The cybercriminal's cash cow and the marketer's machine: Inside the mad sad bad web ad world
We peek behind the curtain of banners and gimmicks that go too far
Special report Digital ad fraud is potentially lucrative, difficult to detect, and getting worse.
"It is one of the biggest ways bad guys have of pulling money out of the online economy," said Louis-David Mangin, co-founder and CEO of Confiant, a firm that helps publishers mitigate the damage done by hosting bad ads, in a phone interview with The Register. "It's definitely getting worse."
Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, makes a similar point in a report he plans to publish on Monday.
"Ad fraud is the most lucrative way to cash out of other major criminal activities," his report, provided in advance to The Register, reads.
It's nearly the perfect crime in the sense that it often goes unnoticed and hasn't been as high a law enforcement priority as other online threats. Some industry experts talk about digital ad fraud as if it were legal, though they don't really mean it.
Illegal, or is it
Fou has in the past claimed digital ad fraud is legal, and he says something similar in his latest findings.
"Ad fraud isn't illegal (no laws pertain to it) but other laws may be broken in the committing of it," his report says.
"Ad fraud is against the terms of service of most ad exchanges, so it’s almost certainly a breach of contract," said Ratko Vidakovic, founder and principal consultant at AdProfs, ad tech consultancy based in Toronto, Canada, in an email to The Register.
"Then again, plausible deniability is always on the table, so it's very hard to prove that a publisher is deliberately engaging in ad fraud without a rigorous investigation. To my knowledge, it’s not explicitly illegal. Although, I'm sure some could argue that it constitutes wire fraud, or violates any number of computer crime laws."
While online ad fraud may not be specifically defined as a crime, it is nonetheless fraud, and is actionable at least under US law. What's more, there are various statutes that can be brought to bear related to computer crimes, money laundering and the like, depending on the circumstances.
Asked about this, Fou said what he means is that digital ad fraud isn't often prosecuted.
A tsunami of scams
Digital ad fraud can mean many different things. It can involve fake websites, fake online traffic, fake ads, fake ad agencies, fake audiences, fake ad bidding, fake accounts, fake devices, fake apps, and fake data.
It's not just click fraud – bots clicking on ads or loading display ads to get paid. It may involve installation fraud, by which physical or virtual devices download and install apps, cycling through fake device identifiers to collect the installation payment from the app publisher. Or it may involve showing ads that paid to reach a high-value audience to a low-value audience.
AdProfs describes some of the variations: invisible ads, traffic arbitrage (buying low-value traffic and reselling it for more than it's worth), domain spoofing (bad publishers misidentifying their sites), site bundling (bad publishers bundling networks of domains under a single ad network identifier), ad injection, cookie stuffing (to get credit for affiliate fees), and click farms.
Of course, before anyone asks, El Reg's highly capable ad operations team works hard around the clock to ensure our ads are not only served to and seen by millions of real eyeballs each month, but are also high quality and safe.
Evolved DNSChanger malware slings evil ads at PCs, hijacks routersREAD MORE
There is at least agreement that digital ad fraud happens, though not everyone considers it all that serious. A 2017 report by the Association of National Advertisers (ANA) put bot fraud losses at $6.5bn in 2017, down 10 per cent from $7.2bn in 2016.
The ANA report said 9 per cent of desktop display ad spending and 22 per cent of desktop video ad spending is lost to fraud. It dismisses mobile ad fraud as less than 2 per cent of spending, while noting "this does not include fraud in mobile web video or pay-per-click fraud, which remain high and problematic."
Juniper Research last year predicted $19bn will be lost to digital ad fraud in 2018.
But ad fraud statistics offer an incomplete picture of what's going on because they tend to focus on one specific segment of the industry while omitting others. Fou, who said he has stopped estimating ad fraud as a percentage, previously said 43 per cent of mobile display ad impressions were bogus.
Others have suggested about half of paid programmatic impressions are fake.
Call in the lawyers
Digital ad fraud litigation is not very common, but it does occur.
The US Justice Department brought a click fraud case against six Estonian nationals and one Russian national in 2011. There have been a handful of other criminal click fraud cases, such as one in 2017 against Fabio Gasperini.
There have also been a few notable civil cases as well. Google settled a click fraud claim by Lane's Gifts and Collectibles in 2006 for $90m and in 2017 settled another click fraud case covering the 2004 through 2008 period for $22.5m. Last year, Uber sued ad biz Fetch alleging click fraud.
One reason for the scarcity of lawsuits, Fou and others have argued, is that there's an industry incentive to maintain the status quo.
"This is because marketers want the fraud to continue," Fou explained in an email to The Register. "If they cut out the fraud there will be less impressions to buy."
Some marketers, at least.
"Certainly some buyers like cheap inventory and don't care to ask too many questions, said Ben Edelman, an associate professor at the Harvard Business School who had conducted many ad fraud investigations over the years, in an email to The Register.
"But that's not typical. In my experience most advertisers care about results – they have products to sell, which requires finding real buyers, which requires quality advertising inventory that real people see and engage with. In my view, that's as it should be."
"There is no direct incentive from anyone in the industry, with the exception of marketers, to eradicate ad fraud," observed Vidakovic. "That said, it’s hard to generalize the industry’s will in such a way."
Sponsored: Becoming a Pragmatic Security Leader