I've long wondered if the best ad blocker would be a client that simply randomly clicks ads instead of blocking them. If you send fake clicks and spoof looking like real activity, that will pressure both advertisers and the websites that display ads. If millions of people do this...
The problem is that while this might work great on a large scale, it breaks down at the individual level: why would I want all that ad-clicking activity associated with my account / cookie / IP?
Because you don't want the trackers to know your real activity?
It's pretty common now to do things like intentionally tagging the wrong friends in facebook because people are paranoid that facebook knows too much. Even with non-techie people. They're creeped out.
Throwing off retargeting is something a lot of people might want to do.
The supposed value of the ad-clicking activity profile is that it pertains to you, if a bot is making your ad-click decisions your profile gets scrambled, ostensibly making you harder to target when ad-tech reaches new heights of persuasiveness...
If you're interested in everything, you may as well have clicked nothing. Your ad profile becomes meaningless. It certainly isn't representative any more as you're lost in noise.
You'd be surprised - it often implies the lifetime value of the potential customer is exceptionally high, despite low conversion rates (a medical lawyer is a good example, as are insurance products with high stickiness).
I've never done work for a law firm but have talked to some and the small shops specializing in easy cases like DUI's and personal bankruptcies can pretty easily fill up their billable hours by turning an AdSense campaign on and not coming close to eating away their margin.
I'd guess on the keywords where law firms are spending hundreds per click, you're dealing with malpractice and personal injury cases. Those cases are likely to be done on contingent and can have pretty huge upsides. I'd think a well-run firm would have some idea of the expected value of those types of cases and can spend accordingly to acquire clients. Considering how targeted search ads are compared to how these firms normally advertise -- local TV, radio, billboards, busses, etc. the costs probably aren't radically different than they're used to spending on advertising.
Early on in my career I was an SEO Account Manager (barf) and mortgage lending PPC ads could run up to $50/click. This was in 2005. Having some specialized markets with clicks in the hundreds these days would make me raise an eyebrow, but certainly isn't shocking.
When ads are sold programatically (at least at the exchange level), they're almost always done on an impression basis, not a click basis. So by the time you see the ad, most of the financial exchange has already taken place. Some DSPs, like Criteo, charge their clients on a CPC basis, so you're affecting their downstream clients but not Criteo itself.
Depending on the exchange, you can sometimes see how much the DSP/client paid for the impression by looking at the win notification URL. Typically there will be a URL query parameter that has been filled in by the exchange, like `BID_CPM=4.00`, and when your browser requests this URL (which is owned by the DSP/client), your browser is effectively notifying the winner of the auction that they won and how much it cost. However, ad exchanges are increasingly sending these fields encrypted to protect against manipulation/fraud.
If you really want to manipulate the amount of money that advertisers pay to show you ads, look at what ad botnets like the one in this article do. The PDF above only briefly mentions it, but one of the things they do to increase their perceived value to DSPs and clients is they make their browsers visit high value advertisers websites (e.g. they might visit a shopping website and put items in their cart to make it look like they were strongly considering purchasing the items). Later, when you visit a publisher site, this will cause the bidders' machine learning systems to predict a much higher value for you than they otherwise would have, and submit higher bids as a result.
In a brazen attack on privacy, intrusive javascript tracks mouse movement, behaviour etc. and can detect if it's a human that does the clicking or your ad blocker/clicker. Next up might be eye tracking through the webcam, do you want an BS-armsrace with the ad industry or can we just block all that nonsense?
If you sell shoes, put up some shoe ads with an affiliate link, shouldn't that work good enough? You'd save millions by not being susceptible to attacks like the one in the article.
A VM running the an OS, a browser with some software identifying the interesting banners and clicking on the while they move the mouse and scroll the window in human-like ways.
Imagine now a beefy box with a couple hundred VMs running on it.
Now imagine fake cameras catching a rendered environment and tracking virtual eyes that move according to what the camera would expect.
If you want ad networks that rely on cameras to detect your presence capturing your image, imagine installing a fake camera driver on your PC that shows a rendered person in a rendered environment doing random browsing.
Yes, I'm thrilled about running all that compute on my hardware.
Contrary to what many people in adtech and web development seem to believe, electricity isn't free. Not to mention such silly concerns as worldwide resource usage and climate change.
Basically, that's why advertising needs to be reigned in hard, squeezed with regulations until it starts to behave. Because it's a zero-sum game on enough fronts to make everyones' lives worse if it's not fought against hard.
I don't think it would work. Let's say out of every click 20% come from your fake clicker. Advertisers would simply charge 20% less, the net effect would be the same for both advertisers and publishers. Especially on mobile there are already accidental clicks that have that effect.
This isn't for ads, but if you want to obfuscate Google's profile of you in the background, you can check out NYU's TrackMeNot: https://cs.nyu.edu/trackmenot/
So one way this fraud is committed is by consuming the content (youtube videos, spotify plays, etc) and taking in the direct revenue streams.
The bigger picture is virality. Nobody wants to watch your video with 100 views. Same video with 10M views, now everyone has to watch it.
The music business has been doing this so much for so long that it's to the point where I automatically distrust everything that's "popular" as having been gamed.
Just like the old-school radio scam, where radio DJ's were paid to say they played certain songs but they didn't. Then people created charts using that data and paid artists found themselves popular... system(s) have been always gamed :)
I think 13.04 would be the CPM, not per view. I'm not sure if that's high or low for video ads, but wanted to stress that number isn't per view. If it was, they would have made slightly more than $5mil. :)
I used to work on an online video platform where we were selling some 30-second unskippable video ads for £20CPM, so order of magnitude seems right to me
Is that the biggest? From 'the past' I believe (but no proof) that the fraud on normal display ads was/is much higher. Bot generated ad clicks, bot generated content to drive up ad prices etc should be much higher than $5m even by individual hacker groups? Maybe video ad clicks are easier to fake but worth less?
If you take the low estimate of 3m$ a day, this is $1B a year. The often quoted figure I've seen for the size of the ad fraud "market" is $7B. That's a big chunk of a "market" that is mostly cottage industry. And as a bonus, they target the highly profitable end of the spectrum.
Normally a "real browser" can't run 100s of ad players at once, but "methbrowser" is a node.js application with a C module that speaks Flash's plugin protocol directly. It simulates a dom, runs JavaScript in a node VM, but doesn't have to do any of the messy rendering that things like PhantomJS have to.
It was discovered years ago because:
* Their IP stack was acting like Linux[1]
* Their flash player said "I'm Linux"
* Their user agent said other things (random user agents)
* Their DNS traffic was going UK, but the hosts were coming out of the US
There are a lot of vendors in this space now, offering various kinds of "spamhaus"-type solutions. They're all crap because they operate blacklists of various kinds to keep their customers dependent.
The ideal scenario is for ad networks/SSPs to implement the anti-fraud technology themselves, however getting there from here is difficult: The first ad network to go clean will be at a significant (fiscal) disadvantage.
I'd like to get in touch with anyone ad network/SSP that wants to go first.
> lists of botnet infected IPs participating in ad fraud
This won't be enough.
A popular "audience extender" is to use an iframe containing your site as an ad tag, and run it on your display network. Unless you have been using an ad blocker for the last ten years (and maybe even then), it's very likely your IP address has been used in ad fraud.
> lists of offending/incompetent SSP blindly accepting forged requests
Google facilitates an enormous amount of ad fraud, but media buyers have to buy from Google because nobody else sells Google search ads (except, I suppose, the injection people...)
Yahoo purchased a company who was selling video ads that were muted using uncommon AS3 mixer controls.
I think a much shorter list would be the media suppliers that don't have ad fraud on them and don't facilitate ad fraud. You'll find such a list below.
> I don't understand ad networks enough to grasp how fraudulent ad inventory works, but as this article shows - you can make a killing exploiting it..
Someone has some "sites" that they show to an ad network or an advertiser and tries to sell the impressions on those sites. They receive "ad tags" in exchange, and the theory is that users are exposed to the ads shown by those ad tags, and the advertiser is satisfied.
However, once they have "ad tags", they can do whatever they want with them. They can find the URL signal that represents "give me money" and arrange to fire that signal.
> As is stands, is there any sort of compliance measure (or regulatory body) to monitor/prevent ad fraud in these networks?
No.
The Media Rating Council[1] was endowed by congress with special powers that allow participants to talk to each other antitrust protections kicking in, but these conversations are extremely non-productive.
They only have to do the very minimum to recover from detection. The incentive is for them to keep the largest possible bag of tricks ready to deploy every time they get a dip in revenue due to fraud detection to milk the fraud. Besides, most of the countermeasure takes the form of javascript to be executed by the client, since the fraudsters control the client, they can alter the operating environment of the fraud detection as needed.
When three-letter television companies will buy an audience extender from one of these shady guys rather than tell the advertiser that they don't have as much traffic as they projected, you don't really even need to worry about detection.
There exist passive techniques powerful enough to really map these kinds of actors out thoroughly, however the industry has been reticent to stop it because everyone from Viacom to Google has facilitated ad fraud, and there's this fear that stopping things too abruptly will cause advertisers to lose faith in this (still nascent) $60 billion dollar industry (US numbers).
Most anti-ad fraud vendors can't do the IP packet analysis trick since they use ELB to help control their costs/scale.
All the other techniques require JavaScript and/or AS3 and are thus subject to modification by these kinds of sophisticated attackers. The only real way to do JavaScript in these cases is to change it often enough and run enough parallel versions that the attacker cannot keep up.
Aah, they were doing it for the last 10 years or so. People who are serious into botting have software that basicaly runs the browser in a vm.
The level of programming skill in the "industrial scale botting" community is high. Top tier botters can easily get into +$100k club if they were doing whitehat stuff.
I am a developer with these types of skills, but was mainly testing for a pet project scraping data. What are you referring to with the "whitehat stuff" to get in the 100k+ (/day) club?
I reversed engineered (out of curiosity) the JS/AS code of > 10 solutions of this nature. Wrote bypasses for many (locally, for fun).
How do you make whitehat 100K+/day with these skills?
In truth they were likely exploiting a vulnerability in MethBot. Similar to XSS only server side. The legality of this, if my suspicion is correct is highly dubious, so they kept the details low key.
I imagine somewhere in MethBots virtual DOM emulation they got sloppy and ran code (JS) from the server. Using metaprogramming plus some output they could predict they could use runtime reflection and inspect server side JS object.
> The part that confused me is when they claim to have obtained MethBot source code, but never mention how.
>
On page 19 in the The Methbot Operation report they state that ‘White Ops detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings.’
I have personally never heard about JavaScript reflection before, but it appear to be a debug method for one object to dump information or data about another object.
Maybe the White Ops software loaded some JavaScript that was able to dump much of its environment and send it back to White Ops?
I don't know more than anyone else about this particular situation, but I can imagine how JS reflection works. Something like:
let test = function() { return "hello";}
test.toString()
returns
"function() { return "hello";}"
It's not too difficult to imagine that pairing that with some JS parsing would allow you to slowly crawl your way around an app and gather the app structure. Crazy, and fascinating idea.
Can anyone explain why it's the ad buyers that lose out in this case, not the ad network? Surely it makes way more sense for the ad networks to bare the financial responsibility of preventing ad fraud and not the ad buyer? (The ad equivalent of a money-back-guarantee)
How is an ad buyer ever supposed to make an informed decision about how susceptible their chosen ad vendor is to fraud?
The ad networks sometimes do refund money for invalid clicks. However, there's not much incentive to do so, other than maintaining a good reputation. For this reason, I suspect they put just enough work into fraud detection that you see some refunds, enough to convince you they are diligent.
I suspect it's similar for the R&D spend on preventing them in the first place.
The ad networks are held responsible by basic economics -- the higher the fraud on a network, the lower the observed utility of advertising on that network, and, therefore, over time the less people are willing to pay to advertise on that network.
The world can be divided up into two types of advertising. DR (Direct Response) or Branding/Awareness.
The goal of DR is drive an immediate action, for ex. a purchase or news letter signup. Branding/Awareness is more about keeping the brand/product top of mind for the eventual time when the purchasing is actually done.
Usually small and mid-sized advertisers focus on DR. That's why you see a lot of re-targeting type ads for buying products you abandoned in your shopping cart (exception: large ecommerce).
Then you have large advertisers like the Fortune 500 and beyond. They know that you're not making the purchase right there. Hardly any toothpaste, car, $25k server ads or retirement account ads lead to a conversion instantaneously. This is Branding/Product advertising. The hope is to keep their product top-of-mind so you'll consider it when you're driving by the dealership or in the toothpaste isle at Target. This is like your traditional newspaper advertising. Traditional KPIs like CPA used in DR ads don't make sense here. And, due to fraud CPC and CTR are not that useful.
A lot of brand/product advertisements don't have a good instantaneous KPI and measuring long term ROI for a year long $25k server campaign is nebulous art at best.
So to wrap up this story. The guys running this fraud operation were spoofing "premium" video sites with $13.00+ average CPMs (this is high); they were going for the most expensive inventory. The people buying ads on "premium" video sites are not DR advertisers. The goal was to capture Branding/Product advertisers dollars.
It's a bit of a misconception that all online advertising is ROI focused. This was true maybe 4 years ago. With younger audiences (40 and under) consuming more video content online versus linear television there's been in a influx of branding dollars coming "premium" online video.
(Disclosure: My company Adfin provided data for financial estimate for this anti-fraud operation done by WhiteOps)
The frusturating thing about this is how obvious it should be that the publisher account getting paid for the impression is _not_ the premium publisher that it said it was. If your account with, say, AppNexus is registered to "Mikhail Gorsky's Ad Fraud Ring" and it's registering video plays on espn.com/video at a $30 CPM, there are some very very basic heuristics that AppNexus could run to determine there is something off about this arrangement.
The vendors that are letting the supply in (SSPs and exchanges) should do more to verify the supply. This could verifying their supply id with provided domain (would get rid of a lot of crappy arbitrage). Additional verification on new suppliers who are generating more traffic. And longer net payment terms for new suppliers to allow for clawing some of it back.
The problem is that many vendors are unwilling to do that. In many cases because they still make money on fraudulent traffic / arbitrage that goes through their platform. Or because they tend to be more accepting of bad data, because adtech is so duct tapped together. People setup their tags/campaigns incorrectly, adservers re-wrap urls, other incorrect rewrapping (fraud/viewablity/attribution), bad javascript, bad publisher sites and hostile browser environments. So they default to be more accepting to not lose on that revenue.
They are not in true ad fraud. Those guys are not in PPV, but in counter stuffing and "viralizing". They are former ebanners/ advmaker and cyberonix/telemaster ad fraud detection people.
Their ops model is this: they sell promo service for content producers; after upfront cost producers pay comission from monetisation revenue.
Every major ad publisher knows or should know that a large portion of their ad clicks are fraud. I knew this when getting into affiliate networks, it's just cost of being in this business. The actual problem has been around since web advertising's early days it's just that this particular case has been discovered.
I'm having trouble finding information about what laws cover "click fraud" or "ad fraud". The article mentioned that this was illegal behavior, but never provided any more detail. The closest I've gotten is US Title 18 - 1030, though I'm not sure if the article is even talking about US law. I did stumble across an article from 2014 arguing in favor of making click fraud a federal crime, which cited this advertisement:
It could simply imply it's "illegal" due to the contract those publisher sign with the SSPs and Exchanges that clear their inventory. i.e. "; iv) create "forced visit" traffic; v) create invisible or nested IFrames loading pages or ads; vi) intentionally falsify clicks: vii) modify or obscure display of ads; viii) fraudulently generate requests or clicks; or ix) use any means of artificially generating ad impressions or clicks, including third-party services such as paid-to-click, paid-to-surf, auto-surf, and click-exchange programs."
I thought this was about videos on YouTube. Maybe this isn't new but my suggestion box gets flooded by videos that are segments of longer content (Louis ck shows/appearances, Zizek lectures). Maybe this is hand-curated stuff by a bunch of independent channels but I'd be curious if this is done algorithmically. At least the video segmentation part.
I know some legitimate businesses depend on ads for revenue, but it really has become ridiculous. As a 'normal' internet user, being bombarded and having websites complaining about my ad blocker is starting to piss off quite a bit of people.
When I need something, I buy it online most of the time (if possible).
I'm kinda happy someone is gaming that whole system against them, maybe it will help transform the ad ecosystem into something that does not seem to be obtrusive and annoying to most people.
Quite open to counter points if anyone accepts explaining them (instead of simply down voting this comment)
I'm not sure I can see how this would really help transform the ad ecosystem, even on a sustained basis. The hackers did this enrich themselves at the expense of companies wanting to advertise a product. If the victimized companies were selling low value or dubious products (a value judgement) like magical diet pills, then it might bankrupt a few of them in the short-term.
Maybe those companies who lost money go back and try to sue the ad exchanges because they didn't adequately detect the click fraud, so then it's the ad companies who take the hit.
In the end, what actual change do you think would be enacted by companies who wish to advertise their products being the victim of fraud?
I often see the argument that we should "get rid of most ads on the web in general", but have yet to see a reasonable proposal for what replaces that in a way that works for companies wanting to reach consumers with their products.
To play devil's advocate, it would be a huge loss to society if advertisements were no longer viable due to constant fraud.
Information would flow a lot less freely because then content providers would be forced to switch to directly charging for their content rather than giving it to you for "free + ads" as they do currently. It wouldn't just be "low value" content dropping off, "low value" is another individual value judgement.
It would become much harder to connect products and services or become harder to separate actual stories from long-form product placement.
I don't find much wrong with the concept of "advertising". I do take issue with certain types of "bad" or malicious ads, but I'm also generally not receptive to most advertising.
However, ads exist because they are effective at connecting users with products.
I agree, Ads in theory do help connect people or businesses to services and products they might need/want ...
But, it becomes a race to the bottom, and it is to be expected that every business will want more eyeballs on its products and try to outdo their competitors. The collateral damage of this advertisement frenzy is with people who are bombarded and overstimulated by product placement and a relentless marketing machine. Consumers become skeptic and dulled by the efforts and advertising becomes the pain in the a it is now.
It isn't just in theory but also in practice do ads connect people with products. Actual transactions are happening from real people clicking ads and companies are realizing real returns on marketing dollars spent.
"Getting rid of most online ads" doesn't remove a business' need to connect with consumers in the most effective, lowest cost way possible. It also doesn't change a news agency's need to get paid for the content it creates.
I'm not disputing that digital advertising can get out of hand. Malicious ads are bad. Ads with dark UX patterns are bad. We likely have different definitions of "bad ads".
However, if it's the number of ads you're concerned about, you generally have a choice to pay to remove them to continue consuming the content you're interested in or product which you are using.
I still don't see how your original comment about criminals defrauding businesses out of their money and inflating the cost/risk of advertising somehow puts everyone in a better place.
Do they help you in making any decision in what to buy? No, they just mislead you, because you don't end up buying the best product, but the one that spent the most marketing dollars, meaning the product where the price is inflated the most (as, ifthey didn't pay for marketing, you could have gotten it cheaper).
Instead, you should make your decisions on what to buy based on independent product tests.
Such as the tests from Stiftung Warentest — subscribing to their tests is the best decision you could do, as they constantly test all types of products in comparison tests, you get the results in a nice readable matrix per category, and can directly see which is the best product for your use case. (Same with similar tests in other newspapers, comparing a hundred different types of headphones, or child seats for the car, or banana juices, etc).
Advertising is harmful because it means the market is not a well-working free market anymore, as the buyers don't buy the best product anynore, but the one with the highest marketing budget.
Based on the way you describe business and what you think is objectively the best way to purchase products, my hunch is that you have little experience working in a company or making products you need to sell to others.
I mean this in a most genuine way: if you have any aspiration of managing a company or even building your own, it will greatly help you to learn more about why marketing and advertising are important to business. You simply won't succeed without them.
They do whitelist. MethBot was faking URLs though so it's hard for platforms to detect that in milliseconds. This goes to the IP level at this point with that list posted online.
Our company is already getting asked to provide full reports by IP address to see how far this goes.
isn't the whitelist bound to the user?
i mean if i register account as a publisher on some ad exchange, i should be asked for domains where i will be showing my ads. in that case i can not simply report that my username is generating traffic from cnn.com f.e. as this domain is not associated with my account.
or this is not how it works?
This kind of news makes me smile. Not because I agree with the wrongdoing, but because nobody likes annoying ads... specially when a big news/network site decides to show the most "clickbaity" fake ads instead of anything relevant to me.
There is some talk of prosecution of these hackers. Does anyone else disagree with that??
Personally, I feel that a publisher of technology is responsible for ensuring there are no "holes". If someone finds a hole and pokes around and uses it for any reason, it should not be criminal.
If I found a way to methodically purchase all the pieces to win McDonald's monopoly game, would that be criminal fraud? Or would it be negligence by McDonald's? My view is the latter.
I see your point. And I know I am basically arguing against active laws. However, I feel it should work different here. You're building a tool that basically says 1) send clicks 2) get paid. That's your tool, nobody made you build it, if you wanted to be safe - find your own clicks. In my view, it's your responsibility to ensure any clicks you pay for are valid. If they are invalid, it amounts to your partner broke the service TOS/AUP. In which case, I see a case for civil damages sure but not criminal.
To counter with another analogy. Robbing a casino, criminal. Counting cards, severely frowned upon but not criminally illegal. When you create a system that users can game to their advantage, you are responsible for enforcing your rules - it doesn't (or shouldn't) make it a crime when your rules are broken.
The article doesn't explain how they made money, you need a relationship with SSPs and Exchanges to make requests and monetize the impression, even if you're just sending firing tracking pixels for creative view or complete, etc.
So how did these people make money? Are they for hire? Did they offer services to spoof the publisher domain and make revenue out of thin air, taking a cut from the pub?
I'm wondering this too. I used to work at a DSP and we had to deal with a lot of clickfraud. Typically it took the form of: a shady publisher which has somewhat legitimate content and has a relationship with one or more SSPs. Then the publisher goes to "traffic growth" sites like cpmbux.com, and purchases fake traffic. Those fake traffic sites own botnets which they leverage to generate the fake impressions on those publisher's websites. Because there's this separation between the two parties, even if the publisher gets shut down by the SSP for engaging in clickfraud (there's still plausible deniability), the fake traffic site can continue marketing themselves to other not so by-the-book publishers.
I'm not sure if it's a similar arrangement here. The linked report makes it sound like they own the publisher sites too, but it's hard for me to fathom how they could maintain "legitimate" relationships with SSPs when they're funnelling out millions of dollars per day. It goes without saying that it's much harder to fake your way through the financial system.
135 comments
[ 4.7 ms ] story [ 126 ms ] threadIt's pretty common now to do things like intentionally tagging the wrong friends in facebook because people are paranoid that facebook knows too much. Even with non-techie people. They're creeped out.
Throwing off retargeting is something a lot of people might want to do.
Trump ad ... click Comcast ... click Ambulance chasing lawyer ... click click click
So that would be better than random - a plugin that clicks the ads for things you don't like or aren't interested in.
I also think that prices are extremely inflated.
Even stuff which shows like hundred people a day costs you 8 dollar per click. No amount of selling will you get back the money.
Imho something is wrong there...
I'd guess on the keywords where law firms are spending hundreds per click, you're dealing with malpractice and personal injury cases. Those cases are likely to be done on contingent and can have pretty huge upsides. I'd think a well-run firm would have some idea of the expected value of those types of cases and can spend accordingly to acquire clients. Considering how targeted search ads are compared to how these firms normally advertise -- local TV, radio, billboards, busses, etc. the costs probably aren't radically different than they're used to spending on advertising.
If that were true these ads would just go away, or cost less. They are making money.
I also think that prices are extremely inflated.
Even stuff which shows like hundred people a day costs you 8 dollar per click. No amount of selling will you get back the money.
Imho something is wrong there...
Depending on the exchange, you can sometimes see how much the DSP/client paid for the impression by looking at the win notification URL. Typically there will be a URL query parameter that has been filled in by the exchange, like `BID_CPM=4.00`, and when your browser requests this URL (which is owned by the DSP/client), your browser is effectively notifying the winner of the auction that they won and how much it cost. However, ad exchanges are increasingly sending these fields encrypted to protect against manipulation/fraud.
If you really want to manipulate the amount of money that advertisers pay to show you ads, look at what ad botnets like the one in this article do. The PDF above only briefly mentions it, but one of the things they do to increase their perceived value to DSPs and clients is they make their browsers visit high value advertisers websites (e.g. they might visit a shopping website and put items in their cart to make it look like they were strongly considering purchasing the items). Later, when you visit a publisher site, this will cause the bidders' machine learning systems to predict a much higher value for you than they otherwise would have, and submit higher bids as a result.
(Have they come up with "no fly" lists over there yet?)
Sends a click to everything blocked in uBlock Origin.
https://adnauseam.io/
If you sell shoes, put up some shoe ads with an affiliate link, shouldn't that work good enough? You'd save millions by not being susceptible to attacks like the one in the article.
Imagine now a beefy box with a couple hundred VMs running on it.
Now imagine fake cameras catching a rendered environment and tracking virtual eyes that move according to what the camera would expect.
If you want ad networks that rely on cameras to detect your presence capturing your image, imagine installing a fake camera driver on your PC that shows a rendered person in a rendered environment doing random browsing.
edit: last part was unclear
Contrary to what many people in adtech and web development seem to believe, electricity isn't free. Not to mention such silly concerns as worldwide resource usage and climate change.
Basically, that's why advertising needs to be reigned in hard, squeezed with regulations until it starts to behave. Because it's a zero-sum game on enough fronts to make everyones' lives worse if it's not fought against hard.
The bigger picture is virality. Nobody wants to watch your video with 100 views. Same video with 10M views, now everyone has to watch it.
The music business has been doing this so much for so long that it's to the point where I automatically distrust everything that's "popular" as having been gamed.
Who on earth pays that kind of price to have someone watch their ad video? Serious question.
>> those bots "watched" as many as 300 million video ads a day, with an average payout of $13.04 per thousand faked views.
I thought the usual payout was an order of magnitude lower than that.
Something like 1$ per thousand views
I'd really like someone with monetized videos to give some real input on this.
Their usual pay is around 5 USD per hour here in Russia
CPM = Cost Per Thousand Impressions (not views)
It was discovered years ago because:
* Their IP stack was acting like Linux[1]
* Their flash player said "I'm Linux"
* Their user agent said other things (random user agents)
* Their DNS traffic was going UK, but the hosts were coming out of the US
[1]: http://geocar.sdf1.org/browser-verification.html
* list of botnet infected IPs participating in ad fraud
* list of offending/incompetent SSP blindly accepting forged requests
There are a lot of vendors in this space now, offering various kinds of "spamhaus"-type solutions. They're all crap because they operate blacklists of various kinds to keep their customers dependent.
The ideal scenario is for ad networks/SSPs to implement the anti-fraud technology themselves, however getting there from here is difficult: The first ad network to go clean will be at a significant (fiscal) disadvantage.
I'd like to get in touch with anyone ad network/SSP that wants to go first.
> lists of botnet infected IPs participating in ad fraud
This won't be enough.
A popular "audience extender" is to use an iframe containing your site as an ad tag, and run it on your display network. Unless you have been using an ad blocker for the last ten years (and maybe even then), it's very likely your IP address has been used in ad fraud.
> lists of offending/incompetent SSP blindly accepting forged requests
Google facilitates an enormous amount of ad fraud, but media buyers have to buy from Google because nobody else sells Google search ads (except, I suppose, the injection people...)
Yahoo purchased a company who was selling video ads that were muted using uncommon AS3 mixer controls.
I think a much shorter list would be the media suppliers that don't have ad fraud on them and don't facilitate ad fraud. You'll find such a list below.
As is stands, is there any sort of compliance measure (or regulatory body) to monitor/prevent ad fraud in these networks?
Someone has some "sites" that they show to an ad network or an advertiser and tries to sell the impressions on those sites. They receive "ad tags" in exchange, and the theory is that users are exposed to the ads shown by those ad tags, and the advertiser is satisfied.
However, once they have "ad tags", they can do whatever they want with them. They can find the URL signal that represents "give me money" and arrange to fire that signal.
> As is stands, is there any sort of compliance measure (or regulatory body) to monitor/prevent ad fraud in these networks?
No.
The Media Rating Council[1] was endowed by congress with special powers that allow participants to talk to each other antitrust protections kicking in, but these conversations are extremely non-productive.
[1]: http://mediaratingcouncil.org/
Thanks for the code above. What was the company name? never heard of it.
And yet they're still active with the same tech stack.
When three-letter television companies will buy an audience extender from one of these shady guys rather than tell the advertiser that they don't have as much traffic as they projected, you don't really even need to worry about detection.
There exist passive techniques powerful enough to really map these kinds of actors out thoroughly, however the industry has been reticent to stop it because everyone from Viacom to Google has facilitated ad fraud, and there's this fear that stopping things too abruptly will cause advertisers to lose faith in this (still nascent) $60 billion dollar industry (US numbers).
All the other techniques require JavaScript and/or AS3 and are thus subject to modification by these kinds of sophisticated attackers. The only real way to do JavaScript in these cases is to change it often enough and run enough parallel versions that the attacker cannot keep up.
The level of programming skill in the "industrial scale botting" community is high. Top tier botters can easily get into +$100k club if they were doing whitehat stuff.
Bot detection, ad auditing, antifraud systems
Bot detection, ad auditing, antifraud systems
I imagine somewhere in MethBots virtual DOM emulation they got sloppy and ran code (JS) from the server. Using metaprogramming plus some output they could predict they could use runtime reflection and inspect server side JS object.
>
On page 19 in the The Methbot Operation report they state that ‘White Ops detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings.’
I have personally never heard about JavaScript reflection before, but it appear to be a debug method for one object to dump information or data about another object.
Maybe the White Ops software loaded some JavaScript that was able to dump much of its environment and send it back to White Ops?
It reminds me of ns.cnet.com
How is an ad buyer ever supposed to make an informed decision about how susceptible their chosen ad vendor is to fraud?
I suspect it's similar for the R&D spend on preventing them in the first place.
As long as you're hitting your target ROI than advertising on still makes sense.
The goal of DR is drive an immediate action, for ex. a purchase or news letter signup. Branding/Awareness is more about keeping the brand/product top of mind for the eventual time when the purchasing is actually done.
Usually small and mid-sized advertisers focus on DR. That's why you see a lot of re-targeting type ads for buying products you abandoned in your shopping cart (exception: large ecommerce).
Then you have large advertisers like the Fortune 500 and beyond. They know that you're not making the purchase right there. Hardly any toothpaste, car, $25k server ads or retirement account ads lead to a conversion instantaneously. This is Branding/Product advertising. The hope is to keep their product top-of-mind so you'll consider it when you're driving by the dealership or in the toothpaste isle at Target. This is like your traditional newspaper advertising. Traditional KPIs like CPA used in DR ads don't make sense here. And, due to fraud CPC and CTR are not that useful.
A lot of brand/product advertisements don't have a good instantaneous KPI and measuring long term ROI for a year long $25k server campaign is nebulous art at best.
So to wrap up this story. The guys running this fraud operation were spoofing "premium" video sites with $13.00+ average CPMs (this is high); they were going for the most expensive inventory. The people buying ads on "premium" video sites are not DR advertisers. The goal was to capture Branding/Product advertisers dollars.
It's a bit of a misconception that all online advertising is ROI focused. This was true maybe 4 years ago. With younger audiences (40 and under) consuming more video content online versus linear television there's been in a influx of branding dollars coming "premium" online video.
(Disclosure: My company Adfin provided data for financial estimate for this anti-fraud operation done by WhiteOps)
The vendors that are letting the supply in (SSPs and exchanges) should do more to verify the supply. This could verifying their supply id with provided domain (would get rid of a lot of crappy arbitrage). Additional verification on new suppliers who are generating more traffic. And longer net payment terms for new suppliers to allow for clawing some of it back.
The problem is that many vendors are unwilling to do that. In many cases because they still make money on fraudulent traffic / arbitrage that goes through their platform. Or because they tend to be more accepting of bad data, because adtech is so duct tapped together. People setup their tags/campaigns incorrectly, adservers re-wrap urls, other incorrect rewrapping (fraud/viewablity/attribution), bad javascript, bad publisher sites and hostile browser environments. So they default to be more accepting to not lose on that revenue.
Thank you.
They are not in true ad fraud. Those guys are not in PPV, but in counter stuffing and "viralizing". They are former ebanners/ advmaker and cyberonix/telemaster ad fraud detection people.
Their ops model is this: they sell promo service for content producers; after upfront cost producers pay comission from monetisation revenue.
http://www.legalmatch.com/law-library/article/click-fraud.ht...
How were they getting $13.04 per view?
"The article has since been updated, now it mentions $13.04 per 1000 views:" (niklaslogren) [1]
[1] https://news.ycombinator.com/item?id=13220315
When I need something, I buy it online most of the time (if possible).
I'm kinda happy someone is gaming that whole system against them, maybe it will help transform the ad ecosystem into something that does not seem to be obtrusive and annoying to most people.
Quite open to counter points if anyone accepts explaining them (instead of simply down voting this comment)
Maybe those companies who lost money go back and try to sue the ad exchanges because they didn't adequately detect the click fraud, so then it's the ad companies who take the hit.
In the end, what actual change do you think would be enacted by companies who wish to advertise their products being the victim of fraud?
They stop advertising through the web, and we can get rid of the ad-driven startup bubble, and get rid of most ads on the web in general.
To play devil's advocate, it would be a huge loss to society if advertisements were no longer viable due to constant fraud.
Information would flow a lot less freely because then content providers would be forced to switch to directly charging for their content rather than giving it to you for "free + ads" as they do currently. It wouldn't just be "low value" content dropping off, "low value" is another individual value judgement.
It would become much harder to connect products and services or become harder to separate actual stories from long-form product placement.
I don't find much wrong with the concept of "advertising". I do take issue with certain types of "bad" or malicious ads, but I'm also generally not receptive to most advertising.
However, ads exist because they are effective at connecting users with products.
But, it becomes a race to the bottom, and it is to be expected that every business will want more eyeballs on its products and try to outdo their competitors. The collateral damage of this advertisement frenzy is with people who are bombarded and overstimulated by product placement and a relentless marketing machine. Consumers become skeptic and dulled by the efforts and advertising becomes the pain in the a it is now.
"Getting rid of most online ads" doesn't remove a business' need to connect with consumers in the most effective, lowest cost way possible. It also doesn't change a news agency's need to get paid for the content it creates.
I'm not disputing that digital advertising can get out of hand. Malicious ads are bad. Ads with dark UX patterns are bad. We likely have different definitions of "bad ads".
However, if it's the number of ads you're concerned about, you generally have a choice to pay to remove them to continue consuming the content you're interested in or product which you are using.
I still don't see how your original comment about criminals defrauding businesses out of their money and inflating the cost/risk of advertising somehow puts everyone in a better place.
Do they help you in making any decision in what to buy? No, they just mislead you, because you don't end up buying the best product, but the one that spent the most marketing dollars, meaning the product where the price is inflated the most (as, ifthey didn't pay for marketing, you could have gotten it cheaper).
Instead, you should make your decisions on what to buy based on independent product tests.
Such as the tests from Stiftung Warentest — subscribing to their tests is the best decision you could do, as they constantly test all types of products in comparison tests, you get the results in a nice readable matrix per category, and can directly see which is the best product for your use case. (Same with similar tests in other newspapers, comparing a hundred different types of headphones, or child seats for the car, or banana juices, etc).
Advertising is harmful because it means the market is not a well-working free market anymore, as the buyers don't buy the best product anynore, but the one with the highest marketing budget.
Based on the way you describe business and what you think is objectively the best way to purchase products, my hunch is that you have little experience working in a company or making products you need to sell to others.
I mean this in a most genuine way: if you have any aspiration of managing a company or even building your own, it will greatly help you to learn more about why marketing and advertising are important to business. You simply won't succeed without them.
The 300x250 un-muted video in the upper left really irks me big time.
Garbage publishers are garbage.
The catch is that almost all fields in said offer can be faked by a malicious adversary due to lack of security/competence from the exchange.
Our company is already getting asked to provide full reports by IP address to see how far this goes.
Maybe this will make the video ad industry unprofitable. One can only hope.
[1] https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-...
Have they been convicted of any crime?
Is what they are doing illegal in Russia?
I hope these guys also sue this publisher for some extra income.
Personally, I feel that a publisher of technology is responsible for ensuring there are no "holes". If someone finds a hole and pokes around and uses it for any reason, it should not be criminal.
If I found a way to methodically purchase all the pieces to win McDonald's monopoly game, would that be criminal fraud? Or would it be negligence by McDonald's? My view is the latter.
To counter with another analogy. Robbing a casino, criminal. Counting cards, severely frowned upon but not criminally illegal. When you create a system that users can game to their advantage, you are responsible for enforcing your rules - it doesn't (or shouldn't) make it a crime when your rules are broken.
Isn't this the definition of victim blaming?
So how did these people make money? Are they for hire? Did they offer services to spoof the publisher domain and make revenue out of thin air, taking a cut from the pub?
I'm not sure if it's a similar arrangement here. The linked report makes it sound like they own the publisher sites too, but it's hard for me to fathom how they could maintain "legitimate" relationships with SSPs when they're funnelling out millions of dollars per day. It goes without saying that it's much harder to fake your way through the financial system.