TAG keeps saying fraud is low, why?
TAG press release on EU fraud rates

Another calendar quarter goes by, another press release by TAG claiming credit for low fraud rates. Their latest press release claims "overall fraud rates" in the EU are now down to 0.55% in TAG Certified channels. Everyone knows that TAG "certification" means "self-attested" paperwork and fees paid. And obviously that doesn't stop bad guys. Even the "independently verified" instances mean they had an auditing firm look through the paperwork to make sure it was complete. Neither TAG nor the auditing firm has the tech, the data, or the expertise to tell whether the fraud was measured correctly or completely, as we will see below.

"No data" doesn't mean "no fraud"

In the spreadsheet above, one of the MRC-accredited vendors, whose numbers are cited by TAG, claims that entire buckets of "mobile in-app" are "99.992% fraud free." How can they mark an entire bucket nearly fraud free when they don't even know what apps the ads went to? And it's not just mobile in-app. Note the two rows further down where the delivery site is "n/a." They don't know what site the ads were delivered to, yet these rows are also marked as "99.991% fraud free." Do you think these are fraud free, or do you think it's more likely that they failed to detect anything wrong?

Let me show you a few ways that bots avoid detection, because their job depends on it. If the bot gets caught, it won't be able to do its job, which is to cause more ads to load and make money via fraud.

Detection tag blocking or stripping

One of the easiest and most widely used methods of avoiding detection is to strip out the detection tags. If you were a bot, you'd do that too, right? Just as humans block ads, bots block detection tags to avoid getting caught. The slide above shows a code snippet of one of the ways this is done. The bots block the tag from IAS (the domain is adsafeprotected.com) and return a "status: 200 OK" to trick IAS into thinking the tag was delivered, when it was not. When IAS has no data on that bot, it cannot mark it as IVT ("invalid traffic"). But "no data" does not mean "no bots," and no data certainly should NOT be marked as "fraud free."

If the fraud vendor reports 1% IVT, everyone assumes the other 99% is fraud free, which is wrong. You should not assume that. You should ask your fraud vendor what portion of that 99%, where they failed to detect invalid traffic, was due to their detection tag being blocked or stripped out. Every one of the major fraud detection vendors has this problem. Bots are actively looking for their detection tags and stripping those out. Their failure to detect IVT does not mean there is no IVT; in fact, it is highly likely that most of the 99% is actually bots that successfully evaded their detection.
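The question to put to a fraud vendor, worked through as an added example (not from the original article): join ad-server delivery rows against the impressions the vendor actually measured, then report per placement the measurement coverage and the range the true IVT rate can lie in. All rows, field names and placements are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the article): ad-server delivery rows as
# (impression_id, placement). None means the site/app is unknown ("n/a").
SERVED = [
    ("i01", "news.example"), ("i02", "news.example"), ("i03", "news.example"),
    ("i04", "news.example"), ("i05", None), ("i06", None), ("i07", None),
    ("i08", "app:unknown"), ("i09", "app:unknown"), ("i10", "app:unknown"),
]
# Constructed verification-vendor rows: impression_id -> verdict. An impression
# appears here only if the detection tag actually ran and reported back.
MEASURED = {"i01": "valid", "i02": "valid", "i03": "ivt", "i05": "valid"}


def reconcile(served, measured):
    """Split served impressions into valid / ivt / unmeasured per placement."""
    buckets = {}
    for imp_id, placement in served:
        key = placement or "n/a"
        verdict = measured.get(imp_id, "unmeasured")
        buckets.setdefault(key, Counter())[verdict] += 1
    return buckets


def ivt_bounds(counts):
    """Return (reported, lower, upper) IVT rates for one placement's Counter."""
    served = sum(counts.values())
    measured = counts["valid"] + counts["ivt"]
    # What a dashboard shows: IVT as a share of measured impressions only.
    reported = counts["ivt"] / measured if measured else None
    # Lower bound assumes every unmeasured impression was clean; upper bound
    # assumes every unmeasured impression was invalid.
    lower = counts["ivt"] / served
    upper = (counts["ivt"] + counts["unmeasured"]) / served
    return reported, lower, upper


def report(served, measured):
    """Map placement -> (coverage, reported_ivt, lower_bound, upper_bound)."""
    rows = {}
    for placement, counts in reconcile(served, measured).items():
        coverage = (counts["valid"] + counts["ivt"]) / sum(counts.values())
        rows[placement] = (coverage, *ivt_bounds(counts))
    return rows


if __name__ == "__main__":
    for placement, row in report(SERVED, MEASURED).items():
        print(placement, row)
```

A placement with zero coverage has no reported rate at all, and its true IVT rate can be anywhere from 0% to 100%; labelling that bucket "fraud free" reports only the lower bound.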

Disguising with residential IP address proxy networks

Another way to hide is to disguise the IP address, so it is not an obvious data center IP address. This technique is used by scrapers and fraud bots alike. If they didn't disguise their IP addresses, it would be far too easy for fraud detection to catch them, since the bots are obviously coming from data centers. By bouncing the traffic through residential proxy networks, the bots can hide their origins and make it much more difficult for fraud detection to catch them. The slide above shows a few of these residential proxy network services. These services use PUPs ("potentially unwanted programs") on people's devices to route traffic. For example, when a human downloads a free VPN, not only is their own traffic routed through the VPN, but bot traffic is also routed through the VPN application they voluntarily installed on their own device. They are unwittingly part of a proxy network that helps bots disguise themselves so they can commit more ad fraud.

Real devices, fake or fraud apps

Finally, fraudsters also have at their disposal vast numbers of cloned mobile apps. See the slide above for hundreds of truck driving simulator apps, pencil sketch apps, and goat simulator apps. Some of these apps are downloaded by humans onto their smartphones. Humans rarely turn off their phones at night. Their phones remain on and connected to the Internet all night long, and that's when these rogue apps load thousands and thousands of ad impressions fraudulently. Since these are real apps on real devices, the fraud detection vendors won't mark them as IVT (invalid traffic). Yet none of the impressions generated are seen by humans, so they are entirely useless to the advertisers that paid for them.

So What?

Hopefully the above gives you a glimpse of why TAG is constantly saying fraud is low. After five years of press releases, it should be obvious that TAG doesn't understand ad fraud and doesn't realize the numbers they are citing are woefully incomplete, and therefore wrong. The vendors they cite can't detect most of the fraud because their detection tags are actively being blocked and stripped out by the bots; so when they report the 0.55%, no one should assume that is all the fraud there is. Everyone should read that as "that's all the fraud they could detect." Also, you don't need to take my word for it. You can run the "fartbot" experiment yourself. This is where you change the name of your browser to "fartbot" -- or spider, crawler, phantom, puppeteer, webdriver, selenium, or anything you want -- and see ads continue to load. That gives you a data point that the fraud detection vendor's tech failed to detect even a bot that told them it was a bot. Go to usatoday.com where IAS is installed; run the fartbot experiment yourself. If you see ads, you know they failed to detect "fartbot."

Instructions and details here https://www.dhirubhai.net/pulse/you-can-see-better-do-augustine-fou
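The server-side counterpart of the "fartbot" check, as an added example (not from the original article): scan an access log for ad calls that were answered successfully even though the User-Agent announced itself with one of the names listed above. The combined log format, the `/ads/` path prefix and every log line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Tokens the article suggests using as a self-declared bot name.
DECLARED_BOT_TOKENS = ("fartbot", "spider", "crawler", "phantom",
                       "puppeteer", "webdriver", "selenium")
# Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AD_PATH_PREFIX = "/ads/"  # assumption: hypothetical path of the ad call

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:03:00:01 +0000] "GET /ads/slot1 HTTP/1.1" 200 512 "-" "fartbot"
192.0.2.10 - - [01/Jan/2024:03:00:02 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "fartbot"
198.51.100.7 - - [01/Jan/2024:03:00:03 +0000] "GET /ads/slot1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Selenium/4"
198.51.100.8 - - [01/Jan/2024:03:00:04 +0000] "GET /ads/slot2 HTTP/1.1" 403 0 "-" "my-crawler/1.0"
203.0.113.5 - - [01/Jan/2024:03:00:05 +0000] "GET /ads/slot2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is malformed and must be skipped
'''


def declared_bot(ua):
    """Return the first declared-bot token found in the User-Agent, or None."""
    ua = ua.lower()
    return next((t for t in DECLARED_BOT_TOKENS if t in ua), None)


def ads_served_to_declared_bots(log_text):
    """Count ad calls per token: answered with 2xx (served) vs. refused."""
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(AD_PATH_PREFIX):
            continue  # malformed line or not an ad call
        token = declared_bot(m["ua"])
        if token is None:
            continue  # UA does not announce itself as a bot
        (served if m["status"].startswith("2") else blocked)[token] += 1
    return served, blocked


if __name__ == "__main__":
    print(ads_served_to_declared_bots(SAMPLE_LOG))
```

Any non-zero count in the first counter is an impression delivered to a client that said it was a bot.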

Alexandre BLANC Cyber Security

Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored

2y

Great share! Thanks! Deception technology... at all levels.

The growth of those 3 participating agencies is slowing... 10.75x -> 2.72x -> 1.85x? Did they run out of humans?

Henk G.

UBO at SanTec System Services BV

2y

The why in a single word: Asfutmsifwffutsh ??
