May 2018 / Page 5marketing.scienceconsulting group, inc.
Insane profits from ad fraud
Sample Campaign 1
• Amount spent to buy traffic – $183,000
• Traffic purchased – 37 million pageviews ($4.99 CPM)
• Clicks successfully sold – 3.8 million (passed all fraud filters)
• CPC earned $1.20, at 10% click through rate
$4.6 million payout
Sample Campaign 2
• Amount spent to buy traffic – $24,000
• Traffic purchased – 23 million pageviews ($1.03 CPM)
• Clicks successfully sold – 2.5 million (passed all fraud filters)
• CPC earned $0.39, at 11% click through rate
May 2018 / Page 6marketing.scienceconsulting group, inc.
The most profitable criminal activity
2,500 - 4,100% returns
11% returns1% interest
digital ad fraud
stock marketbank interest
“where else can I get multi-
thousands percent returns on
my money? Right. Nowhere.”
Pairs of Slides
a) Fraud technique
b) (Year) Documented Case
“I’ve written about the forms of fraud
mentioned below over the years…
… and when each was subsequently
documented by others, the fraud had
gone on for years even though fraud
detection was already in use
(but failed to catch it)”
May 2018 / Page 9marketing.scienceconsulting group, inc.
Faked residential IP addresses
May 2018 / Page 10marketing.scienceconsulting group, inc.
(2016) Methbot avoided detection
Source: Dec 2016 WhiteOps Discloses Methbot Research
“Methbot, steals $2 billion annualized;
and it avoided detection for years.”
1. Targeted video ad inventory
$13 average CPM, 10X
higher than display ads
2. Disguised as good publishers
Pretending to be good
publishers to cover tracks
3. Simulated human actions
Actively faked clicks, mouse
movements, page scrolling
4. Obfuscated data center origins
Data center bots pretended to be
from residential IP addresses
May 2018 / Page 11marketing.scienceconsulting group, inc.
Fake mobile apps – not detected
Top mobile apps
by ad revenue …
… are entirely
May 2018 / Page 12marketing.scienceconsulting group, inc.
(2017) mobile display ad fraud
May 26 Forbes “Judy Malware”
• 40 bad apps to load ads
• 36 million fake devices to load
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
June 1 Checkpoint “Fireball”
• 250 million infected computers
• primary use = traffic for ad
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute
May 2018 / Page 13marketing.scienceconsulting group, inc.
Fake mobile devices – not detected
Download and Install Apps
Launch and Interact
May 2018 / Page 14marketing.scienceconsulting group, inc.
(2017) mobile app install fraudSource: June 2017, Tune
average 20% fraud
> 50% fraud
May 2018 / Page 15marketing.scienceconsulting group, inc.
Fake geolocation – not detected
Not Normal – in both campaigns
1. 100% mobile apps; 100% Android; same top 15 apps in both markets
2. 100% of impressions generated between 4a – 5a local time
3. 100% fake devices; 15 unique devices generated top 95% impressions
4. 100% data center traffic, randomized through residential proxies
May 2018 / Page 16marketing.scienceconsulting group, inc.
(2017) bad/fake/stale geolocation
May 2018 / Page 17marketing.scienceconsulting group, inc.
Bad guys spoof good domains
because domains in bid
request are declared
reports show declared
May 2018 / Page 18marketing.scienceconsulting group, inc.
(2017) FT spoofed by bad guys
Digiday, November 2017MobileMarketing, Sept, 2017
May 2018 / Page 19marketing.scienceconsulting group, inc.
Redirect traffic – not detected
“this is bigger than
ALL of the monthly
pageviews of good
How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
May 2018 / Page 20marketing.scienceconsulting group, inc.
(2017) Video ad fraud scheme
Buzzfeed, October 2017
May 2018 / Page 21marketing.scienceconsulting group, inc.
Third party JS – security loopholes
24.3s load time
1.3s load time
May 2018 / Page 22marketing.scienceconsulting group, inc.
(2017) User data exfiltration
passwords -- exfiltration
of personal data by
session-replay scripts; and
recording of user actions
on the site.”
Source: Freedom to Tinker, Nov 2017
May 2018 / Page 23marketing.scienceconsulting group, inc.
Sandboxing ad iframes
take over the page, redirect user to another site.
Source: Digiday, Dec 2017
May 2018 / Page 24marketing.scienceconsulting group, inc.
(2018) Malvertising redirects
Source: Confiant, Jan 2018 Source: GeoEdge, Jan 2018
May 2018 / Page 25marketing.scienceconsulting group, inc.
Fake audiences – not detected
Journal of Clinical Oncology “cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted
May 2018 / Page 26marketing.scienceconsulting group, inc.
(2018) Lotame purges bot profiles
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
Lotame CEO Andy
that 40 percent of all
web traffic is fictional.”
Adweek, Feb 2018
May 2018 / Page 27marketing.scienceconsulting group, inc.
Bad guys actively trick measurement
FAKE 100% viewability
Stack ads all above the fold
to trick detection
FAKE 0% NHT
Buy traffic that passes
specific fraud filters
May 2018 / Page 28marketing.scienceconsulting group, inc.
(2018) Code to trick measurement
“the [malicious] code
used by NMG is designed
to interfere with the
ability of third-party
measurement systems to
determine how much of a
digital ad was viewable
during a browsing
This code manipulated
data to ensure that
ads showed up in
measurement systems as
valid impressions, which
resulted in payment being
made for the ad.”
Buzzfeed, March 2018
May 2018 / Page 29marketing.scienceconsulting group, inc.
Fake traffic from “social”
488M impressions per day (14.9B /mo)
Alexa shows 17M pageviews per month
May 2018 / Page 30marketing.scienceconsulting group, inc.
(2018) Facebook purges 1.3 billion
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018
May 2018 / Page 32marketing.scienceconsulting group, inc.
IAB: fraud is “almost non-existent”
“Interactive Advertising Bureau
of Australia’s first report on the
local market claims that more
than 96% of ads served to
desktops and mobiles are served
to real users.
… just 3.7% of traffic delivered to
desktops was fraudulent and
3.8% on mobiles.”
May 2018 / Page 33marketing.scienceconsulting group, inc.
ANA/WhiteOps: “lower than feared”
“The global monetary impact of ad
fraud is expected to go down this
year, the amount of mobile fraud
happening in the ecosystem is much
lower than feared.
Fraud represents less than 2% of all
app and mobile web display buys
because mobile CPMs are lower and
because fraudsters need to get users
to install their fake apps. ”
May 2018 / Page 34marketing.scienceconsulting group, inc.
TAG/614: “we caused 83% reduction”
Except that they didn’t – they compared
non-optimized (12%) to “optimized” (fraud
low on good publishers anyway) (1.5%) and
claimed credit for “a monumental
“Does anyone still think ad
fraud is 9% and going lower?”
Measure your own campaigns;
don’t assume the fraud detection
you’re using now is catching
everything (or anything at all).”
May 2018 / Page 36marketing.scienceconsulting group, inc.
Brands still being ripped off
Source: Social Puncher
and Conflicts of Interest
May 2018 / Page 38marketing.scienceconsulting group, inc.
Fraud detection works - myth
• Fraud detection is used to serve specific interests -- e.g.
1. if party A wanted to find less fraud (to defend against
refund requests), they would select a vendor that showed
them less fraud (and never question the measurement)
2. If party B wanted to find more fraud (to get bigger
refunds), they select a vendor that found more fraud (and
never question the measurement)
• Fraud detection is used for CYA (“cover your ass”) – so the
party that paid for it can say “well, they said there was no
fraud, so that’s why we continued to buy it.”
• Fraud detection relies on fraud to continue so they can
continue to make money (they don’t want to solve fraud).
May 2018 / Page 39marketing.scienceconsulting group, inc.
Fraud filters reduce fraud - myth
1. Fraud filters are no better
than manual blacklists
2. In some cases, there’s MORE
fraud when filter is on
3. Using fraud filters adds 20 –
24% to costs; manual
blacklists are free
May 2018 / Page 40marketing.scienceconsulting group, inc.
Fraud detection is accurate - no
Tag in ad iframe Tag on page
window sizes detected
as 0x0 or 0x8 pixels correct window sizes
for ads detected
“if they don’t have different tags for on-page versus in-ad measurement,
they are most certainly wrong; fraud measurements yield different numbers
or could be entirely wrong, depending on where the tag is placed.”
May 2018 / Page 41marketing.scienceconsulting group, inc.
Measure for bots, but not humans
volume bars (green)
White (not measurable)
red v blue trendlines
“Fraud detection that only reports NHT/IVT is not correct”
10% bots does NOT mean 90% humans
May 2018 / Page 42marketing.scienceconsulting group, inc.
Pre-bid filtering reduces fraud - no
“sounds nice, but doesn’t
• All HTTP headers are declared and
fakable (regularly faked); at the
pre-bid level you only have
headers to work with
• Once a bot cookie is caught and no
longer makes money, they dump it
and get a new one, so filtering
won’t recognize it/filter it.
• This technique is so intensive
computationally that it is flawed
and unnecessary when you can
just turn off the sites that commit
fraud in the first place.
because domains in bid
request are declared
because bad bots dump
cookies and get new
ones (so filter would
never have seen it
May 2018 / Page 43marketing.scienceconsulting group, inc.
Audiences have lower fraud - no
Control: No Targeting
+$0.25 data CPM
+$0.25 data CPM
“verified bots” and “verified
humans” showed no difference in
quality to each other – AND both
were no different than the
control where no targeting
May 2018 / Page 44marketing.scienceconsulting group, inc.
Brand safety detection works - myth
ad iframeBad word
Basic browser security (no cross-domain)…
… means tracking tags, riding along with the
ad (in ad iframe) cannot read content on the
page to do brand-safety measurements.
May 2018 / Page 45marketing.scienceconsulting group, inc.
More reach in programmatic - myth
Top 10 sites = 66% of imps
Top 10 sites = 74% of imps
Top 5 sites = 100% of imps
Top 10 sites = 71% of imps
Top 5-10 fraud sites eat most of your budget
May 2018 / Page 46marketing.scienceconsulting group, inc.
My ads are reaching humans - myth
Most of budget wasted
between 12a – 4a; to bots
98% impressions blown
between midnight - 1a
Few impressions left for “waking hours” when humans are actually online.
May 2018 / Page 47marketing.scienceconsulting group, inc.
Walled gardens have more fraud - no
less bots | more humans
first-party IDs | logged-in environment | people-based marketing
“not on the main sites; bots can’t
make money when ads load here”
May 2018 / Page 48marketing.scienceconsulting group, inc.
Blockchain reduces fraud - myth
“blockchain does not solve fraud because the ad tech
middlemen who need to adopt it actually prefer to
have LESS transparency not more.”
“if you wanted all the details of the bid and impression
(supply chain transparency), you can store those details in
a database; you don’t need to store it in a blockchain.”
-- Marc Guldimann, CEO ParsecMedia
“the idea of a secure, distributed ledger fits advertising’s
transparency imperative nicely, but it’s not a magic bullet. Anyone
suggesting blockchain will solve the ad industry’s problems is
promulgating a false sense of security. It’s a flu shot for an immuno-
compromised patient.” -- Ted McConnell
May 2018 / Page 49marketing.scienceconsulting group, inc.
Ads.txt doesn’t work - myth
Publishers put ads.txt files on
their sites to show which
exchanges are authorized to
sell their inventory.
Marketers need to check the
ads.txt file and reconcile that the
sellerID that got paid is the
correct sellerID of the domain
specified in placement reports
• Ads.txt has not reduced ad fraud (yet), because step 2 has not
been done by most marketers (their agencies) yet
• Beware of faked ads.txt – just having an ads.txt file doesn’t
mean the contents are accurate (they could be plagiarized/fake)
Insist on sellerID based placement reports, with line item details
May 2018 / Page 50marketing.scienceconsulting group, inc.
Good publishers have high IVT - no
Domain (spoofed) % SIVT
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
4. Real esquire.com gets backlisted;
bad guy moves on to another
May 2018 / Page 51marketing.scienceconsulting group, inc.
Conflict, Bad Measurement
Incorrect IVT Measurement
Source 3 - in ad iframe, badly sampled
Sources 1 and 2
One agency sticks to
company (that is owned
by same agency holding
proven errors in IVT
measurement (due to
sampling and tag being in
Uses high IVT numbers to
get refunds, which
agency keeps as profit.
May 2018 / Page 53marketing.scienceconsulting group, inc.
Chase: -99% reach, no impact
“JPMorgan had already decided
last year to oversee its own
programmatic buying operation.
Advertisements for JPMorgan
Chase were appearing on about
400,000 websites a month. [But]
only 12,000, or 3 percent, led to
activity beyond an impression.
[Then, Chase] limited its display
ads to about 5,000 websites. We
haven’t seen any deterioration on
our performance metrics,” Ms.
“99% reduction in ‘reach’ … Same Results.”
Source: NYTimes, March 29, 2017
(because it wasn’t real, human reach)
May 2018 / Page 54marketing.scienceconsulting group, inc.
P&G: cut $200M, no impact
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
Source: WSJ, March 2018
May 2018 / Page 55marketing.scienceconsulting group, inc.
Small businesses found/killed fraud
“Both of these small businesses used their own analytics and gut
instinct; they resolved ad fraud without using any expensive tech.”
Small Business A
• Noticed a 118,600% increase in Android devices hitting her site
during campaign – AND no additional goal completions
• Compiled additional data that corroborated it was fraud;
presented to ad network and got refund for entire campaign
Small Business B
• Year over year, marketer noticed the discrepancy between counts
reported by ad network versus his own Google Analytics shot up
dramatically (even though cost-per-action remained similar).
• Conversions also dropped dramatically. With deeper digging, he
found the ratio of audience network inventory grew from 5% to
65% of total impressions. Solved by turning off audience network.
“First and foremost …
… don’t incentivize your agencies
to just buy more (quantity of
impressions) at lower average
CPM; otherwise YOU are
continuing to support ad fraud.”
May 2018 / Page 58marketing.scienceconsulting group, inc.
Measure every point of the funnel
30X more human
• More arrivals
• Better quality
more humans (blue)
May 2018 / Page 59marketing.scienceconsulting group, inc.
Compare relative quality of sources
• Blue means humans
• Red means bots Marketer 2
“increase spend on sources driving more humans
(blue); reduce spend on sources with more bots (red)”
May 2018 / Page 60marketing.scienceconsulting group, inc.
human conversion rate
Focus on conversions/outcomes
Site Traffic Conversions
human conversion rate
human conversion rate
human conversion rate
May 2018 / Page 61marketing.scienceconsulting group, inc.
Fight fraud w/ your own analytics
top 4 referrers – same exact pattern/data
May 2018 / Page 62marketing.scienceconsulting group, inc.
Turn off obvious fraud sites
Turn off the fraud at
the beginning of the
campaign; then you
won’t have to try to
fight to get your
money back later.
“fight ad fraud with
- stop wasting money on tech that
- insist on detailed data and look at
the analytics yourself
May 2018 / Page 64marketing.scienceconsulting group, inc.
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239
May 2018 / Page 65marketing.scienceconsulting group, inc.
Dr. Augustine Fou – Independent Ad Fraud Researcher
Published slide decks and posts:
Parece que tiene un bloqueador de anuncios ejecutándose. Poniendo SlideShare en la lista blanca de su bloqueador de anuncios, está apoyando a nuestra comunidad de creadores de contenidos.
¿Odia los anuncios?
Hemos actualizado nuestra política de privacidad.
Hemos actualizado su política de privacidad para cumplir con las cambiantes normativas de privacidad internacionales y para ofrecerle información sobre las limitadas formas en las que utilizamos sus datos.
Puede leer los detalles a continuación. Al aceptar, usted acepta la política de privacidad actualizada.