“In addition to the ad fraud itself, bad guys make money by selling the “picks and shovels” too – e.g. bots, traffic, clicks, malware, fake apps, etc. They have an entire ecosystem to extract value. What follows are just a few examples, scratching the surface.”
2. “In addition to the ad fraud itself, bad
guys make money by selling the
“picks and shovels” too
– e.g. bots, traffic, clicks, malware,
fake apps, etc.
They have an entire ecosystem to
extract value. What follows are just a
few examples, scratching the surface.”
3. June 2018 / Page 2
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
From 2015 - Fraud Ecosystem Overview
Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem
4. June 2018 / Page 3
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Ad fraud is simple, scalable
1. set up
FAKE SITES
2. buy
FAKE TRAFFIC
3. sell
FAKE ADS
6. June 2018 / Page 5
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Websites - random
• No content or content
that is assembled (i.e.
plagiarized)
• Content not human
readable
• Stuffed with large
numbers of ads
• Page auto-reloads
• Large abrupt traffic
changes
Get paid to make fake websites for ad fraud
7. June 2018 / Page 6
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Websites - template
• Identical wordpress
templates; no content
or customization
8. June 2018 / Page 7
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Sites with Only Ads
1
2
3
4
5
6
7
8
9
10
• Pages are auto generated by script to
optimize for high value search
keywords and content
• 10 – 15 display ads per page plus text
ads and videos ads, in rotation
• Advertisers should minimize ad dollars
spent on impression (CPM) basis and
focus on paying only when they get
the click (CPC)
• They also auto-refresh pages to load
another 10 – 15 ads
• Many other examples of display ads
shown next to unsavory content
Source: http://www.satelliteguys.us/archive/t-232266.html
10. June 2018 / Page 9
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Network of “arcade” sites
Same traffic, same shape, same pages/visit, same bounce
arcadesilver.com
arcadewow.com
remotearcade.com yourchoicegames.com titaniumplay.com
arcadetsunami.com
antarcade.com
airarcade.com
arcadeearth.com
arcadefancy.com
arcadebreak.com
arcadeamazing.com
arcadecore.com
arcadeturbo.com arcadepatriot.com
arcadepatriot.com
Source: SimilarWeb
11. June 2018 / Page 10
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Network of “highlight” sites
Same traffic, same shape, same pages/visit, same bounce
dotahighlight.org cshighlights.org clubesport.com sc2highlight.com
hearthstonehighlight.org leagueoflegendshighlight.info dota2highlight.org hshighlight.com
heroeshighlights.org hearthstonehighlight.com
Source: SimilarWeb
12. June 2018 / Page 11
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Sites are auto-generated
Source: SimilarWeb
13. June 2018 / Page 12
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Content – made by bot
Augustine Fou
- 12 -
Characteristics
• Auto-generated by
bots, stuffed with
search keywords
• Attract organic
search traffic
• Not human
readable
• Stuffed with
affiliate links and
ads
14. June 2018 / Page 13
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Plagiarized content, fact-checks
Google search on entire phrase in
quotes: http://bit.ly/16H9Gk5
Source: Buzzfeed, June 2018
15. June 2018 / Page 14
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
$23
(outside Google/Facebook)
There’s 160X more “sites with ads”
Good Publishers “sites with ads”
Source: Verisign, Q4 2016
329M
domains
est. 164 million
“sites that carry ads”
“sites you’ve heard of”
WSJ
ESPN
NYTimes
Economist
Reuters
Elle
0.3%
no ads
carry ads
160X more
78%
programmatic
est. 1 million
17. June 2018 / Page 16
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake users (headless browsers)
Headless Browsers
Selenium
PhantomJS
Zombie.js
SlimerJS
Mobile Simulators
35 listed
Bots are made from
malware compromised
PCs or headless browsers
(no screen) in datacenters.
18. June 2018 / Page 17
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Any device with chip/connectivity
Traffic cameras
turned into
botnet (Engadget,
Oct 2015)
mobile devices
webcams
connected
traffic lights
connected cars
thermostat
connected fridge
Security cams
used as 400
Gbps DDoS
botnet (Engadget,
Jun 2016)
…can be used as a bot
19. June 2018 / Page 18
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Tricking measurement beacons
Source: AdWeek, 2013
Measurement beacons were routinely tricked to count higher traffic
Phantom Sites multiply traffic
20. June 2018 / Page 19
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Infinite page auto-redirects
How much does it cost?
How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
21. June 2018 / Page 20
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Feed traffic to other sites
% traffic share from 15+ referring
sites is TOO SIMILAR (~ 2% )
Advertisers
impacted
22. June 2018 / Page 21
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fraud apps loading webpages
“fraud sites’ traffic comes from apps that load hidden webpages”
24. June 2018 / Page 23
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
“Naked Ad Calls” (load ad, not page)
Why load entire webpage when you can just load
the ad (save bandwidth) and still get paid?
Pass fake data
via query strings
25. June 2018 / Page 24
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
“Naked Ad Calls” are rampant
“just call the ad, and not the webpage, to save bandwidth”
Good Publishers
Exchange Media
Bottom of Barrel
47% avg
77% avg
11% avg
26. June 2018 / Page 25
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Oooh baby, that’s a lot …
Highlighted
domains are
interspersed with
large sites that
you know many
humans go to.
These are DAILY
quantities of
impressions.
Notice the large
quantities; some
are larger than
mainstream sites.
27. June 2018 / Page 26
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Video Ads in Display Slots
Source: Mediapost, March 2018
“arbitrage cheap low
demand 300×250 ad units
with high-demand expensive
video ads.
buys a static 300×250
banner ad for $2 CPM adds a
video player and then resells
it as a $9 CPM video ad
unit.”
30. June 2018 / Page 29
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake audiences for retargeting
“cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted
31. June 2018 / Page 30
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake segments for targeting
Bots browse different items by season to attract higher retargeting CPMs
Source: DataXu/DoubleVerify Webinar, April 2015
“look at backpacks in back-to-school season – to get retargeted”
32. June 2018 / Page 31
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Segment: purchasers - no difference
“Frequent Buyers” “Heavy Buyers”
“Recent Purchaser - Books”
Control: No Targeting
+$1.00 data CPM
+$1.00 data CPM
+$1.75 data CPM
33. June 2018 / Page 32
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
(2018) Lotame purges 400M
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
fraudulent accounts.
Lotame CEO Andy
Monfried estimated
that 40 percent of all
web traffic is fictional.”
Adweek, Feb 2018
35. June 2018 / Page 34
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Facebook profiles
Sell “likes”; now used to simulate user engagement/audiences
36. June 2018 / Page 35
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
(2018) Facebook purges 1.3 billion
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
accounts.
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018
37. June 2018 / Page 36
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake LinkedIn Profiles
bot generated content
stock photo
Used to simulate “user engagement” (ad clicks), audiences
38. June 2018 / Page 37
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Twitter Accounts
Used for “follower” fraud when marketers paid for more followers
39. June 2018 / Page 38
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake influencers - uncovered
Source: Adweek, Jun 2018
Fake influencers bought followers to appear to be influential
“an array of entertainers, entrepreneurs,
athletes and media figures, … bought Twitter
followers or artificial engagement. A New
York Times article on Saturday describing a
vast trade in fake followers and fraudulent
engagement on Twitter and other social
media sites, often using personal
information taken from real users.
40. June 2018 / Page 39
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
(2018) Twitter purges fake accounts
Source: Engadget Mar 2018 Source: NYTimes Jan 2018
41. June 2018 / Page 40
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake YouTube Videos
http://www.youtube.com /watch?v=xnkM9RrDzhM
Banned Celebrity Sex Tapes
bannedsextapes .com
For driving fake referral traffic to sites, attribution fraud
42. June 2018 / Page 41
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake video views - purchased
http://www.youtube.com/watch?v=iP6XpLQM2Cs
Actual interest
Straight line
– purchased views
43. June 2018 / Page 42
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Youtube views on blank page
44. June 2018 / Page 43
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake YouTube Videos for SEO
http://www.youtube.com /watch?v=upSOCzlSoHk
http://www.youtube.com/
watch?v=lhbDGpqCmZQ
http://www.youtube.com/
watch?v=UcdiM4uD6fM
http://www.youtube.com
/watch?v=an6xRpQ5Wh8
Duplicated videos
Keyword-stuffed for video SEO for fake sites (free traffic)
Some carry ads to
generate ad revenue
45. June 2018 / Page 44
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Sweepstakes
To steal users’ email addresses and other personal information
46. June 2018 / Page 45
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Personality Quizzes
Used to harvest personal info, meta data for later use in hacking
Source: The Atlantic, Jul 2017
Harvesting self-selected face photos
(can be used to unlock FaceID)
48. June 2018 / Page 47
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
You can’t scale physical devices
May 26 Forbes “Judy Malware”
• 36 million fake devices to
load bad apps
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
Source: June 2017 “Chinese click
fraud gang in Thailand arrested”
300 real devices
used for click fraud
millions of mobile
simulators for ad fraud
49. June 2018 / Page 48
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake devices (mobile simulators)
Download and Install Apps
Launch and Interact
50. June 2018 / Page 49
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Installs / Attribution
Install Fraud
“fake devices installing legit
apps, get paid on CPI”
App install spend $6B (2017E)
Source: BusinessInsider, June 2016
Source: AdAge, Sept 2017
51. June 2018 / Page 50
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake downloads, boost rank
Download/purchase own apps with bots to get to top 25 list
52. June 2018 / Page 51
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake devices, loading pages
Repeated hits by same device/browser, same ip address
53. June 2018 / Page 52
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake IDFAs on real devices
Source: Cinarra Systems
Rotating faked IDFAs allow mobile devices to defeat frequency caps
54. June 2018 / Page 53
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake apps compromise humans
Source: The Inquirer Oct 2017
Source: Daily Mail May 2015
https://www.inc.com/minda-
zetlin/fake-whatsapp-app-on-
google-play-store-fooled-1-
million-into-downloading-it-
did-you.html
55. June 2018 / Page 54
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake apps absorb all budget
com.jiubang com.flashlight com.latininput
com.dxnxbgj.mkridqxviiqaogw
com.obugniljhe.fptvznqwhmcjm
com.bpo.ksuhpsdkgvbtlsw
com.rlcznwgouw.vvtexstbfttngc
com.kasbgf.sbzwtgpcbjexi
com.bprlgbl.vbze
com.zka.lzhsoueilo
com.alxsavx.mizzucnlb
com.jxknvk.lrwfdfirdzpsw
com.tvwvqbt.wbshaguqy
com.iwnxtpahcu.leyuehdwdbb
Fake apps
Top 5 apps = 100% of imps
56. June 2018 / Page 55
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Faked geolocation, higher CPM
Not Normal – in both campaigns
1. 100% mobile apps; 100% Android; same top 15 apps in both markets
2. 100% of impressions generated between 4a – 5a local time
3. 100% fake devices; 15 unique devices generated top 95% impressions
57. June 2018 / Page 56
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
App cloning, free adware SDKs
Apps are cloned
thousands of times;
some didn’t even
bother to change the
colors or cover
graphics.
Bad guys accidentally
cloned apps that
already had detection
SDK in it – from 312, to
750, to 1,330 copies.
Source: CNBC, Aug 2017
58. June 2018 / Page 57
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Apps’ primary revenue is ads
In-App
Advertising
App Store
Source: SensorTower
59. June 2018 / Page 58
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Top mobile apps by ad revenue
Top mobile apps
by ad revenue
Are entirely
different than
ones humans
spend the most
time with
60. June 2018 / Page 59
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake apps compromise devices
Source: Independent, Jun 2018
Source: Fortune, July 2016
61. June 2018 / Page 60
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
$23
(outside Google/Facebook)
700X more
There’s 700X more fake apps
7M
apps
Source: Statista, March 2017
6.99 million
96% “apps that carry ads”
10,000
“apps you’ve heard of”
Facebook
Spotify
Pandora
Zynga
Pokemon
YouTube
Facebook, 2015
Users use 8 – 15 apps on
their phones.
Spotify, 2016
People have 25 apps on their
phones, use 5-8 regularly
Forrester Research, May 2017
Humans “use 9 apps per day,
30 per month”
78%
programmatic
62. June 2018 / Page 61
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
(2015) Going on for long time
Source: BusinessInsider, July 2015
“A user downloads an app
from the official app store
— which may look
legitimate and have
hundreds of positive reviews
— which then runs in the
background, serving
hundreds of ads at a rate as
high as 20 ads per minute”
Known and documented
for years – now mobile is
majority of digital spend
63. June 2018 / Page 62
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Got 100M credit card numbers?
Amateur Criminals
Buy HDTV at Walmart
with stolen credit card;
get caught, card is
deactivated.
Pro Criminals
Automate millions of $0.99 in-
game purchases of “power-
ups, shields, virtual goods” to
fully launder the plunder.
65. June 2018 / Page 64
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Luminati
Geosurf
Residential ips
Proxy services, free VPNs
Rent out residential IPs for disguising bots
66. June 2018 / Page 65
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Methbot, Hyphbot (video fraud)
Source: Dec 2016 WhiteOps
Discloses Methbot Research
“Methbot, steals $2 billion
annualized; and it avoided
detection for years.”
• Targeted video ad inventory
$13 average CPM, 10X higher
than display ads
• Disguised as residential
bots pretended to be from
residential IP addresses
2016
Source: Adform, Nov 2017
“Hyphbot, targeted video
ad inventory avoided
detection.”
2017
• active through at least 14
different exchanges and SSPs
• generating up to 1.5 billion
requests per day
• generated fake traffic on
more than 34,000 different
domains, 600k IP addresses
67. June 2018 / Page 66
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Tech tools to randomize data
Source: Ratko Vidakovic
68. June 2018 / Page 67
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Faked Google Analytics
Source: https://youtu.be/6_F-NAvr39o
Demo of how Google Analytics can be faked to show traffic that doesn’t exist
69. June 2018 / Page 68
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Faked mouse moves/clicks
Source: https://youtu.be/HeGYr3jwubY
Demo of fake mousemovements and clicks using javascript
70. June 2018 / Page 69
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Click spamming
Click injection
Click flooding
Faked attribution, clicks
Attribution urls or SDKs can be called to create fake clicks
https://www.slideshare.net/inmobi/a-cure-for-
adfraud-turning-fraud-detection-into-fraud-prevention
Source: Method Media Intelligence
71. June 2018 / Page 70
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Criteo vs Steelhouse Suit
Source: BusinessInsider June 2016
“Both Criteo and SteelHouse use
a pay-per-click pricing model,
which means they only generate
revenue when users click on the
ads they have served.
Criteo alleges in the suit that
SteelHouse ‘counterfeited clicks
to trick e-tailers into attributing
sales to SteelHouse that should
have been attributed to Criteo,
other competitors and partners,
or direct traffic.’"
72. June 2018 / Page 71
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake ad agencies to buy ads
Source: Confiant, Jan 2018
“Beginads was only briefly used to
establish relationships with ad
platforms as a fake ad agency.
Zirconium established a well thought-
out organization to maximize both
Supply (user traffic) and Demand
(landing pages).
Supply is brought in by the fake
agencies, establishing relationships
with legitimate ad platforms, and
buying traffic. Having multiple
relationships makes the operation
more robust (in case an agency gets
caught) and stealthier — as each
agency poses as a long-tail small
business agency and buys small
amounts at a time.”
73. June 2018 / Page 72
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Affiliate Fraud – Cookie Stuffing
“eBay paid Hogan a staggering $28
million in affiliate marketing sales
commissions over the years,
according to court papers.”
Source: http://www.businessinsider.com/eb
ay-the-fbi-shawn-hogan-and-brian-dunning-
2013-4#ixzz34WHjnefM
Source:
http://articles.latimes.com/2013/apr/19/b
usiness/la-fi-mo-cookie-stuffing-ebay-
20130419
“Laguna Niguel man pleads guilty
in 'cookie stuffing' scam against
Ebay. The online auctioneer paid
Dunning’s company about $5.2
million in 2006 and 2007, the U.S.
Attorney said.”
Keywords: cookie stuffing
Many more case studies published by Ben Edelman
http://www.benedelman.org/
75. June 2018 / Page 74
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Browser toolbars/extensions
Source: Ars Technica Jan 2018 Source: Shailin Dhar 2016
Toolbars/extensions to create traffic, fake clicks, log keystrokes
76. June 2018 / Page 75
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake ad blockers load more ads
Source: Engadget, April 2018
Thought you blocked ads? No, even more loaded in background
77. June 2018 / Page 76
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Pop-unders on porn sites
Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017
Porn sites have real humans; pop-unders load continuous ads
78. June 2018 / Page 77
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Auto-redirects – hidden iframe
Source: GeoEdge, Jan 2018
“Hidden Auto-Redirects,
… opens invisible
iframes, and
unbeknownst to the
user, goes on its own
delivery path, serving
and clicking on ads
automatically.”
79. June 2018 / Page 78
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Apps load ads in background
Source: ImpScore.io - https://www.youtube.com/watch?v=w-i-ue8fPCc
“fake apps or fraud apps (real apps that misbehave) continuously
load display ad impressions in the background, inflate revenue”
80. June 2018 / Page 79
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Bots load ads in background
Source: https://www.youtube.com/watch?v=IiVZC8eM_xE
Continuous loading of ads in the background and randomizing
page loads
81. June 2018 / Page 80
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Pages load ads in background
“dark processes” are continuous loading of ads, in background
https://youtu.be/utoN_VlxtE0
(demo video of page continuously
loading ads in the background)
82. June 2018 / Page 81
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Dark pages – hidden pages for ads
“dark pages” are NOT seen when sites are manually checked
Pages you can see, navigate to Dark Pages you cannot navigate to
(look normal, low # of ads) More ads, trackers, auto-refresh
Normal Dark Pages
84. June 2018 / Page 83
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Malware makes money via ads
2017 Checkpoint “Fireball”
• 250 million infected devices
• primary use = ad fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute
“Fireball has two main
functionalities: the ability of
running any code on victim
computers–downloading any file
or malware, and hijacking and
manipulating infected users’ web-
traffic to generate ad-revenue”
Source: Check Point, 2017 Source: BitDefender Labs, 2018
“The main goal of Zacinlo is to
deliver adware, displaying
adverts developed by the
attackers in webpages the user
visits and to secretly click
through to them in order to
generate ad revenue.
85. June 2018 / Page 84
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Malvertising / Ransomware
Source: ZDNet, March 2017 Source: TechRepublic, June 2017
86. June 2018 / Page 85
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Drive-by Malware/Cryptomining
Source: Malwarebytes, Feb 2018
Source: ComputerWeekly March 2016
87. June 2018 / Page 86
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Pre-installed malware/adware
Source: TheVerge, Jul 2017 Source: CNN, Feb 2015
88. June 2018 / Page 87
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Hacked Wordpress/Drupal Sites
Source: Wordfence, Apr 2016 Source: TechCrunch, April 2018
Compromised to deliver malware to unsuspecting visitors
89. June 2018 / Page 88
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake VPN – malware/ads
Source: PC Magazine, Jun 2018
“The free programs are merely
a guise for a notorious adware
strain, dubbed Zacinlo, that's
been harassing Windows PCs
since 2012.
Once installed, the apps can
secretly download other
programs on your computer,
take screen shots from the
desktop, and inject ads into
your web browser, security firm
Bitdefender said in a
Monday report.”
90. June 2018 / Page 89
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Google Safebrowsing Report
Source: https://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem
We are at HISTORIC highs for malware and phishing
92. June 2018 / Page 91
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Countless big data breaches
Harvesting personal info for use in various forms of attacks later
93. June 2018 / Page 92
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Compromised databases
Source: Hacker News, Jun 2018 Source: compsec, Jan 2017
94. June 2018 / Page 93
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake Leads (Lead Fraud)
Fake leads
• Previously filled out by hand
• Now, fully automated with
bots using databases of real
postal addresses, etc. (that
trick verification engines)
Use personal data from prior breaches to complete forms
95. June 2018 / Page 94
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
3rd party trackers leak user info
96. June 2018 / Page 95
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
(2017) User data exfiltration
“Emails, usernames,
passwords -- exfiltration
of personal data by
session-replay scripts; and
recording of user actions
on the site.”
Source: Freedom to Tinker, Nov 2017
97. June 2018 / Page 96
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Compromised apps to steal info
Source: Gadgets 360, June 2018
Source: ZDNet March 2018
98. June 2018 / Page 97
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Piracy sites’ specialized tasks
• Malware on humans’ PCs
are used to make botnets
• Real human’s cookies
used for retargeting
Piracy Sites
Specialty
• CPM on served ads
• Get paid to plant malware
Revenue
Fraud Types • Malware / Toolbar / Virus
• Sourced Traffic
• Fake Ad Impressions
Since there are real humans going
to piracy sites and navigating them,
their mouse movements and
keystrokes can be recorded for
replay attacks later.
99. June 2018 / Page 98
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Ad Blocking / GPDR
Source: CNBC, June 2018
Humans block ads and DON’T give consent; ads are served to bots
“Humans block ads; bots want ads to
load – so after ad blocking, most of
the remaining ads are shown to bots.
101. June 2018 / Page 100
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Bad Measurement of IVT
Incorrect IVT Measurement
Source 3 - in ad iframe, badly sampled
Sources 1 and 2
corroborate
One agency insists on
one fraud detection
company (that is owned
by same holding
company), despite
proven errors in IVT
measurement (due to
sampling and tag being in
ad iframe).
Agency uses high IVT
numbers to get refunds,
which agency keeps as
profit for themselves.
102. June 2018 / Page 101
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Opposite results from tag placement
In-Ad
(in foreign iframe)
On-Site
(on page)
window sizes detected
as 0x0 or 0x8 pixels correct window sizes
for ads detected
0% humans
60% bots
60% humans
3% bots
“fraud measurements could be entirely wrong, depending
on where the tag is placed – in-ad versus on-site.”
103. June 2018 / Page 102
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Legit sites wrongly blacklisted
Domain (spoofed) % SIVT
esquire.com 77%
travelchannel.com 76%
foodnetwork.com 76%
popularmechanics.com 74%
latimes.com 72%
reuters.com 71%
bid request
fakesite123.com
esquire.com
passes blacklist
passes whitelist
✅
✅
declared
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
appear high.
4. Real esquire.com gets backlisted;
bad guy moves on to another
domain.
104. June 2018 / Page 103
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
declared to be:
Brand safety tech doesn’t work
Pre-scanned Domain List
In-ad tag
Ad tags that are in the foreign
iframe (different domain) cannot
look outside the iframe – i.e.
cannot read content on the site
to determine brand safety.
bad word
porn
terrorism
hate
badsite123.com
badsite123.com
badsite123.com
badsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
Domain Placement Reports
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
goodsite123.com
FAILS because it is not directly
measured; relies on domain placement
reports which have declared data.
105. June 2018 / Page 104
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fraud filter no better than blacklist
1.Fraud filters are no better than manual blacklists
2.In some cases, there’s MORE fraud when filter is on
3.Using fraud filters adds 20 – 24% to costs; manual
blacklists are free
106. June 2018 / Page 105
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
“Verified” no different than control
“Verified Bots”
“Verified Humans”
Control: No Targeting
+$0.25 data CPM
+$0.25 data CPM
“verified bots” and “verified
humans” showed no difference in
quality to each other – AND both
were no different than the
control where no targeting
was used.
107. June 2018 / Page 106
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Bad guys trick measurement
SDK Spoofing— code in an app that sends simulated ad
clicks and engagement signals to the attribution provider
… [to] fool an advertiser into paying for fraudulent
impressions/views.
Attribution Fraud— code that executes clicks (click
spamming, click injection) so fraudster can claim credit
for downstream conversions.
Detection Tag Blocking— fake or fraudulent apps
can selectively block fraud detection tags or
manipulate analytics data.
108. June 2018 / Page 107
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Simple code to trick viewability
“This code manipulated
data to ensure that
otherwise unviewable
ads showed up in
measurement systems
as valid impressions,
which resulted in
payment being made
for the ad.”
Buzzfeed, March 2018
109. June 2018 / Page 108
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Bots easily trick AI/ML algorithms
“Humans (blue) are hard to predict …
… but bots give you beautiful signals – 1 or 0.”
Source: Claudia Perlich, PhD.
Data Scientist
110. June 2018 / Page 109
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake or plagiarized ads.txt
Source: MediaMath
Fake sites rushed to put ads.txt files in place, to continue to sell
“the company will only
buy … from publishers
who have an ads.txt file
in place.”
“completely useless…
… fake and fraud sites just
put ads.txt files in place
or plagiarized content
from other publishers to
stick in their own files.”
111. June 2018 / Page 110
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Fake botnet for PR
“used highly sophisticated techniques
to fraudulently load ads on the
affected sites without the site
owners' consent, leveraging a new
methodology that allows it to
monetize inventory on premium
domains.”
“none of this actually happened; it was completely
fabricated for the press release announcing their
new algo – ‘dramatic improvements to its automated
traffic detection .. primarily through …machine
learning methodologies’. The failure was due to their
analyzing only pre-bid data, which was faked. There
were no ads injected into any of the sites they
named in the press release. This was confirmed by
each of the good publishers, falsely accused.”
112. June 2018 / Page 111
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Discrepancies – won vs served
DSP says Adserver says
Why actually serve the
ad if you already get paid
based on the number of
impressions won?
From the data, the more
fraudulent the site, the
greater the discrepancy
– e.g. 80 – 100%
113. June 2018 / Page 112
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
“He said, she said” stalemate
Marketer/Buyer Publisher/Seller
Selects fraud verification
Vendor A that consistently finds
higher IVT – so they can get
bigger refunds on their media
buys (use it like discounts).
Selects fraud verification
Vendor B that finds lower
IVT to help them defend
against false accusations of
fraud and refund requests.
Vendor A Vendor B
MRC Accredited
MRC Accredited
“high IVT” “low IVT”
“it comes down to negotiation or relative power; so it is
no better than if NO fraud detection were used at all.”
115. “Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
Source: https://www.slideshare.net/augustinefou/state-of-digital-ad-fraud-q2-2018
116. June 2018 / Page 115
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Two main kinds of ad fraud
“Everything else is a derivative of (e.g.
cost-per-install fraud), or in support of (e.g.
tricking measurement, attribution, covering
tracks) the above 2 forms of ad fraud.”
Impression Fraud
(CPM) Fraud
(includes mobile display, video ads)
Click Fraud
(CPC) Fraud
(includes mobile search ads)
117. June 2018 / Page 116
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Why? Largest buckets of spend
Leads
(CPL)
Sales
(CPA)
Lead Gen
$2.0B
Other
$5.0B
• classifieds
• sponsorship
• rich media
Impressions
(CPM/CPV)
Clicks
(CPC)
Search 46%
Display 31%
Video 14%
91% digital ad spend Source: IAB FY 2017 Report
9% spend
118. June 2018 / Page 117
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Digital Ad Fraud is At All Time Highs
Digital Ad Spend
($ billions)
Actuals Projected
Digital Ad Fraud
($ billions)
119. June 2018 / Page 118
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
F*********************k
DDoS attacks overwhelm with traffic; now use traffic to make ad revenue
Google Digital Attack Map
120. June 2018 / Page 119
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Only way to tell – pause or cut
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
said.
Source: WSJ, March 2018
P&G: cut $200M, no impact
121. June 2018 / Page 120
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
So what?
• Tried and true attacks/techniques continue to be used –
they are just more automated now and scalable in digital
• Assume everything is compromised (all personal details)
and look for tell-tale signs and anything suspicious, dig in.
• “Don’t trust, and always verify” and definitely don’t trust
the verification numbers where no supporting details are
provided; how would you know if it is right or not?
• Run experiments to test hypotheses and check hunches; for
example pause or cut spending to see if any business
outcomes go down?
• Use your common sense to solve fraud and run real digital
marketing campaigns that yield real business outcomes.
122. June 2018 / Page 121
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239
123. June 2018 / Page 122
marketing.science
consulting group, inc.
linkedin.com/in/augustinefou
Dr. Augustine Fou – Independent Ad Fraud Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017