Digital advertising fraud is big business, and according to White Ops, it's the engine that now enables botnets to make money.
Automated bots are costing advertisers an estimated $7.2 billion, according to a new study
conducted by the Association of National Advertisers (ANA) and security vendor White Ops. It isn't just simple click fraud; it is an elaborate process that makes use of multiple components of the online ad delivery system.
Bots are automated and can help trigger non-human clicks and ad impressions that end up costing advertisers money, in turn, generating revenue for the bot owners. In 2014, the ANA/White Ops study found that bot advertisers had fraud percentages of 2 to 22 percent, which grew to a range of 3 to 37 percent for 2015.
Many organizations tend to think of ad fraud as just being about click fraud, but White Ops CEO Michael Tiffany said that is not the case. With click fraud, the fraudster uses a mechanism to click on a cost-per-click ad, generating revenue for the ad network, but costing the advertisers for the click. Tiffany explained that today most online ad spending is for display advertisements, including banners and video ads. Large brand marketers, for example, are not advertising online just to drive traffic to their own Websites, but rather to educate and market a brand message.
"Brand advertising is more about exposure than driving e-commerce," Tiffany told eWEEK
Tiffany said that most fraud operations make their money through a number of mechanisms. Tiffany explained that a bot fraud Website can make money by having a Website signed up with an advertising network and then serving ads whenever a visitor arrives.
"Bot fraud operators buy clicks with a traffic broker at a low price rate," Tiffany said. "When the visitor arrives, the page is filled with banner ads."
Tiffany explained that the banner ads are paid for by a brand advertiser. The revenue for the display ad is split between the advertising network and the site publisher.
Another piece of the online ad threat landscape is malvertising in which an online ad had links to some form of malicious content that infects a user with some form of trojan or exploit payload. Malvertising is largely a mass exploitation exercise to infect users, Tiffany said. There are different types of malicious infections, including ones that turn victimized systems into zombies that can then become part of an ad fraud botnet, helping to generate page views and clicks.
"The crime that really scales with a botnet is ad fraud because every single one of us is a target-able consumer," Tiffany said. "So a victim can generate extra page views for malware that is visiting Websites all day, enabling the attacker to make money with that. It's a crime that keeps on giving."
The money that is generated from ad fraud enables botnet economics to work, Tiffany said, adding that if ad fraud were less profitable, it wouldn't be as worthwhile for an attacker to infect a whole bunch of machines in the first place.
Advertisers can do a number of things to limit the impact of ad fraud this calendar year.
"As an advertiser, you lose money to ad fraud if anyone between you and the Website where your ad appears is trying to game you, or if anyone between you and the Website is being gamed by a third party," Tiffany said. "So the trick to winning is to sharply dis-incentivize everyone between the advertiser and the Website to even try and game the system."
Advertisers that were able to reduce their bot ad fraud exposure in 2015 did so because they instituted some form of third-party monitoring to verify ad placement and click quality. Additionally, the use of monitoring was helpful to hold publishers and ad networks to account.
"Advertisers didn't try and take responsibility for trying to stop the fraud directly themselves," Tiffany said. "They are telling their ad suppliers that they are responsible and they are held accountable."
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist