Digital Ad Fraud is Not Illegal Yet, But Should Be

March 2019 / Page 0marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Digital Ad Fraud is Not
Illegal Yet, But Should Be
March 2019
Augustine Fou, PhD.
acfou [at] mktsci.com

Why, what is it like?

Counterfeit goods
Just like fake watches and handbags, fake digital ads

Computer crimesMany of the tech/actions that support ad fraud are computer crimes
“computer crimes such as breaking into computers or computer
networks. Computer crime can be broadly defined as criminal activity
involving information technology infrastructure, including illegal
access (unauthorized access), illegal interception (by technical means
of non-public transmissions of computer data to, from or within a
computer system), data interference (unauthorized damaging,
deletion, deterioration, alteration or suppression of computer data),
systems interference (interfering with the functioning of a computer
system by inputting, transmitting, damaging, deleting, deteriorating,
altering or suppressing computer data), misuse of devices, forgery (or
identity theft) and electronic fraud.
https://en.wikipedia.org/wiki/List_of_computer_criminals

Illegal Access / Breaches
Harvesting personal info, ecommerce transactions, other data
BreachesIllegal Access
https://www.csoonline.com/article/2130
877/data-breach/the-biggest-data-
breaches-of-the-21st-century.html

Illegal Interception
Keystroke logging to collect logins, passwords, other personal info
Source: Freedom to Tinker, Nov 2017
https://www.thedailybeast.com/california-passes-landmark-
privacy-bill-to-restrict-data-harvesting

Data interference
Alteration or suppression of computer data
Buzzfeed, March 2018
Source:
http://articles.latimes.com/2013/apr/19/business/la-
fi-mo-cookie-stuffing-ebay-20130419
“Laguna Niguel man pleads
guilty in 'cookie stuffing' scam
against Ebay. The online
auctioneer paid Dunning’s
company about $5.2 million in
2006 and 2007, the U.S. Attorney
said.”

Misuse of Devices
Ransomware and malicious cryptomining using humans’ devices
https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/https://www.zdnet.com/article/ransomware-not-dead-just-getting-a-lot-sneakier/

Forgery, falsified profiles
Unverifiable lookalike audiences contain fake profiles/preferences
Bots pretend to be
oncologists by visiting
oncology related sites.
“[LOTAME] purged 400 million
of its over 4 billion profiles after
identifying them as bots.”
Adweek, Feb 2018

Criminal impersonation
Bad guys pretend to be politicians, celebrities to trick consumers

Copyright infringement
Entire pages copied to thousands of other sites, to get free traffic
Google search on entire phrase in quotes:
http://bit.ly/16H9Gk5
Source: Buzzfeed, March 2019

Copyright/Trademark Laws
Multiple forms of fraud, violating different laws
Quote from Doc Searls,
1. “All four ads are flat-out frauds, in up to
four ways apiece: All are lies (Tiger isn’t
gone from Golf, Trump isn’t disqualified,
Kaepernick is still with the Niners, Tom
Brady is still playing), violating Truth in
Advertising law.
2. They were surely not placed by ESPN and
CNN. This is fraud.
3. All four of them violate copyright or
trademark laws by using another
company’s name or logo. (One falsely
uses another’s logo. Three falsely use
another company’s Web address.)
4. All four stories are bait-and-switch scams,
which are also illegal. (Both of mine were
actually ads for diet supplements.)”

Piracy/Mass Infringement
Large numbers of cloned sites containing 100% pirated content
Mass infringement
sites use pirated
content to attract
human visitors
- Show ads
- Attempt to hack
them or track them

DDoS traffic for ad revenueDDoS attacks overwhelm with traffic; now use traffic to make ad revenue
Google Digital Attack Map

Ad dollars fund child abuse sites
“Using a variety of sophisticated techniques to avoid detection,
offenders are exploiting online advertising networks to monetise their
distribution of child sexual abuse material.”
Source: The Drum Nov 6, 2018
Source: CNN, Feb 2019

Ad dollars fund piracy, porn sites
Source: Adweek, 2013 Source: BusinessInsider, 2014

Identity theft scenarios
Stolen personal info can be sold, and also later used in hacking
https://www.experian.com/blogs/ask-experian/heres-how-much-
your-personal-information-is-selling-for-on-the-dark-web/
Data Prices on the Dark Web
https://www.cnn.com/2019/03/09/tech/fac
ebook-ukraine-hackers/index.html

Money laundering scenario
Dollars are laundered as digital media ad spend on “cash out” sites
1. Buy digital media via ad exchanges on sites
directly or indirectly owned by the same entities
2. Pay “ad tech tax” (cut to middlemen)
3. Collect dollars from “cash out” sites, fully
laundered

Credit card fraud scenario
Tiny transactions automated on millions of stolen card numbers
Amateur Criminals
Buy HDTV at Walmart
with stolen credit card;
get caught, card is
deactivated.
Pro Criminals
Automate millions of 99 cent in-
game purchases of “power-ups,
shields, virtual goods” to
harvest dollars, fully laundered.

Wire fraud scenarios
Knowingly misrepresenting the capabilities of the … technology
“Allegedly engaged in a multi-million dollar
scheme to defraud investors, as well as a
doctors and patients. charged with two counts
of conspiracy to commit wire fraud and nine
counts of wire fraud.
Holmes and Balwani are charged with two
counts of conspiracy to commit wire fraud and
nine counts of wire fraud.
Holmes and Balwani were accused of knowingly
misrepresenting the capabilities of Theranos'
proprietary blood testing technology. The two
allegedly knew there were "accuracy and
reliability problems," and that it "could not
compete with existing, more conventional
machines," the US Attorney's office said.”
http://money.cnn.com/2018/06/15/technology/elizabeth-
holmes-indicted-theranos/index.html

Securities fraud scenarios
Deceptive practice of inducing investors with false information
• Revenues derived from illegal activities
• Inflating revenue, profits through ad fraud
• Overstating subscribers, active users, ARPU
• Selling counterfeit services and products
• Misrepresenting the capabilities of services, products

Ad fraud is “cash out”
for criminal activities

The most profitable criminal activity
2,500 - 4,100% returns
11% returns1% interest
digital ad fraud
stock marketbank interest
“where else can I get multi-
thousands percent returns on
my money? Right. Nowhere.”

“Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
Source: https://www.slideshare.net/augustinefou/state-of-digital-ad-fraud-q2-2018

#defendthespend
“solving ad fraud will reduce the
flow of dollars to what amounts to
‘major economic crimes.’
Then, and only then, will we get
back to REAL digital marketing.”

What can each
party do?

Marketers
• Cut or pause digital ad spend to observe if there are
changes to real business outcomes. If not, keep cutting until
you see a change. Anything else was not driving results
anyway, no matter if it was marked “fraud free” or not.
• Always ask why or how? Don’t assume summary reports are
accurate or that other parties are doing what’s right for you.
• Get detailed “line item” reports (e.g. sellerID based
placement reports, not just domain based reports); choose
reliable metrics and avoid easily fakable quantity metrics.
• Rely on your common sense and check your own analytics
for signs of fraud; reduce fraud by turning off sites and
exchanges that exhibit consistent patterns of cheating.

Example: P&G cut $200M
No business impact after cut; plans more cuts, up to half a billion
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
said.
Source: WSJ, March 2018
P&G: cut $200M, no impact

Ad Networks/DSPs/SSPs
• Update policies to outlaw the most common forms of
abuses that support ad fraud – duplicate content, phantom
sites, auto-refreshing of pages and ad slots, naked ad calls
• Establish simple “3 strikes” policy to notify offenders and
provide paths to remediation and correction of violations
• Provide detailed reports to clients, specifically sellerID
based reports so all parties can “follow the money trail” and
help identify bad actors

Example: model citizen SSP
• “Strictly enforce ads.txt compliance. This goes beyond just verifying
that an ads.txt is in place (which, as you note, is no barrier). Rather, it
ensures that the domain sending the traffic must be tie back to a
payee that is authorized by the site owner. This ensures that bad
actors won't be paid for spoofed traffic.
• Ban 300x250 video and other commonly arbitraged ad units.
• Operate off a whitelist of partners, domains, and apps. There should
be no chance of inventory going live without human review.
• Scan all creatives for malware and other malicious code.
• Have earned TAG Certification in all relevant programs (e.g. Certified
Against Fraud, Certified Against Malware, Inventory Quality
Guidelines) validated by a 3rd party. TAG certification [requires]
thorough documentation and disclosures, which many bad actors may
not be willing or able to complete.”

Publishers
• Don’t source traffic (outright buying of hits to your site or
app); this exposes you to ad fraud. This is different from
paid/social media marketing, real content discovery.
• Protect your buyers - filter obvious bots (GIVT – named bots
and data centers) so ad calls are not made; this also reduces
the chances of your getting accused of high invalid traffic
• Protect your website visitors by reducing third party
trackers and carefully vetting the ones that remain; reduce
your own risk of privacy violations and non-compliance

Example: publisher filters bots
Good publishers filter (GIVT) data center traffic, obvious bots
Bots coming to site
(on-site measurement)
Bots filtered out
(in-ad measurement)
11% red
-9% (filtered GIVT
and data centers)
2% red

Consumers
• Use ad blockers, use malware protection software on all
devices. Limit your exposure to high risk categories of sites
– e.g. piracy sites.
• Use common sense – DON’T click it, even if it appears to be
from a friend or family member. Contact them on a
different channel to ask if they meant to send it.
• Be vigilant – assume that there will be even more hacking
attempts and more malicious malware/malvertising to
come as hackers step up their tech and attacks
• Always monitor for your own personal info, photos, and
other meta data that may be compromised already and
used to trick and compromise you.

Example: ad blocking, VPNs

Government
• Introduce new laws against digital ad fraud and related
fraudulent business practices
• Review government spending (taxpayer dollars) on digital
ads that have proven to be completely ineffective
• Subpoena analytics and reports for details which show
actual performance, hidden in summary reports or averages
• Subpoena financial records to see the money flows (fraud is
very evident when you “follow the money”) and investigate
money laundering and tax evasion

About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com

“It’s easier to fool people than
to convince them that they have
been fooled.”
Mark Twain

Dr. Augustine Fou – Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017
20192018

Digital Ad Fraud is Not Illegal Yet, But Should Be

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Digital Ad Fraud is Not Illegal Yet, But Should Be

Ähnlich wie Digital Ad Fraud is Not Illegal Yet, But Should Be (20)

Mehr von Dr. Augustine Fou - Independent Ad Fraud Researcher

Mehr von Dr. Augustine Fou - Independent Ad Fraud Researcher (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Digital Ad Fraud is Not Illegal Yet, But Should Be