From clickbots to malvertising. What can we do about rising ad fraud?

From clickbots to malvertising. What can we do about rising ad fraud?

There’s no escaping it. Advertising fraud is a very real problem. From clickbot fraud to malvertising, costs associated with digital advertising fraud were estimated to have reached approximately $81 billion in 2022 and are forecast to reach $100 billion in 2023. Money lost to advertising fraud has now surpassed credit card fraud and research suggests that up to 10.5% of digital marketing activity is fraudulent.

Ad fraud schemes are evolving fast and the term ‘ad fraud’ has become synonymous with a whole range of different methodologies. Methodologies like PPC fraud, malvertising, bot fraud, domain spoofing, and clickbot attacks, all of which we’ll delve into below.

For an industry already wearied by recession and feeling the squeeze of ever-tightening ad budgets, the rise in ad fraud is a legitimate concern. And for ad platforms, fraud prevention and ad fraud protection mechanisms are fast becoming a fundamental imperative, both for protecting margins and reputation.

What is ad fraud and why is it on the rise?

Advertising fraud is any attempt to defraud an advertiser or publisher. Scammers use various methods to generate stolen revenue by tricking ad platforms into paying them. Fraudsters do this by falsely representing online ad impressions, conversions, or clicks. Any activity of this nature is known as invalid traffic.

When we think of advertising fraud, the first thing that typically comes to mind is fraud on the supply side. Bot fraud stealing from publishers. But that’s only half of the picture. The other half, demand-side fraud, involves stealing from advertisers.

Common types of demand-side fraud include PPC fraud (fake clicks and impressions generated by a clickbot or human agent) and attribution fraud (in which the wrong person gets paid for a publisher’s work). Demand-side fraud like PPC fraud and ad attribution fraud damages advertiser-publisher relationships and leads to security violations when fraudsters circumvent user consent to track users.

Several high-profile cases have started to emerge over the past few years. In February 2023, an investigation by fraud prevention and anti-malware platforms DeepSee and Malwarebytes uncovered a new online ad fraud ring. The attack, dubbed “DeepStreamer”, involved illegal movie streaming platforms selling ad inventory through Google Ad Manager.

Malwarebytes Labs reported that these streaming sites generated an estimated 210,550,928 visits in January 2023 and hundreds of millions of bid requests between January and February. By even the most conservative estimates, advertiser spend on the scheme is thought to have reached between $120k-1.2 million in January 2023 alone.

The scam emerged only shortly after reports of another large-scale attack. The Vastflux attack, discovered by researchers at Human Security in early 2023, is one of the biggest ad fraud campaigns ever uncovered. 1700 spoofed apps were found, impacting 120 targeted publishers, and resulting in 12 billion false ad requests daily.

The rise of programmatic advertising, which automates the media buying process, has both revolutionized and complicated the digital advertising landscape. As well as increasing ad efficiencies and reducing advertising costs, programmatic platforms have also created an environment where clickbot scammers and PPC fraud schemes can thrive. Moving forward, these platforms will need to fortify themselves against bad actors with improved ad fraud protection mechanisms.

How advertising fraud impacts ad platforms

Advertising fraud is a serious problem for the digital advertising industry. Not only does it damage the monetary value of a platform’s ad inventory, but it also robs advertisers of their ability to accurately gauge the effectiveness of campaigns.

“Mobile ad fraud devours marketing budgets, contaminates performance data and can turn successful campaigns into losses” comments Andreas Naumann, anti-fraud evangelist for AppsFlyer.

Take ad stacking, for instance, when multiple ads are layered on top of each other in a single ad placement, with only the top ad visible to the user. If a campaign is impacted by ad stacking, the ratio between impressions and clicks is distorted, making it virtually impossible to generate an accurate assessment of that campaign’s performance.

Ad fraud also erodes reputation. If a publisher’s website is compromised by bot fraud or fake ads are injected onto the platform, it can quickly lead to a loss of trust even if the publisher isn’t at fault.

Some fraudsters take this one step further still by setting up their own fake ad platforms. Advertisers are reeled-in with cheap ad space, forcing legitimate publishers to follow suit and, in so doing, devaluing the entire market.

“Invalid traffic is a major issue in the ad world,” comments Dhiraj Gupta, co-founder of ad fraud detection company mFilterIt. According to Gupta, invalid traffic is leading to “a dysfunctional interaction system between brands and consumers”.

From clickbots to malvertising. What can we do about rising ad fraud?

Prevalent types of advertising fraud

Ad fraud isn’t a singular thing. It encompasses many different activities and techniques. The Interactive Advertising Bureau categorizes these schemes into three distinct groups: schemes based on fake traffic, fake supply, and fake data.

Schemes based on fake traffic typically use a variation of bot fraud. These schemes involve falsely inflating the number of website visits and engagements to increase the total number of impressions registered. This is a type of PPC fraud and includes methods such as:

  • Bot fraud: programs that trick publishers into thinking that users are engaging with ads by generating false clicks, page loads, and plays via a clickbot.

  • Click fraud: groups of real people paid to engage with ads across platforms, on mass. Both bot fraud and click-based PPC fraud are types of ‘human traffic impersonation’.

  • Ad hijacking: modifying a device to perform desired actions (such as clicking on a link or creating an ad request) without the device user’s consent.

  • Ad stacking: layering multiple ads on top of each other in a single placement. Users unknowingly view multiple ads and advertisers pay for the impressions.

  • Pixel stuffing: reducing ads in size so that they aren’t visible to the human eye. Ads are technically ‘viewed’, and advertisers still have to pay for each impression. Both ad stacking and pixel stuffing are types of ‘invalid human activity’.

Schemes based on fake supply involve tricking advertisers into bidding on illegitimate placements and include methods such as:

  • Ad injection: hacking web pages and inserting ads without the publisher’s consent. Ads may be visible or hidden behind other pieces of content.

  • Cross-domain embedding: connecting two websites via an iFrame (an HTML element that places a second webpage within a parent page) to trick advertisers into bidding on ads served on unsafe or low-quality websites.

  • Domain spoofing: there are various types of domain spoofing. A common spoofing method is URL substitution (changing URLs at the time of bidding so that ads are served on a different website than was originally bid on).

Schemes based on fake data involve hacking performance metrics to show buyers inflated impression, viewability, and website visit metrics, giving a false impression of performance.

Advertising fraud is constantly evolving

New threats are always coming out of the woodwork and for every fraud scheme dismantled, there’s another just around the corner. New developments like malvertising, a cyberattack technique that injects malicious code into digital ads served to consumers via legitimate ad networks. Since the ‘infected’ content is indistinguishable from a legitimate ad, not even publishers are aware if they’re serving malicious ads on their platforms.

Hydra, a sophisticated botnet scheme used to defraud advertising platforms, steal data, and conduct account takeovers, mobilized malware-infected Android devices to generate fake ad impressions. The malvertising scheme was first uncovered by cyber-security and ad fraud protection firm Protected Media in 2019 and has continued to evolve and evade detection by fragmenting its operation across thousands of apps.

Malvertising schemes like Hydra are a growing problem. Recent studies show that one in every 100 ads are now injected with malicious content and even prominent news outlets like the New York Times and BBC have fallen victim to malvertising operations.

Ad fraud is also venturing onto new platforms. DoubleVerify recently shut down the the first-large scale ad impression fraud scheme to hit the audio space. The BeatSting attack, which was first discovered in 2019, cost unprotected advertisers up to one million dollars per month. The scheme spoofs and falsifies streaming apps, causing advertisers to waste ad dollars on fake opportunities and punishes publishers by diverting spend away from legitimate channels. DoubleVerify anticipate that the scheme will continue to evolve. BeatSting didn’t always target audio. The attack originated as a single connected TV (CTV) scheme in 2019, targeting television sets connected to the internet, and further mutations targeting the Internet-of-Things (IoT) have already been detected.

Although it’s anyone’s guess what form the next big attack will take, the fact that one is coming is indisputable. And that means ad platforms have no choice but to put up a strong defense.

The war against advertising fraud has begun

Ad fraud isn’t going to disappear overnight, meaning ad fraud protection is set to become a mainstay of every adtech platform and marketing room. So much so that global demand for ad fraud detection tools is forecast to reach $9.4 billion by 2031.

Fraud prevention tools like AppsFlyer, Adjust GmbH, Branch Metrics, and Traffic Guard, use probabilistic data analysis to identify and counter bot fraud and other variations of fraudulent activity. Steadily, more companies are adopting these ad fraud protection tools as damage limitation to support spend optimization and monitor campaigns.

Others are turning to blockchain as an ally against the problem. Ad fraud prevention platform, Adwatch, leverages blockchain for advertisers, publishers, and ad networks, to certify programmatic campaigns. By encrypting campaign metrics in the blockchain, Adwatch creates an immutable ledger where all data can be tracked and accounted for.

“The Adwatch vision is to secure the entire programmatic advertising supply chain with a unified set of data that’s been verified, that’s secured by blockchain, and that’s free of discrepancies” reports Adwatch.

Another company leveraging blockchain to tackle ad fraud is Verasity. The company’s blockchain-powered ad-stack, known as VeraViews uses a proprietary proof of view technology to prevent fraudulent views on video-based content. Why? Because according to Veracity’s CEO Justin Wenczka, to solve the ad fraud problem “you need technology that is transparent by design”.

Is a fraud free future in sight?

The growth of ad fraud is in many ways a story of success. The proliferation of clickbot fraud, malvertising, and various other forms of advertising fraud is the unfortunate side effect of a thriving digital advertising industry. Carried by the digital ad boom, fraudsters stumbled upon an easy and profitable enterprise.

Combating advertising fraud will be no easy task. Like a virus, ad fraud is constantly mutating and one scheme can have dozens of variants. And that means ad fraud protection measures must act equally fast. Whether or not advertising fraud will ever be eradicated is questionable. What is certain is that to protect budgets and limit reputational damage, ad platforms now have only one option.

Fight back.


Related articles