A recent report from the World Federation of Advertisers claimed that ad fraud was second only to drug trafficking as a criminal enterprise. It’s certainly big business; Juniper Research estimates that it harvested $35 billion globally in 2018 and $42 billion in 2019. That’s not exactly chump change.
For criminals, ad fraud has quite the allure. Startup costs are low—a good PC, software tools, and an Internet connection are all that you need to get started. Compare this to establishing a drug cartel: organizing peasants to grow drug crops, hiring thugs, establishing an international supply chain with smugglers and mules, and bribing officials. Competition can be fierce, and when I say fierce, I mean drive-by-shooting fierce. Then there’s jail time to worry about, not to mention finding ways to launder the profits.
Cybercrime and the Ad Fraud Business
Cybercrime has much more to recommend it. Admittedly, you will need software skills honed by a few years of experience, and location can be crucial. It’s going to help if you live in a country like Russia or Belarus which has no extradition treaty with the US. The risk of jail time is lower than drug trafficking, but hackers do get caught every now and then.
Ad fraud is by no means the only financial opportunity out there. You can make a healthy living from ransomware; Netwalker ransomware earned its perpetrators $25 million in just a few months. Data theft can also be lucrative. Credit or debit card information fetch up to $110 and medical records up to $1000 on the black market.
In case you think such diversification is too ambitious for a ‘mom and pop’ hacking outfit, don’t be concerned. They are natural sidelines that will integrate neatly with your main line of business: ad fraud, the most lucrative form of cybercrime.
The Ad Fraud Industry
Ad fraud is a game of deception. The goal is to create fake traffic (clicks on ads that were not made by real people), fake leads (apparent sales leads that are not real), and fake placement of ads (on websites that are not real websites). Advertisers pay for activity that appeared to reach an audience but never did.
Organizing this requires computer resources. That’s where a significant investment, mainly of time and effort, will be necessary. The hacker needs to create bots (automated software placed on hijacked computer devices) and botnets (networks of bots, automated to work together). There are many applications that need to be run; you need apps for password cracking, for encryption, for virus generation, for phishing and spear-phishing, for network probing, and for specific exploits. Most of these can be bought at competitive prices on the darknet.
Nevertheless, growing a sizable botnet takes time, and the size of the botnet is proportional to the income it generates. The largest recorded ad fraud operation was perpetrated by the Methbot botnet. Run by just eight Russian hackers, it harvested over $1 billion per annum at its height. It spread across 571,904 compromised devices, mainly servers located in Europe and North America—equivalent to a fairly large data center running 24/7.
It supported 6000 websites with over 250,000 web pages for showing video ads. The hackers fooled the digital ad market’s selection algorithms into choosing fake web pages over legitimate ones and charged advertisers at a premium for the ads.
And that is just one kind of ad fraud. There’s ad hijacking, where the hacker hijacks a website’s ad slots, from a user device or directly, either to generate false clicks or place their own ads. Another possibility is to hijack the ad click itself, directing the user to a different web site. There’s ad stacking, where ads are stacked on top of each other on the web page so that one click is registered for every ad in the stack. How about cookie stuffing, where hackers add affiliate strings to URLs to mimic conversion activity. There are fake apps for mobile phones that can hijack ad traffic. The possibilities are legion.
What’s more, the botnets a hacker builds can be rented out to companies that wish to sabotage competitors’ ad campaigns or bombard competitor websites with denial of service attacks. They can even be rented to other hackers working on different projects. You can think of it as a cloud service.
How Can We Fix This?
Figures (from both Juniper Research and AdAge) suggest that roughly a third of digital ad revenue is collected by the hackers. The sad fact is that ad fraud is far too successful and radical solutions are needed. The underlying problem is the lack of authentication and audit trails in digital interactions. It’s simply too easy to pretend to be legitimate.
Luckily technology, blockchain technology, provides a solution. When users achieve data sovereignty it will be easy to enforce bullet-proof user authentication. The same will be true for all organizations. The same is also true of devices whether servers or simple IoT sensors. As long as they are linked directly to an authenticated owner, an audit trail can be established. By linking together and storing audit trails on the blockchain, it becomes possible to forge a web of trust, where bad actors are ejected as soon as they are detected.
The best solution to fighting ad fraud is to create an ad ecosystem where clicks are provably human and ads can be sourced back to real businesses. The upside of this, aside from the obvious reduction in ad costs, is that an ad market based on trust can be established, where users willingly and securely share their data with advertisers to enable accurate targeting and verified ad impressions. Given the cost savings, a cryptocurrency-based arrangement would be possible, allowing advertisers to regularly reward consumers who watched their ads.
If that sounds like what we are doing at Permission.io, you’re getting the picture.
Of course, this would be terrible news if you were pursuing a career in cybercrime.