The infiltrated creative route is the most common because it’s the easiest to perpetrate, said Amit Joshi, director of product and data science at Forensiq.
“All you have to do is come up with one or two pieces of bad creative and distribute it,” Joshi said.
In fact, some fraudsters will pose as legit ad networks for a period of time in order to gain a publisher’s trust, running campaigns that seem to be on the level before starting to insert bad creative as a way to drop malware.
And mobile is particularly fertile ground for that sort of shenanigan.
“Mobile provides a better ‘use case,’ if you can call it that, for malware, because it’s a single screen rather than multiple tabs on one screen like in the desktop environment,” said Alex Calic, CRO at The Media Trust.
But Who’s To Blame?
Demand Media's Bornstein has a few choice words for third-party ad networks.
“Mobile redirects are a problem, but they are just the symptom of a larger issue, and that’s fraud being perpetrated by ad networks,” he said. “What makes publishers like me so frustrated is that despite so much talk in the industry about how to get them to do better, it’s still happening. It’s like a game of whack-a-mole – you get rid of something bad from one exchange and then it appears somewhere else soon after under a new name.”
Bornstein acknowledged that not every ad network or exchange is sitting in a basement somewhere in Eastern Europe twirling its proverbial mustachios. But many, he said, are at the very least tacitly complicit, purposely turning a blind eye to unsavory activity.
“They might have a legitimate business, but they’re also letting in shady traffic because what they really care about is scale, volume and traffic,” Bornstein said.
KPIs are part of the problem. Affiliate networks and ad exchanges aren’t thinking much about lifetime value if they get paid on a cost-per-install basis.
“If a marketer says, ‘I don’t care, just sell me app installs at cost per whatever,’ that’s what these companies will do,” said Jonah Goodhart, CEO of Moat. “And if you throw enough junk at people, something will get through even if users aren’t actively choosing to do whatever the action is.”
But it’s not necessarily cost per install’s “fault,” according to Forensiq's Joshi.
“You have to incentivize networks in some way, and you could argue that no matter what incentive you give a network, some bad players will game that metric to get a payout,” he said, noting that Forensiq has even seen fraudsters start to mess with viewability requirements by faking the request a measurement vendor sends back to the system to acknowledge that an ad is viewable.
Beyond involuntary redirects, most of which point users to the App Store or Google Play to try to force a download, The Media Trust’s Calic said he’s noticed another distasteful desktop-inspired tactic bleeding its way into the mobile ecosystem over the last several months – phishing.
“We’re seeing links that redirect to landing pages with calls to action to win free prizes or participate in surveys which are being used as a platform to launch malware or other malicious activity,” Calic said. “It’s like direct marketing for bad guys, and if the profit exceeds the cost, they’re going to keep doing it.”
But the question remains: Who the heck actually downloads anything after being effectively kidnapped and taken to the app store against their will or being presented with a random webpage that promises a free iPad?
It’s a numbers game. Send out enough spam and it’s worth it. It wouldn’t be happening if it wasn’t, said Joshi.
“The players doing this are submitting such a high volume of fake clicks that even if their click-to-install is super low, say sub-5%, the payout is high enough,” he said. “And it’s not always the physical app store or a real mobile webpage that’s being opened in front of the user anyway.”
The redirect could be stuffed into a 1-by-1 pixel on the page. When users unknowingly "convert," it looks like they’re downloading an app organically.
The only thing publishers, and advertisers for that matter, can really do to protect themselves is stay vigilant.
“Publishers should be QA-ing all of the direct stuff they bring in, but when it comes to third parties, there’s unfortunately no company that’s going to always be completely clean,” Calic said. “The fact is, the more third-party monetization you have, the more risk there is.”
Which is why Demand Media only works within exchange environments “that are properly vetted and have safeguards in place” like Google AdX, Bornstein said. Demand Media also has what Bornstein called “optimization specialists” whose job is to ensure transparency around yield, but who also monitor partners to ensure ad quality and that the user experience is not being degraded.
“With that said, as a larger publisher, we have access to resources that others may not have,” he said. “The industry is not doing enough to permanently expunge bad actors. … Many ad networks continue to be unscrupulous in nature.”
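The creative QA that Calic recommends can include a static pass over ad markup for the two behaviours described above: a redirect hidden in a 1-by-1 frame, and a script that sends the page to an app store without a tap. This is an added example, not code from the article or from any vendor named in it; the function names, the heuristics and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Destinations the article says forced redirects usually point to.
STORE_HOSTS = {"itunes.apple.com", "apps.apple.com", "play.google.com"}
STORE_SCHEMES = {"itms", "itms-apps", "market"}
# Navigation a script can trigger without a tap: location = / .href = / .replace( / .assign(
NAV_RE = re.compile(r"\blocation\s*(?:\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\(")
URL_RE = re.compile(r"""["']([a-z][a-z0-9+.-]*://[^"'\s]+)["']""", re.I)

def is_store_url(url):
    parts = urlparse(url.strip())
    return parts.scheme.lower() in STORE_SCHEMES or (parts.hostname or "").lower() in STORE_HOSTS

def is_tiny(attrs):
    """True when width and height (inline style or attribute) are both 0 or 1."""
    style = attrs.get("style") or ""
    for name in ("width", "height"):
        m = re.search(rf"(?<![-\w]){name}\s*:\s*(\d+)", style) or re.match(r"\s*(\d+)", attrs.get(name) or "")
        if not m or int(m.group(1)) > 1:
            return False
    return True

class CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_script = tag == "script"
        if tag == "iframe" and is_tiny(attrs):  # size alone is the signal; a reviewer checks src
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script and NAV_RE.search(data):
            for url in filter(is_store_url, URL_RE.findall(data)):
                self.findings.append(("script-store-redirect", url))

def scan_creative(markup):
    scanner = CreativeScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
# Constructed sample creatives, not taken from any real campaign.
CLEAN = '<a href="https://play.google.com/store/apps/details?id=com.example.app"><img src="https://cdn.example/b.png" width="320" height="50"></a>'
SUSPECT = ('<iframe src="https://trk.example/c?o=1" style="width:1px;height:1px;border:0"></iframe>'
           '<script>setTimeout(function(){ top.location.href = "market://details?id=com.example.app"; }, 800);</script>')
```

A static check like this only sees the markup present at review time, so creative that a network swaps in later, as the article describes, still needs ongoing monitoring of what is actually served.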