Digital advertising spend is set to hit $480 billion by 2022. With more than half of it allocated to mobile networks, ad fraudsters are loving the direction of travel.
On current trends, losses from advertising fraud will reach $87 billion by 2022. That puts it on track to become the planet’s second-biggest organised crime racket. Only the drugs trade will be bigger.
Despite industry efforts to battle back, cybercriminals know how to find and follow the money. All a fraudster needs is a few computers and the technical expertise to extract fraudulent revenue from the mobile ad ecosystem.
For added appeal, hacking the mobile advertising supply chain offers incredibly high payouts with almost no chance of being brought to book. Why risk holding up a bank when you can just trick an ad network into lining your pockets?
With minimal risks and low barriers to entry, ad fraud has become a serious way for cybercriminals to make serious money.
And unlike traditional organised criminality like drug smuggling and human trafficking, ad fraud has its own money-laundering capabilities built right in.
How Fraudsters Follow The Money
The frustrating truth about ad fraud is that everyone, except the brands paying for the ads, has some incentive to hide the full extent of the problem. From publishers to agencies to advertising networks, there is often shared culpability that leaves the industry’s co-operative, voluntary measures to stop ad fraud somewhat toothless.
Because the technical ecosystem is so complex, fraudsters can hide at multiple points in the supply chain and use their position to game the system.
There are three common steps in the fraud process:
1. An advertiser hires a media buying agency
A big brand allocates significant budget for digital ads, and like any business aims for a high-performing campaign. Targets are set against a specific volume of impressions, clickthroughs, or conversions such as sales, downloads and sign-ups.
Some advertisers handle their media buys in-house, but more often engage media agencies to manage their digital ad spend.
2. The media agency buys inventory from an advertising network
Media agencies are responsible for finding an appropriate inventory of media placements. They then partner with ad networks and affiliates to advertise their brand and pay them an agreed commission if objectives are reached.
The ad network then displays the advertising creative, usually an image or video, to smartphone end users.
3. The fraudster becomes an ad network intermediary
Mobile advertising networks buy their ad placement inventory from publishers, mobile apps or affiliate websites who want to monetise their traffic with display advertising.
Fraudsters undermine what should be a simple commercial relationship by mimicking the behaviour of real end-users. They use technology and shady third parties to trick ad network tracking systems into counting fake clicks as legitimate.
Gaming the system
The bad actor could be a malicious publisher, a fraudulent or unethical ad network, or a phoney affiliate website.
For example, a fraudulent website might hire a ‘traffic seller’ to artificially inflate its click volumes, pad its invoices to advertisers with fees for fake conversions, or charge for impressions against advertisements that were never actually served to an end-user.
Traffic sellers typically work with hackers who operate vast networks of bots – software programs that emulate real devices and human browsing behaviours to create bogus click traffic.
The bots repeatedly load webpages to generate ad impressions. With a single command, a fraudster can make them act in unison to deliver the exact amount of traffic – to order.
For some affiliate networks and publishers, it’s a quick and easy way to hit a performance target when it looks like a campaign might fall short of its objectives.
And it’s here that ad fraud starts to look like a secretive game, with multiple stakeholders who would prefer to keep everything from public view.
— Websites get the traffic they need to inflate their ad revenues or justify their rates
— Ad networks get the volumes they need to reach their volume targets
— Media agencies can boast to clients about the billions of impressions they’ve secured at low CPMs, delivering apparent savings and increased
A real-world example
In a typical scenario, an advertiser might pay a media agency $1 CPA for each conversion it can deliver, for example a form containing lead information. The media agency hires an affiliate network and pays $0.8 for each conversion, taking a 20% commission for each conversion. The affiliate network then serves the ad to websites on its network. When a conversion takes place, the affiliate is paid the commission ($0.8).
Now insert fraud into the picture. If the affiliate is unethical and uses traffic sellers to generate (fake) conversions, the $0.8 per conversion is split by the affiliate with the traffic seller, who then pays the hackers who rent space on their botnets. For the sake of argument, let’s say they get half: $0.4.
If the numbers sound too small to worry about, remember that bots can generate millions of fake clicks at practically zero cost to the fraudster. If one bot creates 100 fake conversions for a single campaign in a day, $100 in ad spend has been wasted, while the botnet operator has earned $40 profit.
What can advertisers and mobile networks do?
Last year, 1 in 5 website requests – 20.4% – was generated by a botnet, wasting a massive amount of ad budget and diverting the rest into criminals’ bank accounts.
Cybercriminals are smart and able to turn complex mobile ad transactions into opportunities for fraud. When it comes to combatting mobile crime and securing m-commerce for mobile subscribers, sophisticated scams need sophisticated solutions.
That’s why it’s never been more critical to have a mobile security solution dedicated to the specific risks faced by the mobile and advertising industries as a whole.