Dr. Augustine Fou - The Lowdown on Ad Fraud for Advertisers - Seattle Interactive 2016

The Lowdown on Ad Fraud for Advertisers

October 2016Augustine Fou, [email protected] 212. 203 .7239 (New York)

mailto:[email protected]

Ad Fraud Background

October 2016 / Page 3marketing.scienceconsulting group, inc.

linkedin.com/in/augustinefou

Fraud continues up as digital ad spend goes up

Digital ad fraud

Digital ad spendSource: IAB 2015 FY Report

$ billions

E

High / Low Estimates



Bad guys follow the money – focus on CPM, CPC fraud

Impressions(CPM/CPV)

Clicks(CPC)

Search32%

91% digital spend

Display12%

Video7%

Mobile40%

Leads(CPL)

Sales(CPA)

Lead Gen$2.0B

Other$5.0B

• classifieds• sponsorship• rich media

(86% in 2014)Source: IAB 2015 FY Report

(83% in 2013)



Two main types of fraud, two key ingredientsImpression (CPM) Fraud

(includes mobile display, video ads)

1. Put up fake websites and load tons of ads on the pages

Search Click (CPC) Fraud

(includes mobile search ads)

2. Use bots to repeatedly load pages to generate fake ad impressions

1. Put up fake websites and participate in search networks

2. Use bots to type keywords and then to click on the ads to generate the CPC revenue

screen shots of fake sites



How profitable is digital ad fraud? Extremely…

Source: https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

“the profit margin is 99% … [especially with pay-for-use cloud services ]…”

Source: Digital Citizens Alliance Study, Feb 2014

“highly lucrative, and profitable… with margins from 80% to as high as 94%…”

https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

https://hbr.org/2015/10/why-fraudulent-ad-networks-continue-to-thrive

https://media.gractions.com/314A5A5A9ABBBBC5E3BD824CF47C46EF4B9D3A76/4af7db7f-03e7-49cb-aeb8-ad0671a4e1c7.pdf



How scalable are ad fraud operations? Massively …Cash out sites are massively scalable

131 ads on pageX

100 iframes=

13,100 ads /page

One visit redirected dozens of timesKnown blackhat technique to hide real referrer and replace with faked referrer.

Example how-to:http://www.blackhatworld.com/blackhat-seo/cloaking-content-generators/36830-cloaking-redirect-referer.html

Thousands of requests per pageSingle mobile app calling 10k impressions

Source: Forensiq



AppNexus example – cleaned up 92% of impressions

Increased CPM prices by 800%

Decreased impression volume by 92%

Source: http://adexchanger.com/ad-exchange-news/6-months-after-fraud-cleanup-appnexus-shares-effect-on-its-exchange/

260 billion

20 billion

> $1.60

< 20 cents

“pity those advertisers who bought before the cleanup”

Fake Websites(cash-out sites)



Websites – spectrum from bad to good

Ad Fraud Sites

Click Fraud Sites

100% bot

mostly human

Piracy Sites

Premium Publishers

Sites w/ Sourced Traffic

“fraud sites” “sites w/ questionable practices” “good guys”Websites

“real content that real humans want to read”



Identical sites – fraud sites made by template



Countless fraud domains used to commit ad fraudhttp://analyzecanceradvice.comhttp://analyzecancerhelp.comhttp://bestcanceropinion.comhttp://bestcancerproducts.comhttp://bestcancerresults.comhttp://besthealthopinion.comhttp://bettercanceradvice.comhttp://bettercancerhelp.comhttp://betterhealthopinion.comhttp://findcanceropinion.comhttp://findcancerresource.comhttp://findcancertopics.comhttp://findhealthopinion.comhttp://finestcanceradvice.comhttp://finestcancerhelp.comhttp://finestcancerresults.comhttp://getcancerproducts.com

100s of thousands more sites like these, designed to profit from high value ads

Fake Visitors(bots)



Bots are developer tools (browser) used for ad fraud

Headless BrowsersSeleniumPhantomJSZombie.jsSlimerJS

Mobile Simulators35 listed

Bots are made from malware compromised PCs or headless browsers (no screen) in datacenters.

Bots

http://www.mobilexweb.com/emulators



Bots range in sophistication, and therefore cost

Javascript installed on webpage

Malware on PCsData Center BotsOn-Page BotsHeadless browsers

in data centersMalware installed on

humans’ devices

Less sophisticated Most sophisticated

Source: AdAge/Augustine Fou, Mar 2014 Source: Forensiq Source: Augustine Fou, Oct 2015

“not many people know that the official industry bot lists catch NONE of these bots, not one.”

1 cent CPMsLoad pages, click

10 cent CPMsFake scroll, mouse movement, click

1 dollar CPMsReplay human-like mouse movements, clone cookies

http://adage.com/article/digital/bots-scam-advertisers-pretending-human/293428/

http://www.slideshare.net/augustinefou/digital-ad-fraud-ecosystem



Bad guys’ bots earn more money, more efficientlyHigher bots in retargetingBots collect cookies to look attractive

Source: DataXu/DoubleVerify Webinar, April 2015 Source: White Ops / ANA 2014 Bot Baseline



Bots – from easy-to-detect to advanced bots

10,000bots observed

in the wild

user-agents.org

bad guys’ bots3%Dstillery, Oct 9, 2014_

“findings from two independent third parties, Integral Ad Science and White Ops”

3.7%Rocket Fuel, Sep 22, 2014

“Forensiq results confirmed that ... only 3.72% of impressions categorized as high risk.”

2 - 3%comScore, Sep 26, 2014

“most campaigns have far less; more in the 2% to 3% range.”

industry lists(bot name-match)

“not on any list”disguised as normal browsers –

Internet Explorer; constantly adapting to avoid detection

http://finance.yahoo.com/news/dstillery-leads-industry-1-inventory-173635834.html

http://finance.yahoo.com/news/dstillery-leads-industry-1-inventory-173635834.html

http://rocketfuel.com/blog/forensiq-confirms-the-quality-of-rocket-fuel-programs

http://rocketfuel.com/blog/forensiq-confirms-the-quality-of-rocket-fuel-programs

http://adexchanger.com/platforms/fraud-day-with-comscore-an-ad-impression-is-a-terrible-thing-to-waste/

http://adexchanger.com/platforms/fraud-day-with-comscore-an-ad-impression-is-a-terrible-thing-to-waste/



Any device with chip/connectivity can be used as a botTraffic cameras used as botnet (Engadget, Oct 2015)

mobile devices

connected traffic lights

connected cars

thermostat connected fridge

Security cams used as DDoS botnet (Engadget, Jun 2016)

(TechTimes, Sep 2016)

Bot Detection Toolset



Tech toolset - javascript tag installed on-site or in-adIn-Ad (ad iframes)On-Site (publishers’ sites)

• For publishers to detect and characterize each visitor to the website

• Installed just like Google Analytics via 2 lines of code

• For advertisers (served as an ad tag) to characterize the user that caused the ad to load

ad tag / pixel(in-ad measurement)

javascript embed(on-site measurement)



Visual difference between good publishers, networks

good publishers

ad exchanges/networks



End of month traffic and impressions fulfillment

Impressions surgevolume bars (green)

Stacked percentBlue (human)Red (bots)

red vs blue trendlines Caused by bots



Real traffic surges caused by humans on news site

Traffic surgesvolume bars (green)

Stacked percentBlue (human)Red (bots)

red v blue trendlinesBy humans



AdMonsters Publishers Study – Class of May 2016

AdMonsters Publishers Study• 30 days, directly measured• 30 publishers/sites• 1 billion pageviews• ocean of blue



Declared/search bots should be low, no ads served

- searched for "HTTP_USER_AGENT:smartbrief"- searched through 98784 visits in 101 batches.- found 11519 matches (11.66%).

- searched for "HTTP_USER_AGENT:moatbot"- searched through 98784 visits in 101 batches.- found 2064 matches (2.09%).

- searched for "HTTP_USER_AGENT:googlebot"- searched through 98784 visits in 101 batches.- found 425 matches (0.43%).

- searched for "HTTP_USER_AGENT:bingbot"- searched through 98784 visits in 101 batches.- found 85 matches (0.09%).

Smartbrief Bot GoogleBot

moatbot Bingbot



Ad Fraud Risks for Advertisers(scenarios illustrated with examples)



How many impressions do you want to buy?

Rectangular traffic patterns – turn bots on, turn bots off on demand



http://www.olay.com/skin-care-products/OlayPro-X?utm_source=msn&utm_medium=cpc&utm_campaign=Olay_Search_Desktop

What premium sites do you want to buy from?

Click thru URL passes fake source “utm_source=msn”

buy eye cream online(expensive CPC keyword)

1. Fake site that carries search ads

Olay.com ad in #1 position

2. search ad served, fake click

Destination pagefake source declared

3. Click through to destination page

http://www.olay.com/skin-care-products/OlayPro-X?utm_source=msn&utm_medium=cpc&utm_campaign=Olay_Search_Desktop_Category+Interest+Product.Phrase&utm_term=eye%20cream&utm_content=TZsrSzFz_eye%20cream_p_2990456911









How many clicks/sessions/views do you want?

click on links

load webpages tune bounce rate

tune pages/visit

“bad guys’ bots are advanced enough to fake most metrics”



What click through rates are you shooting for?Programmatic display

(18-45% clicks from advanced bots)Premium publishers(0% clicks from bots)

0.13% CTR(18% of clicks by bots)



Campaign KPI: CTRs



What is your target viewability?

Bad guys cheat and stack ALL ads above the fold to make 100% viewability.

Good guys have to array ads on the page – e.g. 50% or lower overall average viewability.

Fraud SitesGood Publishers

“100% viewability? Sure, no problem.”

AD



Need 0% NHT traffic? Or Middle East traffic?• “IntegralAdScience filtered traffic, she says,

can be monetized on any banner network from “the exchanges.”

• Pixalate filtered traffic, she says, can be monetized on any search feed.

• MOAT filtered traffic, she says, works well with video networks but not one in particular.”

Source: Shailin Dhar, Ad Fraud Researcher



Case Examples of Reducing Ad Fraud



Line item detail reveals obvious fraudLine item details

Overall average 9.4% CTR

“fraud hides easily in averages”



Once detected, we turn off specific referring source

102,231 sessions

0 sessions

goal event – no change



Advertiser increased ads served to humans, less to bots

• By systematically reducing spend to sites that had the highest incidence of bots, the advertiser increased ad impressions served to humans, and lowered those served to bots



Advertiser increased goal events by serving to humans

Period 1 Period 2 Period 3

20% confirmed humans30% confirmed humans

190k 5k

220k6k

280k 7k

total goal eventsaverage daily goals

10% confirmed humans



Advertiser turned off highly suspicious placements

.xyz domains suspicious mobile apps



Best Practices of Savvy Advertisers“don’t assume your agency took care of it”

• Challenge all assumptions – don’t assume someone else “took care of it.” Verify, by demanding detailed reports, because fraud hides easily in averages

• Check your Google Analytics - question anything that looks suspicious; more details that can reveal fraud and waste

• Corroborate measurements – measure different parameters together and see if they still make sense; reduce false positives or negatives

• Use conversion metrics – CPG client uses click-and-print digital coupons; pharma client uses doctor finder zip code searches, plus clicks to doctor pages; retailers use sales



About the Author/Researcher

October 2016Augustine Fou, [email protected] 212. 203 .7239 (New York)

mailto:[email protected]



Dr. Augustine Fou – Recognized Expert on Ad Fraud2013

2014

SPEAKING ENGAGEMENTS / PANELS4A’s Webinar on Ad Fraud AdCouncil Webinar on Ad Fraud TelX Marketplace Live Panel on CybersecurityARF Audience Measurement / ReThinkIAB Webinar on Ad Fraud / Botnets AdMonsters Publishers Forum / OPSDMA Webinar – Ad Fraud & Measurement

2016

2015



Harvard Business Review – October 2015Excerpt:

Hunting the Bots

Fou, a prodigy who earned a Ph.D. from MIT at 23, belongs to the generation that witnessed the rise of digital marketers, having crafted his trade at American Express, one of the most successful American consumer brands, and at Omnicom, one of the largest global advertising agencies. Eventually stepping away from corporate life, Fou started his own practice, focusing on digital marketing fraud investigation.

Fou’s experiment proved that fake traffic is unproductive traffic. The fake visitors inflated the traffic statistics but contributed nothing to conversions, which stayed steady even after the traffic plummeted (bottom chart). Fake traffic is generated by “bad-guy bots.” A bot is computer code that runs automated tasks.

Marketing

Dr. Augustine Fou - The Lowdown on Ad Fraud for Advertisers - Seattle Interactive 2016