
Ad Fraud in 2021 – Expert Tips for the Straight-shooting Publisher

Anything that is in huge demand but short supply gets faked and sold for slightly lower prices than the real thing. This is true for the counterfeit product sellers in the real world and fake inventory/traffic sellers in the digital world.

We have said this before: Ad fraud doesn’t just hurt buyers. Buyers lose ad spend. But good publishers stand to lose their source of income and their audience’s trust – even from fraud they didn’t commit.

Ad verification vendors don’t always help the matter either. In a previous post, we discussed how each vendor’s unique fraud detection technology – necessary to keep bots from figuring out how to walk around them – can create space for a different sort of trap. What one ad verification vendor (and the ad networks which use it to monitor ad fraud) categorizes as ‘bot-traffic’ may not raise flags on others. 

Source: How Bad Measurements Hurt Good Publishers (Slideshare)

In this post, we are taking a look at the types of attacks publishers face on their ad inventory and revenue in 2018, and some actionable tips on defending against them.

1. 3rd Party Trackers and Session-Replay Scripts

Both the trackers and session-replay scripts are analytics tools. Nothing wrong with that in principle, but here’s why publishers should be extremely wary of 3rd party code that loads on their pages.

Session Replay Scripts that Record Form-field information

Publishers use session-replay scripts to understand how users interact with their site. However, these scripts are not supposed to keep records of information that users share with the website – information like usernames, passwords, email addresses, physical addresses, credit card details, etc.

But that’s what happens. In November 2017, Princeton’s research center (Center for Information Technology Policy) published their study findings and data on over 8,000 sites on which third-party session replay scripts were found to be recording highly personal user data.

As one case study of these 8,000 sites, we found health conditions and prescription data being exfiltrated from walgreens.com. These are considered Protected Health Information under HIPAA.

– Freedom to Tinker, November 2017 (Source)

Ad Trackers that Steal User Data from Browser

In part 2 of the same study, the researchers found ad trackers, loaded by fraudulent networks, that exploited the browser’s password manager feature on more than a thousand sites.

We examined two third-party scripts which exploit a vulnerability in browsers’ built-in password managers to exfiltrate user identities. One web developer was unable to determine how the script was loaded and asked us for help. We pointed out that their site loaded an ad network (media-clic.com), which in turn loaded “themoneytizer.com”, which finally loaded the offending script from Audience Insights.

These chains of redirects are ubiquitous on the web, and might involve half a dozen third parties. On some websites the majority of third parties have no direct relationship with the publisher.

– Freedom to Tinker, November 2017 (Source)

This was happening with and without publisher knowledge. It goes without saying that ignorance is not going to fly under GDPR. The onus is on publishers to protect users’ personal information from unauthorized collection/misuse.

How to fix this: Dr. Fou advises publishers to cut down the number of 3rd party scripts to the bare minimum. Use tools like Ghostery to find out who is running scripts on each page load. Remove what is not necessary.

As a bonus, doing this can improve page load speed and reduce lag, since there’s a lot less back-and-forth going on behind the screen with packets of data (between the script and some third-party server somewhere).

Note: Publishers who did their homework thoroughly when they were working on GDPR-compliance will find that they have already got a handle on these vulnerabilities.
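To make the redirect chains described above concrete, here is an added example (not part of the original post or the Princeton study) that rebuilds each third-party script's inclusion chain from a request log and separates the parties the page loaded directly from those pulled in by another third party. The log entries, the `.example` hostnames and the function name are constructed for illustration; a real log would come from a HAR export or a debugging proxy.

```javascript
// Constructed sample: one entry per script request seen during a page load.
// `initiator` is the script that triggered the request (null = the page's own HTML).
const sampleRequests = [
  { url: "https://publisher.example/app.js", initiator: null },
  { url: "https://adnet.example/tag.js", initiator: null },
  { url: "https://reseller.example/loader.js", initiator: "https://adnet.example/tag.js" },
  { url: "https://insights.example/collect.js", initiator: "https://reseller.example/loader.js" },
  { url: "https://cdn.publisher.example/ui.js", initiator: "https://publisher.example/app.js" },
];

// Simplification: the last two hostname labels stand in for the "site".
// Production code should use the Public Suffix List instead.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Returns one record per third-party script with the chain of sites that led to it.
function inclusionChains(requests, pageUrl) {
  const firstParty = site(pageUrl);
  const parent = new Map(requests.map((r) => [r.url, r.initiator]));
  const report = [];
  for (const r of requests) {
    if (site(r.url) === firstParty) continue; // publisher's own code
    const chain = [];
    const seen = new Set(); // guards against loops in a malformed log
    for (let u = r.url; u && !seen.has(u); u = parent.get(u)) {
      seen.add(u);
      chain.unshift(site(u));
    }
    // "direct" means the publisher's page or code requested it, so a
    // business relationship should exist; anything else arrived via a chain.
    const direct = r.initiator === null || site(r.initiator) === firstParty;
    report.push({ script: r.url, chain, direct });
  }
  return report;
}

for (const row of inclusionChains(sampleRequests, "https://publisher.example/")) {
  console.log(row.direct ? "direct  " : "indirect", row.chain.join(" -> "));
}
```

Every "indirect" row is a party the publisher never chose, which is the list to review first when trimming scripts.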

2. Malicious Ad Code

The security of 0.5 percent of all ad impressions sold programmatically is compromised. – Confiant (via Digiday)

In Q4 2017, a lot of publishers began seeing an upsurge in forced redirects on their sites. The issue itself is not new – it’s caused by malicious javascript within the ad creative that gets loaded when the highest bidder for the impression is a fraudulent party.

Their aims range from forced views and clicks to malware-laden app installs. According to Dr. Fou, “This was a sustained attack that started in Q4 2017 and continues till now. Malicious javascript in the ad can break out of the ad slot and take over the page, or redirect the user to another site – typically a malware site or fake tech support scam site.”

These ads can come from anywhere – even through the biggest, most fraud-free exchanges like Google AdX. Last year alone, Google ended up deleting 3.2 billion ‘bad ads’ from its advertising platforms. A year before that, this number was 1.7 billion.

The amount of care that the malvertiser takes to obfuscate where the ad is coming from is another reason why these attacks are so persistent.

The bad actors forcing the redirects are careful to not ruin user experience too often. There is a fine balance that the bad guys must maintain to keep their operation profitable; but not painful enough that it prompts the industry to crack down on it completely. (via Digiday)

Dr. Fou advises publishers to “sandbox” the ad iframes and only allow user-initiated actions (such as a click) to take place on the ad to keep the javascript from breaking out of the slot.
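One way to check that ad slots follow this advice, as an added example that is not from the original post: the function below scans page markup for iframes and flags any that lack a `sandbox` attribute or carry tokens that let framed script act without a click. The sample markup, the `ads.example` URLs and the `AD_SLOT_SANDBOX` baseline are assumptions for illustration; some creatives need additional tokens, so treat the baseline as a starting point.

```javascript
// Sandbox tokens that let framed ad code act on the page without a click.
const RISKY_TOKENS = {
  "allow-top-navigation": "script in the frame can redirect the whole page",
  "allow-popups-to-escape-sandbox": "windows opened by the ad are not sandboxed",
};

// Hypothetical baseline for an ad slot: scripts run, but leaving the slot
// (navigating the top page, opening a popup) requires a user gesture.
const AD_SLOT_SANDBOX = ["allow-scripts", "allow-popups", "allow-top-navigation-by-user-activation"];

function auditAdIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = (tag.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || "(no src)";
    const sandbox = tag.match(/\ssandbox(?:\s*=\s*"([^"]*)")?/i);
    if (!sandbox) {
      findings.push({ src, issue: "no sandbox attribute: ad script is unrestricted" });
      continue;
    }
    // A bare `sandbox` (no value) applies every restriction, so the set is empty.
    const tokens = new Set((sandbox[1] || "").toLowerCase().split(/\s+/).filter(Boolean));
    for (const [token, why] of Object.entries(RISKY_TOKENS)) {
      if (tokens.has(token)) findings.push({ src, issue: `${token}: ${why}` });
    }
    if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
      findings.push({ src, issue: "allow-scripts + allow-same-origin: a same-origin frame can remove its own sandbox" });
    }
  }
  return findings;
}

// Constructed sample markup: unsandboxed, weakly sandboxed, and baseline slots.
const sampleHtml = `
<iframe src="https://ads.example/slot1"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3" sandbox="${AD_SLOT_SANDBOX.join(" ")}"></iframe>`;

for (const f of auditAdIframes(sampleHtml)) console.log(f.src, "=>", f.issue);
```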

To monitor the situation, set up Charles Proxy, a web debugging proxy that lets your developers inspect all the traffic a device exchanges with the internet.

Additionally, price floors can be used to keep out bad ads, as we’ve discussed before. Raising them across the board by a few cents should do the trick.

3. ‘Fraudulent Traffic’ Red Flags (When You Don’t Source Traffic)

This can be a huge pain for publishers of all scales.

For the most part, programmatic advertisers are not buying space on your site to market to “your audience” (especially through open auctions, as is the system in AdSense).

Your audience just happens to be the kind of human they want to target their messages to. This is called ad targeting and it is done via a vendor who drops a cookie on this person and reads/updates it continuously.

Bots become sophisticated by pretending that they’re the human audience that advertisers want to target. This they do by mimicking a human’s online browsing activity and gathering those sweet ad tech cookies.

So when a lot of bots begin visiting, let’s say, XYZ.com for the purpose of appearing to be human, it raises the site’s IVT (Invalid Traffic) levels. Before the publisher knows it, their ad network will begin deducting dollars from the ad revenue on each payment cycle. This is because the ad network registers the publisher’s traffic as fraudulent and has to offer refunds to buyers. All major ad networks, including AdSense, do this.

To fix this: Dr. Fou advises publishers to filter for bots. “If you see obvious data center bots and bots that say their name honestly, let the page load but block ad calls. If the ad request isn’t sent, then the vendors on publisher’s site don’t drop tracking cookies on the bot. The bot cannot get retargeted later.” This post has some actionable tips on filtering bot traffic for affiliate marketers, which you can try on your sites.
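A server-side sketch of that rule, added here as an example and not taken from the original post or from Dr. Fou: the page always renders, but the ad slot is omitted when the request names itself as a bot or comes from a data center range. The user-agent pattern, the CIDR list (RFC 5737 documentation ranges) and the function names are constructed placeholders; a deployment would use maintained bot and hosting-provider lists.

```javascript
// Constructed placeholder lists, not real bot or hosting-provider data.
const DECLARED_BOT = /bot|crawler|spider|headlesschrome|curl|python-requests/i;
const DATACENTER_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"];

// Dotted-quad IPv4 string to unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const p = String(ip).split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const a = ipToInt(ip), b = ipToInt(base), n = Number(bits);
  if (a === null || b === null) return false;
  const mask = n === 0 ? 0 : (~0 << (32 - n)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Decide only whether to issue ad calls; never whether to serve the page.
function adDecision(req) {
  if (DECLARED_BOT.test(req.userAgent || "")) return { serveAds: false, reason: "declared-bot" };
  if (DATACENTER_CIDRS.some((c) => inCidr(req.ip, c))) return { serveAds: false, reason: "datacenter-ip" };
  return { serveAds: true, reason: "no-signal" };
}

// The content is identical for everyone; without the slot no ad request is
// sent, so no ad tech vendor sees the bot or sets a cookie on it.
function renderPage(req) {
  const slot = adDecision(req).serveAds ? '<div id="ad-slot"></div>' : "";
  return `<main>article body</main>${slot}`;
}

// Constructed sample requests.
const CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
const samples = [
  { userAgent: "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", ip: "203.0.113.7" },
  { userAgent: CHROME, ip: "192.0.2.44" },
  { userAgent: CHROME, ip: "198.51.100.200" },
];
for (const s of samples) console.log(s.ip, adDecision(s));
```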

The Upshot

Advertisers today want to be aware of where their ad dollars end up and how well their media performed. With 3rd party data going out of style (thanks to GDPR), straight-shooting small and medium publishers have a great opportunity to scale up – by proving the worth of their inventory and human audiences.

Keep following the tips listed above to sell authentic inventory that drives results for the advertisers. Implement ads.txt. And whatever you do, don’t source traffic. Just see the trouble Newsweek ended up in to remember that short-term profits are not worth sacrificing long-term goals over.

Source: State of Digital Ad Fraud Q2 2018 by Dr. Augustine Fou (link)