eCommerce has been on the rise for quite some time now, and the popularity of online shopping is only growing further. This was seen particularly during lockdowns and quarantines in the recent COVID-19 crisis, where non-essential shops were forced to temporarily close, leading to a huge boom in online shopping that is only set to continue. But with the rise of eCommerce has come a rise in ad fraud. According to research, falsely represented sites and bots are the best-known forms of ad fraud. But what is it exactly, and how is it affecting businesses today?
What is ad fraud?
Click or ad fraud is a method used to steal funds from genuine advertisers, and it has been around for as long as online marketing has. However, as online marketing has become more popular recently, so has ad fraud. There are various different ways that fraudsters commit this crime, which we will explore further. Since some of these methods are harder to detect than others and the methods designed to prevent it are still quite new, nobody knows exactly how much fraudsters have been able to steal from advertisers – although the figure is estimated to be in the billions.
Hidden and invisible ads
Hidden and invisible ads are exactly that – adverts that a fraudster has placed on a website so that they are invisible to the user while still reporting an impression. There are many ways in which this can be done, including displaying the ads away from the user’s view, displaying them in a way that is impossible for the naked eye to see, such as in a 1×1 pixel iFrame, or loading one iFrame in a single ad slot but displaying multiple ads in it, so that the user will only be able to see one of them.
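A publisher-side audit for these three patterns can be written as a check over each ad iFrame's geometry and style. The following is an added example, not code from the original article; the field names (`adIds`, `opacity` and so on), the thresholds and the sample frames are assumptions made for illustration.

```javascript
// Added example: flag ad iframes that match the hidden-ad patterns above.
// Frames are plain objects in page coordinates so this runs under Node; in a
// browser the fields would come from getBoundingClientRect()/getComputedStyle().
const MIN_SIDE_PX = 2;    // assumed threshold: a 1x1 "pixel" frame falls below it
const MIN_OPACITY = 0.05; // assumed threshold for "impossible to see"

// Area of the frame that overlaps the page. An ad below the fold still
// overlaps; one parked at left:-9999px does not.
function areaOnPage(f, page) {
  const w = Math.min(f.x + f.width, page.width) - Math.max(f.x, 0);
  const h = Math.min(f.y + f.height, page.height) - Math.max(f.y, 0);
  return Math.max(0, w) * Math.max(0, h);
}

function auditAdFrames(frames, page) {
  const findings = [];
  for (const f of frames) {
    const reasons = [];
    if (f.width < MIN_SIDE_PX || f.height < MIN_SIDE_PX) reasons.push('pixel-sized');
    else if (areaOnPage(f, page) === 0) reasons.push('off-page');
    if (f.display === 'none' || f.visibility === 'hidden' || f.opacity < MIN_OPACITY) {
      reasons.push('invisible-style');
    }
    // A slot shows one creative at a time; extra ads in it are never seen.
    if (f.adIds.length > 1) reasons.push('stacked:' + f.adIds.length);
    if (reasons.length > 0) findings.push({ id: f.id, reasons });
  }
  return findings;
}

// Constructed sample data, not taken from any real site.
const visible = { opacity: 1, display: 'block', visibility: 'visible' };
const samplePage = { width: 1280, height: 4000 };
const sampleFrames = [
  { id: 'top-banner', x: 276, y: 10, width: 728, height: 90, ...visible, adIds: ['a1'] },
  { id: 'below-fold', x: 900, y: 3000, width: 300, height: 250, ...visible, adIds: ['a2'] },
  { id: 'pixel', x: 0, y: 0, width: 1, height: 1, ...visible, adIds: ['a3'] },
  { id: 'parked', x: -9999, y: 0, width: 300, height: 250, ...visible, adIds: ['a4'] },
  { id: 'stack', x: 20, y: 500, width: 300, height: 250, ...visible, adIds: ['a5', 'a6', 'a7'] },
  { id: 'faded', x: 20, y: 900, width: 300, height: 250, ...visible, opacity: 0, adIds: ['a8'] },
];
console.log(JSON.stringify(auditAdFrames(sampleFrames, samplePage)));
```

The below-the-fold frame is deliberately not flagged: an ad the user can scroll to is legitimate, whereas one positioned outside the page bounds can never be seen.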
With this attack, malware takes over the ad slot on a particular website and displays a different ad that benefits the fraudster rather than the website owner. This can be done in a few different ways: compromising the website or the owner’s device to amend the ad tag HTML, compromising the owner’s computer to change the DNS resolver to the IP address of a server that the attacker controls, or compromising the owner’s router or proxy server in order to amend the HTML content.
A popunder is similar to a pop-up window with an ad, except that rather than appearing in front of the website, the ad is situated behind the web browser. There are some domains where this is considered to be a legal method of advertising, but the majority of ad networks do not allow it.
Impression laundering is often used in conjunction with popunders to generate even further revenue for the attacker, and it conceals the real website where the ad is displayed. For example, an advertiser might purchase ads from a publisher who has an audience that is relevant to the advertiser’s brand. Part of the impressions that the advertiser purchases will then be served on fraudulent websites where neither the content nor the audience is relevant to the advertiser’s brand. The ad calls are ‘laundered’ through nested ad calls through iFrames and complex redirects so that the advertiser will see legitimate sites rather than the actual sites where the ads have been displayed.
Clicks can also be hijacked in a similar way to ad placements. With this type of attack, the user is redirected to a different site when they click on an ad rather than the site that it should have led to, which essentially steals a potential customer from the advertiser. This can be achieved in a few different ways, but it usually involves compromising the publisher’s website to hijack the click by inserting an onClick event on the ad iFrame, or compromising the user’s computer and changing the DNS resolver.
Activity that imitates that of humans can also be used by fraudsters. This usually involves a variety of different methods such as malware, bots, or farms for app installation and clicks, with the end goal of creating a large audience of users that do not actually exist. For example, click bots are used to perform fake actions, tricking advertisers into believing that a lot of users have clicked on their ads when in reality, the ads have never reached an organic user. Another method is click farms, which consist of low-paid human workers who spend hours clicking through ads even though they are not interested in making a purchase, therefore earning money for the fraudsters.
Bots are designed to perform a range of fake or malicious actions. In ad fraud within apps, bots are used to send events and clicks for fake installs. They falsely take the credit for in-app engagement by real-life users when fraudulent clicks find their way to an attribution system. The main goal of click fraud is to fabricate clicks in two different ways:
Click spamming: Real, hijacked mobile device IDs send click reports that are fake. When a real user with the same ID installs the app organically, the credit – and the profit – go to the fake click and the fraudster behind it.
Click injection: Users download fraudulent apps where fake clicks are generated; the fraudulent apps also take the credit for the installation of other apps.
How ad fraud is detected
Detecting ad fraud can be very difficult since there is such a variety of different methods. The good news is that as e-commerce and click fraud become more commonplace, there are now several companies out there that offer services to discover and prevent ad and click fraud, such as ClickGuard. They provide a range of solutions to help you detect and prevent click fraud along with useful information on their blog, such as the article “The Growth of Pay-per-click Ad Fraud with eCommerce”. Mostly, companies such as these use algorithms that are designed to detect suspicious behavior such as unusually high CTRs and very poor campaign performance.
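The "unusually high CTR with very poor campaign performance" signal can be checked against per-placement campaign totals. The following is an added example, not code from the original article or from any vendor named in it; the thresholds, field names and sample figures are assumptions made for illustration.

```javascript
// Added example: flag placements whose click-through rate (CTR) is far above
// the campaign baseline while their conversion rate (CVR) is far below it.
const MIN_CLICKS = 50;    // assumption: below this there is too little data to judge
const CTR_FACTOR = 5;     // assumption: CTR >= 5x the median counts as "unusually high"
const CVR_FRACTION = 0.2; // assumption: CVR <= 20% of the median counts as "very poor"

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = Math.floor(s.length / 2);
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

function flagSuspiciousPlacements(rows) {
  // Baseline only on placements with enough volume, so a tiny placement
  // with 20 clicks cannot skew the medians or be flagged on noise.
  const eligible = rows
    .filter(r => r.impressions > 0 && r.clicks >= MIN_CLICKS)
    .map(r => ({
      placement: r.placement,
      ctr: r.clicks / r.impressions,
      cvr: r.conversions / r.clicks,
    }));
  if (eligible.length === 0) return [];
  // Medians rather than campaign totals: one fraudulent placement with a
  // huge click count would otherwise drag the baseline toward itself.
  const medCtr = median(eligible.map(r => r.ctr));
  const medCvr = median(eligible.map(r => r.cvr));
  return eligible.filter(
    r => r.ctr >= CTR_FACTOR * medCtr && r.cvr <= CVR_FRACTION * medCvr
  );
}

// Constructed sample data, not real campaign figures.
const sampleRows = [
  { placement: 'news-site-a', impressions: 40000, clicks: 400, conversions: 12 },
  { placement: 'blog-b', impressions: 25000, clicks: 200, conversions: 7 },
  { placement: 'forum-c', impressions: 60000, clicks: 540, conversions: 15 },
  { placement: 'app-d', impressions: 10000, clicks: 2300, conversions: 1 },
  { placement: 'deals-f', impressions: 30000, clicks: 6000, conversions: 300 },
  { placement: 'tiny-e', impressions: 100, clicks: 20, conversions: 0 },
];
console.log(flagSuspiciousPlacements(sampleRows));
```

In the sample, `deals-f` has a CTR nearly as high as `app-d` but converts well, so only `app-d` is flagged; a high CTR on its own is not treated as evidence of fraud.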
What else can I do?
Although there are more companies out there who specialize in detecting ad fraud, fraudsters are continuously coming up with new ways to take advantage of the system and take funds from advertisers. Bots are becoming increasingly sophisticated, which is making the detection of ad fraud even more difficult. So, what can you do? Experts recommend that developers perform regular SDK updates, perform frequent fraud assessments and tests, and closely monitor data for anything out of the ordinary. If you are an eCommerce store owner using PPC advertising, it’s worth considering working alongside a company that focuses on detecting and preventing ad fraud to conduct regular tests and respond to any suspicious activity quickly.
Online ad fraudsters and technology companies that are trying to fight click fraud have found themselves in a constant war that’s comparable to the ongoing fight between hackers that create viruses and software brands that offer antivirus solutions. Ad fraud is becoming a more and more serious problem for advertisers, and the financial loss that it can cause is getting bigger and bigger. And, since ad fraudsters follow the money, it seems to be a problem that is going to continue to stay around as digital advertising grows.