Demystifying ad fraud

In the digital marketing ecosystem, every advertiser measures the return on investment or performance of their campaign on the basis of impressions served. Now, what is an impression, In terms of digital marketing lingo. An impression can constitute a video view, click through rates on an ad banner, mobile app installs, web traffic, and social media engagements like likes, shares, comments, and accounts created.

Digital marketers develop tools to measure these impressions on diverse platforms (website and applications) that make up the ecosystem for digital marketing.

A typical transaction chain is when the advertiser uploads their creative on an advertising platform, where he can control where, when, to whom the ad is served. Based the preferences input by the advertiser, the platform then picks the most suitable publisher to showcase the creative.

An advertiser might go directly to the publisher to place the ad skipping the middleman altogether. Seeing how fragmented the digital ecosystem is, doing so could be time consuming.

The tools that ad serving platforms use to measure impressions change from platform to platform. Thus, depending on the way they measure an impression they might be able to serve a high quality or a low-quality impression.

A high-quality impression would take multiple data points into consideration to ensure that the ad would be seen by the viewer in its entirety. A poor-quality impression only takes into consideration surface metrics like click through rates and video views, but does not consider engagement metrics such as time-on-site, bounce rate (visiting several pages in quick succession), average session duration, etc.

On the basis on the quality of impression served the advertiser is charged a cost-per-impression (CPM) by the advertising platform.

Fraudsters exploit gaps in the measurement of impressions on advertising platforms to either create bogus impressions or exaggerate the number of impressions generated at the expense of the advertiser.

One has to understand that it is the browser that records an impression that is collected by the advertising platform. So, ad fraud normally begins at the last mile user. The most common kind of ad fraud tries to manipulate the data that is collected by advertising platforms to measure performance.

How are fake impressions created? When a user downloads an unverified application, browser extensions, or gives access or permission to malicious software, the fraudster is able to manipulate the data generated from the user end of the value chain. Valid impressions are created by injecting ads into real and credible websites with the use of a toolbar or browser extension which are able to dupe the advertising platform that collects this data.

Toolbars like EverydayLookup mimic a Google-like interface, but are actually malicious software extensions which intend to manipulate or access your data.

Most of it happens through bot traffic, which is malicious software developed by hackers that hijack devices and artificially inflate statistics. Bots are capable of mimicking human browsing behaviour. Since the browser can’t tell the difference, an impression can easily be registered. This is what is called ‘invalid traffic’.

The single largest ad fraud was committed by a single botnet, Methbot, that bled the digital advertising industry by $3-5 million a day or $2 billion a year. This fraud was a combination of domain spoofing and impression fraud.

First, the fraudsters created 6,000 domains and more than 2 lakh distinct URLs whose name parodied big name publishers. Then they tricked algorithms on ad serving platforms to choose their platform to serve their video ads.

They had these promotional videos viewed millions of times a day by artificially created bot farms (servers that hosted these programs). Every single impression served came at the expense of the advertiser.

Domain spoofing is an example of ad fraud that does not require manipulation of the last mile user. Here the fraudsters portray themselves as a premium website. These websites might parody the names of publishers or even official government websites to confuse Internet users. When you access these websites, they request information that is normally shared on the legitimate sites.

This malicious practice robs the publishers of their hard work as it snatches away a website’s good global rank that is made with a lot of time and effort. The other consequence is that it diverts potential visitors of the verified publisher to fake sites that may try to phish data or inject malicious software into the users system.

One such example is of a company called Zirconium that launched several fake domains that claimed to be affiliate marketing websites. They named their ad network 'MyAdsBro' complete with social media handles and marketing lingo like “Try to get the eventual user in online marketing” or “The main thing in online marketing is to have a progress report” according to a report by security company, Confiant.

Basically, Zirconium created phony advertising agencies to sell fake ads. As per the Confiant's report, the ads published by 'MyAdsBro' were seen 1 billion times last year.