Ad Fraud: catch it if you can. Interview with a former fraudster

Disclaimer: what you are about to read was reported during a face-to-face interview. If you are a hacker, please help us build a better digital ad world and fight ad fraud.

Call it the dark side. The digital industry is worried about ad fraud. Anyone investing a budget in digital advertising wants to keep their money from going into fraudsters' pockets. I interviewed an actual hacker who has the potential to earn thousands of euros a day just by placing strings of code, at the expense of brands.

The problem of ad fraud, told by a former fraudster

I was struck by a 2016 Forbes article saying that a Russian group made 3-5 million by faking 300 million video impressions in a day with ad fraud. They built a complex system that makes the ad server believe it is delivering the impression on ESPN or Vogue, to mention a few, while the ad actually goes to a fake domain. This practice is called domain spoofing.

I dug into the issue and found many articles written by the "good guys" fighting ad fraud. Some of these good guys were "Good Fellows" in the past, carrying out fraudulent activities before deciding to help advertisers. The person I interviewed for this article claims to be one of those who converted to good. He prefers to stay anonymous. We will call him Frank, as in the movie "Catch Me If You Can". There are many similarities with the character in Steven Spielberg's masterpiece: Frank Abagnale is a sharp lad who committed fraud worth millions by forging checks and then went to work for the FBI to catch other fraudsters.

RG: Frank, when did you leave the dark side?

Frank: Since late 2015. I got an idea for a startup and needed to promote my product online, and when I got the first reports I realized that the money I was spending was going into ad fraud.

RG: So you were wasting budget because of the systems you had created yourself?

Frank: Not exactly mine. There are so many cases of ad fraud around the web that it would be impossible to detect and remove them all. I decided to stop earning money this way and try to build a product that could be helpful for the ad market.

RG: Do you want to talk about it?

Frank: I prefer not to. We are here to talk about ad fraud.

Frank seemed irritated when I asked him about his project: either he got burned by his own fire, or he did not want to give away details that could identify him.

The types of fraud, explained by a hacker

RG: What kind of ad fraud did you perform?

Frank: My fraudulent activity was mainly based on click fraud and cookie stuffing. Then, when I joined a hacker group, we mainly carried out domain spoofing, which turned out to be the most lucrative.

RG: Can you explain these practices a bit?

Frank: I got paid by affiliates for doing click fraud, which is definitely the easiest: I used a bot able to go on webpages and start clicking and following certain paths. Usually an ad box is placed on the right side of the page, and the bot is able to click automatically on ads, generating clicks and faking the numbers in the reports.

RG: I have heard that today click fraud is not that easy.

Frank: Correct, bots for navigating the pages are the easiest to detect by ad verification tools. In fact, they now tend to hire low-paid workers to click on ads.

RG: You mentioned "they"; who are you referring to?

Frank: We say the sin, not the sinners. Even though I'm sure you know some of them. There are a couple of companies reaching Italian traffic as well.

RG: You mentioned cookie-stuffing, is it still popular?

Frank: Cookie stuffing consists in attaching multiple cookies to users without their knowledge and yes, it is very popular. There are many ways cookie stuffing is performed, but it is tricky too. It does require human traffic, which is a limit if you think that robots can generate potentially 300 times more traffic than an actual user. I had fun doing domain spoofing instead. We made money, but of course nothing compared to the Methbot or the Hyphbot. [Frank is referring to the news I reported in the link at the beginning. The Methbot was detected by WhiteOps in late 2016. The Hyphbot is a kind of evolution of it, but with a bigger impact.]

RG: Had fun? Why is domain spoofing so fascinating?

Frank: Let's say it is fascinating because it is the easiest way to make money with ad fraud: it is NHT (non-human traffic) and can be scaled rapidly.

RG: And the ADS.txt initiative by the IAB? [ADS stands for Authorized Digital Seller: it is a text file placed on publishers' sites certifying which players are allowed to sell their inventory in programmatic.]

Frank: I'm no longer on the dark side. They asked me to participate in the project, but placing a string of code on publishers' properties won't be the solution to ad fraud. Bots are built in more sophisticated ways than ever. There is still no certainty, even now, in determining upfront whether an impression can be fraudulent. You can tell only when the impression is served and the money is gone.

Frank refers to the pre-bid analysis that most ad verification tools perform before the impression is fired. However, the pre-bid analysis is done only on a sample of the inventory, leaving fraudsters the chance to sidestep the controls.
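To make the ADS.txt mechanism mentioned above concrete, here is an added example (not from the interview or from the IAB) of the buyer-side check it enables: parse a publisher's file and verify that the seller offering an impression is listed for that domain. The sample file, domains and account IDs are constructed, and exact-match comparison of account IDs is an assumption.

```python
from typing import List, NamedTuple, Optional

class Seller(NamedTuple):
    ad_system: str           # domain of the exchange/SSP, lower-cased
    account_id: str          # publisher's account ID inside that system
    relationship: str        # DIRECT or RESELLER
    cert_id: Optional[str]   # optional certification authority ID

# Constructed sample file for a hypothetical publisher (not real data).
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example
exchange-a.example, 12345, DIRECT, abc123   # own account
exchange-b.example, pub-9876, reseller
contact=adops@publisher.example
this line is malformed
"""

def parse_ads_txt(text: str) -> List[Seller]:
    """Return the valid seller records, skipping comments and bad lines."""
    sellers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]           # drop trailing comments
        line = line.split(";", 1)[0].strip()  # drop extension fields
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or not fields[0] or not fields[1]:
            continue                          # variables and malformed lines
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        sellers.append(Seller(fields[0].lower(), fields[1], relationship, cert))
    return sellers

def is_authorized(sellers: List[Seller], ad_system: str,
                  account_id: str) -> Optional[str]:
    """Return DIRECT/RESELLER if the pair is listed for the domain, else None."""
    for s in sellers:
        if s.ad_system == ad_system.lower() and s.account_id == account_id:
            return s.relationship
    return None

if __name__ == "__main__":
    listed = parse_ads_txt(SAMPLE_ADS_TXT)
    print(is_authorized(listed, "exchange-a.example", "12345"))
    print(is_authorized(listed, "exchange-a.example", "99999"))
```

A `None` result means the declared domain does not list that seller, which is the mismatch a spoofed domain produces; as Frank points out, the check says nothing about whether the traffic behind a listed seller is human.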

The solution to ad fraud, according to an expert in the field

RG: Brands cannot trust digital otherwise; there must be a solution to ad fraud. What about blockchain?

Frank: We are working on it in our company too. It is strange: just a few years ago I was on the other side, and now I am fighting for the good of the budget spending. I believe blockchain is the likely solution to most ad fraud types. Having the information recorded in the ledger will make it tough to hack a publisher page for domain spoofing. Nothing will help with ad injection though.

RG: So ad injection will still be present, even with the likely consolidation of blockchain in ad tech?

Frank: Ad injection makes ad calls from the client side, where basically a user has downloaded the tool to serve ads. As long as the software is installed and hidden in the operating system, the ad flow continues to stream, generating impressions that maybe the user will not see, but the ad ledger records.

RG: Long live programmatic advertising, despite ad fraud?

Frank: I am a big fan of automation: programmatic advertising is a powerful method to buy and sell impressions. It is up to us to use the right tools and trade in an intelligent way.