A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse.

Online advertising fraud is thriving right under the noses of website operators and corporate advertisers and on some of the largest legitimate websites, but until now there hasn't been much data on just how pervasive the problem really has become: The current rate of ad fraud translates into $6.3 billion of losses of ad revenue to advertisers worldwide in 2015 after losses of more than $5 billion this year.

That is just one of the eye-popping conclusions from a new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops. From Aug. 1 to Oct. 1, White Ops researchers studied and analyzed the digital advertising traffic of a who's who of 36 US major corporations from various industries -- all ANA members -- including Ford, Honda, General Mills, Lilly, MasterCard, Merk, MillerCoors, Home Depot, Verizon, Walmart, and Wendy's.

"This was a major move by the ad-buying community to get some clarity and wrap their arms around what's going on with this fraud. They didn't know" the scope of the problem, says Dan Kaminsky, chief scientist with White Ops, whose mission is to detect and quell the bot epidemic.

Conventional wisdom has held that ad fraud operates mainly with phony websites that live off bot traffic, but the study found that, out of nearly 3 million websites, there were just thousands of fake ones, and the rest were legitimate. About one-quarter of the bots conducting phony ad traffic were operating on Alexa Top 1,000 websites, according to findings in the report "The Bot Baseline: Fraud in Digital Advertising," which was published today. The bots inflated the monetized ad traffic by 5-50%, the report says.

"We really thought fraud was in its own corner," Kaminsky says. "But a lot of major publishers are pulled into this" fraudulent activity unknowingly.

White Ops studied 5.5 billion impressions in what it calls the largest public study ever of bot traffic in digital advertising. The company used its own technology to distinguish between a human and a bot's activity. The researchers discovered hundreds of millions of bots in all types of online ads, including video-based ads.

So called bot "impressions" give the illusion of actual ad views, and the botnet operators behind them make money via cash-out points. "Aggregators and middlemen gain reach, ensuring they never lack inventory to sell, and a diversity of bot profiles that match any conceivable audience segment," the report says. "Publishers inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from Advertisers."

Just who are the bots doing the dirty work? Two-thirds of them are home users whose machines have been recruited to the offending botnets, the study found. "The super majority of bot traffic comes from people's home computers, American IP addresses," Kaminsky says. "This is why people are breaking into Grandma's computer... American ad viewers are being targeted because they have disposable income."

Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion, because the ad fraudsters actually scaled back their nefarious activities during the study.

"How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, says Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study.

Even so, the volume of nefarious activity discovered during the study was significant, according to Liodice. "$6.2 billion is on the lower end of the range than I would have thought... But it's still a huge number."

The study also occurred during a relatively slow time in the advertising calendar year, according to the report, so the data is on the conservative side.

[Online fraudsters and cybercriminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to spot bots in action quickly. Read Battling The Bot Nation.]

There already was a sense of urgency among ANA members in how to quell this threat, and the report's findings have put an exclamation point on it, according to the ANA executive. "It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.

The report recommends that advertisers monitor for bot traffic, to both deter and detect bots overtly as well as covertly. Today's methods of viewing impressions don't work, because bots can be built to appear human, the report says, and blacklists are difficult to keep updated and effective. And even working with only "premium" ad publishing firms doesn't prevent bot traffic.

Other findings from White Ops analysis of ANA members' online ad traffic: Nearly 60% of bot traffic came from old Internet Explorer 6 browsers, and half the impressions from IE 7 browsers were bots. Financial, family, and food industries suffered the most bots, with 16-22% of the bot traffic. Technology, sports, and science had the least bot traffic, with 3-4%.

"Huge wakeup call"
One consumer packaged goods company that purchased 230,000 ad impressions from a premium US media company got some unwanted traffic: 19% of that site's traffic comes from bots, the report found.

Half the bots White Ops found operated at nighttime, and bots generated 11% of all display impressions and 23% of the video impressions. Bots represented 19% of retargeted ad traffic.

The report is "a huge wakeup call," Lidorice says. "We have to invest in security protocols, and part of the way we're responding as an industry is the Trustworthy Accountability Group." That organization, formed by the ANA, the American Association for Advertising Agencies, and the Interactive Advertising Bureau, aims to eliminate digital advertising fraud, malware, and ad-supported piracy.

"We're going to be heavily involved in behavioral change, credentializing, and certification" of digital advertising, he says.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights