I’ve written before about the gaping security loopholes that you open up when you put third party javascript on your site. The javascript can record keystrokes, which is especially bad news for banking websites, password manager sites with access to all your passwords, and pretty much every other website. Do you know what data that third party javascript is exfiltrating? Further, do you know what data that third party javascript is injecting?
Aside from the obvious cybersecurity risks, javascript code can be used for other devious things to help fraudsters make more money more efficiently. For example, Newsweek was caught using javascript to alter viewability measurements so that all the ads on their site were marked “viewable” and therefore sellable in programmatic exchanges to buyers that insisted on buying “only viewable” impressions. They were tricking the measurement so that their “rotten apples” (non-viewable impressions) could be sold as if they were “fresh apples” (viewable impressions) by deception.
In CTV fraud, software programs (bots) can pretend to be Roku sticks; fraudsters can use javascript commands to remotely download and install apps onto devices without users’ knowledge, then launch the app and stream for hours to generate more CTV ad impressions. They can even pass signals about how far into the video ad the user watched (which quartile), by tricking the reporting. And of course there are the classic examples of fraudsters just passing random geolocations (bids with locations make more money) or specific geolocations (to absorb ad budgets targeted at specific locations, like political ad spending). But enough of the obvious stuff.
Have a look at the following four examples of techniques bad guys use to make money. How many of these did you know?
