John presented the ins and outs of digital advertising fraud in his article: “You’re infected, and probably don’t even know it”. These are his take on the types of ad fraud out there.
1. Impression (CPM) Ad Fraud
Impression ad fraud has several parts:
- Hidden ad impressions
- Fake sites
- Video ad fraud
- Paid traffic fraud
- Ad re-targeting fraud
HIDDEN AD IMPRESSIONS: Hidden ad impressions (also called ad stuffing or ad stacking) come from fraudsters either placing teeny one-pixel-by-one-pixel windows throughout a web page and serving ads into those virtually invisible ad spaces, or stacking layers of ads one on top of the other in the same space but only the top ad is visible. Some pages observed in a study by the Association of National Advertisers (ANA) and digital security firm WhiteOps found 85 ads on a single page where few if any ads were actually visible. Video ads can also be stuffed into 1×1 spaces or continuously looped in stacks so no user ever sees it.
The result is a huge ad inventory (tens of millions a day) on ad exchanges, all of which can be sold but few or none of which are never seen. For example, an AdAge investigation found two examples of massive fraud: One fraudulent site (modernbaby.com) offered 19 million impressions per day on one exchange while another fraudulent site (interiorcomplex.com) offered 30 million ad impressions per day on another exchange.
FAKE SITES: Fraudsters create fake sites containing only ad slots and either no content or generic content often repeated from one fake page to the next. None of these sites draws huge traffic (to avoid creating suspicion) but networks of fake sites sold on programmatic ad exchanges can generate millions in revenues taken together.
VIDEO AD FRAUD: The explosion in the popularity of online video has drawn the attention of fraudsters. Fraudulent video ads are also as much as ten times more lucrative than banner ads thanks to higher CPMs. Fraudulent video ads are often stacked, invisible (the 1×1 windows), or played in the background (where the consumer can’t see them).
PAID TRAFFIC FRAUD: Publishers buy “traffic” from third parties to generate more unique visitors to their sites. the ANA/WhiteOps study found that 52 per cent of that traffic is from bots, and occurs most often between midnight and 7 AM.
RETARGETING FRAUD: Bots can be programmed to mimic specific and highly desirable consumers’ online behaviour, such as home- or car-buyers. The bot goes to relevant websites and acts like a consumer interested in making a purchase, researching topics and clicking on ads, but not necessarily actually making a purchase. That behaviour triggers a campaign of re-targeted ads hoping to convince the “hot prospect” to make the purchase … but those prospects are really just bots. Nonetheless, the fraudulent ad targeting company makes money.
2. Search (CPC) Ad Fraud
Fraudsters select the most expensive keywords — the ones with the highest cost per click (CPC). They then build their own websites and load them up with the high CPC keywords to generate search ads. The whole process is automated and the sites are generated by algorithm at a dizzying pace to maximize potential revenue. Brands looking to advertise against those popular keywords buy inventory on the fake sites. When the fraudster’s bots click on the real ads, the advertiser gets a report that makes it look like the click came from a real, respected website.
3. Affiliate (CPA) Ad Fraud (AKA Cookie Stuffing)
Affiliate marketing programs reward websites for getting visitors to complete an action such as filling out a form or making a purchase. Affiliate or Cost Per Action (CPA) fraud consists of a fraudster manufacturing fake actions by using bots to direct qualifying traffic to affiliate sites or stuff a consumer’s computer with fraudulent cookies so that if that user goes to the affiliate’s site, the fraudster collects the referral or commission payment. Often, the stuffed cookies will override any legitimate cookies and rob the legitimate referrer of earned income.
4. Lead (CPL) Ad Fraud (AKA Conversion Fraud)
This is the type of fraud most publishers believe is impossible. Computers can’t possibly fill out forms, right?
What started with the bad guys employing small armies of people in under-developed countries to fraudulently fill out forms for pennies each has rapidly morphed into a completely automated fraud industry where bots can fill out thousands of forms in the blink of an eye in a way that fools most publishers’ rudimentary anti-fraud systems.
5. Ad Injection and AdWare Fraud
Not too long ago, a Target ad ran right in the middle of walmart.com. Walmart did not sell the ad, but there it was, big as day, promoting a Walmart competitor on Walmart’s own site.
The culprit was the latest in digital advertising fraud: Ad Injection.
Perpetrators of this line of fraud offer consumers what appears to be an innocent incentive, usually a web browser tool bar or extension. Secretly embedded in the tool bar or extension, however, is software that injects onto unsuspecting sites advertisements that deliver no revenue to the site itself but to the tool bar creator.
The fraudsters who create these tools do not tell the consumer about this feature of the toolbar or extension. And they certainly do not pay the publishers or brands on whose site the ad is injected. But the fraudsters do list the inventory on programmatic ad exchanges as being on that legitimate publisher’s or brand’s site (but they never get the publisher’s or brand’s permission).
Some of the biggest brands and most reputable publishers in the world have been victims of this type of fraud, including Walmart, Home Depot, Macy’s, Dell, Samsung, Yahoo, MSN, weather.com, YouTube, and Yelp, according to AdAge.
While there are some commercial ad injection operations (e.g., RightApps and 215 Apps) who insist that this is a legitimate practice, the publishers and brands on whose sites are being hijacked rightfully disagree.
In a test by AdAge, the magazine observed instances of ad injection, including YouTube “hosting” big ads from the likes of Subaru, Dick’s, Target, Lion King, Harvard Business School, and Nissan. But YouTube was not paid.
The ANA/WhiteOps study also found rampant injection fraud, including one publisher whose site was hit with 500,000 injected ads every day for the duration of the two-month study.
The study also found injected ads “on sites which are well known as user-funded or subscription-based sites that do not permit ads.”
Unauthorized ad injection causes targeted websites to load more slowly. Worse, injected ads potentially can damage both the advertiser’s and publisher’s reputation, devalue the legitimate advertising on the site, and deplete the advertiser’s digital ad inventory budget.
One of the companies engaging in ad injection, RightAction, serves up 1.5 billion ads a day, according to AdAge. RightAction co-founder Stephen Gill told the magazine that his company “decided that not all toolbar and plugin inventory is bad.”
According to Gill’s logic, the publishes and advertisers who “hosted” RightAction’s 10.5 billion injected ads last week alone really don’t mind giving up that revenue. Yeah, right.
Ad injectors are trading on brand’s reputations and high-quality content which they did not pay to build or maintain. That smells to us like fraud. Or theft. Or both.
In addition to ad injection, there are other forms of “black-hat” adware or malware.
The ANA/WhiteOps study did not intend to include malware in its bot-focused study, but researchers ran into so much malware fraud, they felt they had to include it.
Malware behaves similarly to bots but malware creates a “pop-under” window visible to the user until the user closes the pop-under, at which point the malware continues to operate in the background without the user’s knowledge, according to the study.
For example, one study participant’s video ad campaign garnered nearly 90 million impressions but only 7 per cent were seen by real human beings. Malware that hosted the other 93 per cent of the impressions was installed unknowingly by consumers.
That malware ran the video ads continuously in a browser in the background of users’ computers, mostly hidden from the user and with the audio volume automatically reduced to zero while playing the video (but, to avoid suspicion, it left the audio for the computer’s other programs untouched!). Even after the users restarted their computers, the adware automatically played the video ads, even if the user did not reopen the adware site or application, according to the ANA/WhiteOps study.
6. Domain Spoofing or Laundered Ad Impression Fraud
Domain spoofing fraud may be the most insidious and most difficult to detect and prevent, and most lucrative for the bad guys.
With a simple line of code, fraudsters can change the URL of sites, even sites on white lists and private ad exchanges, to make advertisers think fake or piracy or porn sites are really the sites of reputable publishers.
Because advertisers assume that premium publishers are the best places for their campaigns, they put those publishers’ sites on their whitelists. Whitelists are presumed not only to be the best sites with the best audiences, but also to be a safe defensive bulwark against ad fraud. As a result, premium whitelisted sites command top bid prices on exchanges.
Ironically, whitelists by their very nature attract fraudsters.
The potential for inordinately high CPMs with little risk of discovery has prompted fraudsters to find ways to develop code that enables them to mask their fake, piracy or porn sites as one of the sites on the whitelists.
Domain spoofing comes in two varieties.
The first involves malware consumers accidentally install on their personal computers. The malware actually injects ads windows onto websites the consumer is viewing. In a nanosecond, the fraudster is able to offer that space on what looks like a premium publisher’s site out for bidding on an exchange. The price the fraudster commands reflects an incredible discount for such a desirable site. The money for the ad flows to the fraudster, not the premium publisher. This type of fraud is hard to detect because the user really is on the premium publisher’s site.
The second approach to domain spoofing involves fraudsters modifying codes in the ad tags that identify the domain a user is viewing. The managers and users of ad exchanges must be able to assume that the ad markup codes are always accurate. Sadly, such is not the case. Fraudsters can easily delete the markup code and replace it with code that enables them to impersonate any premium site they choose.
7. CMS Fraud
In this approach, bad guys hack into a publisher’s content management system (CMS) and create their own pages using perfectly legitimate domains. Then they put those pages on ad exchanges with the premium publisher’s markup code, but the advertiser who purchases those positions gets pages with no premium content and pays the fraudster instead of the publisher.
8. Re-Targeting Fraud
As discussed earlier, fraudulent operators can program bots to imitate very specific, very desirable types of consumers, from sports fans and home-buyers to tech geeks and grandmothers. Those bots then browse relevant websites in a way that makes them look like a qualified sales prospect, including clicking on ads and filling out forms.
These actions create very valuable cookies that advertisers covet because the target appears ready to make a purchase.
9. Traffic Fraud or Audience Extension Fraud
Sometimes publishers need to drive more traffic to their sites, most often to fulfill a promised number of impressions for advertisers but also sometimes to boost the number of unique visitors.
“A publisher might book a million dollar ad campaign with an advertiser, but for whatever reason, they have shortfall of (impression) supply,” Casale Media vice president Andrew Casale told FIPP. “So they will buy programmatic media with the advertiser’s budget to fill shortfall. Publishers go out and buy the traffic from sites they believe to be similar to their own, but third-party sites have the highest percentage of fraudulent traffic.
“The advertiser awarded the ad budget to the publisher at a high CPM because the impressions would be appearing on a trusted brand site,” said Casale. “But if the publisher betrays that trust and buys traffic on sites not of the same quality, and that get back to the buyer, you’ve harmed your brand and your relationship. Those publishers are effectively feeding the problem, they are trying to solve.”
John Wilpers is currently editing the 2015 edition of FIPP’s Innovation in Magazine Media World Report which will be launched at the FIPP/VDZ/eMediaSf Digital Innovators Summit in Berlin, 21-24 March 2015 . This will be the 6th edition of the Innovation Report which he has co-authored as consultant with Innovation International Media Consulting . John consults with media companies around the world focusing on multi-platform innovation, organizational integration, and customer-driven editorial management to deliver multimedia content 24-7 across all platforms. He is currently working with the University of Virginia on their print and digital publications after finishing projects with a Czech magazine and newspaper publishing company in Prague, a Washington, DC B2B magazine company, and a Norwegian newspaper group.
Subscribe to FIPP’s monthly Innovation newsletter (free). Further information from Helen Bland at FIPP.