Ad fraud is the biggest cybercrime, making a whopping $10 billion or more for cybercriminals this year and causing damages in the hundreds of billions of dollars to society. While ad fraud threatens to grow larger than the entire cybersecurity industry in terms of revenue, the parties seen as responsible for the safety of the advertising eco-system have a limited understanding of the topic and are often further burdened by conflicts of interest.
DID YOU EVER ASK?
Did you ever ask yourself who really makes money out of ad fraud, and how much? Or did you ask how much of the value of a publicly listed company could be just outright fraud? The company might not know about it, but that does not make the stock any more valuable for the investor. We have one recent example of this condition in Matomy.
Earlier this year, when AppNexus turned off blind inventory (inventory where the domain is not disclosed), Matomy claimed that as a result they lost substantial revenues, which immediately led to losing 1/3 of their market cap together with deteriorating investor confidence. Just like that, 1/3 of their market cap vanished into thin air as their exposure to fraud became clear.
In summary, what happened with Matomy was:
- the company had exposure to ad fraud
- they had not taken the measures to understand and reduce the exposure
- suddenly it became obvious for investors that this was the case
- the market value of the company was corrected by investors
Matomy has since then lost another 1/3, leaving it at roughly 40% of its market cap before the “incident”.
Now that we’ve started asking questions, let’s ask a few more. How many of the 5,000 or so adtech companies are like Matomy in this way? How about the really big adtech companies: how can we know that they don’t look like Matomy? If a company’s market cap is 20 billion, how do we know that it’s accurate and not 2/3 off, like in the case of Matomy?
Can we ask more questions like this?
If the industry starts to ask more questions like this, things will become much clearer very fast. These are the kinds of questions we need in the media, in the discussions of the trade association agendas, in the briefs of researchers and in the Twitter #adfraud stream. At the moment, outside of this post, these questions, while seemingly obvious, are virtually absent from the discussion.
MONEY FLOW IN THE AD FRAUD MARKET
To understand any aspect of ad fraud, it seems important to first understand how money flows in the market. Before going there, let’s summarise how the participants connect to each other in the market, which is what makes transactions possible in the first place.
- Sites connect with exchanges
- Exchanges connect with DSPs
- DSPs connect with trading desks
- Trading desks connect with the buyers’ money
Soon $100 billion of media per year will be traded in this way. The entire eco-system consists of roughly 200 billion traffic events per day and some tens of billions of inventory events, where a transaction on the traffic event is performed.
A traffic event is a website passing on an HTTP request to an advertising exchange, with the intention of receiving revenue in return.
The fact that everything is algorithmic means that once the money enters the system, the attacker has tremendous leverage. The attacker will always have greater control over the appearance of his traffic than someone who depends on the actual traffic they have earned. To understand this point, we first have to understand how many ad fraud related vulnerabilities have to do with data. More about data in the context of ad fraud in this article:
In summary, once the adversary understands what kind of data and traffic the buying algorithms prefer, it becomes trivial to focus on feeding the system with whatever is most likely to result in transactions. The legitimate publisher will never have this option. In the current programmatic marketplace, the adversary will ALWAYS have this advantage.
Still, before moving on to answer more questions about the adversary, let’s look at an anecdote with insights into why adtech suffers from the ad fraud problem in the first place. We know that adtech systems are not secure, because the fraud problem is so big, but why has not been deliberately discussed. Together with a group of researchers, I have come to the conclusion that the primary reason is that there are almost zero security capabilities or culture, even in some of the biggest companies in adtech.
INFORMATION SECURITY IN ADTECH (OR THE LACK OF)
Let’s start with a question again. Are advertising networks and other advertising technology platforms secure, and as such suitable for the role they have as part of major internet infrastructure? For example, how many companies do you think there are that collected data on more than 1,000,000,000 people in a given month? Actually, this too is a question nobody will be able to answer. When you have had intimate exposure to many startups in the space, you will know that while the number is hard to come by, there are many. Maybe a hundred at the moment. Most of these do not have any serious investment in infosec in place. Let’s look at one as a point of reference, MediaMath.
MediaMath’s story starts as one of the first companies to ever appear on the programmatic scene. Now MediaMath is an adtech behemoth that has somehow found a way to get its tags on over 300,000 sites[1], one of the highest numbers for any company in the world.
[1] http://trends.builtwith.com/websitelist/MediaMath
With ~1,000 employees, MediaMath is one of the largest companies in the adtech space. Its revenues are likely not far from 500 million per year, and it is argued to be one of the few major adtech companies that is profitable.
MediaMath in summary:
- Profitable company with ~1000 employees
- One of the largest tag footprints in the internet
- One of the oldest adtech companies
Ok, now let’s go to LinkedIn and search for “pentest”, “snort”, “security analyst”, “infosec”. Yes, you guessed it, the results look like this:
“sysadmin” comes up in one profile. For the sake of comparison, AppNexus, which has made a point of fighting ad fraud even at the expense of its own short-term revenue, has many employees claiming the right kind of skillsets in their LinkedIn profiles. There are roughly 5,000 adtech companies and many of them are not dissimilar to MediaMath in this respect. You are far more likely to find no serious investment in security than to find some.
To be fair, there was one profile that said “infosec”:
The issue, of course, is that this person is a lawyer, and works as legal counsel for MediaMath, and does not seem to have any experience with helping companies have more secure systems.
In this light, do you think that a company like MediaMath would be more or less vulnerable to ad fraud, in comparison to a company that had invested seriously in security?
VERY IMPORTANT: There should be no doubt or discussion about the importance of having in-house staff capable and focused on security. And no, sysadmins are not security people, and no, sysadmins can’t do it for you.
The fact that in the adtech industry there is no particular concern for security helps to explain why advertising exchanges have become the playground for the world’s largest cybercrime.
WHO IS MAKING THE MOST MONEY FROM AD FRAUD?
Ok guys, this is what we’ve been building towards. Let’s do this, let’s answer the question of who is pocketing all these billions of dollars.
It is well known that Google and other ad networks take 50% or more of the money that comes to them. By that point there has already been a dilution from commissions for the agency of record and the agency trading desk, so out of $100 from the advertiser, the network ends up getting $36 or more.
It is safe to say that the perpetrators of ad fraud rarely end up getting 50% of the whole, and the adtech industry will in most cases end up getting more than 50% of the whole. By whole, we mean the entire revenue generated from ad fraud.
Today in 2015, when you answer the question “which company sells the most internet advertising”, you’ve also answered the question “who is making the most money from ad fraud”.
A typical scenario looks like this (the left graph is % share of the whole):
At this point we’ve looked at the big picture; now let’s look at the spammer/botmaster side of the eco-system. As part of creating a Compendium of Taxonomic Information About Advertising Fraud, botlab.io researchers have identified 9 different kinds of perpetrators that fall under 3 groups. In this post we’re going to focus a little on 2 groups covering 6 of the kinds.
BLACK HAT MARKETER
Often coming from an affiliate or SEO background, sometimes having reached the coveted “super affiliate” status, black hat marketers are generally highly skilled, technically savvy, business savvy, hard working and driven to learn more than their non-black-hat counterparts. The issue in the marketing industry is that it’s very hard to point your finger at the “white hats”, due to the fact that many marketers do not have a well-established value system as professionals.
MAJOR COMPANY
As the internet increasingly becomes part of people’s lives, so does the advertising side of the internet (adtech), even if it manifests as something like ad blocking, which in effect is part of the same industry. This means more and more major companies will find themselves exposed to, and sometimes actively involved in, ad fraud.
ADTECH COMPANY
This could be anything from running a few websites with fake traffic, to operating a full-blown ad network or data brokerage company. Many of these startups appear legit enough to even the most seasoned technology decision makers.
INVESTOR
Here we have an investor who may be involved in several, or several dozen, companies with various roles and levels of exposure in the ad fraud market.
THIEF
Right now there are a lot of “kids” making a lot of money with very little need for any technical prowess. It is a massive vulnerability in the internet, and because it’s associated with big bad advertisers, nobody cares. Or those who care don’t know what to do about it. Basically, a paradise for the petty thief.
ORGANISED CRIME
Ad fraud is 10 times bigger than ID theft in terms of revenue. Super affiliates and spammers are not always that distinct from one another, and spammers are closely associated with organised crime. As for when organised crime will flock to ad fraud, unfortunately it seems reasonable to assume that it is just a matter of time.
In terms of risk, these 6 can be ranked from the least risky to the riskiest. This is especially important to those who are actively involved in fraud research, as researchers or as employers of researchers.
This simple framework is based on evaluating two different criteria. One is how much the subject of research has to lose, and the other is the readiness of the subject to use methods that the researcher or the researcher’s employer should be concerned about. In yesteryear, click fraud was a way to get Darth Vader on your slides; now it’s a playing field with 10x the revenues of identity theft, no real risk of going to prison, and some genuinely dangerous gamers involved. The way I see ad fraud, having been very strong in online RTS games in the past, is that it’s the next evolution of gaming.
SO WTF ARE WE SUPPOSED TO DO NEXT?
I will be the first to admit that I don’t have a clear answer. We have developed a lot of guidance and a lot of lists, and all of it is 100% available to botlab.io members. There are a lot of answers there, but this is not something that is easy to articulate in a few lines of text. I advise caution with anyone who suggests otherwise. So yes, if you’re the least bit interested in ad fraud research, I highly recommend joining (it’s free) at www.botlab.io
As for what the adversary should do next, the picture is clear.
Ad fraud is the single most effective way to take server resources, use them to create HTTP requests and monetise them using various ad fraud schemes. If you play in the video fraud market, you can make up to $0.01 per HTTP request. You also rarely have to walk away with less than $0.001 per HTTP request.
Couple that with the virtually unrestricted access to complimentary cloud and hosting resources available through AWS and the like. Then use those free resources in a completely anonymised way to create all the requests, and operate it out of even just one shell company with anonymity done reasonably well.
I think that is some serious shit right there.
Ding ding adtech, time to wake up. There will be no smell of coffee though.