
How scammers made ad fraud a billion-dollar criminal industry


Whoever came up with “thieves rob banks because that’s where all the money is” needs to add “digital advertising” to the updated version of the adage. Criminals simply don’t need to go through all the trouble of stealing money from well-fortified financial institutions when they can just trick advertisers into directly lining their pockets. With internet ad revenue totaling more than $100 billion in 2018, scammers are following that line of money: ad fraud is set to cost the industry as much as $44 billion annually by 2022.

But the problem has ramifications for more than just the digital advertising market.

Digital ad revenue provides much of the financial underpinning of e-commerce and online-based businesses. Media agencies suffer when their analytics tools report a substantial amount of web traffic, but the amount of revenue doesn’t support the number of visitors tracked by their systems.

Online digital advertising fraud has become so profitable that malware creators and botnet masters are developing new programs and theft techniques in order to keep making a profit, according to Michael Tiffany, president and co-founder of the bot detection company White Ops.

“To make money, the bad guys make it look like there are more people looking at ads than there really are,” he said. “This is a big deal because other crimes leave evidence. You might have missed a ransomware infection, but someone asks for bitcoin. … Ad fraud succeeds by going unnoticed.”

Scams work in a myriad of ways, though every method depends on the digital advertising ecosystem’s inherent complexity. There could be as many as nine different companies involved in the chain of serving one web user with a single ad, and every one of those transactions presents an opportunity for scammers to get involved, said Amy King, vice president of product marketing for Pixalate, an ad technology company.

One technique, called ad spoofing, exploits advertisers’ inability to directly place ads on the websites with audiences they are trying to reach. Advertisers buy ad space in a real-time auction for sites that look like known, trusted media outlets, but in fact are set up by scammers. A site that may look like ESPN or the New York Times, for example, might in fact be a much less reputable page that receives hardly any traffic.

It’s also common for fraudsters to inflate ad numbers via pixel stuffing, when an ad is hidden in a picture. Then there’s ad stacking, which occurs when multiple ads are hidden under a single banner or display.

These are just a sample of the perhaps dozens of techniques scammers have developed over the past decade, and more methods are in the works now.

But ad fraud has become the most profitable form of cybercrime today mostly because of the way scammers leverage botnets.

How it’s done

One common technique works like this: A web user clicks on a malicious link in a phishing email, unwittingly infecting their computer with malware. The hackers who control that malware use it to call up an invisible web browser on that user’s machine without their knowledge, and visit junk websites or click on advertisements.

That hacked computer is one of perhaps millions of legitimate machines controlled as part of a botnet that scammers use to inflate web traffic and ad impressions, meaning advertisers are paying for access to humans who don’t exist.

Scammers, impersonating legitimate companies, also sell their fake traffic to real publishers trying to attract as many engaged visitors as possible — in order to satisfy advertisers. Meanwhile fraudsters are cashing in from both sides.

“Some percentage of total industry spend goes to that imaginary world,” said Sam Tingleff, chief technology officer of the tech lab at the Interactive Advertising Bureau. “As [publishers] know, you’re not directly confronting this on a daily basis but it does mean your income is smaller…than it would be if there was zero fraud.”

“In most cases, the fraud is included in their overall budget and they may or may not have a guess to how much of that goes to fraudulent destinations,” he said.

Take the Methbot and 3ve syndicates as an example…

Read The Full Article at Cyberscoop
