Ellen Pao was right. I have seen and documented the fake stuff since at least 2013. In digital, virtually unlimited fake accounts, fake traffic, fake users, fake ad impressions, etc. can be created. How many of the 50 slides in this deck were you familiar with?
1. May 2019 / Page 0marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Everything Fake
2019 Update
May 2019
Augustine Fou, PhD.
acfou [at] mktsci.com
212. 203 .7239
2. May 2019 / Page 1marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2013) Everything Fake
https://www.slideshare.net/augustinefou/everything-fake-click-fraud-fake-pages-botnets-ad-waste-reduction
“fake since (at least) 2013”
3. May 2019 / Page 2marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake sites - programmatic
Using software to create thousands of sites automatically
Source: SimilarWeb
4. May 2019 / Page 3marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Websites - random
Get paid to make fake websites (“cash-out” sites) for ad fraud
• No content or
content that is
assembled (i.e.
plagiarized)
• Content not human
readable
• Stuffed with large
numbers of ads
• Page auto-reloads
• Large abrupt traffic
changes
5. May 2019 / Page 4marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Content – made by bot
Pages stuffed with search keywords to attract free organic traffic
Characteristics
• Auto-generated by bots, stuffed with
search keywords
• Stuffed with affiliate links and ads
“More news is
being written
by robots than
you think.”
Souce:
Singularity Hub
March 2014
Mr. Johansson's program
scrubs databases and
other digital sources for
information, and then
packages it into an article.
On a good day, he says his
"Lsjbot" creates up to
10,000 new entries (PER
DAY)
Source: WSJ July 2014
6. May 2019 / Page 5marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Videos – referral links
For driving fake referral traffic to sites, attribution fraud
http://www.youtube.com /watch?v=xnkM9RrDzhM
Banned Celebrity Sex Tapes
Banned sex tapes .com
7. May 2019 / Page 6marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake YouTube Videos - SEO
Keyword-stuffed for video SEO for fake sites (free traffic)
http://www.youtube.com /watch?v=upSOCzlSoHk
http://www.youtube.com/
watch?v=lhbDGpqCmZQ
http://www.youtube.com/
watch?v=UcdiM4uD6fM
http://www.youtube.com
/watch?v=an6xRpQ5Wh8
Duplicated videos
Some carry ads to
generate ad revenue
8. May 2019 / Page 7marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake video views - purchased
Straight line in video views – same quantity added per time period
http://www.youtube.com/watch?v=iP6XpLQM2Cs
Actual interest
Straight line
– purchased views
10. May 2019 / Page 9marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Apps for loading ads
Hundreds of fake or cloned apps, make money via ads
11. May 2019 / Page 10marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Cloned apps, adware SDKs
Apps are easily cloned; free software development kits given away
Apps are cloned
thousands of times;
some didn’t even
bother to change the
colors or cover
graphics.
Bad guys accidentally
cloned apps that
already had detection
SDK in it – from 312, to
750, to 1,330 copies.
Source: CNBC, Aug 2017
12. May 2019 / Page 11marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Antivirus Apps
Fake apps that get lots of permissions on user device
https://www.zdnet.com/article/two-thirds-
of-all-android-antivirus-apps-are-frauds/
https://www.techspot.com/news/79226-more-
than-two-thirds-all-android-antivirus-apps.html
13. May 2019 / Page 12marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake App Installs, Re-installs
Fake mobile devices install legit apps, get paid cost-per-install (CPI)
“Machine has analysed over 22.4 million app installs,
56% of which we detected as fraudulent.
Of these 88 ad networks, only a single one delivered
less than 10% fraudulent app installs. The rest fell
somewhere between 15% and 100% fraudulent. Five
of the networks delivered 100% fraudulent installs.”
https://www.tune.com/blog/install-or-reinstall-42-of-mobile-app-
installs-are-actually-reinstalls-and-in-some-categories-its-75/
34 mobile networks were >50% fraud
42% Installs were Actually Re-Installs
https://www.linkedin.com/pulse/machine-report-10-gary-danks/
14. May 2019 / Page 13marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake downloads, boost rank
Download/purchase own apps with bots to get to top 25 list
15. May 2019 / Page 14marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake IDFAs on real devices
Bad apps rotate faked/copied device IDs to defeat frequency caps
Source: Cinarra Systems
16. May 2019 / Page 15marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
tOLKnMEzcnARvLTvChnt
Random vs Replayed DeviceIDs
Techniques to defeat fraud detection and frequency caps
RANDOM deviceIDs
lXvBEeRXPURtcKILYFYE
IdUkQeWgqshMmfMdzlAx
INIjBzHJHywhgRsMdQPe
tiAnxwuKBNCjoMetZaPN
UjtRbuUTvYUwmABhmPGH
MDSUUgkENQkQDztavzfl
iljoJEXUcLCEFwSdrwZn
APbLSRUvlrIoofIchhLg
NZXVVKCbymRYBSStNRYz
UiSBmuDpYLkNvsHBKcri
tOLKnMEzcnARvLTvChnt
LZyhgblHtMIMaAliHWYB
vKFknsnhGouIucYgxmdu
• If fraud detection hasn’t seen a device
before, the default action is to let the ad
serve
• Frequency caps based on deviceIDs are
defeated, each device appears as new
• Valid deviceIDs are harvested from real
devices and sent to fake devices or apps to
replay
• Replayed deviceIDs are used by fraudulent
apps to defeat fraud detection
REPLAYED deviceIDs
tOLKnMEzcnARvLTvChnt
validated deviceID harvested
17. May 2019 / Page 16marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake apps to infect devices
Fake versions of popular apps are used to infect humans’ devices
Source: Independent, Jun 2018Source: Fortune, July 2016
18. May 2019 / Page 17marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake VPN – malware/adware
Fake “free VPNs” track users’ browsing history, serve more ads
Source: PC Magazine, Jun 2018 Source: ZDNet, May 2015 Source: TechCrunch, Feb 2019
19. May 2019 / Page 18marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Faked Google Analytics
Manipulate Google analytics to show traffic that is non-existent
Source: https://youtu.be/6_F-NAvr39o
https://www.youtube.com/watch?v=ztiBQASKld8
20. May 2019 / Page 19marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Faked mouse moves/clicks
Create fake mouse movements and clicks on ads using javascript
Source: https://youtu.be/HeGYr3jwubY
21. May 2019 / Page 20marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake clicks – attribution scams
Directly loading attribution urls and SDKs are to show fake clicks
Source: Method Media Intelligence
22. May 2019 / Page 21marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake data
Software tool to rotate referrer, browser agent, IP address
Source: Ratko Vidakovic
23. May 2019 / Page 22marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Geolocation
Houston, TX
5am local time
Bozeman, MT
4am local time
Same set of 15 apps calling ads from both locations, at times when humans are not awake yet
24. May 2019 / Page 23marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Agencies
Out of the 28 fake ad agencies, only
20 ever had any activity in advertising
markets. We believe Zirconium was
progressively rolling out their agencies
to overcome occasional bans, as they
progressively got caught. We observed
a pace of 1 to 3 releases per month.
Since the majority of agencies were
created around February 2017, the
dormant ones progressively built
precious reputation (mostly history,
and social media following) to pose as
established companies and maximize
their potential of striking deals with
more ad platforms.
Source: Confiant, 2017
25. May 2019 / Page 24marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake traffic, laundered
Fake sites don’t sell ads directly; they feed traffic to other sites
Advertisers
impacted
26. May 2019 / Page 25marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake pageviews – auto-redirect
Webpages auto-redirect to other pages/sites in infinite loops
How much does it cost?How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
27. May 2019 / Page 26marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Traffic sellers’ “high quality traffic”
Many sources to buy “traffic,” tune “quality” level, host bots
Google
“buy real human traffic”
Select vendor and
“traffic quality level”
Host your own bots
(cost $3.99/mo)
28. May 2019 / Page 27marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Luminati[.]io Oxylabs[.]io Smartproxy[.]com
Residential Proxies
Use: to disguise data center bots to appear to come from
residential IP addresses, avoid detection
40 million
IP addresses
10 million
IP addresses
30 million
IP addresses
29. May 2019 / Page 28marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake or plagiarized ads.txt
Source: MediaMath
Fake sites rushed to put ads.txt files in place, to continue to sell
“the company will only buy
… from publishers who have
an ads.txt file in place.”
“completely useless…
… fake and fraud sites just
put ads.txt files in place so
they can continue to sell
inventory.”
30. May 2019 / Page 29marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake domains, bids
Fake sites disguise themselves as good domains to sell inventory
publisherA.com
PublisherA does
NOT sell ads on
open exchanges!
100% spoofed inventory
“In “domain spoofing,” bad actors intentionally disguise the
nature of the ad space they’re selling. That inventory is
made available via automated marketplaces run by ad tech
companies such as the ones the FT highlighted. In the end, a
marketer might believe they’re paying for ads on FT.com,
but their ads may actually appear on other sites with
questionable content and unknown ownership.”
https://www.wsj.com/articles/financial-
times-finds-counterfeit-ad-space-was-
offered-by-at-least-six-companies-
1507563713
31. May 2019 / Page 30marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake GDPR consent strings
Humans don’t give consent; bots consent to be shown more ads
Source: CNBC, July 2018
• Humans don’t give consent
to ad tech companies they
have never heard of.
• Bots give consent so more
ads can be delivered to
them
• Forged consent flags that
are not verifiable are used
to continue programmatic
ad trading
32. May 2019 / Page 31marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake ad impressions
“dark processes” are continuous loading of ads, in background
https://youtu.be/utoN_VlxtE0
(demo video of page continuously
loading ads in the background)
33. May 2019 / Page 32marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake mobile display ads
May 26 Forbes “Judy Malware”
• 40 bad apps to load ads
• 36 million fake devices to load
bad apps
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
June 1 Checkpoint “Fireball”
• 250 million infected computers
• primary use = traffic for ad
fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minuteSource: June 2017 “Chinese click
fraud gang in Thailand arrested”
300 real devices
used for click fraud
34. May 2019 / Page 33marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake ads - malvertising
Ransomware can be delivered through ads with malicious code
Source: ZDNet, March 2017 Source: TechRepublic, June 2017
35. May 2019 / Page 34marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake mobile traffic - apps
Fraud apps repeatedly loading webpages, w/ hidden browsers
Gallery urls repeatedly loaded
By same apps, in the same ratios
36. May 2019 / Page 35marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Traffic - pop-unders
Porn sites have humans; click play, spawn pop-under, load ads
Source: Digiday Feb 2017 Source: BuzzFeed Dec 2017
37. May 2019 / Page 36marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Pages auto-load other pages
Code causes pages to auto-load other pages repeatedly
Source: https://youtu.be/KluP64UI9Jg
38. May 2019 / Page 37marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake ad blockers – more ads
Instead of blocking, fake ad blockers load more ads and track users
Source: Engadget, April 2018
39. May 2019 / Page 38marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake profiles
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
fraudulent accounts.
Lotame CEO Andy
Monfried estimated
that 40 percent of all
web traffic is fictional.”
Source: Adweek, Feb 2018
40. May 2019 / Page 39marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake LinkedIn Profiles
Used to simulate “user engagement” (ad clicks), audiences
bot generated content
stock photo
41. May 2019 / Page 40marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Facebook purges 1.3 billion fake
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
accounts.
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018
42. May 2019 / Page 41marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Twitter accounts - bots
Used to sell fake followers, likes, retweets, ad views and clicks
https://www.cnbc.com/2017/03/10/nearly-48-million-twitter-accounts-
could-be-bots-says-study.html
“A big chunk of those "likes," "retweets," and
"followers" lighting up your Twitter account
may not be coming from human hands.
According to new research from the
University of Southern California and Indiana
University.
Since Twitter currently has 319 million
monthly active users, that translates to nearly
48 million bot accounts.”
43. May 2019 / Page 42marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake influencers
Fake influencers bought followers to appear to be influential
Source: Adweek, Jun 2018
“an array of entertainers, entrepreneurs,
athletes and media figures, … bought Twitter
followers or artificial engagement. A New York
Times article on Saturday describing a vast trade
in fake followers and fraudulent engagement on
Twitter and other social media sites, often using
personal information taken from real users.
https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html
NY Times: The Follower Factory
44. May 2019 / Page 43marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake segments - seasonality
Bots browse items by season to attract higher retargeting CPMs
Source: DataXu/DoubleVerify Webinar, April 2015
“look at backpacks in back-to-school season”
45. May 2019 / Page 44marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake behaviors
Bots visit collections of sites to make themselves look attractive
“cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted
46. May 2019 / Page 45marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Personality Quizzes
Used to harvest personal info, meta data for later use in hacking
http://www.businessinsider.com/nametestscom-may-have-
exposed-facebook-data-of-120-million-users-2018-6
https://www.wired.com/story/facebook-exposed-87-
million-users-to-cambridge-analytica/
47. May 2019 / Page 46marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Celebrity Lookalike
Collect self-selected face photos for later use in hacking
Users self-select face
pictures to use for
“which celebrity do you
look like” quizzes. These
are harvested for later
use in hacking.
48. May 2019 / Page 47marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake tech support scams
Designed to trick panicked consumers into downloading or calling
https://arstechnica.com/information-technology/2018/07/tech-support-
scammers-revive-bug-that-sends-chrome-users-into-a-panic/
https://twitter.com/robleathern/status/1014883138684661761
49. May 2019 / Page 48marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Sweepstakes/PrizesUsed to steal users’ email addresses and other personal information
50. May 2019 / Page 49marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Preinstalled adware/spyware
Companies get paid to pre-install adware/spyware on devices
Source: TheVerge, Jul 2017 Source: CNN, Feb 2015
51. May 2019 / Page 50marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake botnet for publicity
PRESS RELEASE:
“used highly sophisticated techniques to
fraudulently load ads on the affected sites
without the site owners' consent, leveraging
a new methodology that allows it to
monetize inventory on premium domains.”
“The botnet was completely fabricated for the press
release announcing their new algo. None of this
actually happened; no ads were injected into any of
the sites they named in the press release. This was
confirmed by direct measurement on the good
publishers’ sites. They were falsely accused and their
reputation was harmed by this publicity stunt.
The failure of the fraud detection was due to their
analyzing only pre-bid data, and using big data and
machine learning approaches, without an
understanding of actual ad serving tech, javascript,
and how browsers work.”
52. May 2019 / Page 51marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake Leads (Lead Fraud)
Real data collected from breaches create leads that appear valid
Fake leads
• Previously filled out by hand
• Now, fully automated with
bots using databases of real
postal addresses, etc. (that
trick verification engines)
53. May 2019 / Page 52marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
#defendthespend
“marketers can (and should) reduce the
flow of dollars to cybercriminals that are
committing ‘major economic crimes’.”
Then, and only then, will we get
back to REAL digital marketing.”
54. May 2019 / Page 53marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Digital Marketing circa 2018
55. May 2019 / Page 54marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239
56. May 2019 / Page 55marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Dr. Augustine Fou – Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017
20192018