Why Cyber Security Experts Are Taking Aim At Sourced Traffic


The mistaken belief that there’s an infinite supply of targetable inventory on the Internet keeps fraud viable.

That’s a key takeaway from a presentation last Thursday by Videology and White Ops at Videology’s New York City office, following a partnership between the two companies in May.

“Online ad spending spikes up in November and December,” said White Ops CEO Michael Tiffany, alluding to the deluge of holiday marketing. “Much of that isn’t because there’s more human attention online. … It’s phantom inventory.”

There are two primary ways for a fraudster to operate. One is to open his or her own domain (anything from a “mommy blog” to home improvement or celebrity gossip), stuff it with canned content and tap cloud-based botnets to supply a stream of traffic, which is then passed through a daisy chain of syndicates, affiliate programs and sell-side vendors until it eventually reaches the exchange, squeaky clean.

The second variety comes from sourced traffic, which is when one publisher pays another to send users to its site. Sourced traffic accounts for what happens to the marketing that is lost when ad spend rises without a corresponding rise in human traffic, such as over the holidays.

Using sourced traffic is a fairly standard practice. “It’s made total sense for the industry,” said Quinn Sanders, Videology’s product director. “You’re giving performance-based metrics, and paying as publishers hit those benchmarks.”

Except that a White Ops and ANA study of non-human traffic from 2014 found that while a direct audience is mostly human, sourced traffic is almost 90% attributable to bots.

That’s why Dow Jones and The Wall Street Journal (owned by Dow Jones & Co.) don’t accept any sourced traffic, according to Suzanne Sypulski, the executive director of advertising operations at those digital networks. But while that’s an option available to the Journal, many publishers and ad networks rely on sourced traffic to hit their audience targets for direct campaigns.

Even the agencies acknowledge that it’s a part of doing business. Julian Zilberbrand, EVP of insights and technology for Zenith Optimedia, said agencies shouldn’t lay the blame on publishers when there are tools available to them.

“If you only want [owned-and-operated] traffic, then put that in your contract,” he said. “And there are third-party verification tools available, so there’s no excuse if you can’t respond to wasted spending before it does material damage.”

Sypulski, for her part, puts the onus on publishers to filter their inventory. But Tiffany and other cybersecurity experts said making publishers responsible for tackling the crisis is akin to leaving retailers in charge of all credit card fraud.

“The only way to address the problem sustainably is to have security controls and responsibilities allocated across every level of the industry,” Sanders said.

For instance, publishers can’t be solely responsible for policing fraud because bot traffic is often the most valuable traffic. Hackers understand what marketers want, and design bots to very convincingly portray themselves as that target audience.

According to Sanders, bots do things like “go to Amazon and put items in a shopping cart but bail before purchasing, and register for newspapers online or move the mouse and scroll around a page like a human would.”

Bots also tend to have better viewability metrics, since the people programming them are responding to what advertisers are pushing agencies and vendors to prioritize.

Tiffany sees the problem getting worse before it gets better, as new channels emerge (notably online video and mobile), “we’ll see increased fraud flow to them alongside ad dollars” – where he thinks there’s an opportunity is the ability to use market forces and industry cooperation to make ad fraud unprofitable.

For example, the study White Ops conducted in partnership with the ANA didn’t just generate statistics on bot traffic, it provided legal language around transparency and inventory quality that can be inserted into contracts: “There’s no technical countermove to that kind of business operational change.”

These are ways the white hat community can overcome systemic disadvantages – like a lack of resources available to match the scale of cybercrime. Some cybercriminal investments rival top-end security outlays in the private sector.

According to Tiffany, by successfully shutting down streams within the digital advertising ecosystem that are currently available to fraudsters, they’ll be pushed into domains that put them at legitimate risk.

“These are the people committing bank fraud and other cybercrimes, as well as some more outrageously horrible things like human trafficking,” he said. And by shutting down fraud coming from sourced traffic, itself only a slice of the total ad fraud pie, the industry can decrease the “rolling funds” criminals have available to sustain their operations and “push them back to fields that are less lucrative and carry personal consequences.”

When asked if he sees advertisers eschewing digital as a whole due to concerns over fraud, Zilberbrand sums up both why there’s an urgency to find solutions and why the ecosystem is an attractive target for crime in the first place. “The reality is consumers are on and spending on digital devices, so it’s just not something we can avoid.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!