The Many Faces Of Programmatic Ad Fraud

• Non-human traffic (i.e., bots).

• Zero chance of being seen (i.e., zero percent viewability).

• Intentionally misrepresented.

• Simple Bots: Simple bots are essentially just scripts that run from a server somewhere, like Amazon Web Services or some other hosting provider. Because they are simple, they are usually easy to identify — since they have a static IP, user agent, cookie ID and so on — which makes fingerprinting and blocking them relatively easy.

A simple look at some DSP auction logs, or even Web server logs from those that click through, make simple bots fairly easy to detect and block. For example, one could simply block all known data center IPs.

• Sophisticated Bots: Sophisticated bots, on the other hand, employ tactics like rotating user agents, using random proxies (to rotate IP addresses), mimicking normal click-through rates, and in some cases, even mimicking real mouse movements from captured browser activity. All of these factors make it harder to fingerprint and block them.

• Botnets: Botnets are generally a large array of personal (residential) computers that have been compromised by bad actors. These actors have control of these machines, employing them for tasks like loading and clicking on ads, which generates legitimate-looking, but ultimately fake, impressions and clicks for advertisers.

Botnets are the hardest to detect and block, but they are also highly illegal and, therefore, riskier for bad actors to deploy. (To see an actual demonstration of how an infected computer behaves as a bot, check out this eye-opening video from the folks at Integral Ad Science.)

• Invisible Ads: There are a few common ways that fraudulent publishers “hide” ads so that they fit the criterion of having “zero chance of being seen” by a human visitor.

The first is referred to as “ad stacking” or “impression stacking,” which is basically hiding ads behind other ads. In such cases, the publisher is generating multiple impressions for a single page view, but the only ad that is visible is the top one.

In a similar vein, invisible iFrames are another way of intentionally hiding ads. By loading ads in unviewable (1 pixel by 1 pixel) iFrames, an impression or multiple impressions are generated, with no chance of ever being seen. Such tactics are relatively easy to detect using off-the-shelf ad verification tools like Integral Ad Science or Pixalate.

• Arbitrage: One of the most under-reported but insidious forms of human-based traffic fraud is a form of arbitrage. It can take many shapes and affect multiple formats, such as display and, most notably, video.

In essence, the bad actors purchase traffic for a very low cost and resell it for a multiple of the price. For example, a publisher may sell their inventory for $5 CPM on average but may be purchasing questionable traffic to their site for a fraction of that cost.

• Domain Spoofing: In the RTB (real-time bidding) ecosystem, publishers are sometimes allowed to declare their own domain and the label of their Site ID. Fraudulent publishers use this as an opportunity to misrepresent their inventory. They may identify themselves as huffingtonpost.com, but if you dig deeper, the actual domain the ad was served on was different. In other cases, the ad-serving domain is spoofed within the bid request.

• Site Bundling: Site IDs are how inventory is classified in the RTB ecosystem. The way RTB was designed, each Site ID was supposed to correlate to a single domain.

But in practice, many publishers and exchanges bundle entire networks of domains under single Site IDs. So an advertiser might think they are buying abc.com but end up with ads served on xyz.com.

This configuration happens on the supply side, which is outside the control of DSPs (demand-side platforms). This falls under the “intentionally misrepresented” inventory category.

• Ad Injection: As a result of browser toolbars and other adware plugins, ads can get injected and/or replaced on any site, often without the user or publisher noticing. This creates a situation where ad inventory might show up as facebook.com, for example, but is no way related to Facebook’s actual ad inventory.

After all, any Facebook user could tell you that there are no 300×250 or 728×90 banner placements. But with ad injection, inventory can be created on premium websites out of thin air.

• Cookie Stuffing: The practice of cookie stuffing is nothing new to the world of online advertising. There have been some high-profile cases of cookie stuffing where it was used to maximize affiliate revenue.

Cookies are just as important today, because they are the mechanism through which a large part of the programmatic ecosystem targets audiences. And with inexpensive sources of internet traffic available for purchase, cookie stuffing to dilute or misrepresent audience target data is now a real thing.

It’s also worth noting that cookie stuffing can occur on both human and non-human traffic, so technically, it could fall into either category, and sometimes both.

• Click Farms: There are incentivized programs, often masked as “work from home” or “make money online” schemes, that pay real people to click on ads and even fill out forms, resulting in valueless impressions, clicks and conversions.

Since these are real people, it’s hard for most software vendors to catch these schemes, but they are most definitely fraudulent activity. (Check out this video to enjoy a good parody of what these schemes look like.)

• Why does ad fraud exist in the first place?

• Who is responsible for ad fraud?

• How do marketers protect themselves against fraud?