In this article, we will go through ten techniques that are used ever more frequently to commit digital advertisement fraud. From hijacking adverts to using bots, cybercriminals make money off the backs of ad publishers and the advertising industry. The attacks are increasing in both frequency and variety, and the most recently discovered attack serves multiple purposes for the attackers. Learn about these dirty tricks, how to recognize them, and why you should work toward getting rid of them from your adverts.
Advertisement Fraud Technique #1: Invisible and Hidden Ads
Advertisements can successfully be hidden within 1×1 pixels, making them too small to be seen by a human eye, while they still generate revenue for their publishers.
What differentiates non-viewable impressions from this kind of fraud is that their banners are properly displayed on the page. The user does not see these banners (for example, they are placed at the bottom left of the page), but they are still legitimate, accountable impressions.
Advertisement Placement Fraud
Advertisement placement fraud is performed by dishonest publishers who want to increase their revenues by generating bigger advert traffic.
The first and foremost ad fraud technique makes the advertisement invisible on a website even though the impression is still reported. There are several methods that implement this technique:
- An advertisement displayed in a 1×1 pixel Inline frame element.
- Advertisements displayed outside of the viewport area.
- Multiple re-sized advertisements displayed at once.
- Several advertisements displayed in an inline frame element, all loaded into a single advert slot. All of the ads are loaded, but only one is actually visible to users.
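A verification-side audit for the four patterns listed above, as an added example that is not from the original article: it takes ad frame geometry in page coordinates and reports which frames are 1×1, re-sized, positioned off the page, or sharing a slot. The field names, the sample frames and the 50% re-size threshold are assumptions.

```javascript
// Added example (not from the article): flag ad frames matching the hidden-ad patterns above.
// Rects are in page coordinates (getBoundingClientRect plus scroll offset); field names are assumptions.
const MIN_SCALE = 0.5; // assumed: rendered area below half the declared creative area counts as re-sized

function offPage(r, page) {
  // Entirely outside the document box: no amount of scrolling brings it into view.
  // A properly rendered ad that is merely below the fold is NOT flagged by this check.
  return r.x + r.width <= 0 || r.y + r.height <= 0 || r.x >= page.width || r.y >= page.height;
}

function auditAdFrames(frames, page) {
  // Count how many ad frames were loaded into each slot.
  const perSlot = new Map();
  for (const f of frames) perSlot.set(f.slot, (perSlot.get(f.slot) || 0) + 1);

  const findings = [];
  for (const f of frames) {
    const reasons = [];
    const rendered = f.rect.width * f.rect.height;
    const declared = f.declared.width * f.declared.height;
    if (f.rect.width <= 1 && f.rect.height <= 1) reasons.push("1x1-frame");
    else if (rendered < declared * MIN_SCALE) reasons.push("re-sized");
    if (offPage(f.rect, page)) reasons.push("outside-page");
    if (perSlot.get(f.slot) > 1) reasons.push("shared-slot");
    if (reasons.length) findings.push({ id: f.id, reasons });
  }
  return findings;
}

// Constructed sample: one honest leaderboard below the fold plus four suspicious frames.
const samplePage = { width: 1280, height: 4000 };
const sampleFrames = [
  { id: "a", slot: "top",  rect: { x: 276, y: 3000, width: 728, height: 90 }, declared: { width: 728, height: 90 } },
  { id: "b", slot: "px",   rect: { x: 0, y: 0, width: 1, height: 1 },         declared: { width: 300, height: 250 } },
  { id: "c", slot: "off",  rect: { x: -5000, y: 0, width: 300, height: 250 }, declared: { width: 300, height: 250 } },
  { id: "d", slot: "side", rect: { x: 900, y: 200, width: 300, height: 250 }, declared: { width: 300, height: 250 } },
  { id: "e", slot: "side", rect: { x: 900, y: 200, width: 30, height: 25 },   declared: { width: 300, height: 250 } },
];

console.log(auditAdFrames(sampleFrames, samplePage));
```

The below-the-fold frame `a` is not reported, which matches the distinction drawn earlier between non-viewable but legitimate impressions and hidden ads.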
Advertisement Fraud Technique #2: Impression Laundering
This particular technique conceals the actual website where the advertisement is displayed. Below you can see how the whole procedure plays out.
The advertiser buys advertisements from a carefully selected publisher (one whose audience and content are relevant to and fit well with the advertiser's brand), usually paying a high cost per thousand impressions. Part of the advertisement impressions bought by the advertiser are pushed to fraudulent websites where both the audience and the content are irrelevant to the advertiser’s brand (for instance, high-traffic sites with illegal content, which are generally hard to monetise).
Via a number of complex redirects and nested advert calls through inline frame elements (iframes), the advertisement calls are laundered so that the advertiser sees legitimate websites instead of the fraudulent sites where the adverts are displayed.
The next few techniques are performed by hackers by simply taking control over computers or browsers to generate advertisement revenues.
Advertisement Fraud Technique #3: Hijacking Ads
Ad hijacking, otherwise known as an ad replacement attack, refers to cases in which malware hijacks the advertisement slot on a website and displays an advert that generates revenue for the attacker rather than for the publisher (the owner of the website).
This can be accomplished in a few ways:
- Compromise the computer of the user to change the DNS resolver (i.e. resolve the ad.doubleclick.com domain to the IP of the server controlled by the attacker, and therefore, serve different ads).
- Compromise the publisher’s website or the user’s computer to change the HTML content on the fly (change ad tags placed by the publisher to ad tags controlled by the attacker).
- Compromise the user’s proxy server or router (or the ISP’s router) to spoof the DNS server or change the HTML content of the site while the devices are running.
Advertisement Fraud Technique #4: Hijacking Clicks
Similar to hijacking ad placements, as described above, an attacker can hijack a user's click. After the user clicks on an ad, the attacker redirects the user to another website, essentially stealing a prospective client from the advertiser.
The following ways show how the attackers can achieve this:
- Compromise the user’s computer to change the DNS resolver.
- Compromise the publisher’s website and hijack the click (i.e. by inserting an onClick event on the inline frame element with the ad).
- Compromise the user’s proxy server or router to spoof the DNS or change the HTTP request on the fly.
Advertisement Fraud Technique #5: Pop-unders
Pop-unders are much like pop-up windows with advertisements. However, in this case the advertisement window appears behind the main web browser window rather than in front of it. The technique can be combined with impression laundering to generate additional revenue.
Although most ad networks forbid ads served in this way, it is still considered a completely legal advertising method in some domains.
Advertisement Fraud Technique #6: Bot Traffic
Publishers can use botnet traffic, which either consists of compromised computer systems of users or a set of cloud servers and proxies in order to:
- Achieve higher revenue targets.
- Maintain comScore audience growth.
- Ensure eCPM growth.
In the past there have been a number of large-scale botnet operations, the purpose of which was solely to generate revenue, with few actual business goals behind them. Methbot is the most profitable and most disruptive fraud operation discovered to date.
Advertisers spending money on machines to buy ads, also known as programmatic ad buying, are losing more and more because of online advertising fraud.
Methbot is an elaborate fraud scheme that was first detected back in 2016. This scheme is considered one of the biggest and most profitable digital ad fraud operations up to now. Discovered by White Ops, a US-based security firm, Methbot was found to be controlled by a Russian criminal organization operating under the name Ad Fraud Komanda, better known as AFK13. The fraud was estimated to pull in from three to five million dollars from advertising every day, at the expense of the programmatic industry.
Methbot was incredibly difficult to detect because the organization used a number of methods to disguise the bot as real human traffic. These methods included:
- Fake clicks and fake mouse movements
- Fake social network login data
- Fake geographical location associated with the IP addresses controlled by the organization
- Countermeasures against code from over a dozen different AdTech firms
- A custom HTTP library and browser engine with Flash support, all running under Node.js (a regular Internet browser cannot run hundreds of ads simultaneously)
- Dedicated proxy servers making it impossible to track the traffic to a specific origin
The Methbot operation was very carefully planned and considered, and compromised several elements of the ad delivery chain. It not only impersonated premium sites and fabricated their inventory, but also disguised itself as legitimate Internet Service Providers (ISPs). Methbot successfully impersonated some ISPs and disrupted the following three areas of the ad delivery chain:
- Ad Networks
In addition, Methbot generated fake, human-like traffic which opened the advertisements on these false premium websites. At the same time, with fake domain registrations, Methbot played the system by deciding where the most profitable adverts should appear, thus ensuring their fraudulent web space was purchased at maximum profit.
Mobile Applications and Ad Fraud
Mobile applications are becoming another increasingly lucrative target for fraudsters. This is mainly because ads in mobile apps are rarely blocked by ad-blocking software. Also, Android is generally considered more vulnerable to attacks due to its open-ended architecture which, coupled with the reach and size of the ecosystem, makes it a very attractive and easy target for the fraudsters.
Advertisement Fraud Technique #7: Fake Users
Just as in the case of desktop and laptop fraud, fraudsters also use mobile applications to imitate human-like activity. This typically involves a combination of methods such as bots, malware and click or app install farms, all with the goal of building large audiences of fake users and consequently feeding on the online advertising ecosystem.
Click farms use low-paid workers who physically click through the ads, earning CTR money for the fraudsters. Click bots are designed to perform fake in-app actions. In this way, the advertisers are tricked into believing that a large number of real users clicked their adverts, while the advertisements never reach organic audiences.
Advertisement Fraud Technique #8: Fake Installations
Installation farms are another method of imitating human-like behavior: they install apps using real people as dedicated emulators. As in the case of fraudulent advert clicks, fraudsters use teams of actual people who install and interact with applications on a large scale.
A technique rising in popularity among fraudsters is to use emulators to mimic real mobile devices. To remain untraced, device farms regularly reset their DeviceID and avoid detection by using newly created Internet Protocol addresses.
Advertisement Fraud Technique #9: Attribution Manipulation
Bots are pieces of malicious code that run a program or perform an action. These bots aim to send clicks, installs and in-app events for installs that never actually happened. Fraudulent clicks, for example, are sent to an attribution system, gaming attribution models and falsely taking credit for user in-app engagement. While they can be based on actual phones, most of them are server-based.
The one objective of click fraud is to fabricate clicks on CPC-based adverts. There are two ways to do this:
- Click spamming (a.k.a. click flooding) – real, but hijacked (for instance appropriated) IDs of mobile devices are used to send fake click reports. When a real user with that ID organically installs an app, the fake click will get the credit and make profit.
- Click injection – fraudulent apps downloaded by users generate fake clicks and take credit for the installation of other applications.
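One way an attribution team can look for both patterns, as an added example that is not from the original article: it goes beyond the text by profiling each traffic source's click-to-install time (CTIT), a measure the article does not name, on the reasoning that an injected click lands seconds before the install while a spammed click is unrelated to it and often precedes it by a day or more. The record fields, source names and thresholds are assumptions.

```javascript
// Added example (not from the article): per-source click-to-install time (CTIT) profile.
// Thresholds and record fields are assumptions chosen for illustration.
const SHORT_MS = 10 * 1000;        // click only seconds before the install: typical of click injection
const LONG_MS = 24 * 3600 * 1000;  // click a day or more before the install: typical of click spamming
const MIN_INSTALLS = 5;            // do not judge a source on a handful of installs
const SHARE = 0.5;                 // flag when over half of a source's installs fall in one tail

function profileSources(installs) {
  const bySource = new Map();
  for (const i of installs) {
    const ctit = i.installTs - i.clickTs; // milliseconds between attributed click and install
    const s = bySource.get(i.source) || { total: 0, short: 0, long: 0 };
    s.total += 1;
    if (ctit < SHORT_MS) s.short += 1;
    if (ctit > LONG_MS) s.long += 1;
    bySource.set(i.source, s);
  }
  const verdicts = {};
  for (const [source, s] of bySource) {
    let verdict = "ok";
    if (s.total < MIN_INSTALLS) verdict = "insufficient-data";
    else if (s.short / s.total > SHARE) verdict = "possible-click-injection";
    else if (s.long / s.total > SHARE) verdict = "possible-click-spamming";
    verdicts[source] = verdict;
  }
  return verdicts;
}

// Constructed sample: CTIT values in seconds for four hypothetical traffic sources.
function build(source, ctitSeconds) {
  return ctitSeconds.map((sec, n) => ({ source, clickTs: n * 1000, installTs: n * 1000 + sec * 1000 }));
}
const sampleInstalls = [
  ...build("net-a", [45, 120, 300, 90, 600, 30]),
  ...build("net-b", [2, 3, 1, 4, 250, 2]),
  ...build("net-c", [90000, 200000, 150000, 60, 400000, 100000]),
  ...build("net-d", [1, 2]),
];

console.log(profileSources(sampleInstalls));
```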
Advertisement Fraud Technique #10: Polyglot Attack
Cybersecurity specialists who work specifically for the media industry have discovered a new method that hackers use to hide malicious code in advertisements. With the help of that technique they are committing digital ad fraud in a more technically complex way than ever before. The attack is called a “Polyglot”. Some websites were involved in such an attack recently, when hackers made malicious MyFlightSearch ads appear instead of the legitimate ads of the MyFlightSearch service.
That is not all, however: with this technique hackers can also easily deliver other types of malware to the computer of an unsuspecting user who clicks on a compromised advertisement.