
“the company will only
buy … from publishers
who have an ads.txt file
in place.”
“completely useless…
… fake and fraud sites just
put ads.txt files in place
or plagiarized content
from other publishers to
stick in their own files.”

marketing.science
Fake botnet for PR
“used highly sophisticated techniques
to fraudulently load ads on the
affected sites without the site
owners' consent, leveraging a new
methodology that allows it to
monetize inventory on premium
domains.”
“none of this actually happened; it was completely
fabricated for the press release announcing their
new algo – ‘dramatic improvements to its automated
traffic detection .. primarily through …machine
learning methodologies’. The failure was due to their
analyzing only pre-bid data, which was faked. There
were no ads injected into any of the sites they
named in the press release. This was confirmed by
each of the good publishers, falsely accused.”

marketing.science
Discrepancies – won vs served
DSP says Adserver says
Why actually serve the
ad if you already get paid
based on the number of
impressions won?
From the data, the more
fraudulent the site, the
greater the discrepancy
– e.g. 80 – 100%

marketing.science
“He said, she said” stalemate
Marketer/Buyer Publisher/Seller
Selects fraud verification
Vendor A that consistently finds
higher IVT – so they can get
bigger refunds on their media
buys (use it like discounts).
Selects fraud verification
Vendor B that finds lower
IVT to help them defend
against false accusations of
fraud and refund requests.
Vendor A Vendor B
MRC Accredited
MRC Accredited
“high IVT” “low IVT”
“it comes down to negotiation or relative power; so it is
no better than if NO fraud detection were used at all.”

With all this “support,”
no wonder …

“Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
Source: https://www.slideshare.net/augustinefou/state-of-digital-ad-fraud-q2-2018

marketing.science
Two main kinds of ad fraud
“Everything else is a derivative of (e.g.
cost-per-install fraud), or in support of (e.g.
tricking measurement, attribution, covering
tracks) the above 2 forms of ad fraud.”
Impression Fraud
(CPM) Fraud
(includes mobile display, video ads)
Click Fraud
(CPC) Fraud
(includes mobile search ads)

marketing.science
Why? Largest buckets of spend
Leads
(CPL)
Sales
(CPA)
Lead Gen
$2.0B
Other
$5.0B
• classifieds
• sponsorship
• rich media
Impressions
(CPM/CPV)
Clicks
(CPC)
Search 46%
Display 31%
Video 14%
91% digital ad spend Source: IAB FY 2017 Report
9% spend

marketing.science
Digital Ad Fraud is At All Time Highs
Digital Ad Spend
($ billions)
Actuals Projected
Digital Ad Fraud
($ billions)

marketing.science
F*********************k
DDoS attacks overwhelm with traffic; now use traffic to make ad revenue
Google Digital Attack Map

marketing.science
Only way to tell – pause or cut
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
said.
Source: WSJ, March 2018
P&G: cut $200M, no impact

marketing.science
So what?
• Tried and true attacks/techniques continue to be used –
they are just more automated now and scalable in digital
• Assume everything is compromised (all personal details)
and look for tell-tale signs and anything suspicious, dig in.
• “Don’t trust, and always verify” and definitely don’t trust
the verification numbers where no supporting details are
provided; how would you know if it is right or not?
• Run experiments to test hypotheses and check hunches; for
example pause or cut spending to see if any business
outcomes go down?
• Use your common sense to solve fraud and run real digital
marketing campaigns that yield real business outcomes.

marketing.science
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239

marketing.science
Dr. Augustine Fou – Independent Ad Fraud Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017

Entire ecosystem supporting ad fraud 2018

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Entire ecosystem supporting ad fraud 2018

Ähnlich wie Entire ecosystem supporting ad fraud 2018 (20)

Mehr von Dr. Augustine Fou - Independent Ad Fraud Researcher

Mehr von Dr. Augustine Fou - Independent Ad Fraud Researcher (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Entire ecosystem supporting ad fraud 2018