The criminal enterprise behind the recently detected HyphBot digital advertising scam, reportedly one of the biggest of its kind in the world, exploited the lax oversight procedures of more than a dozen SSPs and Exchanges to build a sophisticated global fraud operation that raked in as much as $US1.2 million a day.
As we reported yesterday, some of the world’s most famous media brands were caught up in the scam, as were Australian publishers like News Corp and Fairfax Media, and television network Nine.
While the adtech industry is trumpeting initiatives like ads.txt to limit ad fraud, industry insiders say a gaping hole remains the failure of many platforms and exchanges to catch the fraudsters when they first set up direct payment facilities online. To save costs, these processes are typically automated with little or no oversight.
According to Jochen Schlosser, chief strategy officer at Adform, the Copenhagen-based full stack advertising technology business which blew the whistle on the scam, it notified all the affected SSPs and exchanges immediately upon discovering the fraud.
- An Adform white paper, How Adform Discovered HyphBot, describes how the scam was uncovered. The paper is based on a two-month investigation following the initial discovery in August.
Citing confidentiality agreements, Schlosser declined to identify those platforms. However, he told Which-50, “While some took action immediately, others were slower to act or have still not taken action. We are currently working with the authorities to help target the source of the issue.”
Ad fraud is a huge and growing problem. Juniper puts the scale of loss to ad fraud currently at over $US19 billion annually and says that if unchecked this will grow to $US44 billion by 2022. This would also make ad fraud one of the largest black markets in the world.
All this fraud is funded out of marketing budgets spent on poorly controlled campaigns and lax industry oversight, but ultimately the consumer pays through higher prices at the cash register.
No wonder, then, that Which-50 hears murmurings that regulators around the world feel they may need to intervene if the industry doesn’t put its own house in order.
According to Schlosser, “We are not publicly disclosing a list of the SSP and Exchanges involved as our primary focus is helping them to implement the necessary changes and shut this down as quickly and collaboratively as possible.”
“Our sole focus is helping our peers across the industry stop HyphBot and prevent future variations,” he said.
The HyphBot scam focussed on spoofing premium sites, using a botnet of millions of machines to trigger video inventory plays.
Video advertising is a lucrative target because the yields are higher than typical banner display advertising.
How it works
Legitimate sites like the Sydney Morning Herald or news.com.au are spoofed by the ad fraudsters. Botnets then cause millions of infected browsers to autoplay video advertising served programmatically to the more than 34,000 domains set up by the ad fraudsters.
The SSPs or exchanges which served the ads then pay a fee to the ad fraudster either on a cost per thousand or cost per click basis.
“These bots are running on the back end of legitimate users, and as such, some of their behaviours and their profile look more authentic than a purely automated system,” he said.
“For instance, they access the internet via real residential IP addresses. Despite this, the people owning the infected computers have no opportunity to see the ads and are not engaging with the content. The browsers being hijacked are being utilised without the awareness or consent of the individual users.”
This results in wasted advertising spend for the advertiser, and lost monetisation opportunities and inventory devaluation for the publisher, according to Schlosser.
We also asked Schlosser if the IAB’s recent ads.txt initiative would have mitigated the problem.
He told Which-50, “Ads.txt is not a 100 per cent stopgap to these types of attacks, but it is a huge step forward and makes it much easier to catch these schemes.”
“In theory, ads.txt can fully stop this. However, we’ve already seen that some publishers have partners in their ads.txt – meaning these are whitelisted and legitimate sellers for that site – that have questionable or overly lax practices and mix human traffic with bot traffic,” he said.
Ads.txt is a major step forward once fully implemented, but the onus is still on the publisher to pick partners wisely, he said.
“From working with publisher clients, we know that installing and keeping ads.txt can be a challenging proposition for some publishers. However, HyphBot illustrates the significant value that results from having it in place as well as the protection it helps deliver. Ultimately, the more transparent the transaction, the better and that’s where ads.txt has real value.”
He argued that to this end it is important that advertisers and publishers realise that ads.txt adoption will not happen overnight. “But the sooner we see widespread adoption, the better.”
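As an added illustration (not from the article, Adform or the IAB), the check below shows how an SSP or buyer can apply ads.txt to the domain-spoofing described above: parse the ads.txt a publisher hosts, then flag any bid whose claimed site has no entry for the selling platform. The publisher domain, seller domains, account IDs and ads.txt content are all constructed for the example.

```python
"""Validate programmatic bids against a publisher's ads.txt (IAB record format)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdsTxtRecord:
    seller_domain: str        # SSP/exchange domain authorised to sell the site
    publisher_id: str         # publisher's account ID at that seller
    relationship: str         # "DIRECT" or "RESELLER"
    cert_authority: str = ""  # optional certification authority ID


def parse_ads_txt(text: str) -> List[AdsTxtRecord]:
    """Parse ads.txt; skips comments, blank lines and variable lines (contact=, subdomain=)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line or "=" in line.split(",", 1)[0]:  # variable line, not a seller record
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                                   # malformed: ignore rather than guess
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 else ""
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], relationship, cert))
    return records


def authorized(records: List[AdsTxtRecord], seller_domain: str, publisher_id: str) -> Optional[str]:
    """Return the declared relationship if this seller/account pair is listed, else None."""
    for r in records:
        if r.seller_domain == seller_domain.lower() and r.publisher_id == publisher_id:
            return r.relationship
    return None


# Constructed sample of what a hypothetical publisher might host at https://news.example/ads.txt
SAMPLE_ADS_TXT = """\
# ads.txt for news.example (constructed example)
contact=adops@news.example
exchange-a.example, pub-1001, DIRECT, abc123
exchange-b.example, 55-9, RESELLER
"""


def check_bid(ads_txt_by_site: Dict[str, str], site: str, seller_domain: str, publisher_id: str) -> str:
    """Classify one bid: DIRECT/RESELLER if authorised; UNLISTED if the site publishes an ads.txt
    that omits this seller (the spoofing signature); NO_ADS_TXT if the site publishes none."""
    text = ads_txt_by_site.get(site.lower())
    if text is None:
        return "NO_ADS_TXT"
    return authorized(parse_ads_txt(text), seller_domain, publisher_id) or "UNLISTED"
```

A bid classed UNLISTED is the case ads.txt is designed to expose: inventory offered as a premium site by a seller that site never authorised.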