Low-Cost, No-Tech Ways to Fight Fraud vMiMA

Low-Cost, No-Tech Ways to Fight Digital Ad Fraud

February 2017

Augustine Fou, PhD.

[email protected]

212. 203 .7239

mailto:[email protected]

Ad Fraud is VERY Lucrative, VERY Scalable

February 2017 / Page 2marketing.scienceconsulting group, inc.

linkedin.com/in/augustinefou

How profitable is ad fraud? EXTREMELY

Source: https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

“the profit margin is 99% … [especially with pay-for-use cloud services ]…”

Source: Digital Citizens Alliance Study, Feb 2014

“highly lucrative, and profitable… with

margins from 80% to as high as 94%…”

https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

https://media.gractions.com/314A5A5A9ABBBBC5E3BD824CF47C46EF4B9D3A76/4af7db7f-03e7-49cb-aeb8-ad0671a4e1c7.pdf



How scalable are fraud operations? MASSIVELYCash out sites are massively scalable

131 ads on pageX

100 iframes=

13,100 ads /page

One visit redirected dozens of times

Known blackhat technique to hide real referrer and replace with faked referrer.

Example how-to:http://www.blackhatworld.com/blackhat-seo/cloaking-content-generators/36830-cloaking-redirect-referer.html

Thousands of requests per pageSingle mobile app calling 10k impressions

Source: Forensiq



AppNexus cleaned up 92% of impressions

Increased CPM prices by 800%

Decreased impression volume by 92%

Source: http://adexchanger.com/ad-exchange-news/6-months-after-fraud-cleanup-appnexus-shares-effect-on-its-exchange/

260 billion

20 billion

> $1.60

< 20 cents

“pity those advertisers who bought before the cleanup”



Methbot eats $1 in $6 of $10B video ad spend

Source: Dec 2016 Whiteops Discloses Methbot Research

“the largest ad fraud discovered to date, a singlebotnet, Methbot, steals $2 billion annualized.”

1. Targets video ads$13 average CPM, 10X higher than display ads

2. Disguised as good publishersPretending to be good publishers to cover tracks

3. Simulated human actionsActively faked clicks, page scrolling, mouse movements

4. Obfuscated data center originsData center bots pretended to be from residential IP addresses

http://www.whiteops.com/METHBOT



Ad fraud is now the largest form of crime

$20 billion

CounterfeitGoods U.S.

$18 billion

Somalipirates

44% of digital ad

spend

$70B 2016ESource: IAB H1

2016

Bank robberies

$38 million

$31 billionU.S. alone

$1 billion

ATM Malware

Payment Card Fraud 2015

$22 billion

Source: NilsonReport Dec 2016

Source: ICC, U.S. DHS, et. al

Source: World Bank Study 2013

Source: Kaspersky 2015

$7 in $100$3 in $100

“this is a PER YEAR number”

https://www.nilsonreport.com/

https://en.wikipedia.org/wiki/Counterfeit_consumer_goods

http://www.cnn.com/2013/04/12/business/piracy-economy-world-bank/

http://www.securityweek.com/hackers-hit-100-banks-unprecedented-1-billion-cyber-attack-kaspersky-lab

Where is Ad Fraud Concentrated?



CPM/CPC buckets (91% of spend) is most targeted

Impressions(CPM/CPV)

Clicks(CPC)

Search27%

91% digital spend

Display10%

Video7%

Mobile47%

Leads(CPL)

Sales(CPA)

Lead Gen$2.0B

Other$5.0B

• classifieds• sponsorship• rich media

(89% in 2015)

Source: IAB 1H 2016 Report

(86% in 2014)



Two key ingredients of CPM and CPC Fraud

Impression(CPM) Fraud

(includes mobile display, video ads)

1. Put up fake websites and load tons of display ads on the pages

Search Click (CPC) Fraud

(includes mobile search ads)

2. Use fake users (bots) to repeatedly load pages to generate fake ad impressions

1. Put up fake websites and participate in search networks

2. Use fake users (bots) to type keywords and click on them to generate the CPC revenue

screen shots of fake sites

Fake Websites(cash-out sites)



Websites – spectrum from bad to good

Ad Fraud Sites

Click Fraud Sites

100% bot

mostly human

Piracy Sites

Premium Publishers

Sites w/ Sourced Traffic

“fraud sites” “sites w/ questionable practices” “good guys”

“real content that real humans want to read”



Identical sites – fraud sites made by template

100% bot



Countless fraud domains used to commit ad fraudhttp://analyzecanceradvice.comhttp://analyzecancerhelp.comhttp://bestcanceropinion.comhttp://bestcancerproducts.comhttp://bestcancerresults.comhttp://besthealthopinion.comhttp://bettercanceradvice.comhttp://bettercancerhelp.comhttp://betterhealthopinion.comhttp://findcanceropinion.comhttp://findcancerresource.comhttp://findcancertopics.comhttp://findhealthopinion.comhttp://finestcanceradvice.comhttp://finestcancerhelp.comhttp://finestcancerresults.comhttp://getcancerproducts.com

100M+ more

sites like these, designed to profit from high value display, video, and mobile ads

Fake Visitors(bots)



Bots are automated browsers used for ad fraud

Headless BrowsersSeleniumPhantomJSZombie.jsSlimerJS

Mobile Simulators35 listed

Bots are made from malware compromised PCs or headless browsers (no screen) in datacenters.

Bots

http://www.mobilexweb.com/emulators



Bots range in sophistication, and therefore cost

Javascript installed on webpage

Malware on PCsData Center BotsOn-Page Bots

Headless browsers in data centers

Malware installed on humans’ devices

Less sophisticated Most sophisticated

Source: AdAge/Augustine Fou, Mar 2014 Source: Forensiq Source: Augustine Fou, Oct 2015

“the official industry lists of bots catch NONE of these bots, not one.”

1 cent CPMsLoad pages, click

10 cent CPMsFake scroll, mouse movement, click

1 dollar CPMsReplay human-like mouse movements, clone cookies

http://adage.com/article/digital/bots-scam-advertisers-pretending-human/293428/

http://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem



Any device with chip/connectivity can be used as a bot

Traffic cameras used as botnet (Engadget, Oct 2015)

mobile devices

connected traffic lights

connected cars

thermostat connected fridge

Security cams used as DDoS botnet (Engadget, Jun 2016)

(TechTimes, Sep 2016)

“The equation of ad fraud is simple: buy traffic for $1 CPMs, sell ads for $10 CPMs; pocket $9 of pure profit.”



How Ad Fraud Harms

Advertisers



How many clicks/sessions/views do you want?

click on links

load webpages tune bounce rate

tune pages/visit

“bad guys’ bots are advanced enough to fake most metrics”



What click through rates are you shooting for?Programmatic display

(18-45% clicks from advanced bots)Premium publishers(0% clicks from bots)

0.13% CTR(18% of clicks by bots)



Campaign KPI: CTRs



Want 100% viewability? 0% NHT (bots)?

Bad guys cheat and stack ALL ads above the fold to make 100% viewability.

“100% viewability? Sure, no problem.”

AD

• IAS filtered traffic, • DV filtered traffic• Pixalate filtered traffic, • MOAT filtered traffic, • Forensiq filtered traffic

“0% NHT? Sure, no problem.”

Source: Shailin Dhar

Current State of NHT Detection



Fraud bots are NOT on any list

10,000bots observed

in the wild

user-agents.org

bad guys’ bots3%

Dstillery“findings from two independent third parties,

Integral Ad Science and White Ops”

3.7%Rocket Fuel

“Forensiq results confirmed that ... only 3.72% of impressions categorized as high risk.”

2 - 3%comScore

“most campaigns have far less; more in the 2% to 3% range.”

bot list-matching

“not on any list”disguised as popular browsers – Internet Explorer; constantly

adapting to avoid detection



Three main places for NHT detection

In-Ad(ad iframes)

On-Site(publishers’ sites)

• Used by advertisersto measure ad impressions

• Limitations – tag is in foreign iframe, severe limits on detection

ad tag / pixel(in-ad measurement)

javascript embed(on-site measurement)

In-Network(ad exchange)

• Used by publishers to

measure visitors to pages

• Limitations – most detailed and complete analysis of visitors

• Used by exchanges to

screen bid requests

• Limitations – relies on blacklists or probabilistic algorithms, least info

ad served

bot

human

fraud site

good site



5% bots doesn’t mean 95% humans

good publishers

ad exchanges/networks

volume bars (green)

Stacked percentBlue (human)Red (bots)

red v blue trendlines

“Having fraud DETECTION is not the same as having fraud PROTECTION.”

Case Examples



Differences in quality, arrivals, conversionsMeasure Ads Measure

ArrivalsMeasure Conversions

good publishers

ad exchanges/networks

346

1743

5

156



Stepwise improvement using our data

Period 1 Period 3Period 2

Initial baseline measurement

Measurement after first optimization

Eliminating several “problematic” networks



More accurate analytics when data is clean

7% conversion rate 13% conversion rateartificially low actually correct



Best Practices of Savvy Advertisers/Agencies

• Challenge all assumptions – don’t assume someone else “took care of it.” Verify, by demanding line-item detailed reports, because fraud hides easily in averages

• Check your Google Analytics - question anything that looks suspicious; more details that can reveal fraud and waste

• Corroborate measurements – measure different parameters together and see if they still make sense together; reduce false positives or negatives

• Use conversion metrics – CPG client uses click-and-print digital coupons; pharma client uses doctor finder zip code searches, plus clicks to doctor pages; retailers use sales

Bot Fraud Game Show



Where would you prefer to place your ads?

A

B



Which chart shows real human traffic surges?

A

B



Traffic surges caused by bots vs real humans

Caused by bots

Caused by humans

A

B



Which chart shows fake/sourced traffic?

A

B



Which chart shows fake/sourced traffic?

A

B



Which chart shows human segment?

A B

ON-SITE measurement• Scroll: 57%• Mouse: 67%• Click: 56%




Which chart shows human segment?

A B





Which chart shows fraudulent mobile apps?

A B



Which chart shows fraudulent mobile apps?

A B



What’s wrong with this picture (chart)?



What’s wrong with this picture (chart)?



Would you buy more media from this site?

102,231 sessions

0 sessions

goal events

YES NO



Would you buy more media on this site? NO!

102,231 sessions

0 sessions

goal event – no change



Would you continue search ad placements?

Line item details

Overall average 9.4% CTR

“fraud hides easily in averages”



Your ads on .xyz domains, these mobile apps?

.xyz domains suspicious mobile apps



Mix and Match – which goes with which?

A

B

C

video entertainment

sports info site

investment info site

“Let’s go fight some bad guys

together!”



About the Author

February 2017

Augustine Fou, PhD.

[email protected]

212. 203 .7239

mailto:[email protected]



Dr. Augustine Fou – Independent Ad Fraud Researcher

2013

2014

Follow me on LinkedIn (click) and on Twitter @acfou (click)

Further reading:http://www.slideshare.net/augustinefou/presentationshttps://www.linkedin.com/today/author/augustinefou

2016

2015

http://www.linkedin.com/today/author/augustinefou

http://twitter.com/acfou

http://www.slideshare.net/augustinefou/presentations

https://www.linkedin.com/today/author/augustinefou



Harvard Business Review – October 2015

Excerpt:

Hunting the Bots

Fou, a prodigy who earned a Ph.D. from MIT at 23, belongs to the generation that witnessed the rise of digital marketers, having crafted his trade at American Express, one of the most successful American consumer brands, and at Omnicom, one of the largest global advertising agencies. Eventually stepping away from corporate life, Fou started his own practice, focusing on digital marketing fraud investigation.

Fou’s experiment proved that fake traffic is unproductive traffic. The fake visitors inflated the traffic statistics but contributed nothing to conversions, which stayed steady even after the traffic plummeted (bottom chart). Fake traffic is generated by “bad-guy bots.” A bot is computer code that runs automated tasks.

Marketing

Low-Cost, No-Tech Ways to Fight Fraud vMiMA