Malicious Life Podcast: Ad Fraud, Part 2

What makes ad fraud so successful, and so prevalent, and why can’t we stop it? The answer isn’t technical at all. It’s not hard to understand. But it’s a harsh reality that many people are simply not willing to face.

 



Dr. Augustine Fou

Creator of FouAnalytics

Dr. Fou has been on the front lines of digital marketing for nearly 3 decades. It is from that vantage point that he studied and documented the nexus of cybercrime and ad fraud. As an investigator, Dr. Fou assists government and regulatory bodies; as a consultant he helps clients strengthen cybersecurity, mitigate threats and risks, including the flow of ad dollars that fund further criminal activity, and improve the effectiveness of their digital marketing campaigns.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.


Transcript

 In the last episode of our show, we heard the story of Methbot: an army of hundreds of thousands of bots, programmatically viewing thousands of advertisements on thousands of made-up websites in order to siphon away millions of dollars worth of ad revenue. The scheme was picked up by a security firm and then the FBI, earning a hefty jail sentence for one Russian national, Aleksandr Zhukov, and some of his colleagues.

But even the giant Methbot scam was just a drop in the ocean that is ad fraud. Putting Zhukov in jail made hardly any difference at all, because of how many other people just like him are still out there today.

What makes ad fraud so successful, and so prevalent, and why can’t we stop it? The answer isn’t technical at all. It’s not hard to understand. But it’s a harsh reality that many people are simply not willing to face.

Types of Ad Fraud

Cybercriminals use all sorts of methods to defraud advertisers. But often, in the end, it’s quite simple.

Individuals and other low-level actors can use stacking — placing multiple ads on top of one another — or pixel stuffing — squeezing an ad into even just one pixel on a computer screen. In each case, you’re effectively registering an ad without actually having to show it to the user.

One method of maliciousness we’re all familiar with is pop-up windows. Websites can rake in profits while annoying you and providing no value to the advertiser, since you’re almost certainly just going to close the window as soon as you notice it.

If you want to defraud major corporations, you figure the bar is probably going to be a little higher. Methbot created a ghost army of fake users fitted with their own locations, browser histories, and demographic profiles, who seemed to be browsing and interacting with spoofed web pages.

But you’d be surprised at how little you can do to get away with a whole lot in this business.

40 Websites Scheme

In 2017, Buzzfeed broke a story about a scheme affecting over 100 of America’s biggest brands: Disney, Chase, Citi, Geico, Ford, Nissan, Hershey’s, and on and on. Researchers estimated the scheme could’ve been costing those companies up to 20 million dollars a year, though, remarkably, all of this was happening on just 40 fraudulent websites run by just a few ad industry executives. And it really wasn’t as sophisticated as you’d think.

They started with generic domains — HealthyBackyard.com, MomTaxi.com, GossipFamily.com — and filled them with content that seems to have been written by low-skilled copywriters or AI. “Kylie Jenner’s Post Instagram Posts A Fascinating Selection Of Shirts,” reads the headline for one article on StyleFashionista.com. Its opening line, quote, “Don’t assume rumored baby bump of Kylie Jenner anytime soon.” End quote. The images and style of the pages were either plagiarized, or otherwise designed to mimic websites in profitable industries like fashion and celebrity news.

It was all just an excuse to run video ads. Websites earn money for every ad they show, and video is more lucrative than static images. But here’s the rub:

Advertisers might catch on if somebody watched one of their video ads thousands of times in a row. So the websites were designed to automatically redirect at the end of each video.

So let’s say an ad for Hershey’s plays on https://rightparent.com/. Once it’s completed, the browser auto redirects to https://beautytips.online/, and runs an ad for Charmin’s, and this cycle repeats on and on forever. Researchers speculated that the creators of the scheme might have simply opened a bunch of these windows running these simple scripts, left them running indefinitely, and watched the money pour in.

The perpetrators cycled websites in and out every so often, to make it seem like the traffic was coming from more than just a few dozen places. If there was any element of the campaign you’d call “sophisticated,” it was the way they avoided detection by outsiders. From Buzzfeed, quote:

“If any real visitors did happen upon these sites, the scheme was designed to avoid detection by ensuring that a normal user visiting the homepage or regular URL would not be exposed to the malicious behavior. The sites were configured with a “friend or foe” system that only triggered the redirects when a specific URL was accessed.”

Eventually, researchers figured out the secret URLs with the endless video ad loops, just as, eventually, the security firm White Ops uncovered Methbot’s ghost army of ad viewers. But it’s hard to tell whether any significant portion of fraud is actually being uncovered. 

Here’s Dr. Augustine Fou, an Independent Ad Fraud Researcher whom we’ve met in part 1 of this mini-series. 

“[Dr. Fou] The bad guys are committing all sorts of different kinds of fraud, they’re using all sorts of obfuscation mechanisms to stay hidden. So they could be operating and may have been operating for a very long period of time before getting discovered.”

Thesis

And even if they are discovered, does it really matter? Aleksandr Zhukov, the creator of Methbot, was far more the exception than the rule. Most fraudsters don’t get caught, and those that do rarely get penalized for it.

Like those ad execs, who got away with it.

Or look at Asher Burke, the blonde, jacked 27-year-old CEO from San Diego who co-opted thousands of Facebook accounts to spread misleading ads for a subscription scam, and only suspended the operation once reporters started digging around.

And there’s Daniel Yomtobian, an L.A. entrepreneur whom Buzzfeed found to have been running ad scams for the better part of two decades (and he’s not exactly an old guy). Most recently, Daniel was found to have been operating over 60 Chrome extensions purporting to do things like convert webpages to PDFs, when, in fact, their purpose was to generate invalid traffic to advertisers. Today Daniel is a father. He claims to be a philanthropist, and the founder of a private investment firm called “Bian Capital” — presumably, a knockoff of the famous Mitt Romney-founded “Bain Capital” — and you’ll find him connected with many people in the cybersecurity community on LinkedIn.

Even the entity behind Methbot could, theoretically, be operating in some form or another today — not under the same name or the same leader, of course, but remember what we mentioned in our last episode: based on the best information we have available, Zhukov didn’t actually invent his scheme, he was contracted to do it.

Even if one day all of these guys get arrested — which they won’t be — new fraudsters would just take their place. If you destroy an 850,000-strong botnet, a new one will pop up in its place, because it’s cheap enough to do so. Take down 6,000 domains, and 6,000 more can be created out of thin air.

“[Nate] Is there something that you see that fraud detection services can do now to get ahead, or at least one step ahead of the bad guys at this moment until they come up with that new solution to get around this?

[Dr. Fou] Actually, no. The reason for that is the good guys, the detection companies, are struggling to even figure out what the bad guys are doing.”

How do you even begin to solve this huge, intractable online ad fraud problem? Probably not with traditional cybersecurity.

“[Dr. Fou] So, ad fraud is not a tech problem that can be solved by throwing more tech at it.”

The way Dr. Augustine Fou sees it, there’s a reality of online advertising fraud that many people don’t want to acknowledge.

It’s as widespread and successful as it is not simply because the fraudsters are good at what they do. It’s also because the people who’d otherwise be in charge of stopping them maybe…just maybe…don’t want to. As he once wrote, quote: 

I was recently asked a simple question, by someone relatively new to adtech — “if there’s so much fraud, who’s making all that money?” My answer surprised him. My answer was “everyone.”

Incentive: Exchanges

We’ll start with the most obvious offenders.

“[Dr. Fou] The ad exchanges who sit in the middle.”

The companies facilitating the buying and selling of online ads.

“[Dr. Fou] They’re all like toll takers, right? So every impression that passes through their system, they get a small toll. So in their case, even if they’re not the ones making the bot traffic, they’re certainly sitting back and benefiting from it, right? The larger a flow through their system, the more money they make.”

This is how it went with Methbot: Zhukov pocketed his share, the exchanges got their tolls, and nobody was the wiser.

“[Dr. Fou] And because this had been happening for 10 years, they’re not going to voluntarily cut out the fraud.”

American Companies

Picturing Zhukov working in the shadows with the ad exchanges might give you the impression that these exchanges are also foreign, cybercriminal operations.

“[Dr. Fou] But these are definitely American companies based around the US.”

It’s worth emphasizing this point. A surprising share of the companies inventing invalid ad traffic operate in well-regulated markets like the United States.

Take Phunware, a 70 million dollar corporation with offices in Texas, California and Florida. In 2017, Phunware sued Uber for over 3 million dollars worth of unpaid invoices. It certainly looked bad for the car service company.

But the story quickly changed. Phunware, it turned out, was billing Uber for clicks they hadn’t actually delivered. Much of the traffic they actually did earn came from forced redirects — sending internet users to the Uber app install page without the user having requested it. To cap it off, they were placing Uber ads on porn sites, and falsifying reports to make it seem like those impressions were coming from more legit sites.

One Phunware employee summed up the mood around Uber in an email to colleagues on Halloween, 2016. “Guys it’s… time to spin some more BS to Uber to keep the lights on,” they wrote.

It’s doubly surprising that such an email came to light, considering Phunware’s extensive efforts to destroy evidence — including erasing logs and silencing a whistleblower — which were uncovered by the legal team Uber hired for a 17 million dollar counter suit.

“[Dr. Fou] There’s another example that just recently came to fruition. Chicago-based company called Outcome Health, they were purportedly selling ad impressions on screens in doctors’ offices.

But over the years, the OIG basically caught them for lying, right? They were basically falsifying the documents; they were representing that they had tens of thousands more screens than they actually had. And they were representing that they had hundreds of millions more impressions, ad impressions, than there actually were. They were just inflating the numbers.”

Incentive: Publishers

It’s clear, then, that the companies responsible for selling ads — often large, American companies — don’t always practice honesty and legality.

Then there are the publishers — the platforms where ads are served.

“[Dr. Fou] If you’re a publisher, and you know, your stockholders, or maybe your CEO says, “We have to drive, you know, a 10% increase in revenue next quarter.” Human audiences don’t grow by 10% by next quarter, and they certainly don’t visit your site, you know, and view 10% more page views per visit, right, on command. OK, so human audiences don’t work that way.

So when a publisher is put under undue pressure to make more ad revenue, it’s very easy to just kind of close your eyes and ignore the problem and just go over to the dark side, if you will, and just start buying bot traffic. Because “Oh, by the way, they’re not – nobody’s detecting it as odd traffic. So if they’re not complaining, why shouldn’t I do that?” Right. So some of the publishers decide to buy bot traffic so that they can hit their number.”

Even some well-known publishers have taken part in the act. For instance, maybe you’ve heard of The International Business Times — a worldwide publisher which, according to its website, receives over 20 million readers every month.

According to the research firm Social Puncher, in 2016, as IBT’s organic traffic was declining, they started purchasing cheap pop-up traffic. You know the type — you visit a site for, say, pirating movies, click “download,” and suddenly a spammy new browser window pops up in the background. They used these kinds of pop-ups to generate better viewer numbers, routing them through other domains along the way to disguise their origin and make them seem like higher-quality traffic.

But that wasn’t all.

Whenever you get one of those spam pop-up windows, you always close it right away, right? Everybody does. But IBT needed people to actually see their ads, so they ran malicious code on their sites in order to fudge viewability metrics. As Buzzfeed explained, quote, “In order for an ad impression to be considered valid, it must be at least partially viewable to a user. This code manipulated data to ensure that otherwise unviewable ads showed up in measurement systems as valid impressions, which resulted in payment being made for the ad.” End quote.

Incentive: Media Companies

You won’t hear stories like that about major publishers too often. One kind of organization that more often publicly benefits from fraudulent traffic on the web is large media companies.

“[Dr. Fou] So the agencies also benefit from the very large volumes of ads that are made available through programmatic channels, even if they’re not the ones committing the fraud or making the bots. It’s given them a lot more quantity, or a lot more inventory, to sell to their own clients.”

You may remember how, before his purchase last year, Elon Musk commissioned a study that found that 11% of all Twitter accounts are bots. Twitter claimed to delete millions of fake accounts every day, and maybe they just couldn’t keep up. But were they really incentivized to stamp out the problem?

In his opening statement to the Senate Judiciary Committee in September, Peter Zatko — “Mudge,” formerly of L0pht — spoke of how backwards the company’s priorities were, simply by virtue of the business they were in. Quote:

“Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said “It is difficult to get a man to understand something when his salary depends on his not understanding it.” This mentality is exactly what I saw at the executive level at Twitter.”

Mudge also added that, quote, “they don’t know what data they have, where it lives, or where it came from.” End quote. Perhaps, to some degree, that wasn’t an accident.

Incentive: Advertisers

And now, we arrive at the advertisers themselves. You’d think they’d be on the front lines of solving ad fraud, but even they have some motives not to.

For one thing, having spent thousands or millions of dollars on scams isn’t something you’d want to admit to investors, or the wider public, which makes it harder for stories like this to come to light and for awareness to spread.

And then there’s a bigger problem.

“[Dr. Fou] Because they were highly addicted to buying super large quantities of impressions from programmatic exchanges, and paying super low prices, right, absurdly low prices on the exchanges.”

You see, there’s actually an extremely simple solution that would solve the entire problem of ad fraud in an instant.

Just ask “Boris,” an individual who was interviewed by Bloomberg in 2015. Not long after the 28-year-old Ukrainian moved to Brooklyn on a temporary visa, he built out an ersatz media empire — websites he claimed were raking in 10 million views every day, thanks in large part to 50,000 dollars spent every year on cheap traffic.

When a reporter met him at a cafe in Flatbush, Boris brought along his wife and infant son. The reporter noted how, when presented with evidence of his fraudulent activities, quote, “Boris didn’t dispute the findings or appear at all concerned.” 

“If I can buy some traffic and it gets accepted, why not?” Boris replied. If advertisers truly cared enough about fraud, quote, “they should go buy somewhere else. They want to pay only a little and get a lot of traffic and results. If they want all human traffic, they should go direct to the publisher and pay more.”

“[Dr. Fou] So if the advertiser, the buyer of the ads, buys from a legitimate publisher, like a New York Times, directly, and basically avoids all of programmatic, the exchanges and everything else. That is going to avoid 99% of the fraud, because New York Times or any legitimate publisher is not trying to rip them off, right? If you buy ads through the programmatic exchanges, and you have 100 million sites trying to sell your inventory, they are trying to rip you off.”

It sounds great, but obviously it’s much more expensive.

“[Dr. Fou] Because when you’re buying from a mainstream publisher, it’s going to be like $30, $50 CPMs, not $3 to $5 CPMs.”

Outsourcing ad placement to a company that’ll do it in bulk, for cheap, and come back to you bearing good-looking KPIs? You can see why that’d be more alluring than visiting publishers one by one, and paying their higher prices.

Companies Starting to Catch On

So here we are: with ad exchanges directly profiting off fraud, publishers using it to cover their behinds, media companies benefitting from inflated figures they can show investors, and advertisers either too embarrassed, unaware, or cheap to do something about it.

It’s tough to imagine how you’d unravel this massive web of deceit, where somehow everybody is both profiting and also suffering. In recent years, though, there have been little slivers of hope that something might change.

“[Dr. Fou] So there’s a few data points that we can see over the years, where advertisers have actually turned off their digital ad spend and saw no change.”

One high-profile case was Procter & Gamble.

“[Dr. Fou] So in 2018, P&G turned off $200 million of digital spending, and saw no change in business outcomes.”

It’s not clear from reports — or possibly even to Procter & Gamble itself — how much of their ad spend went to bots versus any other explanation, but the fact that 200 million dollars equated to zero difference in their sales certainly does tell you something.

“[Dr. Fou] Around that same time Chase turned off 99% of their programmatic reach. So what that means is they’ve previously had their ads showing up on 400,000 websites. And then they change to an inclusion list approach of just 5,000 websites showing their ads. So that’s a 99% decrease in reach and they saw no change in business outcomes.”

Another company that tried this was Uber. Not because of Phunware, but an entirely different set of fraud. The impetus came from their Head of Performance Marketing, Kevin Frisch.

“[Dr. Fou] Kevin Frisch looked at the data and said, “OK, why don’t we pause the ad spending for a week.” They were basically paying for app installs, right. So for every Uber app that was installed, they would pay a mobile network a bounty, I forget the exact amount, but they would pay on a cost per install basis. When they turned off the ad spending for a week, the installs continued. Then Kevin said, “Let’s leave it off for one more week.””

Then they left it off far longer than that, but installs didn’t slow down in kind. Now, they’re cleaning up the mess.

“[Dr. Fou] Uber is still in the process of a lawsuit where they’re suing 100 mobile exchanges, right? Not five mobile exchanges, not 10, they’re suing 100 mobile exchanges for ripping them off. But unfortunately, by the time that gets prosecuted to conclusion, vast majority of those mobile exchanges won’t exist anymore. Meaning these are businesses that made off with the money and they don’t exist, so there’s no entity to go after to get your money back.”

Uber has been very unlucky with their online advertising, you’d have to say.

Or maybe they’re not — maybe they’re just one of the few companies out there that’s realized what’s been happening to them, and done something about it. That won’t help them save all the money they’ve already blown but, over time, stories like these might help more companies wake up.

“[Dr. Fou] There’s a glimmer of hope, if you will, of advertisers starting to realize, you know, spending so much money and buying trillions upon trillions of ad impressions is really not doing anything. So they’re finally asking the questions and potentially making the harder decisions to make it right.”