
12/9/2014
12:01 AM

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year

A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse.

Online advertising fraud is thriving right under the noses of website operators and corporate advertisers, including on some of the largest legitimate websites, but until now there hasn't been much data on just how pervasive the problem has become. The current rate of ad fraud translates into $6.3 billion in lost ad revenue for advertisers worldwide in 2015, after losses of more than $5 billion this year.

That is just one of the eye-popping conclusions from a new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops. From Aug. 1 to Oct. 1, White Ops researchers studied and analyzed the digital advertising traffic of a who's who of 36 major US corporations from various industries -- all ANA members -- including Ford, Honda, General Mills, Lilly, MasterCard, Merck, MillerCoors, Home Depot, Verizon, Walmart, and Wendy's.

"This was a major move by the ad-buying community to get some clarity and wrap their arms around what's going on with this fraud. They didn't know" the scope of the problem, says Dan Kaminsky, chief scientist with White Ops, whose mission is to detect and quell the bot epidemic.

Conventional wisdom has held that ad fraud operates mainly with phony websites that live off bot traffic, but the study found that, out of nearly 3 million websites, there were just thousands of fake ones, and the rest were legitimate. About one-quarter of the bots conducting phony ad traffic were operating on Alexa Top 1,000 websites, according to findings in the report "The Bot Baseline: Fraud in Digital Advertising," which was published today. The bots inflated the monetized ad traffic by 5-50%, the report says.

"We really thought fraud was in its own corner," Kaminsky says. "But a lot of major publishers are pulled into this" fraudulent activity unknowingly.

White Ops studied 5.5 billion impressions in what it calls the largest public study ever of bot traffic in digital advertising. The company used its own technology to distinguish between human and bot activity. The researchers discovered hundreds of millions of bots in all types of online ads, including video-based ads.

So-called bot "impressions" give the illusion of actual ad views, and the botnet operators behind them make money via cash-out points. "Aggregators and middlemen gain reach, ensuring they never lack inventory to sell, and a diversity of bot profiles that match any conceivable audience segment," the report says. "Publishers inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from Advertisers."

Just who are the bots doing the dirty work? Two-thirds of them are home users whose machines have been recruited to the offending botnets, the study found. "The super majority of bot traffic comes from people's home computers, American IP addresses," Kaminsky says. "This is why people are breaking into Grandma's computer... American ad viewers are being targeted because they have disposable income."

Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion, because the ad fraudsters actually scaled back their nefarious activities during the study.

"How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, says Liodice, who has raised the alarm about online ad fraud for some time now. "They lowered their activity to diminish the findings of fraud" once word got out about the study.

Even so, the volume of nefarious activity discovered during the study was significant, according to Liodice. "$6.2 billion is on the lower end of the range than I would have thought... But it's still a huge number."

The study also occurred during a relatively slow time in the advertising calendar year, according to the report, so the data is on the conservative side.

There already was a sense of urgency among ANA members in how to quell this threat, and the report's findings have put an exclamation point on it, according to the ANA executive. "It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.

The report recommends that advertisers monitor for bot traffic, to both deter and detect bots overtly as well as covertly. Today's methods of viewing impressions don't work, because bots can be built to appear human, the report says, and blacklists are difficult to keep updated and effective. And even working with only "premium" ad publishing firms doesn't prevent bot traffic.

Other findings from White Ops' analysis of ANA members' online ad traffic: Nearly 60% of bot traffic came from old Internet Explorer 6 browsers, and half the impressions from IE 7 browsers were bots. Financial, family, and food industries suffered the most bots, with 16-22% of the bot traffic. Technology, sports, and science had the least bot traffic, with 3-4%.

"Huge wakeup call"
One consumer packaged goods company that purchased 230,000 ad impressions from a premium US media company got some unwanted traffic: 19% of that site's traffic comes from bots, the report found.

Half the bots White Ops found operated at nighttime, and bots generated 11% of all display impressions and 23% of the video impressions. Bots represented 19% of retargeted ad traffic.

The report is "a huge wakeup call," Liodice says. "We have to invest in security protocols, and part of the way we're responding as an industry is the Trustworthy Accountability Group." That organization, formed by the ANA, the American Association for Advertising Agencies, and the Interactive Advertising Bureau, aims to eliminate digital advertising fraud, malware, and ad-supported piracy.

"We're going to be heavily involved in behavioral change, credentializing, and certification" of digital advertising, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
12/9/2014 | 1:54:20 PM
ad agencies
It will be interesting to see what's really going on at the ad agencies that are getting abused by bots. Hopefully, this will open the floodgates to finding out more there.
MPH426,
User Rank: Apprentice
12/9/2014 | 3:44:41 PM
Re: ad agencies
It would be interesting to see correlates with shoplifting, "missing" inventory, etc...  4% of the budget seems a bit steep, but it's probably on par.

Don't get me wrong, theft of any kind is wrong.  Sad thing is to the corporations it's just another number.  We're the ones it's hurting.