Fraud is more insulting than a four-letter word and costs billions


As marketers put all budgets under the microscope for 2021, we decided it was a good time to revisit the minefield of digital ad fraud.

“Ad fraud and other forms of invalid advertising traffic can waste up to 30% of a marketer’s advertising budget. CMOs have become lax with this aggressive loss to their ad campaigns, considering it just a part in doing business, and have resigned to this new ‘tax’.” 

The vast majority of businesses have no clue that 30% of their advertising budget is taxed away. From fake mobile display traffic to bots, ad fraudsters are undercutting businesses’ marketing and customer acquisition efforts.    

In the US, ad fraud is predicted to see advertisers lose $100 million a day by 2023. Creating a solution to protect against ad fraud is no longer optional for digital marketers; it is mandatory.

According to the World Federation of Advertisers (WFA), it is estimated that by 2025, over USD50 billion will be wasted annually on ad fraud.

Are you actually doing this?

One example of ad fraud as a form of sabotage is when businesses intentionally click their competitors’ advertising, using scripts to programmatically click, or commissioning click farms to do it.

The objective is to drain their competitors’ ad budgets so that fewer ads are shown to real users, making it harder for those businesses to attract new clients. When the target’s budget is drained completely, it is then easier and cheaper for the perpetrator to get their ad placed.

The menace fights back

Since the introduction of ads.txt by the IAB Tech Lab two years ago, bad actors have invented ways to exploit and subvert a tool that was heralded as a vital way to snuff out ad fraud. According to a report early this year, ads.txt itself has been exploited as a vehicle to cover up fraud in over 1.5 billion online ads!

“The global village that was once the internet has been replaced by digital islands of isolation that are drifting further apart each day,” says Mostafa M. El-Bermawy.

Ad Stacking

Ad stacking is a practice where multiple ads are stacked on top of one another, with only the top ad visible to the viewer. While only one ad is visible, the impression counts for each served ad, even the hidden ads underneath the stack. It is another trick to defraud advertisers.

iFrame/1×1 Pixels

Also referred to as pixel stuffing, this takes place when a 1×1 pixel (invisible to the human eye) is placed on a site, sometimes through an ad unit. Unknown to the user, these pixels can end up loading an entirely different website. The site that loads out of view in a 1×1 iFrame often contains advertising – none of which is ever seen by a user. While this method of fraud can be used to simulate false ad impressions, it’s also often used in affiliate marketing scams, where the hidden site ‘cookies’ the visitor. The hidden site then gets to share the credit on any conversion or purchase with the site the viewer is actually visiting.
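
For anyone auditing a publisher page, both ad stacking and pixel stuffing show up in the geometry of the ad slots. The check below is an added example, not part of the original article: it flags slots too small to be seen and slots mostly covered by another ad. The slot records, field names and thresholds are assumptions; in a browser the values would come from each ad frame's bounding rectangle and z-index.

```javascript
// Added example: audit ad-slot geometry for pixel stuffing and ad stacking.
// Thresholds are assumed values; tune them per ad format.
const MIN_VIEWABLE_AREA = 100; // px^2, anything smaller cannot be seen
const MAX_COVERED = 0.5;       // flag slots more than 50% hidden by another ad

// Area of the intersection of two rectangles, 0 if they do not overlap.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function auditAdSlots(slots) {
  const findings = [];
  for (const slot of slots) {
    const area = slot.width * slot.height;
    if (area < MIN_VIEWABLE_AREA) {
      findings.push({ id: slot.id, issue: "pixel-stuffing", detail: `${slot.width}x${slot.height}` });
      continue;
    }
    // Ad stacking: another ad with a higher z-index covers most of this slot.
    for (const other of slots) {
      if (other === slot || other.zIndex <= slot.zIndex) continue;
      if (overlapArea(slot, other) / area > MAX_COVERED) {
        findings.push({ id: slot.id, issue: "stacked-under", detail: other.id });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample page: three ads in one position, one 1x1 frame, one clean slot.
const sampleSlots = [
  { id: "ad-top",    x: 0, y: 0,   width: 300, height: 250, zIndex: 3 },
  { id: "ad-mid",    x: 0, y: 0,   width: 300, height: 250, zIndex: 2 },
  { id: "ad-bottom", x: 0, y: 0,   width: 300, height: 250, zIndex: 1 },
  { id: "ad-pixel",  x: 5, y: 900, width: 1,   height: 1,   zIndex: 0 },
  { id: "ad-footer", x: 0, y: 600, width: 728, height: 90,  zIndex: 1 },
];

console.log(auditAdSlots(sampleSlots));
```

Every finding is an impression that would be billed without a chance of being seen, which is the number to take to the ad network or exchange.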

“Advertising fraud is done by creating fake ad traffic using content-scraping websites or other environments, launching ads outside of a user’s view, or creating other fictitious mechanisms for delivering ads that are not seen by consumers.”

Ghost Sites

The most widely reported type of fraud that currently takes place in online advertising is something referred to as Ghost Sites. These are real websites with real content, usually falsely produced or stolen from other legitimate websites. The sites’ only purpose is to defraud advertisers. The site owners create these sites and make them available through ad networks or exchanges that participate in real-time bidding environments. They hire botnets to go to the sites, which in turn generates ad impressions that enter the auction environment and are then purchased by advertisers.

Emerging ad formats and channels, like video or mobile, are today’s new breeding grounds for fraud.

THE DARK SIDE
(not recommended)

In a nutshell, it’s actually very easy to set up FAKE accounts….

  • Purchase a domain and hosting plan. GoDaddy offers plans from as low as RM5 a month.
  • Set up multiple e-mail accounts from this domain. Most plans offer up to 100 mail accounts.
  • Imagine setting up a Gmail account with each of the 100 accounts from above… plus Google only verifies IF the above is valid and active.
  • Now it gets better: create an FB account with each and every Gmail account above. Like Google, FB just wants to ensure that the email is active and the details entered for the profile fit within their so-called guidelines. For good measure, create accounts with the 100 email accounts from Step 2. This could have you end up with 200 FB accounts to do some really naughty stuff.
  • Spend a weekend doing the above, including putting a stupid profile photo (which Google will be willing to provide gratis). Have a few friends for each account since you have almost 200 to play with. Do this with a chilled beer.
  • Now it looks like you have a small community which you have complete control over. All with just RM5 and some time spent.

Now the naughty stuff, depending on what your game plan is. Do you want to:

  • Be a cyber trooper?
  • Help your company’s marketing campaign?
  • Be a nuisance to decent advertisers?
  • All of the above?

Let’s make our own server farm. You have two options for this…

  • Use Amazon Web Services / Microsoft Azure (can be expensive)
  • Repurpose any old computers at home (highly recommended).

So let’s do this with option 2. 

  • Install Linux (it’s FREE).
  • Set up a VPN or Tor (instructions easily found using Google).
  • Set up virtual machines within this computer. Depending on the configuration, it’s possible to have up to four.

Assuming the above is done, you now have 5 machines ready to do more naughty stuff such as:

  • Create fake traffic sources to, let’s say, your company’s marketing campaign website.
  • Create fake ad views on sites.
  • Boost your site’s visitors etc.

Of course, all of the above is done automatically, with a simple 5 lines of Bash script utilising free open-source tools such as CasperJS and PhantomJS.

Now of course all the tools mentioned here are not actually designed for naughty stuff. They are actually very useful tools to help design and stress networks and applications. But in the wrong hands, they can be harmful.

But let’s just say you are the platform owner itself or at least have access to the site (legally or not). What can you now do?

Well a lot actually…

  • Injecting fake cookies to web pages
  • Injecting fake ads (which do not actually display to the end user but are tracked as shown / viewed)
  • Really mess up your GA stats, etc

A naughty owner could actually set up a dummy page with zero content but just have all the tags required and then get his server farm to keep visiting that 1 page every minute.

Now think what this does to GA. It will record each visit and because of the TOR/VPN configuration the IP is different each time and hence Google will dutifully record it as unique!

You have achieved messing up your GA with fake traffic, which unfortunately (fortunately for you though) some poor advertising agency bloke will believe and hence influence the ad spend.
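
The agency on the receiving end can spot this pattern in raw hit logs before trusting the headline numbers. The sketch below is an added example, not from the original article: it flags pages whose hits arrive at near-constant intervals while almost every hit comes from a new IP address. The record fields, thresholds and sample data are constructed assumptions, not a Google Analytics export format.

```javascript
// Added example: flag pages whose traffic is metronomic and "all unique".
// hits: [{ ts: seconds, page: string, ip: string }] (assumed record shape).
function scorePageTraffic(hits, { maxCv = 0.1, minUniqueIpRatio = 0.9, minHits = 5 } = {}) {
  const byPage = new Map();
  for (const h of hits) {
    if (!byPage.has(h.page)) byPage.set(h.page, []);
    byPage.get(h.page).push(h);
  }
  const report = [];
  for (const [page, list] of byPage) {
    if (list.length < minHits) continue; // too little data to judge
    list.sort((a, b) => a.ts - b.ts);
    // Gaps between consecutive hits; humans are bursty, schedulers are not.
    const gaps = list.slice(1).map((h, i) => h.ts - list[i].ts);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
    const cv = mean > 0 ? Math.sqrt(variance) / mean : 0; // coefficient of variation
    const uniqueIpRatio = new Set(list.map((h) => h.ip)).size / list.length;
    report.push({
      page, hits: list.length, meanGapSec: mean, cv, uniqueIpRatio,
      suspicious: cv <= maxCv && uniqueIpRatio >= minUniqueIpRatio,
    });
  }
  return report;
}

// Constructed sample: /landing is hit about once a minute from a new address
// each time; /blog has irregular gaps and returning visitors.
const sampleHits = [
  ...[0, 60, 121, 180, 240, 301]
    .map((ts, i) => ({ ts, page: "/landing", ip: `203.0.113.${i + 1}` })),
  ...[[10, 7], [15, 7], [400, 8], [1900, 9], [1930, 9], [5000, 7]]
    .map(([ts, host]) => ({ ts, page: "/blog", ip: `198.51.100.${host}` })),
];

console.log(scorePageTraffic(sampleHits));
```

A flagged page is a reason to look closer (engagement, conversions, referrers), not proof on its own.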

Back to reality

As we dwell in our online echo chambers, the time has come to stop playing victim and make 2021 as profitable as you can by policing ad fraud like never before.

This article has been widely researched and curated off the internet but the editor can guarantee no fraud was intended in the process. I’d like to credit all sources. The publisher also wants to declare that we don’t practice any of the tricks mentioned under THE DARK SIDE in this article.