Just announced: HUMAN’s Satori Threat Intelligence and Research team has disrupted a cunning mobile advertising fraud campaign dubbed Konfety.

Where We’ve Come From and Where We’re Going

August 2019

As recently as a few years ago, even the most optimistic observers couldn’t deny that we were in the midst of a golden age of digital ad fraud. Sites like Toothbrushing.net and CookTheFood.com were selling hundreds of millions of fraudulent ad impressions — in the second case, far more impressions than the rest of the web’s most popular cooking sites combined — and largely getting away with it.

Fortunately, the tide has started to turn — at least for the time being. In 2017, digital advertisers collectively lost some $6.5 billion to ad fraud, according to our Bot Baseline report, produced in conjunction with the ANA. Just two years later, though, this annual estimate has dropped to $5.8 billion. Impressively, this 11 percent reduction in the global cost of ad fraud has come as total digital ad spending has increased by over 25 percent.

This progress notwithstanding, the industry at large still has ample work to do to consolidate our gains and brace ourselves against the new — and increasingly sophisticated — threats on the horizon. Even in 2019, between 20 and 35 percent of all ad impressions are attempts at fraud, a figure that will creep even higher if we let complacency take hold.

As has always been the case, our ability to continue winning victories against ad fraud will depend on the extent to which we are willing and able to fight as a collective. Readily available inventories of fraudulent ad impressions depress return on ad spend for everyone, meaning it is in every advertiser’s best interest to work with other industry players to stamp out fraud wherever it rears its head.

Reclaiming Our Domain

We need only look as far as the stirring success of the ads.txt initiative for proof of the value of presenting a unified front against fraud. Introduced by the 650-plus-member Interactive Advertising Bureau in 2017, ads.txt represents a concerted industry-wide effort to combat domain spoofing.

In short, ads.txt is a simple text file a publisher can host on its domain that provides a complete list of the companies authorized to sell the publisher’s ad inventory. Similarly, ads.txt provides programmatic platforms with text files that confirm the portfolios of inventories they are permitted to sell. This solution has proven to be straightforward, secure, transparent, and, most importantly, effective.

While as of 2018, only 14 percent of all domains had published a valid ads.txt file, this vanguard included 78 percent of the world’s top domains by ad volume. In other words, despite only being installed on a relatively small number of web servers, ads.txt files already cover a healthy majority of all ads being sold. Thanks in large part to this coverage, the share of desktop display ads that are fraudulent is expected to drop to eight percent by the end of the year — a full percentage point lower than in 2017.

Building Bridges through Industry Collaboration

Straightforward solutions like ads.txt have helped mitigate the problem of domain spoofing, but they are ill-equipped to address the industry’s other long-standing bugbear: fake audiences.

CookTheFood.com was a real website featuring real (if minimal) content — the issue was that its visitors were fake. By purchasing massive amounts of traffic from pay-per-click (PPC) providers of visitors-on-demand, the site’s owners were able to artificially inflate their audience without advertisers being any the wiser.

Solving this problem is made exponentially more difficult by the fact that this kind of fake traffic lurks on real people’s computers — computers that have real cookies and real device IDs. Of course, hardly any of these people are intentionally clicking through ads on sites like CookTheFood.com; rather, their devices have fallen prey to malware that runs processes covertly in the background.

While traffic sourcing transparency efforts like those undertaken by the Trustworthy Accountability Group have spurred incremental progress in the fight against fake audiences, dramatically reducing the market supply of bot traffic (the traffic generated by malware-infected devices) will be the only way to strike a fatal blow. Since it remains effectively impossible to immunize consumer devices against malware, breaking up major botnets is the only direct approach to applying the requisite downward pressure on this supply.

A New Wave of Ad Fraud

As the industry at large has forged ahead with collaborative initiatives like ads.txt, savvy fraudsters have already begun to gravitate toward less-policed channels. In the short to medium term, mobile apps and connected television (CTV) will be the easiest targets.

In the mobile space, app spoofing and hidden ads are the most prominent causes for concern. The former consists of an app’s presenting a fake app bundle ID to pass itself off as a different app — often a premium one that will attract users. This is undeniably a significant problem, but its exploitation will be mitigated by the increasing adoption of app-ads.txt, a recently finalized extension of ads.txt that is tailored to the idiosyncrasies of mobile app environments.

Hidden ads are a tougher nut to crack. These non-viewable ads feature purpose-built deception code that enables developers to fabricate their apps’ viewability metrics. However, as popular as mobile advertising is, CTV advertising has become even more popular. In fact, of all the video ad impressions delivered during the third quarter of 2018, a larger share were served on connected TVs (38 percent) than on mobile devices (31 percent). This marked a dramatic departure from the distribution seen during the third quarter of 2017, during which connected TV accounted for just 14 percent of total video ad impressions (compared to mobile’s 39 percent share).

By our estimates, advertisers will funnel around $20 billion to CTV over the next two to three years, and fraudsters are unlikely to let this flow go unsiphoned. Because there is not a liquid pool of fake CTV viewers available for purchase on a PPC basis, CTV fraud typically takes the form of fake ad inventories produced through server-side ad insertion (SSAI). Also commonly referred to as “ad stitching,” SSAI integrates ads and video content into a single stream, making it incredibly difficult to verify whether the ads have actually been served.

The good news is that since CTV ads are delivered via smart TV apps — Hulu and YouTube foremost among them — they can be monitored by protocols like app-ads.txt. That said, especially in the short term, advertisers seeking additional transparency should direct their business only to platforms that are protected by fraud verification experts.

Looking Ahead

In the final analysis, it is impossible to deny that the “good guys” have made considerable gains in the war against ad fraud over the course of the last 12 months. This year marks the first in which the global impact of ad fraud ($5.8 billion) will dip below the mark set in 2014, the first year of our research collaboration with the Association of National Advertisers.

However, if we are not proactive, we may well end up looking back at 2018-2019 as the eye of the hurricane. To keep the skies clear, we must all do our utmost to develop solutions to problems like mobile app fraud and CTV fraud.

Our collective efforts over the next 12 months will be vital to ensuring ultimate victory over ad fraud. It is not going to be an easy fight, but it is one I have full confidence we can win — provided we fight together.