fbpx
Home » Gaping Security Loopholes—Why Marketers Should Care

Gaping Security Loopholes—Why Marketers Should Care

0 comments 498 views

I’ve written before about the gaping security loopholes that you open up when you put third party javascript on your site. The javascript can record keystrokes, which is especially bad news for banking websites, password manager sites with access to all your passwords, and pretty much every other website. Do you know what data that third party javascript is exfiltrating?

Aside from the obvious cyber security risks, javascript code can be used for other devious things to help fraudsters make more money more efficiently. For example, Newsweek was caught using javascript to alter viewability measurements so that all the ads on their site were marked “viewable” and therefore sellable in programmatic exchanges to buyers that insisted on buying “only viewable” impressions. They were tricking the measurement so that their “rotten apples” (non-viewable impressions) could be sold as if they were “fresh apples” (viewable impressions) by deception. In CTV fraud, software programs (bots) can pretend to be Roku sticks; fraudsters can remotely download and install apps onto devices without users’ knowledge; and launch the app and stream for hours. And get this, they can even pass signals about how far into the video ad the user watched (which quartile), by tricking the reporting.

Affiliate Companies Claiming Credit for Sales

The above is similar to affiliates tricking the measurement to claim credit for driving sales and earn the revenue shares, when they didn’t do anything to deserve it. They used deceptive means like cookie stuffing to make it appear that the user visited their site and clicked an affiliate link when the user did not click anything. This deception can be done in a number of ways, including loading affiliate webpages in hidden iframes, invisible windows, pop-unders, etc. or by using javascript to click a specially crafted url that contained the fraudsters’ own affiliate ID (so they get paid). This is the security issue I discussed in this article Attribution—The Weakest Link In All Digital Marketing. The attribution urls are all plain text and all the parameters and variables are also in-the-clear. This means that anyone can copy it, alter it, and repeatedly “click” on it.

In the case of cookie stuffing, the human users didn’t click any affiliate link. The link was “clicked” by deceptive means and the cookies were planted without the users’ knowledge. When they complete a purchase later, an affiliate revenue share is paid to the fraudster. This increases the cost to the ecommerce merchant, because they are paying for something they didn’t need to. In 2013, two of eBay’s super-affiliates were arrested and convicted of stealing millions of dollars in affiliate revenue shares from eBay, using these methods.

A parallel example in a different channel is where mobile exchanges claim credit for app installs they didn’t drive. They used deceptive means to trick the attribution platforms into recording clicks and installs so they could get paid the CPI (cost per install). Sometimes, the clicks never occurred, the installs never occurred, or the ads never even ran. This is the basis of Uber’s second lawsuit. Uber is suing 100 mobile exchanges for wire fraud. These mobile exchanges falsified reports to make it appear that ads ran on legitimate sites, were clicked, and led to more installs of the Uber app. Other mobile networks fabricated the reports out of thin air – to make it appear that ads ran, when no ads were even run.

Uber found out about the deception when it turned off $120 million of their $150 million in paid app install spending. To their surprise, the app installs kept happening. These installs of the Uber app were “organic” which means the users installed it because they wanted to, not because they saw an ad and clicked on it. The mobile exchanges were doing “organic stealing” which means they were taking credit for app installs that would have happened anyway. They falsified the analytics to show that clicks happened before an app install even though the human users didn’t click anything.

Location Companies Claiming Credit for “Foot-fall”

You can probably sense a…

Read The Full Article

related posts

Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept