A version of this article was originally published on The Drum.
According to Juniper Research, by 2023, there will be more than $100 billion in global revenue lost to ad fraud. The current global climate has likely only encouraged the surge of these sophisticated crimes.
More companies have been transitioning to digital environments so that workers can do their jobs from home. However, this shift that has been so beneficial to employees increases the number of potential targets for criminal ad fraud. Many companies struggle to detect abnormal activity since “the new normal” has changed the behaviors of people online.
Oracle Moat is staying ahead of these crooks by exposing several sophisticated ad fraud schemes. We’ve narrowed in on suspicious nonhuman activity using advanced invalid traffic (IVT) detection capabilities, and we lead the way in protecting connected TV (CTV), a vulnerable, emerging format.
The following is a recap of some of Oracle Moat’s most notable discoveries.
The fraudsters forged household IP addresses, app IDs, and device models to make it look as if the ads were playing in digital environments, but that never happened. Oracle Moat’s technology revealed the operation by identifying the fake impressions and classifying them as invalid.
The con cheated advertisers out of an estimated $14.5 million and stole that revenue from legitimate publishers whose apps were being spoofed.
Our IVT team found that criminals created a network of servers that requested ads with spoofed information and sent ad-impression events to Oracle Moat and advertisers. Neither ads nor videos were served to any users. Both advertisers and publishers were tricked by this scam.
Criminals used malware-infected Android phones to generate fraudulent ad impressions.
The fraudsters were able to leverage malware-infected devices to spoof ad impressions. The botnet underwent three pivotal changes in its evolution as it tried to evade detection.
These ad fraud botnets are estimated to have stolen more than $100 million in in-app ad spend from players across the digital ad industry over the past year.
Our IVT team detected this threat through a series of mistakes the fraudsters left behind. These errors allowed us to develop the first round of detection. Oracle Moat also joined the effort led by Trustworthy Accountability Group (TAG) to eliminate the threat. Combining our findings with Protected Media and White Ops allowed us to take disparately reported threats and merge them into a single botnet signature.
Criminals used a fake URL and showed a 404 webpage so that they could siphon advertising dollars.
The perpetrators were able to spoof URLs on popular websites by utilizing a botnet that was distributed by malware. This was first reported as a 404bot because the originally spoofed URLs resulted in 404 errors for anyone who bothered to check. However, the scheme evolved to spoof URLs that did not result in 404 errors when checked.
It’s estimated that the 404bot scheme robbed advertisers of more than $15 million and wasted at least a billion video ads.
Oracle Moat researchers caught on to the perpetrators’ scheme. IVT researchers investigated the evolution of 404bot and pinpointed the actual proxy software distributing the malware, taking it apart in our clean room and developing customized protections.
In a malicious in-game advertising scheme, criminals tricked advertisers into giving away money through a popular video game.
Often, players of various games watch paid advertising to earn virtual rewards such as currency. However, in this scheme, a bot viewed the ads instead, using real gamers’ IDs taken from public forums. Advertisers thought they were engaging gamers; instead, they were engaging a bot.
Compared to other schemes that milked millions, this one wasn’t as profitable.
The bot used User Agent spoofing to make it look as if traffic came from several browsers, but Oracle Moat researchers figured out that the underlying features across all the User Agents were the same.
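One way to implement the kind of check described above, as an added example that is not Oracle Moat's code: hash the client features reported with each impression and flag any feature set that shows up under several claimed browser families. The field names, sample events, and threshold are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample data; the "ua"/"features" schema is an assumption.
SHARED = {"screen": "1024x768", "tz": 0, "fonts": 12, "webgl": "SwiftShader"}
EVENTS = [{"ua": ua, "features": SHARED} for ua in (
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/80.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; rv:74.0) Gecko/20100101 Firefox/74.0",
    "Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/13.0 Safari/605.1.15",
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/80.0 Safari/537.36 Edg/80.0",
)] + [
    {"ua": "Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 Chrome/80.0 Safari/537.36",
     "features": {"screen": "1920x1080", "tz": -300, "fonts": 143, "webgl": "Mesa Intel"}},
    {"ua": "Mozilla/5.0 (Windows NT 10.0; rv:74.0) Gecko/20100101 Firefox/74.0",
     "features": {"screen": "1366x768", "tz": 60, "fonts": 88, "webgl": "ANGLE NVIDIA"}},
]

def browser_family(ua):
    """Coarse browser family taken from the claimed User-Agent string."""
    # Order matters: Edge and Chrome strings also contain "Safari/".
    for token, family in (("Edg/", "edge"), ("Firefox/", "firefox"),
                          ("Chrome/", "chrome"), ("Safari/", "safari")):
        if token in ua:
            return family
    return "other"

def feature_key(features):
    """Stable short hash of a feature set, independent of key order."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def flag_shared_fingerprints(events, min_families=3):
    """Return feature sets claimed by at least min_families browser families.

    A real user running two browsers on one machine can share some features,
    so the threshold is set above two to limit false positives.
    """
    families, counts = defaultdict(set), defaultdict(int)
    for event in events:
        key = feature_key(event["features"])
        families[key].add(browser_family(event["ua"]))
        counts[key] += 1
    return {key: {"families": sorted(seen), "events": counts[key]}
            for key, seen in families.items() if len(seen) >= min_families}

if __name__ == "__main__":
    for key, info in flag_shared_fingerprints(EVENTS).items():
        print(key, info)
```
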
Although we uncovered the DrainerBot ad fraud scheme in 2019, we recapped it in 2020 with a deep-dive podcast. DrainerBot was among the first ad fraud operations to financially compromise consumers.
The infected code consumed hidden and unseen video ads on smartphones. The owners never saw the ads. Meanwhile, the app told the ad network that the video ad appeared on a legitimate publisher site, but the site, ultimately, wasn’t real.
DrainerBot infected consumers’ mobile apps, using up as much as 10 gigabytes of data a month. The malicious bot drove up data charges on mobile devices, slowed the devices, and drained their batteries.
Oracle Moat and Oracle Cloud Infrastructure edge services picked up on the suspicious activity. They found that an infected SDK from Tapcore, a Dutch mobile monetization company, distributed the DrainerBot into popular Android apps.
Fraudsters will leverage channels they know are popular so they can tap into engaged audiences and hide their devious activities among real users. However, in a landscape full of risks and opportunities, IVT detection capabilities can expose and stop these fraudsters from wreaking havoc, and weed out the nonhuman traffic that’s intended to cause harm.
To hear more about how Server-Side Ad Insertion (SSAI) servers are used to spoof users, devices, and apps and the road to Oracle Moat's StreamScam discovery, watch the replay of "StreamScam Exposed: How Oracle Moat Uncovered CTV's Largest Ad-Fraud Scheme."
Sam Mansour is Principal Product Manager for Moat Analytics. Moat provides an ad verification platform for brands, agencies, publishers and technology platforms to measure and optimize their advertising. With a history of developing cutting edge ad products for both the advertiser and publisher sides of the ecosystem, Sam is well versed in the tools and technologies of the trade. He applies his experience to his focus on General and Sophisticated Invalid Traffic (IVT) detection at Moat.