Not surprisingly, therefore, a host of clever systems have been developed by enterprising hackers to fool digital advertising algorithms into believing their come-ons have generated genuinely interested web traffic, for which the various providers, enablers and hangers-on are then duly paid.
Yes, this is fraud. And it is illegal. But it is hard to police, let alone prove. And the volumes are not insignificant. As the following article explains, as many as one third of the traffic being generated for such ads is fraudulent. Which amounts to approximately $10 billion on an annual basis. So when flinty-eyed finance types raise questions about why digital advertising does not appear to be producing as much in the way of business as had been hoped, creativity and marketing strategy are only part of the answer. JL
Christopher Stewart and Susan Vranica report in the Wall Street Journal:
"It's drug-level money, but you don't have to kill anyone," says Tamer Hassan , a co-founder and chief technology officer of White Ops, a year-old startup in New York that has developed technology that it says can spot robotic traffic and uncover digital ad fraud.
The website Songsrpeople.com looks a lot like other amateur-video sites. It is wallpapered with clips featuring "the most insane amusement park ever" and "your girlfriend's six friends."The site draws tens of thousands of visitors a month, according to audience measurement firms. It also has ads for national brands, including Target Corp.But Web-security investigators at a firm called White Ops contend that most of the site's visitors aren't people. Rather, they are computer-generated visitors, or "bots," designed to fool advertisers into paying for the traffic, says White Ops, which has blacklisted the site—and thousands more like it—so that ads from clients such as Zipcar don't land there.An anonymous representative for Songsrpeople declined to discuss the site's traffic but in an email called the White Ops methodology into question.State Farm said it was looking into the matter while Target declined to comment and Amazon didn't immediately respond to requests for comment.Authorities and Internet-security experts say tens of thousands of dubious websites are popping up across the Internet. Their phony Web traffic is often fueled by "botnets," zombie armies of hijacked PCs that are controlled from unknown locations around the world, according to Internet security experts.The sites take advantage of the simple truth that advertisers pay to be seen. This creates an incentive for fraudsters to erect sites with phony traffic, collecting payments—often through middlemen and sometimes directly from advertisers."When you walk into this world, you walk with eyes wide open," said Brian Harrington , chief marketing officer at Zipcar, which ran a recent ad campaign, assisted by White Ops to filter out bogus traffic. "You know stuff is not real."At their most sophisticated, botnets can mimic the behavior of online consumers, clicking from one site to the next, pausing at ads, watching videos, and even putting items in shopping carts.Earlier in the year, an FBI operation, "Ghost Click," resulted in two men from Estonia pleading guilty in U.S. federal court in New York for their roles in a botnet ad-fraud scheme. The fraud involved four million hijacked computers in 100 different countries and yielded at least $14 million for a group of seven, federal prosecutors said.Security experts say that botnets can be rented or purchased on private forums and message boards around the world. In a translation of one proposal written in Russian, a member called "Shantaram" offers to drive 1,000 visitors to any website for $1, noting that it can source the traffic to any country "desired."Hackers build botnets by infecting computers with malware, which are regularly buried in email attachments or disguised as legitimate website downloads. Those infected computers are then connected by a command machine, which stealthily directs the network of zombies to do its work, whatever it may be. A computer user may not be aware of it.Ad industry executives blame the murky and complicated online ad ecosystem for creating an environment for the fraud. Most publishers, big and small, sell inventory through multiple channels, using middlemen who aggregate space across a host of sites and resell it to brands.The middlemen include ad networks, which often have sales teams, as well as ad exchanges, which employ automated systems that allow advertisers to bid on publishers' inventory. That inventory can be supplied either directly by the publisher, by ad networks, or through other companies that help websites sell their ad space.It isn't unusual for marketers to now have ads running across hundreds of different websites, elevating the chances that ads could land on questionable sites, unbeknownst to the advertiser. Even when advertisers find out their ads ran on a botnet-fueled site, there's no formal process for them to get their money back, ad buyers say.Automated systems have "enabled greater buying efficiencies and controls, but also made it easier for the bad guys," said Arthur Muldoon , co-founder and chief executive of the media buying firm Accordant Media, whose clients include Starwood Hotels, Seamless and Zipcar.To sift out bad traffic, Accordant uses a growing cast of security and verification companies, including comScore Inc., SCOR +1.11% comScore Inc. U.S.: Nasdaq $28.36 +0.31 +1.11% Oct. 10, 2013 4:00 pm Volume (Delayed 15m) : 148,154 U.S.: Nasdaq $28.37 +0.01 +0.02% Oct. 10, 2013 4:33 pm Volume (Delayed 15m): 3,226 P/E Ratio N/A Market Cap $1.00 Billion Dividend Yield N/A Rev. per Employee $238,686 More quote details and news » DoubleVerify and White Ops. Last year it doubled the money it spent on their services. Accordant also has a swelling blacklist of sites where it won't buy ads. That list has tripled from last year and now includes hundreds of thousands of sites.White Ops was founded by Mr. Hassan, Michael J.J. Tiffany , Ash Kalb and well-known Internet security researcher Dan Kaminsky about a year ago and operates out of a science-fiction bookstore in Brooklyn. Early on, the company chased bank fraud schemes. But that changed when someone at a party showed Mr. Tiffany a snapshot on his iPhone: a $900,000 check from an ad network. The acquaintance said he had gamed the ad network into thinking he hosted sites with big traffic. "It got me thinking, 'We should take a look at this,'" said Mr. Tiffany, the chief executive of the company.White Ops has cataloged tens of thousands of suspect websites. Its technology identifies bots in real time and then prevents ads from going to the bad sites. The aim is to strike at the cash flow of the scam sites instead of trying to put "guys in handcuffs," Mr. Tiffany says.Digital ad spending in the U.S. is expected to jump 14.9% this year to $42.3 billion, according to eMarketer. Most websites make money from advertisers based on how many people visit the sites. While low traffic sites can earn 25 cents per thousand views, more well-known sites can make as much as $20 for every thousands views. Video ads tend to fetch higher ad rates.Some experts say ad networks and exchanges aren't screening the publishers they work with well enough, and therefore are partly responsible for botnet-related fraud.Critics say the middlemen have a conflict of interest, since they get a cut of fees advertisers pay. "If they reduce the fraud, they reduce their revenue," said Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a Web-application security firm in Santa Clara, Calif."Follow the money—the blame [for the fraud] lies with the entity that gains the most," said Susan Bidel , an analyst at Forrester Research Inc. "That would be the publishers and every middleman that gets a fee to process [the ad buy]. They are all complicit in some way, whether they are actively complicit or passively."The middlemen say they are doing their best to stamp out fraud using their own filter techniques and policing teams to weed out fraudulent publishers. They reject the notion that they are turning a blind eye to botnets."Everybody recognizes that this is a problem," said Steve Sullivan , vice president of advertising technology at the Interactive Advertising Bureau, a digital ad industry trade group. "The reality is some of those companies are in fact doing the best they can."While some scammers create stand-alone operations, others devise sprawling empires. In one case, the White Ops technology uncovered a zombie-populated lifestyle network, with hundreds of connected sites, including bodybuildingfaq.com, financestalk.com, and abctraveling.com. No one at the sites could be reached for comment.In some scenarios, legitimate websites inadvertently set themselves up for botnet invasions when they hire companies to help boost their traffic. That can involve building audiences through methods such as paid keyword-search advertising with search engines.White Ops discovered that more than 30% of the visitors to the education portal Education.com were robots. In the past month the site received about four million unique views, according to Quantcast.A spokesman for Education.com said it was aware of the bot-traffic and that it had likely come from an initiative in the summer to boost its audience numbers. Education.com had bought traffic from a variety of legitimate sources, including search engines, to lure in new subscribers, as well as users "who would perform well for advertisers.""We shut down the program," the spokesman said.Online measurement company comScore said well-known websites with heavy traffic can have single digit percentages of bad traffic while lesser-known sites might get 25% of their traffic from bots.The losses to ad fraud are hard to nail down. Security company Solve Media Inc., for instance, estimates that up to 29% of display advertising traffic world-wide is driven by bot armies, and could cost advertisers roughly $10 billion dollars this year, the company said.Microsoft Corp. and security-software maker Symantec Corp. recently went after a network called Bamital, which the companies estimated had been taking in more than $1 million a year from ad fraud. A federal court order shut down Bamital and U.S. Marshals confiscated the servers behind the cyber operation. The companies are now doing forensics on the equipment, hoping to uncover in part the workings of a botnet business, as well as the location of the people behind it.One botnet called ZeroAccess is thought to have hijacked 685,000 computers in the U.S., according to Alcatel-Lucent Kindsight Security Labs, a unit of Alcatel-Lucent. Every day, it generates about 140 million ad views on sites with fake traffic whose "sole purpose appears to be to host ads," costing advertisers some $900,000.
0 comments:
Post a Comment