The online ad fraud issue is far worse than you think. It involves organized crime, Russian millionaires, ex-bank robbers and one-sixth of the computers in the U.S. Oh, and forget those estimates of a few million at stake. Rather $6 billion is being stolen from advertisers—$6 billion.
Those are just some of the explosive charges being leveled by White Ops, a Web security firm born of experts from the bank fraud and Internet securities industry—i.e., the best of the best hacker fighters in the country.
The company, founded originally to fight malware and bank fraud, claims that billions are being stolen from advertisers and agencies in the U.S. The company says it has identified sites where 20 percent to 90 percent of ads and clicks are fraudulent—i.e., the result of bots, not humans. And they’ve naturally got a new tool to attack this problem.
White Ops calls its technique Side Channel Analysis. Essentially, they claim to be able to identify bots and "fingerprint" them. Eventually their technology will help companies identify bots traffic in real time—with the ultimate goal of making ad fraud so cost prohibitive for crooks that they’ll walk away.
White Ops CEO Michael Tiffany said that he and others in the industry had long believed that ad fraud was a minor problem. “I assumed Google would have fixed it by now,” he said. Part of that assumption was that the dollars involved weren’t worth it to bad guys. “Credit card theft seems to be a managed problem," he added. "And spam doesn’t seem worth it. How many people want to buy herbal Viagra? So we kept asking, 'Why is grandma’s computer getting broken into?' The dollar figures frankly don’t make sense."
Tiffany and his team, which includes noted cyber security expert Dan Kaminsky (who Wired has credited with saving the Internet) and Kirshenbaum Bond + Partners co-founder John Bond, had been focused on bank fraud where sophisticated crooks don’t bother with stickups, but instead hack into bank computers to change wiring instructions, stealing from individuals little by little. “It looks normal on the back end and is crazily hard to catch,” Tiffany said.
But Tiffany, whose background is in government security, started noticing that these high-tech Jesse Jameses were shifting gears toward online advertising. Why? “It’s a better crime,” said Tiffany. "There are fewer people looking for you.”
Kaminsky, who has logged 13 years in Internet security at companies like Cisco, said he stumbled into the ad fraud world as well. “I did not set out to fix problems for the advertising space,” he said. “I care about keeping people’s computers safe. But I soon realized that the giant pot of money in advertising is quite attractive.” Kaminsky says that he met someone claiming to have stolen $1.8 million from Google in 2007, and this person was not sophisticated.
The new scammers are, he said. “You are starting seeing bad guys from my world,” noted Kaminsky. "These are professional organized crime operations. And they are not trying to steal docs from nation states. Rather they are going after ad dollars. In advertising, you can commit million dollars of fraud and no one will notice. In fact, people are happy because the click numbers went up.”
Both Kaminsky and Tiffany pointed to the open nature of the online ad system as being a great strength and a huge flaw. Too few people understand it. And to hear White Ops chairman Jon Bond tell it, not enough care.
“Most people make money on this,” said Bond, who now works as an advisor at Tomorro LLC. “They are not incentivized to fix this. There is tacit cooperation. And the clients are getting screwed. Agencies are afraid of looking bad. They don’t know what to do with it and then rationalize it away. But people are making insane amounts of money. Guys in Russia and far away places. I always joke, there are no poor bot vendors–you're dead or you're rich.”
Many in the industry will see such claims as outrageous, tales from the world of Tom Clancy novels. There is a large sector of the ad industry that sees bots and fraud as a nuisance, not a crisis, or a well-managed problem that is “priced in.”
That may be changing. Last week, Medialink president and COO Wenda Millard made the bold charge that 25 percent of the online ad spending pie may be going to fraud. Even e-commerce companies, which would presumably be immune to the problem since bots can’t buy stuff, are starting to raise their voices.
"We use data to build our conversion models," said Charles Hachtmann, CTO of the e-commerce firm Novica (which employs the firm Adroit Digital to fight bots). "You can’t build good models with bot data. And this is starting to cost us. It's not a margin of error thing, more like 4 to 5 percent of our revenue. That's eating into margins."
Of course, besides skepticism, the challenge that White Ops has is that the company isn’t revealing many specifics. It won’t say who the bad guys are and won’t say which brands are getting robbed (though it did reveal a big issue with the site Education.com in today's Wall Street Journal). It will be tough for some to take their scary assessment seriously without any of that.
White Ops execs claim it has two big motivations for secrecy. They need to protect client confidentiality, and they need to keep their secrets secret.
Nevertheless, the company’s leadership is confident if can lick the bot/fraud challenge like nobody else.
And there’s a broader, more noble goal. "The Internet is monetizing the wrong stuff," said Tiffany. "That’s money that is going to the wrong content. All the people who make good content are having to compete with free. We are trying to achieve the redirection of those ad dollars. The fundamental value proposition of these ad tech companies who are de-anonymizing the Internet is, 'Why spend big CPMs on branded sites when I can get them on no-name sites. Yet they've created a security hole that you can literally drive a truck through."