Threat Intelligence

12/9/2014
12:01 AM

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year

A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse.

Online advertising fraud is thriving right under the noses of website operators and corporate advertisers and on some of the largest legitimate websites, but until now there hasn't been much data on just how pervasive the problem really has become: The current rate of ad fraud translates into $6.3 billion of losses of ad revenue to advertisers worldwide in 2015 after losses of more than $5 billion this year.

That is just one of the eye-popping conclusions from a new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops. From Aug. 1 to Oct. 1, White Ops researchers studied and analyzed the digital advertising traffic of a who's who of 36 major US corporations from various industries -- all ANA members -- including Ford, Honda, General Mills, Lilly, MasterCard, Merck, MillerCoors, Home Depot, Verizon, Walmart, and Wendy's.

"This was a major move by the ad-buying community to get some clarity and wrap their arms around what's going on with this fraud. They didn't know" the scope of the problem, says Dan Kaminsky, chief scientist with White Ops, whose mission is to detect and quell the bot epidemic.

Conventional wisdom has held that ad fraud operates mainly with phony websites that live off bot traffic, but the study found that, out of nearly 3 million websites, there were just thousands of fake ones, and the rest were legitimate. About one-quarter of the bots conducting phony ad traffic were operating on Alexa Top 1,000 websites, according to findings in the report "The Bot Baseline: Fraud in Digital Advertising," which was published today. The bots inflated the monetized ad traffic by 5-50%, the report says.

"We really thought fraud was in its own corner," Kaminsky says. "But a lot of major publishers are pulled into this" fraudulent activity unknowingly.

White Ops studied 5.5 billion impressions in what it calls the largest public study ever of bot traffic in digital advertising. The company used its own technology to distinguish between a human and a bot's activity. The researchers discovered hundreds of millions of bots in all types of online ads, including video-based ads.

So-called bot "impressions" give the illusion of actual ad views, and the botnet operators behind them make money via cash-out points. "Aggregators and middlemen gain reach, ensuring they never lack inventory to sell, and a diversity of bot profiles that match any conceivable audience segment," the report says. "Publishers inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from Advertisers."

Just who are the bots doing the dirty work? Two-thirds of them are home users whose machines have been recruited to the offending botnets, the study found. "The super majority of bot traffic comes from people's home computers, American IP addresses," Kaminsky says. "This is why people are breaking into Grandma's computer... American ad viewers are being targeted because they have disposable income."

Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion, because the ad fraudsters actually scaled back their nefarious activities during the study.

"How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, says Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study.

Even so, the volume of nefarious activity discovered during the study was significant, according to Liodice. "$6.2 billion is on the lower end of the range than I would have thought... But it's still a huge number."

The study also occurred during a relatively slow time in the advertising calendar year, according to the report, so the data is on the conservative side.

There already was a sense of urgency among ANA members in how to quell this threat, and the report's findings have put an exclamation point on it, according to the ANA executive. "It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.

The report recommends that advertisers monitor for bot traffic, to both deter and detect bots overtly as well as covertly. Today's methods of viewing impressions don't work, because bots can be built to appear human, the report says, and blacklists are difficult to keep updated and effective. And even working with only "premium" ad publishing firms doesn't prevent bot traffic.

Other findings from White Ops' analysis of ANA members' online ad traffic: Nearly 60% of bot traffic came from old Internet Explorer 6 browsers, and half the impressions from IE 7 browsers were bots. Financial, family, and food industries suffered the most bots, with 16-22% of the bot traffic. Technology, sports, and science had the least bot traffic, with 3-4%.

"Huge wakeup call"
One consumer packaged goods company that purchased 230,000 ad impressions from a premium US media company got some unwanted traffic: 19% of that site's traffic comes from bots, the report found.

Half the bots White Ops found operated at nighttime, and bots generated 11% of all display impressions and 23% of the video impressions. Bots represented 19% of retargeted ad traffic.

The report is "a huge wakeup call," Liodice says. "We have to invest in security protocols, and part of the way we're responding as an industry is the Trustworthy Accountability Group." That organization, formed by the ANA, the American Association for Advertising Agencies, and the Interactive Advertising Bureau, aims to eliminate digital advertising fraud, malware, and ad-supported piracy.

"We're going to be heavily involved in behavioral change, credentializing, and certification" of digital advertising, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MPH426,
User Rank: Apprentice
12/9/2014 | 3:44:41 PM
Re: ad agencies
It would be interesting to see correlates with shoplifting, "missing" inventory, etc...  4% of the budget seems a bit steep, but it's probably on par.

Don't get me wrong, theft of any kind is wrong.  Sad thing is to the corporations it's just another number.  We're the ones it's hurting.
Kelly Jackson Higgins,
User Rank: Strategist
12/9/2014 | 1:54:20 PM
ad agencies
It will be interesting to see what's really going on at the ad agencies that are getting abused by bots. Hopefully, this will open the floodgates to finding out more there.