Clever, Clever Bad Guys

What Pete said, above! (check it)

You know what an unfair fight is? Right, it's where one side has every advantage and the other side can only hope to keep up or catch up. That's what digital ad fraud has been for the last two decades -- an unfair fight. Bad guys have every advantage and good guys can only hope to keep up or catch up. How do I know? I've been on the front lines of this fight for the last 10 years, and have observed how clever fraudsters have been in digital for even longer.


Bad guys innovate faster

To say that bad guys push the envelope of what is possible in the code would be an understatement. Hackers and criminals are often the most savvy and experienced with what can be done with technology or code. They use this to make money, often without the constraints of ethics, morals, or laws. On occasion, determined good guys uncover the hack or fraud scheme exploiting a theretofore unknown vulnerability; that's called a "zero day" because that's the first time anyone's discovered it. Once they stop one hack or scheme, bad guys innovate and find workarounds, so they can keep making money. Far, far too much money is at stake for the bad guys to just give up and accept defeat.

To be more concrete in terms of digital ad fraud, let's look at how clever bad guys innovated to make money. In the earliest days of digital advertising, ad revenue was dependent on the number of pageviews -- the more pageviews, the more ads, the more revenue for a website, even ones that no humans ever heard about. Fraudsters took developer tools called headless browsers and used them to make money by repeatedly loading webpages. Headless browsers are regular browsers used for automatic website testing; but they are called "headless" because they don't need to display anything on screen. Headless browsers are software programs that run in data centers; thousands or millions of instances can be created and managed in data centers, to deliver virtually unlimited traffic as needed.

As good guys caught on to these schemes, fraudsters disguised their headless browsers more carefully by changing the browser name and version, randomizing the screen resolutions, list of plugins, etc. As fraud verification caught up to this, and the fact that these fake users -- i.e. bots -- came from Amazon data centers, the fraudsters innovated and bounced the bot traffic through residential proxy services. This masked the data center traffic and made it appear to come from residential IP addresses, making it far harder to tell apart from real humans using devices at home. Fraudsters also started programming their headless browsers to fake mouse movements, page scrolling, clicks and touch events, all in the effort to foil fraud detection. And the cleverest of all tricks is simply to block the detection tags of widely used fraud verification vendors like DoubleVerify, Integral Ad Science, and Moat (now owned by Oracle) so they have no data and therefore cannot mark the bot as IVT ("invalid traffic"). But no data does not mean no fraud, right?


Bad guys cut dead wood faster

What happens if the 600,000 IP addresses used in a vast botnet were caught and blocked? Right, swap them out and get new ones. Bad guys swapped out all 600,000 IP addresses within 6 hours, so the botnet was back up and running, despite all the press releases and articles written about this famous takedown. What happens if 10,000 websites are booted from ad exchanges for apparent fraud? Nothing. That's because bad guys have 100,000 more domains at the ready to take their place and continue the money-making.

Same with mobile apps. The list of top mobile apps by ad revenue is entirely different from the list of top mobile apps used by humans. How is that possible? Bad guys use mobile emulators to continuously "play" hundreds of mobile apps at a time, something humans can't do 24/7/365. By continuously using these fraud apps -- e.g. casual mobile games, keyboard apps, flashlight and alarm clock apps, etc. -- bad guys can make money loading ads throughout the day. What happens if 600 mobile apps get booted from the app store? No problem. Bad guys have 6 million more. Beyond just cloning apps, bad guys are even more clever and clone entire developer accounts. That way, even if an entire developer account gets shut down, they have dozens more developer accounts that continue making money.

By the way, they have also created thousands of fake CTV apps for the sole purpose of CTV fraud, not to provide more entertainment choices for human viewers.


Bad guys optimize for profit better

Bad guys are also relentlessly optimizing for profits. It's not good enough just to make revenue; they also aggressively reduce costs, so they can keep more profits. For example, while they used to have to make thousands of fake websites using WordPress templates, they no longer have to do that. Why load the entire webpage when their bots can simply load the ads themselves? These so-called "naked ad calls" mean they can save time and bandwidth, not having to load the entire webpage surrounding the ads. The bots can load many more ads this way, in the same timeframe, and save on bandwidth costs. The next step of this evolution is to not even load the ads themselves. Since bad guys have proven successful in getting paid for bids won, there's no need for the bots to stick around and load the ads either. The bots can even be simplified to just Python scripts running on servers and generating 100s of billions of faked bid requests. Whatever portion gets by fraud filters will already make money for them. This is exactly how they are currently getting away with CTV fraud. Since verification tech can't even verify if an ad ever rendered on-screen, this is a veritable playground for fraudsters. Oh by the way, CTV CPMs are by far the highest of all forms of digital ads right now. So every impression they get away with is hugely profitable.

The gross outstripping of supply by demand encourages even more criminals to get in on this fraud. Out of all 16 documented cases of CTV fraud in the last 3 years, all of them involved falsified bid requests -- from the Grindr mobile app sending faked CTV bid requests, to Python scripts on servers, to smart refrigerators, to JavaScript in ad slots -- all fabricating CTV bid requests. NO ads ever ran on any CTV. One such case of fraud saw 12 billion faked CTV bid requests per DAY. Fraudsters are having fun at scale and making money, all the while laughing at the advertisers buying billions of CTV ad impressions, while believing the verification vendors' reports that tell them CTV inventory is "virtually fraud free." Perhaps they don't consider ads running when the TV is off or ads that never ran to be useless?


Will standards help against fraud?

Many advertisers have been led to believe that standards and certifications help in reducing ad fraud. I won't belabor this, because it is so simple and obvious. Nope. Standards and certifications don't help reduce ad fraud. That's because the certification bodies like the MRC (Media Rating Council) and TAG (hilariously named "Trustworthy Accountability Group") have

1) no tech,

2) no data (from real campaigns),

3) no "answer key" (to know if bots are marked correctly), and

4) no processes, to kick out vendors they accredited, but that are clearly committing fraud or not meeting minimum standards to keep accreditation.

Furthermore, standards are "goal posts" that make it easy for bad guys to get away with fraud. For example, the "viewability" standard for display ads says "50% of the pixels of the ad, in view for 1 second." What do you think the bad guys do? They refresh the ad slot at exactly 1 second. By knowing what "goal post" they need to shoot for, they can optimize their fraud to be the most efficient possible. Why wait for more than 1 second, if that is all that is required to sell a "viewable" ad impression?
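A buyer-side check for the pattern described above, as an added example that is not from the original article: it flags placements whose in-view durations cluster just past the 1-second threshold instead of spreading out the way human attention does. The log format, placement names, and tuning constants are assumptions.

```python
from collections import defaultdict

THRESHOLD_S = 1.0      # the "in view for 1 second" goal post quoted above
WINDOW_S = 0.15        # assumption: how far past the threshold still counts as hugging it
MIN_IMPRESSIONS = 5    # assumption: skip placements with too little data to judge
FLAG_SHARE = 0.8       # assumption: share of impressions in the window that raises a flag

# Constructed sample: (placement, seconds the ad was in view before the slot refreshed)
SAMPLE = [
    ("news-site.example/top", 4.2), ("news-site.example/top", 0.6),
    ("news-site.example/top", 12.8), ("news-site.example/top", 2.3),
    ("news-site.example/top", 1.1), ("news-site.example/top", 7.5),
    ("longtail-site.example/slot1", 1.01), ("longtail-site.example/slot1", 1.02),
    ("longtail-site.example/slot1", 1.0), ("longtail-site.example/slot1", 1.03),
    ("longtail-site.example/slot1", 1.01), ("longtail-site.example/slot1", 1.04),
    ("small-blog.example/side", 1.01), ("small-blog.example/side", 1.02),
]

def threshold_hugging(records):
    """Return {placement: share} for placements whose in-view times cluster at the threshold."""
    by_placement = defaultdict(list)
    for placement, seconds in records:
        by_placement[placement].append(seconds)

    flagged = {}
    for placement, times in by_placement.items():
        if len(times) < MIN_IMPRESSIONS:
            continue  # not enough impressions to say anything about the distribution
        near = sum(1 for t in times if THRESHOLD_S <= t <= THRESHOLD_S + WINDOW_S)
        share = near / len(times)
        if share >= FLAG_SHARE:
            flagged[placement] = round(share, 2)
    return flagged

if __name__ == "__main__":
    for placement, share in threshold_hugging(SAMPLE).items():
        print(f"{placement}: {share:.0%} of impressions end within "
              f"{WINDOW_S}s of the {THRESHOLD_S}s viewability threshold")
```

A flagged placement still counts as "viewable" under the standard, which is why the distribution of in-view times is the thing to look at rather than the viewability rate.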


Is all hope lost?

If you've followed along so far, you're probably wondering if my takeaway message is that we should all just give up and go home, since the bad guys will always have unfair advantage over the good guys. No.

In fact, good guys can win the entire game, by going back to buying ads directly from legitimate publishers (of websites and mobile apps). Legit publishers are the ones not trying to rip you off by any means possible. Real publishers are ones you have heard of, and other humans have heard of; these publishers have real human visitors to their websites and real human users of their mobile apps.

Take just a moment, and try to name 10 websites you visit every day, as quickly as you can. Go ahead. I'll wait. Do the same for mobile apps you use every day. Were you able to get to 10 sites and 10 apps you use every day? Most people could not. They would already slow down by 5 - 8 sites or apps. This common sense check will tell you that there are not countless humans on long tail sites and apps, that no one has heard of. The vast majority of those 10s of millions of sites are not visited by humans, and the vast majority of those millions of mobile apps are not used by humans. Those sites and apps are used by fraudsters to take your money.

Advertisers -- buyers of digital ads -- can avoid most of the clever bad guys described above, by moving to an inclusion list approach. Specify no more than 1,000 sites and apps in a whitelist/inclusion list. Buy through programmatic platforms, but reduce the number of exchanges from 40 to 4. This way you eliminate countless supply paths that are entirely useless.

How do you outsmart the clever bad guys? By working around every workaround they have, and not buying from them. No amount of fraud verification or brand safety tech can do that for you. And you can do all of the above with common sense, for free. No need to pay verification vendors. You don't even need to pay for FouAnalytics. But you are welcome to use it for free to verify your inclusion lists are being enforced for you.
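One way to check that an inclusion list and a reduced exchange list are actually being enforced, as an added example that is not the author's or FouAnalytics' code: it audits a placement report against both lists and totals the impressions that leaked outside them. The CSV layout, list contents, and all site, app, and exchange names are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed inclusion list (sites and app bundle IDs) and approved exchanges
INCLUSION = {"news-site.example", "com.example.weatherapp"}
APPROVED_EXCHANGES = {"exchange-a", "exchange-b"}

# Constructed placement report: where the ads actually ran
REPORT = """placement,exchange,impressions
www.News-Site.example,exchange-a,12000
com.example.weatherapp,exchange-b,8000
m.news-site.example,exchange-a,3000
cheap-longtail.example,exchange-a,40000
com.example.flashlight,exchange-z,25000
news-site.example.lookalike.example,exchange-b,5000
"""

def normalize(name):
    """Lower-case and trim so 'www.News-Site.example.' compares equal to the list entry."""
    return name.strip().lower().rstrip(".")

def on_list(placement, inclusion):
    """Exact match, or a subdomain of a listed site (matched on a label boundary)."""
    p = normalize(placement)
    return any(p == entry or p.endswith("." + entry) for entry in inclusion)

def audit(report_csv, inclusion, exchanges):
    """Total impressions served off the inclusion list and through unapproved exchanges."""
    off_list, off_exchange, total = Counter(), Counter(), 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        n = int(row["impressions"])
        total += n
        if not on_list(row["placement"], inclusion):
            off_list[normalize(row["placement"])] += n
        exchange = normalize(row["exchange"])
        if exchange not in exchanges:
            off_exchange[exchange] += n
    leaked = sum(off_list.values())
    return {"total": total, "off_list": dict(off_list),
            "off_exchange": dict(off_exchange),
            "off_list_share": round(leaked / total, 3) if total else 0.0}

if __name__ == "__main__":
    print(audit(REPORT, INCLUSION, APPROVED_EXCHANGES))
```

The suffix match is anchored on a dot, so a look-alike host that merely starts with a listed domain is counted as off-list.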


Let's thumb our noses at the bad guys for a change, shall we?


Further reading: https://www.dhirubhai.net/today/author/augustinefou

Louis Ashner

SVP, Technology | Inventor | Engineering Lead | AdTech Expert | Rapid Prototyper

2 years

I always say, follow the money. Whoever is generating the bad bid requests is sending to some vendor, whether that's an SSP, DSP, or some intermediary. That vendor is paying for the bad actors. Know who you are working with. Know it's odd for a random company to have billions of Pluto ad requests. As you mentioned, use common sense. Bring up the app on your CTV and see where the ads are. Match the bid requests.

Long read, but pretty substantial. It's really good and it's really how it works. It's still only the tip of the iceberg and I appreciate your share.

Dominic T.

Senior Data Science-Marketing Professional

2 years

Excellent synopsis… TL;DR Marketers- don’t bring a knife to a gun fight ;)

Shanty Mathew

Brand Communications | Creative Direction | Content Strategy

2 years

It would seem that Scale Vs. Efficiency graph breaks down beyond a certain threshold -- i.e. it's a bell curve... At a certain scale of transaction, it simply becomes super-efficient for the "clever bad guys"! Perhaps there is an indirect warning here for ALL digital transactions that are seeking to scale up... Btw, this is a brilliantly lucid overview of the issue. Thank you, Dr. Fou.

John Marrett

Helping mid-sized organizations increase sales and improve customer service since 1993 | #LinkedInLocal

2 years

The fraudsters are making millions, laughing all the way to the bank ... and realize that the chances of getting caught are a smidgen above nil!
