Ad fraud remains ever-evolving in the programmatic landscape, and its toll on advertisers continues to climb.
Digital ad fraud is complex and difficult to stop because it’s constantly changing. Fraudsters deploy increasingly sophisticated tactics, like CTV fraud and advanced mobile SDK spoofing. At the same time, legacy fraud tactics like bot traffic and domain spoofing continue to stand the test of time as they evolve with the industry. These tactics make it difficult for ad buyers to ensure legitimate ad impressions.
SupplyChain Objects (SCOs) have emerged to provide more transparency in the programmatic supply chain and guard against ad fraud. However, cybercriminals can also manipulate SCOs, as HUMAN’s Satori Threat Intelligence and Research Team investigation into the Apollo audio ad fraud scheme found. Operations like these highlight the critical importance of comprehensive SupplyChain Object validation to combat sophisticated ad fraud like Apollo and ensure a transparent and trustworthy digital advertising ecosystem.
The Necessity of Comprehensive SupplyChain Object Validation
In a nutshell, SupplyChain Object works with ads.txt / app-ads.txt and sellers.json to provide transparency into the programmatic ecosystem by letting ad buyers and intermediaries see all parties selling or reselling ad inventory.
SCO does this by mapping all intermediaries involved in selling or reselling an impression across a chain of nodes representing all the sellers paid in an individual bid request. Each node in the SCO represents a specific entity participating in the bid request, including all entities involved in the direct payment flow for inventory. SCO must be included in the initial bid request for an impression to work as intended.
Invalid or incomplete SCOs make it harder to detect misrepresentation of inventory location (otherwise known as domain spoofing), which leads to wasted ad spend and obscure low-quality inventory or fraudulent activity. This is why validating each node in the SupplyChain Object is critical to determining authorization, transparency, and consistency. Unauthorized sellers can still infiltrate the supply chain, enabling potential fraud.
For example, there is the issue of “supply chain convergence,” in which an unauthorized set of inventory’s supply chain “converges” with a legitimate supply chain a publisher was trying to authorize. Numerous sites and apps authorize large numbers of reseller accounts so that a threat actor can get unauthorized spoofed inventory into the programmatic ecosystem. This inventory can eventually funnel through intermediaries to a reseller account that happens to be authorized by the publisher being spoofed. Fraudulent behaviors like these make proper adherence to standards like SupplyChain object and app-ads.txt across the supply chain critical.
The Apollo Audio Ad Fraud Scheme: A Case Study in SCO Exploitation
Recently, in partnership with The Trade Desk, our Satori team uncovered and disrupted an ad fraud operation dubbed Apollo that centered on spoofed bid requests for audio inventory. The scheme targeted limited signal and transparency in server-side ad insertion (SSAI) backed audio ad impressions to the tune of 400 million fraudulent bid requests daily—the highest peak volume of audio-related ad fraud ever uncovered.
The Apollo actors spoofed SSAI impressions by delivering ad requests from data centers for “spoofed” or faked edge devices. Spoofed bid requests contain partially or entirely incorrect attribute declarations. Fraudsters can artificially generate an entire bid request and send it into the supply chain but not represent a genuine request.
In the case of Apollo, the spoofed bid requests claimed to be from apps where audio ads were unlikely or impossible. Each bid request was custom-generated to mimic legitimate requests from that specific audio publisher. Satori researchers observed that the threat actors copied the exact impression request flow from the publisher’s legitimate app, meaning they had specifically and intentionally copied the bid request format for the publisher to hide their invalid traffic among legitimate traffic. The traffic likely came from a script, which allowed the threat actors to create and modify requests in bulk with desired parameters.
A significant portion of the Apollo traffic appeared legitimate because it used intermediaries who were app-ads.txt authorized on the last seller, masking the fraudulent origin. This fact highlights the need for ad buyers to go beyond checking whether just the final seller is authorized. Had the buyers vetted each step in the supply path, they would have been able to tell that the publisher did not authorize the spoofed inventory.
Conclusion
The threats posed by schemes like Apollo demonstrate the critical role of comprehensive SupplyChain Object validation—not just a quick check of the last seller. Only with this due diligence can ad buyers work towards confirming the authenticity of bid requests across media-buying channels.
However, ad buyers should not be left with the heavy lifting. It is essential to pursue an industry-wide approach and collaboration among all digital advertising parties to combat audio fraud and improve supply chain transparency. There will never be an easy button for fighting fraud, but maintaining vigilance and adopting standards like SupplyChain object, ads.txt, app-ads.txt, and sellers.json can help nurture a healthier programmatic ecosystem.