Cybercrime continues to be a major problem, but to most people it involves stolen data like credit card numbers. A growing problem has been ad fraud, which is less well-known. However, it has reached a point where law enforcement is taking it seriously.
In November, the Department of Justice announced a 13-count indictment against eight men for various cybercrimes, including what the FBI has called the biggest-ever ad fraud investigation. The group, which has been dubbed 3ve (pronounced “eve”) include six Russian nationals and two Kazakhstani citizens.
The government alleged that the men stole tens of millions of dollars by using “sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud.” This allowed the 3ve group to hijack more than 1.5 million IP addresses and redirect traffic to ISPs inside Russia or China.
While this has remained barely a blimp in the mainstream media, the FBI-led takedown force, White Ops, released a PSA on YouTube to help explain to the average user the dangers of ad fraud and its consequences.
Ad fraud has remained a serious problem because it can make it very difficult for publishers to generate revenue, while brands are cutting back on ad spending as they see little return on investment.
According to a report from Juniper Research published last year, advertisers lose an estimated $19 billion to fraudulent activities each year—equivalent to $51 million daily. More worrisome is that ad fraud could reach $44 billion by 2022. The bulk of the fraudulent ads affect video, but all content providers online, including newspaper publishers, are victims of ad fraud.
“The bad news is that ad fraud remains a challenge for publishers and brands because it’s obviously not helping advertisers reach consumers,” said Fran Wills, CEO of the Local Media Consortium, which represents 80 media companies and 2,200 news outlets across the United States and Canada. “The good news is that ad fraud and consumer transparency are a top priority for us.”
The problem has become so great that many brands are simply not investing the money in online ad campaigns.
“Procter & Gamble cut $200 million out of the digital ad budget and reported that it saw no change,” said Dr. Augustine Fou, an independent researcher who has studied ad fraud across multiple online platforms. “Fraudulent ads don’t drive any business outcomes, so the brands see no results.”
Addressing the Bad Actors
One of the biggest issues with ad fraud is that many publishers don’t fully even understand what it is or how it works. As with much of today’s cybercrime it isn’t simply one thing, but is instead a blanket term for numerous illicit activities. These can include bots that generate fake traffic to fraudulent ads that take users to potentially dangerous websites containing malware—all of this makes stopping it very difficult.
“People ask me all the time ‘What’s the best way to fight ad fraud?’ which is a bit like asking ‘What’s the best way to stop all crime?’” said Maggie Louie, CEO of DEVCON, an Atlanta-based startup that offers anti-ad fraud solutions to digital publishers. “The truth is that criminals are exploiting the online ad ecosystem, stealing billions from the pockets of advertisers and publishers in so many diverse ways that it is really impossible to only think of this as ad fraud. We need to be thinking of this as cyber attacks being deployed via ad tech.
“This is a crime and there are numerous types of different ad fraud going on; the most talked about are ‘attacks’ that involve bots that generate fake traffic or inflate numbers, and this results in ads that weren’t seen by actual people.
“However, those are just the tip of the iceberg in a world of obfuscated code exploits able to hide and deploy every kind of attack from RATs (remote access trojans), to crypto-jackers to ransomware, even enslaving a consumer machines to be the botnet,” she added. “These aren’t publisher or advertiser problems, these are cyber threats, and the publishers, the brands and the audiences are the victims.”
Ad fraud is now “lucrative” and easy to conduct, such that some cyber criminals have adopted it as an alternative to more traditional cybercrime such as stealing data. One reason is that unlike stolen credit card data from a security breach, it is unlikely to make the news.
“Outside of advertisers and publishers, few really feel the financial impact directly,” said Andrew Altersohn, CEO at AD/FIN. “Everyone in the middle still gets paid, but in the end it diminishes the impact of advertising so it hurts both brands and publishers.”
Executives at New York-based AD/FIN told E&P that the bad actors are now operating in Eastern Europe and often in the same circles of cyber criminals that had previously stolen and traded personal information including credit card data.
“It is hard to hold them accountable because governments aren’t seeing it as a threat, and until there is more of a financial cost little will be done to stop it,” said Matt DeLoca, AD/FIN chief revenue officer.
Problem with Programmatic
It isn’t just fake traffic generated by bots. One of the biggest segments of ad fraud has been “malvertising”—as in “malicious advertising”—and it includes both online advertising that spreads malware and the ads themselves, which direct visitors to fake sites or show fraudulent traffic.
According to Ian Trider, director of RTB operations at Centro, malvertising can enter an ecosystem when DSPs (demand side platform)—which are similar to AdWords in creating a digital ad campaign via a vendor-neutral RTB (real-time bidding) ecosystem—haven’t been properly vetted.
“To reduce malvertising on a network, publishers can do several things including working with only high end and reputable ad exchanges,” Trider said. “The risk of malware from creditable exchanges is low, but it can vary and the lower tier ones pose a serious threat for publishers.”
Programmatic advertising, which relies on digital platforms, can increase the chances of digital ad fraud.
“There are certain things we can control in our space, but the other digital silos including programmatic mean we have far less control,” said Nhan T. Ngo, senior manager for digital sales and operations at the Baltimore Sun Media Group. “In our own ad space we’re pretty tight, but once you are out of the O&O space, you have to rely on the ad suppliers, and they’re relying on their own upstream. We have to trust these partners, but more importantly, we have to monitor the ads far more closely.”
This isn’t to say that all programmatic advertising puts a publisher at risk, but as Ngo noted it is crucial that ads be monitored.
“Agencies and brands alike need to ensure their programmatic advertising is delivered to humans in brand safe environments like local media websites so they get the most out of their investment,” said LMC’s Wills. “Local publishers are definitely at the forefront of combating fraud by using the latest ad fraud technology and continuing to create credible content on trusted sites that deliver real audiences.”
The large publishers are also ensuring that they protect readers from fraud as well, and Jason Tollestrup, vice president of programmatic strategy and yield at the Washington Post, explained that this includes ensuring that real humans and not “bot traffic” are responding to ads.
“Bots are integral to the operation of the internet, but advertisers want to ensure their ads are only displayed in front of humans, and we work with our ad server to blacklist known bots so that ads do not show on pages crawled by bots,” Tollestrup said. “Advertisers don’t want to pay for ad impressions that display to a bot. Therefore, keeping our bot traffic low helps us to prevent this from happening.”
There are multiple factors in why ad fraud has grown so much, and one of the underlying reasons is that it is largely seen as a “victimless crime,” which it most certainly is not. Then, why have efforts to combat it been ignored?
“Historically any efforts to combat ad fraud were seen as a cost,” said Jed Williams, chief strategy officer at the Local Media Association. “Only now are publishers realizing the need to invest in technology to fight and correct it. This is a cultural challenge as stopping ad fraud doesn’t present a new source of income, and in the short term, it can cost money. In that way, it can be wrongly viewed as a cost center instead of a savings center.”
As newsrooms get smaller and budgets fall, only now is the impact great enough that publishers see the need to protect the revenue from advertising—especially as brands aren’t seeing that return on investment.
“Publishers weren’t sure how big a problem this was until recently,” Williams said. “Now the problem is being addressed, and today fewer people should be required to manage the technology to detect the fraud.”
This is where software such as that offered by DEVCON could fit in, which has already been described as the “Norton anti-virus for digital ads.”
“You need some level of anti-adware/anti-fraud software that is going to monitor and block these cyberattacks, as well as solutions to measure and block fake traffic,” DEVCON’s Louie said. “Another thing that will create defenses is greater consequences; i.e. prosecutions. Until recently, many people viewed ad fraud as a victimless crime, if they saw it as a crime at all. Any ‘script kiddie’ (or hacker) can engage in ad fraud. With more convictions, like the one we helped win in March of 2018, and the more recent 3ve case, there will come lasting change.”
Clearly, those DOJ indictments prove that many do know this is a crime—and sadly a lucrative one at that.
“We are seeing that ad fraud is something perpetrated by small hackers to nation state actors,” Louie said. “The result is that it has also reduced the value of digital ads, which have gone from dollars to dime and thus thinning out the newsroom.”
Another form of malvertising has been the influx of digital pop-up ads, which users find annoying and often lead to greater use of ad-blockers.
“There is a misconception that publishers want to use those pop-ups, but that has been proven to be ineffective,” Louie said. “Publishers don’t want the consumer to have a bad experience, but these get in the ecosystem from programmatic ads and ruin that experience. That results in ad blocking, which for publishing is a bad thing.”
Blockchain to Block Ad Fraud
With the rise in cryptocurrency (notably Bitcoin), there have been discussions on how a blockchain—the decentralized ledger that keeps track of every transaction utilizing a digital currency—could stop ad fraud. Because there is no central database and the transactions are spread across multiple computers, a blockchain is resistant to modification of data.
“Blockchain tech is good,” said Fou. “And it could solve some of the forms of fraud—e.g. domain spoofing—by bringing transparency. The problem is that the parties that need to adopt it are the very ones benefiting from fraud, so they don’t want to adopt”
However, even if it was widely adopted, blockchain may not be a miracle fix.
“We hear that blockchain could fit this, but we don’t think this is true,” said Ravi Patel, chief operating officer at AD/FIN. “In programmatic advertising, there are still billions of impressions and a blockchain isn’t fast enough to fix this in real time. It is far too reactive.”
While ad fraud utilizes technology, it shouldn’t be seen as a technology problem.
“It is an incentives problem, and middlemen like the fraud because it means more volume that runs through their systems,” said Fou. “Publishers like the fraud because it means more traffic and higher ad revenues. Even marketers like the fraud because it gives them more impressions to buy. If we solved fraud, it would mean less revenue and less to buy. So everyone is currently happy that the ad fraud detection companies tell them fraud is low and everything is fine, keep buying. Except that fraud is not low. It is just not detected or people don’t want to hear of it.”
A more simple solution could just be greater transparency.
“The good publishers are happy to show data,” Fou said. “The bad guys are using technology to make it look like they are free from fraud. So we need to separate the good publishers from the bad sites that try to skew the numbers.”
Marketers also need to understand how a good publisher won’t use traffic that isn’t real, and thus should avoid the sites that provide ads with unrealistic traffic numbers. If the numbers are too good to be true, it is because they are buying traffic that is coming from bots.