Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/9/2014
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year

A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse.

Online advertising fraud is thriving right under the noses of website operators and corporate advertisers and on some of the largest legitimate websites, but until now there hasn't been much data on just how pervasive the problem really has become: The current rate of ad fraud translates into $6.3 billion of losses of ad revenue to advertisers worldwide in 2015 after losses of more than $5 billion this year.

That is just one of the eye-popping conclusions from a new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops. From Aug. 1 to Oct. 1, White Ops researchers studied and analyzed the digital advertising traffic of a who's who of 36 US major corporations from various industries -- all ANA members -- including Ford, Honda, General Mills, Lilly, MasterCard, Merk, MillerCoors, Home Depot, Verizon, Walmart, and Wendy's.

"This was a major move by the ad-buying community to get some clarity and wrap their arms around what's going on with this fraud. They didn't know" the scope of the problem, says Dan Kaminsky, chief scientist with White Ops, whose mission is to detect and quell the bot epidemic.

Conventional wisdom has held that ad fraud operates mainly with phony websites that live off bot traffic, but the study found that, out of nearly 3 million websites, there were just thousands of fake ones, and the rest were legitimate. About one-quarter of the bots conducting phony ad traffic were operating on Alexa Top 1,000 websites, according to findings in the report "The Bot Baseline: Fraud in Digital Advertising," which was published today. The bots inflated the monetized ad traffic by 5-50%, the report says.

"We really thought fraud was in its own corner," Kaminsky says. "But a lot of major publishers are pulled into this" fraudulent activity unknowingly.

White Ops studied 5.5 billion impressions in what it calls the largest public study ever of bot traffic in digital advertising. The company used its own technology to distinguish between a human and a bot's activity. The researchers discovered hundreds of millions of bots in all types of online ads, including video-based ads.

So called bot "impressions" give the illusion of actual ad views, and the botnet operators behind them make money via cash-out points. "Aggregators and middlemen gain reach, ensuring they never lack inventory to sell, and a diversity of bot profiles that match any conceivable audience segment," the report says. "Publishers inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from Advertisers."

Just who are the bots doing the dirty work? Two-thirds of them are home users whose machines have been recruited to the offending botnets, the study found. "The super majority of bot traffic comes from people's home computers, American IP addresses," Kaminsky says. "This is why people are breaking into Grandma's computer... American ad viewers are being targeted because they have disposable income."

Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion, because the ad fraudsters actually scaled back their nefarious activities during the study.

"How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, says Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study.

Even so, the volume of nefarious activity discovered during the study was significant, according to Liodice. "$6.2 billion is on the lower end of the range than I would have thought... But it's still a huge number."

The study also occurred during a relatively slow time in the advertising calendar year, according to the report, so the data is on the conservative side.

[Online fraudsters and cybercriminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to spot bots in action quickly. Read Battling The Bot Nation.]

There already was a sense of urgency among ANA members in how to quell this threat, and the report's findings have put an exclamation point on it, according to the ANA executive. "It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.

The report recommends that advertisers monitor for bot traffic, to both deter and detect bots overtly as well as covertly. Today's methods of viewing impressions don't work, because bots can be built to appear human, the report says, and blacklists are difficult to keep updated and effective. And even working with only "premium" ad publishing firms doesn't prevent bot traffic.

Other findings from White Ops analysis of ANA members' online ad traffic: Nearly 60% of bot traffic came from old Internet Explorer 6 browsers, and half the impressions from IE 7 browsers were bots. Financial, family, and food industries suffered the most bots, with 16-22% of the bot traffic. Technology, sports, and science had the least bot traffic, with 3-4%.

"Huge wakeup call"
One consumer packaged goods company that purchased 230,000 ad impressions from a premium US media company got some unwanted traffic: 19% of that site's traffic comes from bots, the report found.

Half the bots White Ops found operated at nighttime, and bots generated 11% of all display impressions and 23% of the video impressions. Bots represented 19% of retargeted ad traffic.

The report is "a huge wakeup call," Lidorice says. "We have to invest in security protocols, and part of the way we're responding as an industry is the Trustworthy Accountability Group." That organization, formed by the ANA, the American Association for Advertising Agencies, and the Interactive Advertising Bureau, aims to eliminate digital advertising fraud, malware, and ad-supported piracy.

"We're going to be heavily involved in behavioral change, credentializing, and certification" of digital advertising, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MPH426
50%
50%
MPH426,
User Rank: Apprentice
12/9/2014 | 3:44:41 PM
Re: ad agencies
It would be interesting to see correlates with shoplifting, "missing" inventory, etc...  4% of the buget seems a bit steep, but it's probably on par.

Don't get me wrong, theft of any kind is wrong.  Sad thing is to the corporations it's just another number.  We're the ones it's hurting.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/9/2014 | 1:54:20 PM
ad agencies
It will be interesting to see what's really going on at the ad agencies that are getting abused by bots. Hopefully, this will open the floodgates to finding out more there.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.