Ad Stacking - Tried and True, Widespread and Commonplace
Yesterday, HUMAN Security published a great blog post with technical details of how they found and took down a large ad fraud operation targeting video ads, called VASTFLUX. The perpetrators were using a tried and true technique of ad stacking, sticking up to 25 ads in the same ad slot, all in different layers, to make it hard for fraud detection to catch. Ad stacking has been around since the beginning of digital ads (why stop at only 1 ad in the ad slot when you can load many and make more money?). This was such a pervasive problem that OpenX famously banned all video ads that appeared with a size of 300x250. This was because bad guys were buying low-cost display ad slots (300x250) and stuffing expensive video ads, often many of them, into the same ad slot, and pocketing the difference.
This morning, a PageXray showed the exact phenomenon. Note the example on the right side. The top yellow arrow points to a video ad (not yet loaded in), stuffed into a larger ad slot with another display ad below it. To say this is commonplace would be an understatement. By making ad calls from different layers and iframes, bad guys effectively hide the fraud -- i.e. fraud detection tech and ad exchanges can't "see" the problem. But FouAnalytics can. Let me show you.
FouAnalytics practitioners, here's a pro-tip on how to find ad stacking in FouAnalytics. In the search bar you can start typing the following three variable names (in bold) to see the data not shown by default.
1) page-frame-count tells you how many iframes were on the page, anything greater than 50 is suspicious. Note in the data grid above that we are literally seeing some pages that have 215 - 222 iframes.
2) page-ad-count tells you how many ads were on the page, anything greater than 20 is suspicious, right? In the data grid marked page-ad-count, you can see 88 ads on the page, 76 ads, 62 ads, 55 ads, etc.
3) page-frame-list tells you what was in each iframe. The data below shows nearly 30 ads from Google's ad network loaded into a single page along with the ad size. "300x250#google" means a 300x250 ad loaded from a google ad-serving domain. Look at how many there are in this one example (1 page).
In addition to too many ads on the page, we can see other shenanigans. The data below shows nearly 50 "widgets.outbrain.com" loaded into the page, all inside 0x0 pixel iframes. That's called "pixel stuffing" where they put entire webpages, widgets, or ads in 0x0 or 1x1 iframes, which obviously are invisible to humans (but do these sites even have human visitors?).
Finally, you don't have to manually find these bad sites that are doing the on-page shenanigans listed above. In the Domain App Report tab, you can scroll down to see a section called Stacked Ads. It will surface the domains that are doing ad stacking so you can review them and decide whether to include them in your block lists. Note that often, even mainstream sites will be in this list. Ad stacking may not be as egregious as 62 - 88 ads in the same slot, but are you OK with 5 ads stacked on top of each other in the same ad slot? You decide.
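If you export these fields and want to apply the same rules of thumb offline, the sketch below does it over a few page records. It is an added example, not FouAnalytics code: the dict layout, the assumption that page-frame-list is a list of "WxH#source" strings (the article only shows "300x250#google"), the REPEAT_HINT value, the function names and the sample records are all constructed for illustration.

```python
import re
from collections import Counter

# Thresholds are the article's rules of thumb; REPEAT_HINT is this example's assumption.
MAX_FRAMES = 50   # page-frame-count above this is suspicious
MAX_ADS = 20      # page-ad-count above this is suspicious
REPEAT_HINT = 5   # same size + same source this many times: review for stacking
ENTRY = re.compile(r"^(\d+)x(\d+)#(.+)$")  # e.g. "300x250#google"
HIDDEN_SIZES = {(0, 0), (1, 1)}            # the sizes the article calls pixel stuffing

def parse_frame_list(entries):
    """Return (width, height, source) tuples, skipping malformed entries."""
    matches = (ENTRY.match(e.strip()) for e in entries)
    return [(int(m[1]), int(m[2]), m[3]) for m in matches if m]

def review_page(record):
    """Return the findings for one page record (empty list means nothing flagged)."""
    findings = []
    frame_count = record.get("page-frame-count", 0)
    ad_count = record.get("page-ad-count", 0)
    if frame_count > MAX_FRAMES:
        findings.append(f"page-frame-count {frame_count} > {MAX_FRAMES}")
    if ad_count > MAX_ADS:
        findings.append(f"page-ad-count {ad_count} > {MAX_ADS}")
    frames = parse_frame_list(record.get("page-frame-list", []))
    # Pixel stuffing: content in 0x0 or 1x1 iframes, invisible to a human visitor.
    hidden = Counter(src for w, h, src in frames if (w, h) in HIDDEN_SIZES)
    for src, n in sorted(hidden.items()):
        findings.append(f"pixel stuffing: {n} hidden iframe(s) from {src}")
    # Visible frames of one size from one source, repeated many times on one page.
    visible = Counter(f for f in frames if (f[0], f[1]) not in HIDDEN_SIZES)
    for (w, h, src), n in sorted(visible.items()):
        if n >= REPEAT_HINT:
            findings.append(f"{n} x {w}x{h}#{src}: review for ad stacking")
    return findings

# Constructed sample records (not real FouAnalytics output).
SAMPLES = [
    {"source": "stacked.example", "page-frame-count": 215, "page-ad-count": 88,
     "page-frame-list": ["300x250#google"] * 28 + ["728x90#google"]},
    {"source": "stuffed.example", "page-frame-count": 60, "page-ad-count": 4,
     "page-frame-list": ["0x0#widgets.outbrain.com"] * 48 + ["300x250#google", "n/a"]},
    {"source": "clean.example", "page-frame-count": 6, "page-ad-count": 3,
     "page-frame-list": ["300x250#google", "728x90#google"]},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["source"], review_page(rec) or "nothing flagged")
```

A repeated size from one source is only a prompt to look at the page; it does not by itself prove the ads share a slot.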
For funsies, try the following search "page-ad-count:greaterthan(19)" and then look at the "source" data grid. That will tell you which sites and apps are doing egregious ad stacking, as seen in the page-frame-list data below.
Happy fraud hunting, y'all. Let me know if I can help further.