A major cybercrime scheme is costing businesses billions of dollars a year, but the problem remains largely overlooked...
by enterprises and hidden to its victims.
According to startup security firm White Ops Inc., ad fraud botnets, which secretly divert traffic from infected systems to artificially inflate the number of clicks on web ads, are rampant and are wreaking havoc on advertisers and marketers. An annual study conducted by White Ops and the Association of National Advertisers estimated more than $7 billion will be lost globally this year because of online ad fraud. The study, which included 49 ANA members and nearly 10 billion ad impressions over the course of two months, found ad fraud botnets accounted for 11% of all display impressions and 23% of all video impressions.
As a result, White Ops has been focused on attacking the problem at its source: the ad fraud botnets. White Ops CEO Michael Tiffany recently spoke with SearchSecurity about the growing problem of ad fraud -- also known as click fraud -- how these botnets spread and evade detection, and how they are leveraging modern technology to their advantage. He also discussed the damage ad fraud is causing the online advertising industry and why some companies are reluctant to address the problem. Here are excerpts of the conversation with Tiffany.
Why did ad fraud become such a big focus for your company?
Michael Tiffany: The foundational goal of White Ops is to disrupt the profit centers of cybercriminals, specifically cybercrimes that affect a large number of people. And much to our surprise, the crime that really scales is ad fraud. And that wasn't on anyone's radar when we started looking into it.
The reason why it took a while to catch up to this was that, unlike other forms of cybercrime, ad fraud succeeds by going almost completely unnoticed; it's a form of theft where nothing goes missing. So, it was widely underestimated. But as demand for ad fraud increased, the parasite grew so big it began to threaten the host, and it became an undeniable problem.
How does the problem of ad fraud compare to other cybercrime schemes, like ransomware, for example?
Tiffany: This is why the economics of ad fraud are so amazing. No matter how stealthy your infection vector is, once you do the ransomware attack or whatever the payoff mechanism is, it's very obvious. So, the victim knows they've been attacked. And you can't keep holding a victim's data hostage again and again, month after month. So, it's a one-time transaction.
That's not the case with ad fraud. It's a reoccurring revenue stream. And all of us, 100% of us, are targetable consumers for ad fraud. So, you can turn any machine you've popped into an ad fraud botnet.
What were some of things that surprised you when you first started looking into this problem?
Tiffany: Even when we started looking into ad fraud and the co-founders of White Ops found evidence of it, I wasn't thinking it was a big crime. In fact, I thought it couldn't possibly be a big crime because online advertising was so targeted and performance-obsessed. So, I understood how anonymous bots could maybe skim a little traffic, but I didn't see how those bots could stay anonymous and hide from Google and other companies. Well, that turned out to be a naïve belief. And I think it's a naïve belief that is shared by much of the ad industry today.
The way ad fraud works today is by turning ad-targeting and performance metrics against us. When you infect a whole bunch of consumers' machines, those consumers have Gmail accounts and they're logging into Facebook and other social media accounts. And if your malware process is just driving a hidden web browser, and it's reading from the local cookie store, then your totally bogus bot suddenly looks like a real, authenticated user as far as the ad ecosystem is concerned. There's a real purchase history. Analytics companies are going to recognize those cookies and say, 'Oh, that is a high-income male who's in the market for luxury travel.'
That's what makes ad fraud so profitable. It can be a long-tail crime, where every machine you've popped is a source of continued profit. What you're really doing is just inflating the number of web visits that come from that machine. If that machine is connected to the internet, then it is authenticated to some stuff. So, when you get your malware riding along on those cached credentials, whether they're cookies for the desktop environment or device IDs for mobile environments, you basically have assured profits. Then, when companies serve you ads, they're not just being duped -- they're confident that they're not being duped. They say, 'I just served an ad to Bob, and here are all the crazy facts I know about him,' because ad targeting has grown so sophisticated that it's creepy.
So, at first, we thought these were two conflicting observations: Ad targeting has gotten so good it creeps people out and makes for Wall Street Journal exposés, and yet ad fraud is a problem. But we found that the two actually support each other. Since the malware is coming from real consumers' devices, it's being targeted as if it were real consumers.
So, what's the effect of these ad fraud schemes overall?
Michael TiffanyCEO of White Ops
Tiffany: The net of it is ad fraud botnets are being used to inflate the web views all across the internet. It looks as if there is more browsing happening than there actually is. That's what all of these robo-processes are doing -- they're inflating the total page views on the internet. That's how they increase the opportunities to advertise.
So, that has a major distorting effect on the market, because it looks as though there is more supply than there is. And that has led to a nice business for White Ops, because we're helping advertisers and we're also working with the premier publishers and ad platforms in this space who want to compete on quality. They want to be able to say, 'Our numbers are real, and that's why you should have more of your ad spend with us.'
But there must be some companies that aren't happy with this news. Are some in denial about the problem?
Tiffany: Yes, there are two broadly different reactions that we get. One of the reasons we decided to pursue this was because we were worried about the perverse incentives. As [White Ops co-founder and chief scientist] Dan Kaminsky once observed, 'On the internet, no one's numbers are allowed to go down.' Everything has to be up and to the right. So, it's a big problem if your numbers have included botnet traffic for a while. What do you do? Do you tell Wall Street that your views are 30% lower? No, probably not, because that may mean that teenagers don't think your brand is cool anymore, and that means your stock price needs to be cut in half.
So, that's scary. I know if I sell a security solution to a bank because the bank is getting robbed, the bank will pay for it. Banks are really into not getting robbed. But looking at the ad ecosystem, it's not actually clear that people care. Maybe they're actually enjoying the fact that the numbers are inflated.
Well, it's not like the advertising industry has done such a great job on security with things like malvertising.
Tiffany: Exactly. So, we were on the fence. But what tipped us over was the macro analysis; imagine a future in which we win, and all of the botnet traffic is gone. In that world, there will literally be less ad inventory. But advertisers aren't going to spend any less. The consumers that they really want to reach are still there, and they're still moving away from TV and going digital. So, what happens is, if advertisers are still going to spend their $60 billion, but no one is jacking the numbers anymore, then the dollars are going to flow to the places that have real human audiences.
So, the theory was at the time that there are some companies that are clean -- and we didn't know who they were, because everyone was looking dirty -- and some companies were going to say, 'Thank God you've arrived; now, we can compete on quality.' So, we've opened the doors and told them we can separate the fake traffic from the real traffic, and some companies have stepped up and accepted us with open arms. Even if they have a bot problem -- because you can't prevent bots from visiting your websites -- they're making a strategic analysis to cut off some traffic and potentially hurting ad revenue, but they know it's going to be way more painful for their competitors. So, they'd rather set the bar here and have everyone else come up to them.
But then there are others who say, 'Oh no, is the gravy train about to stop?' We were dealing with media companies that were indignant that White Ops wasn't helping them [to replace the bad traffic]. They would say, 'Oh, so you're just pointing the finger, but you won't help us solve the problem.' But the only way to solve the problem is become more popular. And we don't know how to help companies with that.
Stay tuned for part two of SearchSecurity's interview with White Ops' Michael Tiffany, which will discuss the effects of ad fraud on enterprises outside of the advertising industry, as well as how White Ops is tackling ad fraud infections.
Find out the best ways to improve endpoint security in the enterprise
Compare the leading web fraud detection tools on the market
Read more on stopping ransomware through network security hardening