state of ad fraud #rampup17

State of Digital Ad Fraud #RampUp17 Publisher Update, March 2017. Augustine Fou, PhD. [email protected] 212.203.7239

Upload: dr-augustine-fou-independent-ad-fraud-researcher

Post on 12-Apr-2017


Ad Fraud is VERY Profitable and Scalable

March 2017 / Page 3 / marketing.science consulting group, inc.

linkedin.com/in/augustinefou

How profitable is ad fraud? EXTREMELY

Source: https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

“the profit margin is 99% … [especially with pay-for-use cloud services ]…”

Source: Digital Citizens Alliance Study, Feb 2014

“highly lucrative, and profitable… with margins from 80% to as high as 94%…”

How scalable are fraud operations? MASSIVELY

Cash-out sites are massively scalable: 131 ads on page × 100 iframes = 13,100 ads/page

One visit redirected dozens of times: known blackhat technique to hide real referrer and replace with faked referrer.

Example how-to: http://www.blackhatworld.com/blackhat-seo/cloaking-content-generators/36830-cloaking-redirect-referer.html

Thousands of requests per page: single mobile app calling 10k impressions

Source: Forensiq

Example – AppNexus cleaned up 92% of impressions

Decreased impression volume by 92% (from 260 billion to 20 billion)

Increased CPM prices by 800% (from < 20 cents to > $1.60)

Source: http://adexchanger.com/ad-exchange-news/6-months-after-fraud-cleanup-appnexus-shares-effect-on-its-exchange/

Ad fraud is now the largest form of crime

$20 billion

Counterfeit Goods U.S.

$18 billion

Somali pirates

$70B 2016E Digital Ad Spending

Bank robberies

$38 million

$31 billion U.S. alone

$1 billion

ATM Malware

Payment Card Fraud 2015

$22 billion

Source: Nilson Report Dec 2016

Source: ICC, U.S. DHS, et al.

Source: World Bank Study 2013

Source: Kaspersky 2015

$7 in $100

$3 in $100

“this is a PER YEAR number”

Digital Ad Fraud

Source: IAB H1 2016

$44 in $100

Methbot eats $1 in $6 of $10B video ad spend

Source: Dec 2016 WhiteOps Discloses Methbot Research

“the largest ad fraud discovered to date, a single botnet, Methbot, steals $3 - $5 million per day, $2 billion annualized.”

1. Targets video ad inventory: $13 average CPM, 10X higher than display ads

2. Disguised as good publishers: pretending to be good publishers to cover tracks

3. Simulated human actions: actively faked clicks, mouse movements, page scrolling

4. Obfuscated data center origins: data center bots pretended to be from residential IP addresses

Where is Ad Fraud Concentrated?

CPM/CPC buckets (91% of spend) is most targeted

Impressions (CPM/CPV)

Clicks (CPC)

91% digital spend

• Search 27%
• Display 10%
• Video 7%
• Mobile 47%

(89% in 2015)

(86% in 2014)

Leads (CPL)

Sales (CPA)

Lead Gen $2.0B

Other $5.0B

• classifieds
• sponsorship
• rich media

Source: IAB 1H 2016 Report

Two key ingredients of CPM and CPC Fraud

Impression (CPM) Fraud (includes mobile display, video ads)

1. Put up fake websites and load tons of display ads on the pages

2. Use fake users (bots) to repeatedly load pages to generate fake ad impressions

Search Click (CPC) Fraud (includes mobile search ads)

1. Put up fake websites and participate in search networks

2. Use fake users (bots) to type keywords and click on them to generate the CPC revenue

[screenshots of fake sites]

Fake Websites (cash-out sites)

Websites – spectrum from bad to good

Ad Fraud Sites

Click Fraud Sites

100% bot

mostly human

Piracy Sites

Premium Publishers

Sites w/ Sourced Traffic

“fraud sites” “sites w/ questionable practices” “good guys”

“real content that real humans want to read”

Countless fraud sites made by template

100% bot

Fake Visitors (bots)

Bots are automated browsers used for ad fraud

Headless browsers: Selenium, PhantomJS, Zombie.js, SlimerJS

Mobile simulators: 35 listed

Bots are made from malware-compromised PCs or headless browsers (no screen) in datacenters.

Bots

Bots range in sophistication, and therefore cost

Less sophisticated → Most sophisticated

• On-Page Bots: JavaScript installed on webpage
• Data Center Bots: headless browsers in data centers
• Malware on PCs: malware installed on humans’ devices

Source: AdAge/Augustine Fou, Mar 2014; Source: Forensiq; Source: Augustine Fou, Oct 2015

“the official industry lists of bots catch NONE of these bots, not one.”

• 1 cent CPMs: load pages, click
• 10 cent CPMs: fake scroll, mouse movement, click
• 1 dollar CPMs: replay human-like mouse movements, clone cookies

“The equation of ad fraud is simple: buy traffic for $1 CPMs, sell ads for $10 CPMs; pocket $9 of pure profit.”

How Ad Fraud Harms Good Publishers

What I heard from Publishers

“Ad fraud doesn’t affect us”

“I wasn’t really aware of bots and fraud”

“Our SSP has an anti-fraud vendor”

“we checked, we have very low bots”

Top-line ad revenue stolen

1. Bot visits good publisher site to collect “cookie”

2. Bot then visits fake sites to cause ad impressions to load there; those sites make the ad revenue

www.nejm.org healthsiteproductionalways.com

FOR EXAMPLE ONLY

Bottom-line profit margin squeezed

www.nejm.org ($100 CPMs) vs healthsiteproductionalways.com ($0.10 CPMs)

“Media agencies will buy more of the low-cost stuff to lower their average costs.”

FOR EXAMPLE ONLY

Reputations at-risk, bad guys cover tracks

1. Fake site that carries search ads: “buy eye cream online” (expensive CPC keyword)

2. Search ad served, fake click: Olay.com ad in #1 position

3. Click through to destination page: fake source declared

Click-through URL passes fake source “utm_source=msn”:

http://www.olay.com/skin-care-products/OlayPro-X?utm_source=msn&utm_medium=cpc&utm_campaign=Olay_Search_Desktop

Premium audiences stolen by cookie matching

specialized audience: oncologists

jco.ascopubs.org

specialized audience can be targeted elsewhere

“cookie matching” (by placing javascript on your site)

FOR EXAMPLE ONLY

Bad measurements wrongly accuse publishers

Publisher does not have 90% bots and never had

“you have low viewability”

“you have 90% bots”

• We want a refund
• We won’t pay
• We want make-goods

In-ad JS measurements could be entirely wrong

Publisher webpage (publisher.com): parent frame

Foreign ad iframes (adserver.com): foreign iframes

Cross-domain (XSS) security restrictions mean iframe cannot:

• read content in parent frame
• detect actions in parent frame
• see where it is on the page (above- or below-fold)
• detect characteristics of the parent page

1x1 pixel; js ad tags ride along inside iframe

incorrectly reported as 100% viewable

Unfair fight because bad guys cheat

“Bad guys have higher (fake) viewability”

Bad guys cheat by stacking all ads above the fold to fake 100% viewability

Good guys have to array ads on the page – e.g. lower average viewability.

Cybersecurity risks and audience info stolen

Source: https://www.exchangewire.com/blog/2016/05/19/%E2%80%8Bon-site-javascript-trackers-open-gaping-security-holes/

How Ad Fraud Harms Advertisers

Messes up your analytics

• load webpages
• click on links
• tune bounce rate
• tune pages/visit

“bad guys’ bots are advanced enough to fake most metrics”

Messes up your KPIs

Campaign KPI: CTRs

Programmatic display (18-45% clicks from advanced bots)

• 0.13% CTR (18% of clicks by bots)
• 1.32% CTR (23% of clicks by bots)
• 5.93% CTR (45% of clicks by bots)

Premium publishers (0% clicks from bots)

Want 100% viewability? 0% NHT (bots)?

Bad guys cheat and stack ALL ads above the fold to make 100% viewability.

“100% viewability? Sure, no problem.”

• IAS filtered traffic
• DV filtered traffic
• Pixalate filtered traffic
• MOAT filtered traffic
• Forensiq filtered traffic

“0% NHT? Sure, no problem.”

Current State of NHT Detection

Fraud bots are NOT on any list

bot list-matching (user-agents.org): 400 bot names in list

• 2% and “on the wane” (Source: GroupM, Feb 2017)
• 4% (Source: IAB Australia, Mar 2017)

bad guys’ bots: 10,000 bots observed in the wild

“not on any list”: disguised as popular browsers – Internet Explorer; constantly adapting to avoid detection
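An added example (not from the original deck) of why list-matching reports such low bot rates: it compares user-agent list-matching with a data-center IP filter over the same requests. The bot-name list, the data-center ranges (RFC 5737 documentation prefixes) and the request records are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for a published bot-name list (assumption, not a real list).
BOT_NAME_LIST = ("examplebot", "samplecrawler", "testspider")

# Constructed "data center" ranges, taken from RFC 5737 documentation prefixes.
DATACENTER_NETS = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.0/24")]

IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

# Constructed request records: (client IP, User-Agent header).
REQUESTS = [
    ("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/56.0"),
    ("192.0.2.11", "Mozilla/5.0 (compatible; ExampleBot/2.1)"),  # declares itself
    ("198.51.100.7", IE11),   # data-center origin, browser user agent
    ("198.51.100.8", IE11),
    ("203.0.113.40", IE11),
    ("192.0.2.12", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) Safari/602.4.8"),
]

def on_bot_list(user_agent):
    """List-matching: flag only user agents containing a listed bot name."""
    ua = user_agent.lower()
    return any(name in ua for name in BOT_NAME_LIST)

def from_datacenter(ip):
    """Flag traffic whose source address falls in a known data-center range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)

def classify(requests):
    counts = {"declared_bot": 0, "datacenter_browser_ua": 0, "unflagged": 0}
    for ip, ua in requests:
        if on_bot_list(ua):
            counts["declared_bot"] += 1
        elif from_datacenter(ip):
            counts["datacenter_browser_ua"] += 1
        else:
            counts["unflagged"] += 1
    return counts

def flagged_rates(requests):
    """Return (list-matching rate, list-matching plus data-center rate)."""
    c = classify(requests)
    total = sum(c.values())
    flagged = c["declared_bot"] + c["datacenter_browser_ua"]
    return round(c["declared_bot"] / total, 3), round(flagged / total, 3)

if __name__ == "__main__":
    print(classify(REQUESTS), flagged_rates(REQUESTS))
```

The "unflagged" bucket is not proof of human traffic: bots running on compromised residential devices, or proxied through residential addresses, pass both checks.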

Three main places for NHT detection

In-Ad (ad iframes): ad tag / pixel (in-ad measurement)

• Used by advertisers to measure ad impressions
• Limitations – tag is in foreign iframe, severe limits on detection

On-Site (publishers’ sites): javascript embed (on-site measurement)

• Used by publishers to measure visitors to pages
• Limitations – most detailed and complete analysis of visitors

In-Network (ad exchange)

• Used by exchanges to screen bid requests
• Limitations – relies on blacklists or probabilistic algorithms, least info

[Diagram labels: bot, human, fraud site, good site, ad served]

5% bots doesn’t mean 95% humans

good publishers

ad exchanges/networks

[Charts: volume bars (green); stacked percent, blue (human) and red (bots); red v blue trendlines]

“Having fraud DETECTION is not the same as having fraud PROTECTION.”

Case Examples

Example of publishers taking action to reduce bots

Publisher 1 – stopped buying traffic

Publisher 2 – filtered data center traffic

Publishers filtering bots – on-site vs in-ad

On-Site measurement, bots are still coming

In-Ad measurement, bots and data centers filtered

10% red

-7%

3%

About the Author

Dr. Augustine Fou – Independent Ad Fraud Researcher

Follow me on LinkedIn and on Twitter @acfou

Further reading:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou

Harvard Business Review – October 2015

Excerpt:

Hunting the Bots

Fou, a prodigy who earned a Ph.D. from MIT at 23, belongs to the generation that witnessed the rise of digital marketers, having crafted his trade at American Express, one of the most successful American consumer brands, and at Omnicom, one of the largest global advertising agencies. Eventually stepping away from corporate life, Fou started his own practice, focusing on digital marketing fraud investigation.

Fou’s experiment proved that fake traffic is unproductive traffic. The fake visitors inflated the traffic statistics but contributed nothing to conversions, which stayed steady even after the traffic plummeted (bottom chart). Fake traffic is generated by “bad-guy bots.” A bot is computer code that runs automated tasks.