Deftly sliding from desktop browsers to mobile devices to smart TVs and other Internet of Things devices, ad fraud is a multibillion-dollar business problem that has been running rampant across the Internet for years. Should chief information security officers at companies hit by ad fraud take a stronger role in stopping it?
The range of companies affected by ad fraud is vast and deep, and affects every business vertical across the globe. Any company that relies on programmatic advertising networks, which automatically buy and sell ads, is at risk, unless the network is a protected advertising ecosystem, said Dan Lowden, the chief marketing officer of bot network and ad fraud prevention company White Ops, in an email.
When it comes to costs, the debate over ad fraud is whether it costs billions of dollars per year...or many tens of billions of dollars per year. In a 2016 analysis, HP Enterprise fingered ad fraud as the most lucrative form of cybercrime. Research company eMarketer estimated ad fraud to cost between $6.5 billion to $19 billion in 2019, and Juniper Research concluded that ad fraud would cost $42 billion by the end of 2019. By 2023, Juniper expects ad fraud to cost more than $100 million per day.
Not a New Problem
Defrauding advertising networks for financial gain has been around almost as long as online ad networks themselves.
The practice became significantly more widespread when the scammers began leveraging networked bots to create fake clicks on sites they own or ads they've paid for, and now also encompasses hidden ads, targeting ad networks which measure views not clicks; click hijacking, when the fraudster redirects a click from one ad to another; and fake apps, which look like and are labeled as legitimate apps.
These techniques are often used simultaneously to victimize companies, making the fight against ad fraud even more complex, says Luke Taylor, the chief operating officer of adtech security company TrafficGuard, which coauthored the report with Juniper.
So Tayler believes that at the very least, CISOs should use lessons from the cybersecurity world to encourage their employers to become more engaged with the ad fraud challenge.
A lot of ad fraud is based on making fake traffic look real, and the way that fraudsters do that is by stealing traffic logs to mimic them and create authentic-looking but fake traffic. CISOs, Taylor says, should be protecting their logs from cybercriminals the way they protect financial data.
"Simply extracting your server logs can be a good start for ad fraud because they can be replayed as normal behavior," he says.
"First step in cybersecurity is deploying some kind of transparency — access to logs and reviewing those logs. Who has access, who is coming to your website, how big is the threat," Taylor says. "Providing more detail helps solve the problem."
While some advertisers argue that the way to solve ad fraud is through promoting self-regulated, approval-based ad networks, not all experts agree that will get the problem under control soon enough. Large websites rely on ad networks that often depend on ad resellers, making it hard to verify each ad.
So if part of the problem with ad fraud is the ads themselves, should CISOs simply prevent the ads from being viewed on websites inside their corporate firewalls?
Digital-marketing strategy expert and ad fraud auditor Augustine Fou says that tactic, while upsetting to advertisers, would ensure that neither ad fraud nor malicious advertising could be seen by employees.
Malicious advertisers and fraudsters, he says, are looking for specific computer and operating system combinations, like old versions of Windows, or specific blocks of IP addresses, in order to directly target victims with malvertising.
"It's a loophole that a lot of people don’t understand. It's the same programmatic ecosystem with a lot of loopholes — this is just one that affects security. It's the foot in the door that can lead to the other stuff."Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio