How to commit ad fraud

"How to commit ad fraud and get away with it? Easy, just find advertisers that are still using legacy fraud detection vendors. Virtually all the fake ad impressions you fabricate out of thin air will get through their prebid filtering and postbid detection; and the money goes straight into your bank account."

I've studied the problem of ad fraud for going on 14 years. Bad guys have optimized their tech and techniques to maximize not only revenues but also profits over that same time period.

Fraudsters have optimized their tech and techniques for years

For example, in the early days, they set up tens of thousands of fake sites using wordpress templates and plagiarized content. But to save time and costs, they moved to "naked ad calls" where their bots just loaded the ads, and didn't waste time or bandwidth loading webpages. Then they further optimized to just faking the bid requests, and making ad revenue without even loading the ads themselves. They just had to trick the reporting systems that the ad was served. See the sequence from fake sites (2015) to naked ad calls (2017) to faked bid requests (2019) in the slide below.

Legacy fraud verification have failed to detect fraud for years

The legacy fraud verification vendors used by most advertisers were originally tuned to look for bots -- fake visitors loading webpages, which caused programmatic ads to load. These vendors failed to detect most of the bots, even some obvious ones. That's why they've been reporting IVT/fraud at 1% for the last 8 years. Everyone knows ad fraud is more than that. Even the overall averages of bot traffic across the internet put bot traffic at at least 50% of all traffic. But when it comes to the fake sites that no humans know about, the bot traffic is 100%. That's how they generate the fake ad impressions to sell, literally as much as needed to absorb all of the irrational budgets being spent by the largest advertisers.

The legacy fraud detection vendors failed to detect most of the bot traffic, and stop ads from going to bots. They are also not tuned for catching all the other forms of fraud, including simple curl and python scripts running on servers. A recent post by Sander Kouwenhoven (linked below) shows these legacy vendors not detecting something wrong at the time of the bid request (and letting it through); in other words their prebid filtering failed their customers. These vendors tech was also not detecting anything wrong postbid, when the ad is served; in other words their postbid detection failed their customers. Sometimes the failure to detect is due to sampling (measuring 1 in 100, and not measuring 99 out of 100 ad impressions, and missing the fraud in the 99 out of 100 impressions they didn't measure).

It's been shown over and over and over these legacy vendors failed to do what they sold to their customers -- i.e. to detect ad fraud and brand safety issues. They failed to protect their customers from these issues. It's not just me saying it any more. And more and more advertisers are realizing that their legacy fraud detection vendor is not adequate any more, and upgrading to better analytics so they can "see Fou themselves" what the real rate of fraud is and take specific action - block bad sites and apps, or remove those from their inclusion lists.

Live data from the field, entirely fake sites and fake apps.

In Sander's article, linked above, there are code samples to show how to fabricate fake bid requests, including declaring which domain the ad was supposed to go to. For example, if the fraudster falsified the domain in the bid request, the ad buyers' algorithms would think they are bidding on a legit site, like espn or foodnetwork or marthastewart.com. Keep in mind the falsified bid request is entirely fabricated out of thin air. There was no webpage needed. The fraudster doesn't even need bot traffic.

The fraudster just creates the bid request out of thin air and sends it into the auction, exactly like Sander demonstrated in his article. Yes, you can also just falsify the viewability by just lying about it in the bid request. Obviously bad guys will declare their non-existent ad opportunity to be "viewable" all the time because if they didn't they wouldn't get any bids. This is just like 15 years ago when bad guys just declared a lat, long in the bid request (for geolocation) because the presence of a geolocation was enough to get them higher bids (compared to the lack of geolocation). It didn't matter if it was correct or not, or outright lie or not. No one was checking, and the verification vendors failed to detect anything wrong.

Because it is so easy to declare any website or webpage, bad guys are getting away with just fabricating fake bid requests and making ad revenue. They can also easily declare any app name. The fraudsters are literally mocking us with 2-word app names, 3-4 word app names, and even some entirely nonsense app names. NONE of these apps actually exist in Google Play, but yet we see them in FouAnalytics in-ad measurement of programmatic ads.

Keep in mind, bad guys have the tech and techniques to falsify most things and make it look right. They definitely have the tech and experience to bypass legacy fraud verification, both prebid filtering and postbid detection. Of course they can trick FouAnalytics too, but they do have to work harder at that... with data like the above, you can see where the fraudulent apps and sites entered your media buy and lock it down more strictly to avoid getting ripped off.

Many advertisers and agencies have upgraded their fraud detection to FouAnalytics. When is it time for you to do the same?