After Methbot Conviction, Ad Industry Zeroes In On CTV As Fraud Hotspot

Following this month’s conviction of Aleksandr Zhukov – the ringleader of an ad fraud scam called Methbot that bilked digital advertisers out of more than $7 million five years ago – industry leaders said that such scams are becoming more frequent in connected TV (CTV) and are often tied to larger cybercrime operations.

Leaders from Amazon, MediaMath, Verizon Media, and Human discussed the need to tackle ad fraud in CTV during the IAB Tech Lab’s CTV & Video Advertising: Growing with Standards event on Wednesday.

The panel agreed that the Methbot case prompted advertisers to pay closer attention to the issue and sent a message to fraudsters that there are real criminal consequences. They called on the industry to get “relentless” in stopping such scams, which cost advertisers billions of dollars a year.

“It is diverting money away from high-quality content creators,” said Michael McNally, chief scientist of engineering at cybersecurity company Human, which shut down the Methbot scam at the end of 2016. “Malware that monetizes through ad fraud harms user privacy. There’s no more fundamental privacy violation than to have your machine owned and operated by organized crime.”

McNally said that shutting down fraud schemes curbs funding that flows to other cybercrime operations. Methbot, for example, used a network of servers allegedly used by Russian state-backed hackers who hacked the 2016 Democratic National Convention.

“It turns out that the same services that were hosting Methbot were also hosting the state-sponsored [hacking] attacks on the Democratic National Convention,” McNally said. “There’s an ecosystem of bad actors out there of which ad fraud is a primary monetization chain.”

CTV an easy target

CTV, McNally added, is uniquely vulnerable to fraud because there’s less to observe compared to other forms of advertising that have click-through, performance and conversion metrics.

Human and ad verification companies such as Oracle Moat and DoubleVerify have shut down multimillion-dollar “spoofing” schemes such as ParrotTerra, ICEBUCKET and StreamScam in recent years. Most of these fraud schemes used server-side ad insertion to generate fake CTV inventory across a large number of apps, IP addresses and devices.

Server-side ad insertion technology combines content and ads into a single video stream, which enables seamless playback on OTT devices, such as Roku, Apple TV and Fire TV. But the scams trick advertisers into paying for ads that were not actually seen in households.

In April, Human uncovered a botnet scheme called Pareto which infected nearly a million mobile Android devices, and pretended to be millions of people watching ads on smart TVs and other devices.

“With Pareto, the attackers would be rotating through SSP identities … and they would keep coming back with new accounts,” McNally said. “But it’s a straight-up fiction.”

Low-quality content is often a tell for fraud, but doesn’t get much attention, said Angie Pennington, sales operations and strategy lead at Verizon Media.

She added that it’s easy for scammers to create a fake channel and push through ad opportunities that look like legitimate CTV ad requests using bundles they’ve created, including a classic spy movie channel that had created 500,000 impressions a week in the channel store.

“The volume that comes along with those are completely unrealistic,” she said.

Stopping the scams

One solution to spoofing, McNally said, is “device hardware attestation,” an anti-abuse API that allows app developers to assess the Android device that their app is running on.

“Other platforms and vendors can do it, but this hasn’t moved into CTV yet,” he said. “In principle ... if you have hardware and iOS collaboration, that CTV device can cryptographically prove that it is a real physical device in a privacy-safe way.”

But there’s also the issue of fake apps, which are easy to spoof. McNally said that can be prevented by implementing anti-fraud SDKs into the apps.

Panelists called for a collective approach to mitigating fraud, which includes partnering with app and play stores and law enforcement to identify bad actors.

In April, Human launched the Human Collective, a program that brings together publishers, demand-side platforms (DSPs), supply-side platforms (SSPs), agencies, and brands to protect digital advertisers against fraud. Members include Omnicom Media Group, The Trade Desk, Magnite, and Amica Mutual Insurance.

Panelists recommended the adoption and refinement of standards developed by the IAB Tech Lab through the past several years, such as ads.txt, for publishers to declare who sells their inventory; sellers.json, for supply-side platforms or exchanges to declare their sell-side relationships; and app-ads.txt, which reduces fraudulent in-app inventory.

The IAB Tech Lab has also been working on enhancing CTV standards via app-ads.txt, and recently announced a tool called authenticated connections and delivery to authenticate an SSAI server, McNally said.

Publishers should audit sellers of content, which would allow them to trace funds coming from sellers that they’ve authorized, said Neal Richter, director of advertising science at Amazon Advertising.

“If I give someone a copy of my house key, I really have to trust that person because they could copy it … and I may have a stranger showing up to my house,” Richter said.
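The seller audit described above can be automated by cross-checking a publisher's app-ads.txt against each exchange's sellers.json. The following is an added example, not code from the panel or the IAB Tech Lab; the domains, account IDs, function names and the relationship-to-seller_type consistency rule are assumptions made for illustration.

```python
import json

# Constructed sample data: all domains and account IDs are placeholders.
APP_ADS_TXT = """\
# app-ads.txt published by publisher.example
exchange-a.example, pub-1001, DIRECT, abc123
exchange-b.example, 77002, RESELLER
contact=adops@publisher.example
"""
SELLERS_JSON = {  # one sellers.json document per exchange, as fetched text
    "exchange-a.example": '{"sellers": [{"seller_id": "pub-1001", '
                          '"seller_type": "PUBLISHER", "domain": "publisher.example"}]}',
    "exchange-b.example": '{"sellers": [{"seller_id": "77002", '
                          '"seller_type": "PUBLISHER", "domain": "other.example"}]}',
}
# Assumed consistency rule: which sellers.json seller_type fits each relationship.
EXPECTED_TYPES = {"DIRECT": {"PUBLISHER", "BOTH"}, "RESELLER": {"INTERMEDIARY", "BOTH"}}


def parse_ads_txt(text):
    """Map (ad system domain, account ID) -> DIRECT/RESELLER, skipping other lines."""
    records = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(",")]
        if len(fields) >= 3 and fields[2].upper() in EXPECTED_TYPES:
            records[(fields[0].lower(), fields[1])] = fields[2].upper()
    return records


def audit_seller(ad_system, seller_id, publisher_domain):
    """Classify one (exchange, seller account) pair taken from a bid request."""
    ad_system = ad_system.lower()
    relationship = parse_ads_txt(APP_ADS_TXT).get((ad_system, seller_id))
    if relationship is None:
        return "UNAUTHORIZED"  # publisher never declared this seller
    doc = json.loads(SELLERS_JSON.get(ad_system, '{"sellers": []}'))
    entry = next((s for s in doc["sellers"] if s.get("seller_id") == seller_id), None)
    if entry is None:
        return "UNLISTED"  # exchange does not disclose the account
    if str(entry.get("seller_type", "")).upper() not in EXPECTED_TYPES[relationship]:
        return "TYPE_MISMATCH"  # e.g. declared RESELLER but listed as PUBLISHER
    if relationship == "DIRECT" and entry.get("domain") != publisher_domain:
        return "DOMAIN_MISMATCH"  # account belongs to a different business
    return "OK"


if __name__ == "__main__":
    for pair in [("exchange-a.example", "pub-1001"), ("exchange-b.example", "77002"),
                 ("exchange-c.example", "spoof-1")]:
        print(pair, audit_seller(*pair, "publisher.example"))
```

Any result other than OK marks a supply path the buyer should question or stop bidding on.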

Buyers also need to take responsibility by doing more due diligence around the supply chain process, McNally said.

“If there are parties in the ecosystem that allow publishers to come to them and rapidly rotate identities, they’re probably much more vulnerable,” he said. “Get curious about your upstream. Where’s the traffic coming from? If a source is high IVT [invalid traffic], you should probably stop buying from that source. If it’s mixed IVT, you should ask questions.”
