Replay attacks and how bad guys optimize the efficiency of fraud
How do bad guys get past fraud detection? Easily. But let me show you how they use a specific technique, the replay attack, to get past even the strictest detection methods. One way to spot obviously fake bid requests is to check whether a deviceID is present at all: Apple's Identifier for Advertisers (IDFA) or the Google Advertising ID (AAID). So what do bad guys do? They pass a deviceID in the bid request. If the fraud detection doesn't check whether that deviceID is a real one, all they have to do is generate a random deviceID in the same format as real ones (left side of slide below). The fraud detection only checked for the presence of a deviceID, not whether it was real. Defeating that kind of fraud detection is laughably simple.
Replay deviceIDs to defeat fraud detection
What if the fraud detection tech made the extra effort to do what is known as "carrier checks"? That means checking that the deviceID belongs to a real device with a real phone number from a wireless carrier, i.e. one with a SIM card. Such checks can tell real deviceIDs from fake ones produced by a random character generator. The detection vendor stores the list of real deviceIDs in a database and refreshes it periodically. How do bad guys get around this stricter form of detection? They simply replay real deviceIDs. The carrier check confirms that an ID exists; it says nothing about whether this particular bid request actually came from the device that owns it. How do they get real deviceIDs? They harvest them en masse by buying the data from any app, or from apps purpose-built for malicious activity. Any app has the ability to collect deviceIDs from Android and iOS devices. Apple's privacy initiative will clamp down on this; apps now have to ask permission before collecting deviceIDs. Until recently, bad guys have had free rein to harvest mass quantities of deviceIDs and replay them to defeat fraud detection that looked for real, carrier-verified deviceIDs (right side of slide above). This is what is known as a "replay attack."
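The three tiers above (presence, format, carrier-verified lookup) and the replay that beats the third can be simulated in a few dozen lines. The block below is an added illustration, not code from the original post or from any detection vendor: the "carrier-verified" database is a constructed set of random IDs, the bid requests are constructed, and the IDFA/AAID format is approximated as a UUID. It goes one step beyond the text by adding a behavioural check (how many requests, from how many IPs, a single deviceID produces), which is the kind of signal a replayed-but-real ID still leaks.

```python
import random
import re
from collections import Counter, defaultdict

# Apple IDFA and Google AAID both look like a UUID (assumption: case-insensitive).
ID_FORMAT = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def random_device_id(rng):
    """Fabricate a device ID with the right shape and no real device behind it."""
    return "%08X-%04X-%04X-%04X-%012X" % (
        rng.getrandbits(32), rng.getrandbits(16), rng.getrandbits(16),
        rng.getrandbits(16), rng.getrandbits(48))


def fabricate_request(device_id, ip):
    """Minimal OpenRTB-style bid request carrying only the fields the checks read."""
    return {"device": {"ifa": device_id, "ip": ip},
            "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}]}


# --- the three detection tiers described in the text ------------------------

def passes_presence(req):
    return bool(req["device"].get("ifa"))


def passes_format(req):
    return ID_FORMAT.match(req["device"].get("ifa", "")) is not None


def passes_carrier_check(req, verified_ids):
    # verified_ids stands in for the periodically refreshed database of
    # carrier-verified IDs; in this simulation it is a constructed set.
    return req["device"].get("ifa") in verified_ids


# --- a check on how the ID is used rather than on the ID itself -------------

def flag_replayed_ids(requests, max_requests=20, max_ips=3):
    """Flag IDs seen far more often, or from far more IPs, than one handset
    plausibly produces. A replayed ID is real, so it survives every lookup
    tier; what gives it away is the usage pattern."""
    counts, ips = Counter(), defaultdict(set)
    for r in requests:
        ifa = r["device"]["ifa"]
        counts[ifa] += 1
        ips[ifa].add(r["device"]["ip"])
    return {i for i in counts if counts[i] > max_requests or len(ips[i]) > max_ips}


def simulate(seed=7):
    rng = random.Random(seed)
    verified = {random_device_id(rng) for _ in range(1000)}  # constructed database

    # Legitimate traffic: each real handset bids a few times from one IP.
    legit = [fabricate_request(i, "203.0.113.%d" % (n % 200))
             for n, i in enumerate(sorted(verified)) for _ in range(5)]

    # Attacker 1: random IDs of the right shape, one request each.
    random_reqs = [fabricate_request(random_device_id(rng),
                                     "198.51.100.%d" % rng.randrange(256))
                   for _ in range(500)]

    # Attacker 2: 50 IDs harvested from a real app, replayed 10,000 times
    # from a pool of bot IPs.
    harvested = rng.sample(sorted(verified), 50)
    replay_reqs = [fabricate_request(rng.choice(harvested),
                                     "198.51.100.%d" % rng.randrange(256))
                   for _ in range(10000)]

    def tier_counts(reqs):
        return {"presence": sum(passes_presence(r) for r in reqs),
                "format": sum(passes_format(r) for r in reqs),
                "carrier": sum(passes_carrier_check(r, verified) for r in reqs)}

    return {"random": tier_counts(random_reqs),
            "replay": tier_counts(replay_reqs),
            "flagged": flag_replayed_ids(legit + replay_reqs),
            "harvested": set(harvested)}
```

Running `simulate()` shows the random generator clearing presence and format but failing the carrier lookup, while the replayed IDs clear all three tiers; only the usage-based check picks out exactly the 50 harvested IDs and leaves the genuine handsets alone. The thresholds are illustrative; in production they would be tuned per platform and combined with other signals, since a careful attacker can throttle replay per ID to stay under them.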
Replay cookies to defeat fraud detection
The same kind of attack works with cookies, the small identifiers stored in browsers that are used to recognize a unique browser. Fraud detection tech typically works by detecting the fraud and setting a cookie; that way it can recognize the same browser or bot when it comes back or loads another ad. If it sees the same cookie, it assumes this is the bot it caught before and can block it right away without repeating the detection calculations. But bots readily defeat this by dumping the cookie and getting a new one; they discard cookies that no longer make money within seconds. So they are back up and running, and earning, within seconds of being caught and blocked.
What if bad guys wanted to make more money by having their bot impersonate a real person? Simple: just replay the cookie of a real person. Real people's cookies have a "history", a set of sites they have visited before. A brand new cookie that has never been seen before has no history, and some fraud detection works by checking for exactly this. The bad guys defeat detection that looks for cookie history by replaying a real cookie, with history, taken from a real person. They can even earn higher CPMs this way, because cookies with history sometimes attract higher bids: buyers assume the user is more valuable and a real person. Practically speaking, the fraudster passes the replayed cookie in the bid request they fabricated, along with their own sellerID, so they get paid once ads are returned.
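The weak point in the cookie-based short cut described above is that the cached "this is a bot" verdict is keyed on a value the client controls. The simulation below is an added example, not code from the original post or from any vendor: a detector that needs a few observations of a visitor before its (simulated) expensive check can conclude anything, a bot that mints a fresh cookie every time it is blocked, and the same detector keyed instead on attributes the server observes itself (assumed here to be IP address plus user agent). The expensive check is a stand-in that reads a ground-truth flag carried in the constructed request; a real detector has to infer that. The replay of a real person's cookie with history is the same lookup failure as with device IDs and is not repeated here.

```python
import hashlib
import itertools
from collections import Counter


def expensive_check(req):
    """Stand-in for real behavioural analysis. The simulation carries the
    ground truth in req["bot"]; a production detector would have to infer it."""
    return req["bot"]


class Detector:
    """Runs the expensive check once a visitor has been observed enough times,
    then caches a "block" verdict under a key so repeat visits are cheap."""

    def __init__(self, key_fn, observe_n=3):
        self.key_fn = key_fn          # how verdicts are keyed: the design choice
        self.observe_n = observe_n    # requests needed before a verdict
        self.observed = Counter()
        self.blocked = set()
        self.expensive_runs = 0

    def serve(self, req):
        key = self.key_fn(req)
        if key in self.blocked:
            return "blocked"          # cheap path: remembered verdict
        self.observed[key] += 1
        if self.observed[key] < self.observe_n:
            return "ad"               # not enough signal yet; the ad is served
        self.expensive_runs += 1
        if expensive_check(req):
            self.blocked.add(key)
            return "blocked"
        return "ad"


def cookie_key(req):
    """Keyed on the detection cookie, a value the client can discard at will."""
    return req["cookie"]


def fingerprint_key(req):
    """Keyed on what the server observes itself (assumption: IP + user agent).
    Coarse, and it collides behind NAT, but a bot cannot reset it by dropping
    a cookie."""
    return hashlib.sha256((req["ip"] + "|" + req["ua"]).encode()).hexdigest()[:16]


# Constructed bot identity; not taken from any real traffic.
BOT_IP = "198.51.100.7"
BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/91.0"


def run_bot(detector, requests_total=1000):
    """Bot that drops its cookie the moment a request is blocked."""
    fresh = itertools.count()
    cookie = "c%d" % next(fresh)
    ads = 0
    for _ in range(requests_total):
        req = {"cookie": cookie, "ip": BOT_IP, "ua": BOT_UA, "bot": True}
        if detector.serve(req) == "ad":
            ads += 1
        else:
            cookie = "c%d" % next(fresh)   # burned cookie dumped, new one minted
    return ads


def run_user(detector, requests_total=10):
    """Real browser that keeps its cookie; serves as the false-positive check."""
    ads = 0
    for _ in range(requests_total):
        req = {"cookie": "user-cookie", "ip": "203.0.113.5",
               "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0", "bot": False}
        if detector.serve(req) == "ad":
            ads += 1
    return ads
```

With the verdict keyed on the cookie, the bot gets two ads out of every three requests indefinitely and forces the expensive check to run again every time; keyed on the server-side fingerprint, it gets two ads in total. The trade-off is that the fingerprint is coarser than a cookie, so a block on a shared corporate or carrier IP can catch real users, which is why the fingerprint should gate re-examination rather than stand alone as a permanent ban.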
100% fabricated bid requests: no device, no site, no app required
I have seen dozens of examples now where bad guys don't need sites, bots, streaming devices, or streaming apps to be successful in ad fraud. All they need to do is generate hundreds of billions of fake bid requests with Python scripts. When ads are returned, every form of fraud detection upstream from that point has failed, and they make money. Remember when I said that WhiteOps reviewing 15 trillion bid requests per week is mostly useless for detecting and stopping ad fraud, because everything in the bid request is made up?
Remember when Integral Ad Science tried to get PR for itself in 2020 by saying it had detected a bot it named 404bot? There was no bot, and none of the ads ran anywhere. The "404" comes from the "404 error" for "page does not exist." The Python scripts simply made up fake page URLs to pass in the bid requests. When some interns checked those pages manually, they got 404 errors: page not found. The same goes back to 2017, when Forensiq claimed it had found Sports Bot "doing ad fraud on major sites like NFL.com, ESPN.com, MLB.com," etc. None of it was real, no ads were ever served, and there were no bots on any of those sites. It was 100% fabricated bid requests that passed those sports domains in the domain field. The same thing happens in CTV. Remember that Grindr, the mobile app, was passing faked bid requests pretending to be CTV devices, so it could earn higher CPMs than regular display or video ads.
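A fabricated bid request has to be assembled from scratch, and sloppy fabrication leaves contradictions between its fields: a `site.page` URL that is not on the claimed `site.domain`, or a request that claims a television-class `device.devicetype` while its user agent is an Android phone. The checker below is an added example, not code from the original post or from any vendor; the sample requests are constructed, the domains are placeholder names rather than the publishers mentioned above, and the user-agent patterns are assumptions. The OpenRTB field names and the `devicetype` values 3 (Connected TV) and 7 (Set Top Box) are from the OpenRTB 2.5 specification. Whether a page URL actually resolves, the 404 test described above, needs a live fetch and is deliberately left out.

```python
import re
from urllib.parse import urlparse

# OpenRTB 2.5 device.devicetype values that denote a television-class device.
CTV_DEVICE_TYPES = {3, 7}          # 3 = Connected TV, 7 = Set Top Box
# Assumed user-agent markers; real inventories need a maintained list.
MOBILE_UA = re.compile(r"\b(Android|iPhone|iPad|CFNetwork|Dalvik|okhttp)\b", re.I)
TV_UA = re.compile(r"\b(Roku|tvOS|AppleTV|SMART-TV|FireTV|AFT[A-Z0-9]+|BRAVIA|Tizen)\b", re.I)


def host_under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def find_inconsistencies(req):
    """Return the ways a bid request contradicts itself. An empty list means
    the request is internally consistent, not that it is genuine."""
    problems = []
    site, app, dev = req.get("site"), req.get("app"), req.get("device", {})

    # OpenRTB: a request describes a site or an app, never both.
    if site and app:
        problems.append("both site and app objects present")

    if site:
        domain, page = site.get("domain", ""), site.get("page", "")
        host = urlparse(page).hostname or ""
        if page and not page.startswith(("http://", "https://")):
            problems.append("site.page is not an absolute URL")
        elif domain and host and not host_under_domain(host, domain):
            problems.append(f"site.page host {host!r} is not under site.domain {domain!r}")

    # A claimed television whose user agent says it is a phone.
    dt, ua = dev.get("devicetype"), dev.get("ua", "")
    if dt in CTV_DEVICE_TYPES and MOBILE_UA.search(ua) and not TV_UA.search(ua):
        problems.append(f"devicetype {dt} is CTV but user agent is mobile: {ua!r}")

    return problems


# Constructed sample requests (not real traffic); only the fields checked above.
SAMPLES = {
    "spoofed_domain": {
        "site": {"domain": "example-sports-news.com",
                 "page": "https://ads.fraud-cdn.example/p/8812"},
        "device": {"devicetype": 2,
                   "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"},
    },
    "mobile_as_ctv": {
        "app": {"bundle": "com.example.dating"},
        "device": {"devicetype": 3,
                   "ua": "Mozilla/5.0 (Linux; Android 11; Pixel 4) Chrome/91.0 Mobile Safari/537.36"},
    },
    "clean_ctv": {
        "app": {"bundle": "example.tv.app"},
        "device": {"devicetype": 3, "ua": "Roku/DVP-9.10 (519.10E04111A)"},
    },
    "clean_web": {
        "site": {"domain": "example-sports-news.com",
                 "page": "https://www.example-sports-news.com/nfl/scores"},
        "device": {"devicetype": 2,
                   "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"},
    },
}


def triage(samples):
    """Number of contradictions per sample; a quick first-pass filter."""
    return {name: len(find_inconsistencies(req)) for name, req in samples.items()}
```

The two fabricated samples are caught and the two consistent ones pass, which is exactly the limit of this kind of check: it finds careless fabrication, and a fraudster who knows which fields are compared will simply fabricate them consistently. That is why an internally consistent bid request is not evidence of a real impression, only the absence of one particular tell.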
Uber paid on success -- CPI ("cost per install") -- for app installs. Bad guys defrauded them by claiming credit for installs that had already occurred; they just falsified the reporting. University, financial-services and insurance advertisers pay on success -- CPL ("cost per lead") -- for completed lead forms. Bad guys continue to defraud them by using bots to fill in and submit lead forms so they get paid the CPL.
When you think of ANYTHING programmatic (display ads, video ads, CTV ads, clicks, installs, leads, etc.) you should think "100% made up, 100% fake, 100% fabricated" unless proven innocent with detailed supporting data. FouAnalytics can help with this, if you want. If not, no worries; carry on as before. I am here if you need me.