Threat Intelligence
12/9/2014
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year

A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse.

Online advertising fraud is thriving right under the noses of website operators and corporate advertisers and on some of the largest legitimate websites, but until now there hasn't been much data on just how pervasive the problem really has become: The current rate of ad fraud translates into $6.3 billion of losses of ad revenue to advertisers worldwide in 2015 after losses of more than $5 billion this year.

That is just one of the eye-popping conclusions from a new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops. From Aug. 1 to Oct. 1, White Ops researchers studied and analyzed the digital advertising traffic of a who's who of 36 US major corporations from various industries -- all ANA members -- including Ford, Honda, General Mills, Lilly, MasterCard, Merk, MillerCoors, Home Depot, Verizon, Walmart, and Wendy's.

"This was a major move by the ad-buying community to get some clarity and wrap their arms around what's going on with this fraud. They didn't know" the scope of the problem, says Dan Kaminsky, chief scientist with White Ops, whose mission is to detect and quell the bot epidemic.

Conventional wisdom has held that ad fraud operates mainly with phony websites that live off bot traffic, but the study found that, out of nearly 3 million websites, there were just thousands of fake ones, and the rest were legitimate. About one-quarter of the bots conducting phony ad traffic were operating on Alexa Top 1,000 websites, according to findings in the report "The Bot Baseline: Fraud in Digital Advertising," which was published today. The bots inflated the monetized ad traffic by 5-50%, the report says.

"We really thought fraud was in its own corner," Kaminsky says. "But a lot of major publishers are pulled into this" fraudulent activity unknowingly.

White Ops studied 5.5 billion impressions in what it calls the largest public study ever of bot traffic in digital advertising. The company used its own technology to distinguish between a human and a bot's activity. The researchers discovered hundreds of millions of bots in all types of online ads, including video-based ads.

So called bot "impressions" give the illusion of actual ad views, and the botnet operators behind them make money via cash-out points. "Aggregators and middlemen gain reach, ensuring they never lack inventory to sell, and a diversity of bot profiles that match any conceivable audience segment," the report says. "Publishers inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from Advertisers."

Just who are the bots doing the dirty work? Two-thirds of them are home users whose machines have been recruited to the offending botnets, the study found. "The super majority of bot traffic comes from people's home computers, American IP addresses," Kaminsky says. "This is why people are breaking into Grandma's computer... American ad viewers are being targeted because they have disposable income."

Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion, because the ad fraudsters actually scaled back their nefarious activities during the study.

"How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, says Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study.

Even so, the volume of nefarious activity discovered during the study was significant, according to Liodice. "$6.2 billion is on the lower end of the range than I would have thought... But it's still a huge number."

The study also occurred during a relatively slow time in the advertising calendar year, according to the report, so the data is on the conservative side.

[Online fraudsters and cybercriminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to spot bots in action quickly. Read Battling The Bot Nation.]

There already was a sense of urgency among ANA members in how to quell this threat, and the report's findings have put an exclamation point on it, according to the ANA executive. "It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.

The report recommends that advertisers monitor for bot traffic, to both deter and detect bots overtly as well as covertly. Today's methods of viewing impressions don't work, because bots can be built to appear human, the report says, and blacklists are difficult to keep updated and effective. And even working with only "premium" ad publishing firms doesn't prevent bot traffic.

Other findings from White Ops analysis of ANA members' online ad traffic: Nearly 60% of bot traffic came from old Internet Explorer 6 browsers, and half the impressions from IE 7 browsers were bots. Financial, family, and food industries suffered the most bots, with 16-22% of the bot traffic. Technology, sports, and science had the least bot traffic, with 3-4%.

"Huge wakeup call"
One consumer packaged goods company that purchased 230,000 ad impressions from a premium US media company got some unwanted traffic: 19% of that site's traffic comes from bots, the report found.

Half the bots White Ops found operated at nighttime, and bots generated 11% of all display impressions and 23% of the video impressions. Bots represented 19% of retargeted ad traffic.

The report is "a huge wakeup call," Lidorice says. "We have to invest in security protocols, and part of the way we're responding as an industry is the Trustworthy Accountability Group." That organization, formed by the ANA, the American Association for Advertising Agencies, and the Interactive Advertising Bureau, aims to eliminate digital advertising fraud, malware, and ad-supported piracy.

"We're going to be heavily involved in behavioral change, credentializing, and certification" of digital advertising, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MPH426
50%
50%
MPH426,
User Rank: Apprentice
12/9/2014 | 3:44:41 PM
Re: ad agencies
It would be interesting to see correlates with shoplifting, "missing" inventory, etc...  4% of the buget seems a bit steep, but it's probably on par.

Don't get me wrong, theft of any kind is wrong.  Sad thing is to the corporations it's just another number.  We're the ones it's hurting.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/9/2014 | 1:54:20 PM
ad agencies
It will be interesting to see what's really going on at the ad agencies that are getting abused by bots. Hopefully, this will open the floodgates to finding out more there.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.