The global digital ad market is expected to be valued at $225 billion by 2020, so it is no wonder fraudsters are trying to steal a piece of the pie. Advertisers will lose a projected $5.8 billion to $42 billion to fraudsters this year alone. Ad fraud’s prevalence is largely due to two factors: the lack of regulation and the sheer complexity and volume of online advertising. Both of these issues make it easy for fraudsters to execute and conceal their acts. Banks may process $1 million worth of credit card fraud requests in a day, but ad fraud detectors can face up to 20,000 requests every second.
Ad fraud is growing even worse due to the rise of real-time bidding (RTB), an advertising model in which advertisers automatically bid on ad placements as web pages are loaded. These bids are made, processed and chosen in a matter of milliseconds, meaning it is extremely easy for fraudsters to jump into the mix.
Ad fraud can take a variety of forms. Dishonest publishers may spoof clicks to force advertisers to pay additional fees, or hackers could hijack an advertising slot to generate revenue for themselves. A multitude of threats requires a multitude of solutions – and publishers, developers and advertisers are wielding plenty of tools to keep fraudsters at bay.
The Ever-Shifting Face of Ad Fraud
Ad fraud can wear many masks, but the most common types rely on bots, crawlers or other automated clicking methods. One type of bot-driven click fraud, known as click spamming, simulates an incredibly high number of clicks that appear to be from real devices. Another method is click injection, which generates fake clicks while apps are being installed.
One particularly elaborate click scheme, Methbot, was detected in 2016. The bot used an array of methods to commit fraud and cover its tracks, including fake clicks, fake social media logins, falsified geolocations and dedicated proxy servers to disguise its origin location. Experts speculate that it may have led to more than $36 million in stolen online ad dollars.
One of Methbot’s ringleaders was extradited from Bulgaria to the United States in January and indicted on 13 counts of wire fraud, money laundering and computer intrusion, but authorities are still coming to grips with the scale of the operation. The FBI filed a search warrant earlier this month to find email and LinkedIn communications between the hackers, underlining the level of coordination necessary for fraudsters to commit such crimes.
Some criminals choose to hijack legitimate users’ clicks rather than generate them with bots or device farms. Malware can redirect users who have clicked on ads to different websites, ones often infected with trojans or spyware. This effectively steals the impression from the advertiser. Click hijackers accomplish this either by compromising a visitor’s computer, spoofing the domain name system (DNS) on the user’s router or cracking the website itself to insert a redirect on the ad.
Ad fraud does not always come from outside hackers – sometimes it comes from unscrupulous publishers looking to charge advertisers for fraudulent traffic. Many of these dishonest webpages employ the same clickbot methods as outside hackers, but others rely on invisible or hidden ads. A publisher might charge for an ad that they then only display in a 1-by-1 pixel window, which is essentially invisible to a user. They may also stack multiple ads on top of each other so only one is visible to visitors. Some publishers even display the ads on fraudulent websites, then redirect ad calls so the advertiser sees legitimate sites rather than the illicit ones.
How Can Developers Fight Back?
There is a seemingly bottomless well of fraud methods and fraudsters using them, but developers and publishers are pushing back. Earlier this month, Facebook sued two app developers, Hong Kong-based LionMobi and Singapore-based JediMobi, for generating fraudulent revenue via click injection.
“The developers made apps available on the Google Play store to infect their users’ phones with malware,” Facebook’s Director of Platform Enforcement and Litigation Jessica Romero said in a blog post. “The malware created fake user clicks on Facebook ads that appeared on the users’ phones, giving the impression that the users had clicked on the ads.”
Other developers are taking more proactive approaches to fighting ad fraud. San Francisco-based marketing platform Singular recently released an ad fraud-fighting tool for Android developers specifically geared toward preventing fake app installations. The tool parses activity time stamps and communication with Google Play’s servers before making a call on the legitimacy of the installation. Singular claims this platform is the first of its kind for Android devices.
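A sketch of the kind of timestamp check the paragraph above describes, added as an illustration and not Singular's code: it compares the click time an ad network claims with the install-begin time reported by the store and the app's first open. The record field names, the two thresholds and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

MIN_CTIT = timedelta(seconds=10)  # assumed: shortest plausible click-to-open time
MAX_CTIT = timedelta(hours=24)    # assumed: longest window a click is credited

FIELDS = ("click_ts", "install_begin_ts", "first_open_ts")  # hypothetical names

def classify_install(rec):
    """Return the reasons an attributed install looks illegitimate ([] if none)."""
    try:
        click, begin, opened = (datetime.fromisoformat(rec[k]) for k in FIELDS)
    except (KeyError, TypeError, ValueError):
        return ["missing_or_malformed_timestamp"]
    reasons = []
    if begin > opened:
        # The app cannot run before its download has started.
        reasons.append("inconsistent_timestamps")
    if click >= begin:
        # Click injection: the "click" appeared once the install was under way.
        reasons.append("click_after_install_began")
    elif opened - click < MIN_CTIT:
        reasons.append("click_to_install_too_short")
    if opened - click > MAX_CTIT:
        # Typical of click spamming: a stale click claiming an organic install.
        reasons.append("click_to_install_too_long")
    return reasons

def review(records):
    """Map install id -> reasons, for flagged installs only."""
    flagged = {}
    for rec in records:
        reasons = classify_install(rec)
        if reasons:
            flagged[rec["id"]] = reasons
    return flagged

# Constructed sample records (all timestamps UTC).
D = "2019-08-20T"
SAMPLE_INSTALLS = [
    {"id": "a1", "click_ts": D + "10:00:00+00:00",
     "install_begin_ts": D + "10:00:20+00:00", "first_open_ts": D + "10:02:05+00:00"},
    {"id": "a2", "click_ts": D + "10:05:30+00:00",
     "install_begin_ts": D + "10:05:00+00:00", "first_open_ts": D + "10:05:40+00:00"},
    {"id": "a3", "click_ts": D + "10:00:00+00:00",
     "install_begin_ts": D + "10:00:01+00:00", "first_open_ts": D + "10:00:06+00:00"},
    {"id": "a4", "click_ts": "2019-08-18T10:00:00+00:00",
     "install_begin_ts": D + "09:00:00+00:00", "first_open_ts": D + "09:03:00+00:00"},
    {"id": "a5", "click_ts": D + "11:00:00+00:00",
     "install_begin_ts": D + "11:00:30+00:00"},
]

if __name__ == "__main__":
    print(review(SAMPLE_INSTALLS))
```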
Ads can be a nuisance to users, but they are necessary in a free market where publishers bring content to the internet without charging users. The ads will go away if ad fraud is not stopped, but so will the content. Proactive and reactive approaches, like those of Singular and Facebook, will hopefully stop that from happening anytime soon.