Online advertising is a growing, multi-billion-dollar market. ZenithOptimedia predicts that advertisers’ ad expenditure will reach $545 billion by the end of 2015. This amount of spending tempts criminals and hackers into creating technology and finding techniques to steal money from the advertisers.
Ad fraud has existed since the beginning of online advertising, but in recent years it has been gaining traction as the real-time bidding (RTB) model is now being widely adopted.
The distributed nature of the RTB ad exchange makes it easier to commit and conceal fraud.
It is estimated that $6 billion is being stolen from advertisers every year due to online ad fraud, but because some types of ad fraud are very hard to detect, and the technology to protect advertisers is immature, the actual figure may be much higher.
In this article, I will try to explain the basic types of RTB fraud, how they are committed, and the techniques that can potentially be used to detect and prevent them.
But before we dive deeper into that, let’s start with a short introduction about RTB ad exchanges.
How Does an RTB Ad Exchange Work?
Similar to a bourse, an RTB ad exchange is an organised market, but instead of commodities or currencies, ad impressions are traded.
Every single banner impression is put on an auction along with information about the user and the context about where the ad is displayed.
The process can be illustrated in the following way:
- A user visits a page.
- The user’s browser sends a request to the server to load an ad.
- The ad server/ad network puts the ad impression on the ad exchange.
- The ad exchange announces available ad impressions to all bidders (essentially, the advertisers buying through DSP platforms).
- Bidders evaluate the bid and match targeting parameters (such as the page domain, demographics, context, location and other data collected about the user).
- Bidders place bids (basically, how much they want to pay for this impression, if anything).
- The ad exchange receives the bids and the winning bidder’s ad is served to the user.
All of the above happens in real-time when the banner is loaded onto the page (usually within 100-150ms).
There are no direct relationships between advertisers and publishers: once an auction has been won and the ad served, the transaction is complete and it’s very hard to question it.
What’s more, on RTB exchanges, ads are sold in a Cost Per Mille (CPM) model, which means that the advertiser pays for every impression (rather than for performance, as in the CPC or CPA models).
So now that we know how the RTB process works, let’s look at the different types of online ad fraud.
Ad Fraud Technique #1: Ad Placement Fraud
This type of fraud is performed by dishonest publishers who want to increase their revenues by generating more ad traffic.
Invisible and Hidden Ads
This type of attack makes the ad invisible on the website, even though the impression will be reported. There are several techniques used in this type of attack:
- Display an ad in a 1×1 pixel iframe.
- Display the ads outside of the viewport area.
- Display (multiple) re-sized ads.
- Display several ads in an iframe loaded to a single ad slot (essentially, out of all the ads loaded, only one will actually be visible to the user).
This type of fraud should not be confused with non-viewable impressions: banners that are properly displayed on the page but are not seen by the user (e.g. at the bottom of the page) are valid, accountable impressions.
You can find out more about the viewable impression model by reading my earlier article ‘Viewable impression tracking and pitfalls’.
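The four hiding techniques above can be checked from placement geometry alone. The following is an added example, not code from the original article: it assumes a measurement script has already collected each ad's rendered rectangle and the size that was sold, and the field names and thresholds are assumptions.

```javascript
// Added example; field names and thresholds are assumptions, not a standard.
const MIN_VISIBLE_PX = 10;   // smaller frames are treated as pixel-sized
const SIZE_TOLERANCE = 0.9;  // rendered area must be >= 90% of the sold size
const OVERLAP_LIMIT = 0.5;   // ads covering >50% of each other are stacked

// Share of the smaller rectangle that is covered by the other one.
function overlapRatio(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  if (w <= 0 || h <= 0) return 0;
  return (w * h) / Math.min(a.w * a.h, b.w * b.h);
}

// page: {width, height} of the whole scrollable document.
// ads: [{id, x, y, w, h, soldW, soldH}] in document coordinates.
function auditPlacements(page, ads) {
  const findings = Object.fromEntries(ads.map((ad) => [ad.id, []]));
  for (const ad of ads) {
    const f = findings[ad.id];
    if (ad.w < MIN_VISIBLE_PX || ad.h < MIN_VISIBLE_PX) f.push("pixel-sized");
    else if (ad.w * ad.h < SIZE_TOLERANCE * ad.soldW * ad.soldH) f.push("resized");
    // Off-page means unreachable by scrolling. An ad below the fold but
    // inside the document is a valid, accountable impression.
    if (ad.x + ad.w <= 0 || ad.y + ad.h <= 0 ||
        ad.x >= page.width || ad.y >= page.height) f.push("off-page");
  }
  for (let i = 0; i < ads.length; i++) {
    for (let j = i + 1; j < ads.length; j++) {
      if (overlapRatio(ads[i], ads[j]) <= OVERLAP_LIMIT) continue;
      for (const id of [ads[i].id, ads[j].id])
        if (!findings[id].includes("stacked")) findings[id].push("stacked");
    }
  }
  return findings;
}

// Constructed sample: a 1280x4000 page reporting seven impressions.
const samplePage = { width: 1280, height: 4000 };
const sampleAds = [
  { id: "top", x: 276, y: 20, w: 728, h: 90, soldW: 728, soldH: 90 },
  { id: "footer", x: 276, y: 3800, w: 728, h: 90, soldW: 728, soldH: 90 },
  { id: "pixel", x: 0, y: 0, w: 1, h: 1, soldW: 300, soldH: 250 },
  { id: "offscreen", x: -5000, y: 100, w: 300, h: 250, soldW: 300, soldH: 250 },
  { id: "shrunk", x: 40, y: 1500, w: 150, h: 125, soldW: 300, soldH: 250 },
  { id: "stack-a", x: 900, y: 300, w: 300, h: 250, soldW: 300, soldH: 250 },
  { id: "stack-b", x: 900, y: 300, w: 300, h: 250, soldW: 300, soldH: 250 },
];
console.log(auditPlacements(samplePage, sampleAds));
```

The footer banner is below the fold but inside the document, so it comes back with no findings, which matches the distinction between hidden ads and non-viewable impressions.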
Impression laundering conceals the real website where the ad is displayed:
- The advertiser buys ads from a carefully selected publisher (one with a relevant audience and content that coincides with the advertiser’s brand), usually paying high CPM rates.
- Part of the ad impressions bought by the advertiser are served on irrelevant websites where neither the audience nor the content is relevant to the advertiser’s brand (e.g. high traffic sites with illegal content which are hard to monetise).
- Through a complex series of redirects and nested ad calls through iframes, the ad calls are ‘laundered’ so that the advertiser sees legitimate sites instead of the real sites where the ads are displayed.
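One way an advertiser can surface this is to compare the domain declared at purchase time with the top-level site that a script running inside the ad actually observed. The following is an added example, not code from the original article; the record fields and all domains are constructed, and it assumes such a script can report the top-level origin or `null` when nesting hides it.

```javascript
// Added example; record fields and all domains are constructed.
// True when the observed host is the declared site or one of its subdomains.
function sameSite(host, declared) {
  const norm = (d) => d.toLowerCase().replace(/^www\./, "");
  const h = norm(host), d = norm(declared);
  return h === d || h.endsWith("." + d);
}

// records: [{declaredDomain, topOrigin}]
//   declaredDomain: the site the impression was sold as
//   topOrigin: origin of the top-level page seen by the in-ad script,
//              or null when the nesting hid it from the script
function launderingReport(records) {
  const report = {};
  for (const r of records) {
    if (!report[r.declaredDomain]) {
      report[r.declaredDomain] = { total: 0, mismatched: 0, unknown: 0, seenOn: [] };
    }
    const row = report[r.declaredDomain];
    row.total++;
    if (r.topOrigin === null) { row.unknown++; continue; }
    const host = new URL(r.topOrigin).hostname;
    if (!sameSite(host, r.declaredDomain)) {
      row.mismatched++;
      if (!row.seenOn.includes(host)) row.seenOn.push(host);
    }
  }
  return report;
}

// Constructed sample: impressions sold as two publishers.
const sampleRecords = [
  { declaredDomain: "news.example", topOrigin: "https://www.news.example" },
  { declaredDomain: "news.example", topOrigin: "https://sport.news.example" },
  { declaredDomain: "news.example", topOrigin: "https://streams.invalid" },
  { declaredDomain: "news.example", topOrigin: "https://streams.invalid" },
  { declaredDomain: "news.example", topOrigin: "https://notnews.example" },
  { declaredDomain: "news.example", topOrigin: null },
  { declaredDomain: "blog.example", topOrigin: "https://blog.example" },
];
console.log(JSON.stringify(launderingReport(sampleRecords), null, 2));
```

A high share of mismatched or unknown impressions for one declared domain is a signal to investigate that supply path, not proof of fraud by itself.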
Ad Fraud Technique #2: Malware and Adware
Attackers perform these frauds by taking control over the users’ computers or browsers to generate ad revenues.
The so-called ad replacement attacks refer to the event in which the malware hijacks the ad slot on a website and displays an ad, generating revenue for the attacker rather than for the publisher (the owner of the website).
This could be done in a few ways:
- Compromise the user’s computer to change the DNS resolver (e.g. resolve the ad.doubleclick.com domain to the IP of the server controlled by the attacker, and therefore, serve different ads).
- Compromise the publisher’s website or the user’s computer to change the HTML content on the fly (change ad tags placed by the publisher to ad tags controlled by the attacker).
- Compromise the user’s proxy server or router (or the ISP’s router) to spoof the DNS server or change the HTML content of the site on the fly.
Similar to hijacking ad placements, an attacker can hijack a user’s click.
When the user clicks on an ad, the attacker redirects the user to a different site, essentially stealing a prospective client from the advertiser.
There are a few ways in which the attackers can achieve this:
- Compromise the user’s computer to change the DNS resolver.
- Compromise the publisher’s website and hijack the click (e.g. by inserting an onClick event on the iframe with the ad).
- Compromise the user’s proxy server or router to spoof the DNS or change the HTTP request on the fly.
Popunders are similar to pop-up windows with ads, except that the ad window appears behind the main web browser window rather than in front. They can be combined with the impression laundering technique to generate additional revenue.
In some domains, it’s considered a completely legal advertising method, but most ad networks forbid ads served in this way.
Attackers can use a botnet (either consisting of compromised users’ computers and/or a set of on-demand cloud servers and proxy servers) to generate fake traffic to the website in order to generate more ad revenue.
How to fight back?
It’s a constant arms race between online ad fraudsters and ad technology companies that are trying to prevent these types of fraud, similar to the war between hackers creating computer viruses and antivirus software companies.
There are various ad verification technologies on the market which use various techniques to detect, prevent, and measure these types of fraud:
- Ad delivery and visibility measurement.
- Bluff ads (honey pots).
- Statistical models for detecting anomalies.
- Heuristic-based and machine-learning algorithms detecting fake traffic.
- Website and botnet monitoring software.
I will explain how some of them work, who the main players on the market are, and who the new prospecting startups in the space are in the next article, so stay tuned!