1. State of Ad Fraud
Q2 2018
May 2018
Augustine Fou, PhD.
acfou [at] mktsci.com
212. 203 .7239
2. “Ad fraud is at ALL TIME HIGHS
both in RATE and in DOLLARS…
… and what’s worse is fraud
detection is not catching it, so
people have a false sense of security.”
It’s not fine.
3. May 2018 / Page 2marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Simple, high profits, low risk
1. set up
FAKE SITES
2. buy
FAKE TRAFFIC
3. sell
FAKE ADS
4. May 2018 / Page 3marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Simple “arb” (arbitrage)
Ads sold through“buy low”
$1 CPM
“sell high”
$5 - $10 CPMs
Marketers duped
Source: Basis
Source: SimilarWeb
6. May 2018 / Page 5marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Insane profits from ad fraud
Sample Campaign 1
• Amount spent to buy traffic – $183,000
• Traffic purchased – 37 million pageviews ($4.99 CPM)
• Clicks successfully sold – 3.8 million (passed all fraud filters)
• CPC earned $1.20, at 10% click through rate
$4.6 million payout
25X return
$15.9 billion
annualized fraud
Sample Campaign 2
• Amount spent to buy traffic – $24,000
• Traffic purchased – 23 million pageviews ($1.03 CPM)
• Clicks successfully sold – 2.5 million (passed all fraud filters)
• CPC earned $0.39, at 11% click through rate
$982k payout
41X return
$5.5 billion
annualized fraud
7. May 2018 / Page 6marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
The most profitable criminal activity
2,500 - 4,100% returns
11% returns1% interest
digital ad fraud
stock marketbank interest
“where else can I get multi-
thousands percent returns on
my money? Right. Nowhere.”
9. “I’ve written about the forms of fraud
mentioned below over the years…
… and when each was subsequently
documented by others, the fraud had
gone on for years even though fraud
detection was already in use
(but failed to catch it)”
10. May 2018 / Page 9marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Faked residential IP addresses
11. May 2018 / Page 10marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2016) Methbot avoided detection
Source: Dec 2016 WhiteOps Discloses Methbot Research
“Methbot, steals $2 billion annualized;
and it avoided detection for years.”
1. Targeted video ad inventory
$13 average CPM, 10X
higher than display ads
2. Disguised as good publishers
Pretending to be good
publishers to cover tracks
3. Simulated human actions
Actively faked clicks, mouse
movements, page scrolling
4. Obfuscated data center origins
Data center bots pretended to be
from residential IP addresses
12. May 2018 / Page 11marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake mobile apps – not detected
Top mobile apps
by ad revenue …
… are entirely
different than
ones humans
use most.
13. May 2018 / Page 12marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) mobile display ad fraud
May 26 Forbes “Judy Malware”
• 40 bad apps to load ads
• 36 million fake devices to load
bad apps
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
June 1 Checkpoint “Fireball”
• 250 million infected computers
• primary use = traffic for ad
fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute
14. May 2018 / Page 13marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake mobile devices – not detected
Download and Install Apps
Launch and Interact
15. May 2018 / Page 14marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) mobile app install fraudSource: June 2017, Tune
average 20% fraud
100% fraud
> 50% fraud
16. May 2018 / Page 15marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake geolocation – not detected
Not Normal – in both campaigns
1. 100% mobile apps; 100% Android; same top 15 apps in both markets
2. 100% of impressions generated between 4a – 5a local time
3. 100% fake devices; 15 unique devices generated top 95% impressions
4. 100% data center traffic, randomized through residential proxies
17. May 2018 / Page 16marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) bad/fake/stale geolocation
Source: Placed
Source: SafeGraph
99% faked/bad
90% stale/incorrect
18. May 2018 / Page 17marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Bad guys spoof good domains
bid request
fakesite123.com cookie
blacklist
whitelist
✅
✅
bid
ad impression
Pre-bid filters
FRAUD DETECTION
In-ad
declared
FAILS
because domains in bid
request are declared
FAILS
because placement
reports show declared
domains
esquire.com
19. May 2018 / Page 18marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) FT spoofed by bad guys
Digiday, November 2017MobileMarketing, Sept, 2017
20. May 2018 / Page 19marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Redirect traffic – not detected
“this is bigger than
ALL of the monthly
pageviews of good
publishers combined.”
How much is available?
a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav”
21. May 2018 / Page 20marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) Video ad fraud scheme
Buzzfeed, October 2017
22. May 2018 / Page 21marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Third party JS – security loopholes
42 trackers
24.3s load time
8 trackers
1.3s load time
“minimize 3rd party javascript trackers on pages”
23. May 2018 / Page 22marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) User data exfiltration
“Emails, usernames,
passwords -- exfiltration
of personal data by
session-replay scripts; and
recording of user actions
on the site.”
Source: Freedom to Tinker, Nov 2017
24. May 2018 / Page 23marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Sandboxing ad iframes
Malicious javascript can break out of ad iframe and
take over the page, redirect user to another site.
Source: Digiday, Dec 2017
Source: https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/iframe
25. May 2018 / Page 24marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2018) Malvertising redirects
Source: Confiant, Jan 2018 Source: GeoEdge, Jan 2018
26. May 2018 / Page 25marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake audiences – not detected
Journal of Clinical Oncology “cookie matching”
Bots pretend to be oncologists
by visiting sites, collecting cookie
Attract ad dollars to fake
sites when retargeted
27. May 2018 / Page 26marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2018) Lotame purges bot profiles
“[LOTAME] purged 400
million of its over 4
billion profiles after
identifying them as
bots or otherwise
fraudulent accounts.
Lotame CEO Andy
Monfried estimated
that 40 percent of all
web traffic is fictional.”
Adweek, Feb 2018
28. May 2018 / Page 27marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Bad guys actively trick measurement
FAKE 100% viewability
AD
Stack ads all above the fold
to trick detection
FAKE 0% NHT
Buy traffic that passes
specific fraud filters
29. May 2018 / Page 28marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2018) Code to trick measurement
“the [malicious] code
used by NMG is designed
to interfere with the
ability of third-party
measurement systems to
determine how much of a
digital ad was viewable
during a browsing
session.
This code manipulated
data to ensure that
otherwise unviewable
ads showed up in
measurement systems as
valid impressions, which
resulted in payment being
made for the ad.”
Buzzfeed, March 2018
30. May 2018 / Page 29marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake traffic from “social”
Source: Alexa
488M impressions per day (14.9B /mo)
Alexa shows 17M pageviews per month
Source: SimilarWeb
31. May 2018 / Page 30marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2018) Facebook purges 1.3 billion
“It was barely a year ago that
Facebook proudly declared it had
more than 2.2 billion monthly
users. But on Tuesday, the social
media giant revealed
some stunning data, including
that during the six months ending
in March, Facebook disabled a
total of almost 1.3 billion fake
accounts.
During the first quarter of 2018,
Facebook says it deleted 865
million posts, the vast majority of
it for being spammy, and the
remainder for containing graphic
violence, sexual activity or nudity,
terrorism or hate speech.
Source: Inc. May 2018
33. May 2018 / Page 32marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
IAB: fraud is “almost non-existent”
Source:
https://mumbrella.com.au/iabs-
first-australian-figures-claim-just-4-
of-digital-ads-fraudulent-429776
“Interactive Advertising Bureau
of Australia’s first report on the
local market claims that more
than 96% of ads served to
desktops and mobiles are served
to real users.
… just 3.7% of traffic delivered to
desktops was fraudulent and
3.8% on mobiles.”
34. May 2018 / Page 33marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
ANA/WhiteOps: “lower than feared”
Source:
https://adexchanger.com/ad-
exchange-news/anawhite-ops-ad-
fraud-will-actually-go-2017-7-2-
billion-6-5-billion/
“The global monetary impact of ad
fraud is expected to go down this
year, the amount of mobile fraud
happening in the ecosystem is much
lower than feared.
Fraud represents less than 2% of all
app and mobile web display buys
because mobile CPMs are lower and
because fraudsters need to get users
to install their fake apps. ”
35. May 2018 / Page 34marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
TAG/614: “we caused 83% reduction”
Source:
https://www.tagtoday
.net/pressreleases/stu
dy_shows_ad_fraud_
cut_by_83_percent
Except that they didn’t – they compared
non-optimized (12%) to “optimized” (fraud
low on good publishers anyway) (1.5%) and
claimed credit for “a monumental
breakthrough.”
36. “Does anyone still think ad
fraud is 9% and going lower?”
Measure your own campaigns;
don’t assume the fraud detection
you’re using now is catching
everything (or anything at all).”
37. May 2018 / Page 36marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Brands still being ripped off
Source: Social Puncher
39. May 2018 / Page 38marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fraud detection works - myth
• Fraud detection is used to serve specific interests -- e.g.
1. if party A wanted to find less fraud (to defend against
refund requests), they would select a vendor that showed
them less fraud (and never question the measurement)
2. If party B wanted to find more fraud (to get bigger
refunds), they select a vendor that found more fraud (and
never question the measurement)
• Fraud detection is used for CYA (“cover your ass”) – so the
party that paid for it can say “well, they said there was no
fraud, so that’s why we continued to buy it.”
• Fraud detection relies on fraud to continue so they can
continue to make money (they don’t want to solve fraud).
40. May 2018 / Page 39marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fraud filters reduce fraud - myth
1. Fraud filters are no better
than manual blacklists
2. In some cases, there’s MORE
fraud when filter is on
3. Using fraud filters adds 20 –
24% to costs; manual
blacklists are free
41. May 2018 / Page 40marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fraud detection is accurate - no
Tag in ad iframe Tag on page
window sizes detected
as 0x0 or 0x8 pixels correct window sizes
for ads detected
0% humans
60% bots
60% humans
3% bots
“if they don’t have different tags for on-page versus in-ad measurement,
they are most certainly wrong; fraud measurements yield different numbers
or could be entirely wrong, depending on where the tag is placed.”
42. May 2018 / Page 41marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Measure for bots, but not humans
volume bars (green)
Stacked percent
Blue (human)
White (not measurable)
Red (bots)
red v blue trendlines
“Fraud detection that only reports NHT/IVT is not correct”
10% bots does NOT mean 90% humans
43. May 2018 / Page 42marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Pre-bid filtering reduces fraud - no
“sounds nice, but doesn’t
work, because…
• All HTTP headers are declared and
fakable (regularly faked); at the
pre-bid level you only have
headers to work with
• Once a bot cookie is caught and no
longer makes money, they dump it
and get a new one, so filtering
won’t recognize it/filter it.
• This technique is so intensive
computationally that it is flawed
and unnecessary when you can
just turn off the sites that commit
fraud in the first place.
Pre-bid filters
FAILS
because domains in bid
request are declared
FAILS
because bad bots dump
cookies and get new
ones (so filter would
never have seen it
before)
44. May 2018 / Page 43marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Audiences have lower fraud - no
“Verified Bots”
“Verified Humans”
Control: No Targeting
+$0.25 data CPM
+$0.25 data CPM
“verified bots” and “verified
humans” showed no difference in
quality to each other – AND both
were no different than the
control where no targeting
was used.
45. May 2018 / Page 44marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Brand safety detection works - myth
In-ad tag
ad iframeBad word
Bad content
Bad word
Bad content
Basic browser security (no cross-domain)…
… means tracking tags, riding along with the
ad (in ad iframe) cannot read content on the
page to do brand-safety measurements.
46. May 2018 / Page 45marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
More reach in programmatic - myth
$1 CPM
Top 10 sites = 66% of imps
$5 CPM
Top 10 sites = 74% of imps
$0.50 CPM
Top 5 sites = 100% of imps
$10 CPM
Top 10 sites = 71% of imps
Top 5-10 fraud sites eat most of your budget
47. May 2018 / Page 46marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
My ads are reaching humans - myth
Most of budget wasted
between 12a – 4a; to bots
98% impressions blown
between midnight - 1a
Few impressions left for “waking hours” when humans are actually online.
48. May 2018 / Page 47marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Walled gardens have more fraud - no
Google
Search
Facebook
DisplayGDN FBX
less bots | more humans
first-party IDs | logged-in environment | people-based marketing
facebook.comgoogle.com
facebook app
“not on the main sites; bots can’t
make money when ads load here”
49. May 2018 / Page 48marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Blockchain reduces fraud - myth
“blockchain does not solve fraud because the ad tech
middlemen who need to adopt it actually prefer to
have LESS transparency not more.”
“if you wanted all the details of the bid and impression
(supply chain transparency), you can store those details in
a database; you don’t need to store it in a blockchain.”
-- Marc Guldimann, CEO ParsecMedia
“the idea of a secure, distributed ledger fits advertising’s
transparency imperative nicely, but it’s not a magic bullet. Anyone
suggesting blockchain will solve the ad industry’s problems is
promulgating a false sense of security. It’s a flu shot for an immuno-
compromised patient.” -- Ted McConnell
50. May 2018 / Page 49marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Ads.txt doesn’t work - myth
Publishers Marketers
Step 1
Publishers put ads.txt files on
their sites to show which
exchanges are authorized to
sell their inventory.
Step 2
Marketers need to check the
ads.txt file and reconcile that the
sellerID that got paid is the
correct sellerID of the domain
specified in placement reports
• Ads.txt has not reduced ad fraud (yet), because step 2 has not
been done by most marketers (their agencies) yet
• Beware of faked ads.txt – just having an ads.txt file doesn’t
mean the contents are accurate (they could be plagiarized/fake)
Insist on sellerID based placement reports, with line item details
51. May 2018 / Page 50marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Good publishers have high IVT - no
Domain (spoofed) % SIVT
esquire.com 77%
travelchannel.com 76%
foodnetwork.com 76%
popularmechanics.com 74%
latimes.com 72%
reuters.com 71%
bid request
fakesite123.com
esquire.com
passes blacklist
passes whitelist
✅
✅
declared
1. fakesite123.com has to pretend
to be esquire.com to get bids;
2. fraud measurement shows high
IVT b/c it is measuring the fake
site with fake traffic
3. Fake esquire.com gets mixed with
real so average fraud rates
appear high.
4. Real esquire.com gets backlisted;
bad guy moves on to another
domain.
52. May 2018 / Page 51marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Conflict, Bad Measurement
Incorrect IVT Measurement
Source 3 - in ad iframe, badly sampled
Sources 1 and 2
corroborate
One agency sticks to
fraud measurement
company (that is owned
by same agency holding
company), despite
proven errors in IVT
measurement (due to
sampling and tag being in
ad iframe).
Uses high IVT numbers to
get refunds, which
agency keeps as profit.
54. May 2018 / Page 53marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Chase: -99% reach, no impact
“JPMorgan had already decided
last year to oversee its own
programmatic buying operation.
Advertisements for JPMorgan
Chase were appearing on about
400,000 websites a month. [But]
only 12,000, or 3 percent, led to
activity beyond an impression.
[Then, Chase] limited its display
ads to about 5,000 websites. We
haven’t seen any deterioration on
our performance metrics,” Ms.
Lemkau said.”
“99% reduction in ‘reach’ … Same Results.”
Source: NYTimes, March 29, 2017
(because it wasn’t real, human reach)
55. May 2018 / Page 54marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
P&G: cut $200M, no impact
“Once we got transparency, it
illuminated what reality was,” said
Mr. Pritchard. P&G then took matters
into its owns hands and voted with
its dollars, he said.”
“As we all chased the Holy Grail of
digital, self-included, we were
relinquishing too much control—
blinded by shiny objects,
overwhelmed by big data, and ceding
power to algorithms,” Mr. Pritchard
said.
Source: WSJ, March 2018
56. May 2018 / Page 55marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Small businesses found/killed fraud
“Both of these small businesses used their own analytics and gut
instinct; they resolved ad fraud without using any expensive tech.”
Small Business A
• Noticed a 118,600% increase in Android devices hitting her site
during campaign – AND no additional goal completions
• Compiled additional data that corroborated it was fraud;
presented to ad network and got refund for entire campaign
Small Business B
• Year over year, marketer noticed the discrepancy between counts
reported by ad network versus his own Google Analytics shot up
dramatically (even though cost-per-action remained similar).
• Conversions also dropped dramatically. With deeper digging, he
found the ratio of audience network inventory grew from 5% to
65% of total impressions. Solved by turning off audience network.
58. “First and foremost …
… don’t incentivize your agencies
to just buy more (quantity of
impressions) at lower average
CPM; otherwise YOU are
continuing to support ad fraud.”
59. May 2018 / Page 58marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Measure every point of the funnel
Measure
Ads
Measure
Arrivals
Measure
Conversions
346
1743
5
156
A
B
30X more human
conversion events
• More arrivals
• Better quality
more humans (blue)
good publishers
low-cost media,
ad exchanges
60. May 2018 / Page 59marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Compare relative quality of sources
Marketer 1
• Blue means humans
• Red means bots Marketer 2
“increase spend on sources driving more humans
(blue); reduce spend on sources with more bots (red)”
61. May 2018 / Page 60marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Display 4
2,036 humans
human conversion rate
Focus on conversions/outcomes
Site Traffic Conversions
8,482 818
4,216 humans
5%
human conversion rate
14,539 193
225 humans
9%
human conversion rate
2,248 23
168 humans
5%
human conversion rate
1,527 9
Display 3
Display 2
Display 1
Humans
40%
62. May 2018 / Page 61marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fight fraud w/ your own analytics
top 4 referrers – same exact pattern/data
63. May 2018 / Page 62marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Turn off obvious fraud sites
Turn off the fraud at
the beginning of the
campaign; then you
won’t have to try to
fight to get your
money back later.
64. “fight ad fraud with
common sense”
- stop wasting money on tech that
doesn’t work
- insist on detailed data and look at
the analytics yourself
65. May 2018 / Page 64marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239
66. May 2018 / Page 65marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Dr. Augustine Fou – Independent Ad Fraud Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017