How scammers made ad fraud a billion-dollar criminal industry
Whoever came up with “thieves rob banks because that’s where all the money is” needs to add “digital advertising” to the updated version of the adage.
Criminals simply don’t need to go through all the trouble of stealing money from well-fortified financial institutions when they can just trick advertisers into directly lining their pockets. With internet ad revenue totaling more than $100 billion in 2018, scammers are following that line of money: ad fraud is set to cost the industry as much as $44 billion annually by 2022.
But the problem has ramifications for more than just the digital advertising market.
Digital ad revenue provides much of the financial underpinning of e-commerce and online-based businesses. Media agencies suffer when their analytics tools report a substantial amount of web traffic, but the amount of revenue doesn’t support the number of visitors tracked by their systems.
Online ad fraud has become so profitable that malware creators and botnet masters are developing new programs and theft techniques in order to keep making a profit, according to Michael Tiffany, president and co-founder of the bot detection company White Ops.
“To make money, the bad guys make it look like there are more people looking at ads than there really are,” he said. “This is a big deal because other crimes leave evidence. You might have missed a ransomware infection, but someone asks for bitcoin. … Ad fraud succeeds by going unnoticed.”
Scams works in myriad of ways, though every method depends on advertising ecosystem’s inherent complexity. There could be as many as nine different companies involved in the chain of serving one web user with a single ad, and every one of those transactions presents an opportunity for scammers to get involved, said Amy King, vice president of product marketing for Pixalate, an ad technology company.
One technique, called ad spoofing, exploits advertisers’ inability to directly place ads on the websites with audiences they are trying to reach. Advertisers buy ad space in a real-time auction for sites that look like known, trusted media outlets, but in fact are set up by scammers. A site that may look like ESPN or the New York Times, for example, might in fact be a much less reputable page that receives hardly any traffic.
It’s also common for fraudsters to inflate ad numbers via pixel stuffing, when an ad is hidden in a picture. Then there’s ad stacking, which occurs when multiple ads are hidden under a single banner or display.
These are just a sample of the perhaps dozens of techniques scammers have developed over the past decade, and more methods are in the works now.
But ad fraud has become the most profitable form of cybercrime today mostly because of the way scammers leverage botnets.
How it’s done
One common technique works like this: A web user clicks on a malicious link in a phishing email, unwittingly infecting their computer with malware. The hackers who control that malware use it to call up an invisible web browser on that user’s machine without their knowledge, and visit junk websites or click on advertisements.
That hacked computer is one of perhaps millions of legitimate machines controlled as part of a botnet that scammers use to inflate web traffic and ad impressions, meaning advertisers are paying for access to humans who don’t exist.
Scammers, impersonating legitimate companies, also sell their fake traffic to real publishers trying to attract as many engaged visitors as possible — in order to satisfy advertisers. Meanwhile fraudsters are cashing in from both sides.
“Some percentage of total industry spend goes to that imaginary world,” said Sam Tingleff, chief technology officer of the tech lab at the Interactive Advertising Bureau. “As [publishers] know, you’re not directly confronting this on a daily basis but it does mean your income is smaller…than it would be if there was zero fraud.”
“In most cases, the fraud is included in their overall budget and they may or may not have a guess to how much of that goes to fraudulent destinations,” he said.
Take the Methbot and 3ve syndicates as an example.
A 13-count indictment made public by the U.S. Department of Justice last year detailed how the two related ad fraud conspiracies used invalid bot traffic and fake websites to defraud advertisers. By allegedly programming their botnet of roughly 1.7 million hacked computers to visit fake websites, conspirators charged real marketers more than $30 million from 2014 to October 2018.
Both the Methbot and 3ve botnets were shut down in November, though others have emerged to try to monetize other advertising vectors. CenturyLink researchers revealed TheMoon botnet in January, another complex ad fraud tool capable of sending requests to 19,000 different URLs within six hours.
Thieves are able to scale this type of crime because, by exploiting computers used by real humans, they’re able to camouflage themselves using human behavior. Anti-fraud technology stops ad scammers by checking visiting IP addresses for their cookies. Connections without cookies or other identifiers are suspicious, but when fraudsters load legitimate data from hacked victims they can slip past the gate.
“The bot doesn’t have to replicate human behavior when it can just reload those cookies and appear to be human,” Tiffany said. “That’s how you beat Google and Facebook. Bot traffic mixes with human visitors to a website, so there’s no way to distinguish between a bot and real person as they come through the door.”
Google’s glaring issue
Unchecked internet fraud isn’t just a problem for advertisers and publishers, it also represents an “existential” threat to Google, said Per Bjorke, a senior product manager who leads Google’s ad traffic quality team. A large portion of the company’s business relies on advertising revenue and, if clients cease to trust the advertising ecosystem, that spells trouble for Google’s short and long term plans, Bjorke said.
“It’s very simple,” he said. “The future growth of Google and other companies hinges on the fact that online advertising is trusted, and that there will be a return on investment on ad budgets … It’s very important for us [because] people could stop investing in advertisements.”
In a 2004 letter to the Securities and Exchange Commission announcing their intent to file for an initial public offering, Google executives said fraud would hurt its profitability and negatively affect its brand reputation. More than a decade later, in 2017, the Wall Street Journal reported that Google informed hundreds of marketers about invalid traffic, issuing refunds to companies who were victimized.
Now, more than 100 people are working on the issue at Google, Bjorke said, as ad fraudsters explore ways to capitalize on mobile traffic and other emerging technology.
“For us, it’s an ongoing battle,” he said.
The same is true for publishers and the ad industry overall. Some solutions are available, though there’s no single way to stop scammers from skimming off the top. For now, perhaps the most popular security measure is ads.txt, an anti-spoofing protocol that gives desktop ad buyers more visibility into which companies they’re doing business with. But as internet users increasingly search the web using their smartphone, mobile anti-fraud technology is still evolving.
Scammers’ shift to mobile could already be underway. Research published last week by White Ops and the Association of National Advertisers predicts fraud losses will decrease by nearly a billion dollars this year. It’s too soon to tell, however, if that dip is the result of stronger security, or criminals experimenting with techniques that avoid detection.
“The question that will play out over the next 12 months will be: Are we truly turning the tide, or is this a blip?” asked Michael Tiffany. “Among criminals, the fantasy crime model is taking a couple pennies from every transaction…This is that.”
