Here Are 4 Common Methods That Ad Fraudsters Use to Make Their Ill-Gotten Money

Where crime continues to pay

Headshot of Christopher Heine

We all know bot-fueled ad fraud is a major problem for digital marketers, but how exactly does it work? Who makes money off fraudulent ad views, and how do they insert themselves into the process?

There's been a consistent thread of reports in the past couple of years about ad fraud that marketers have rightfully found alarming. The latest development came just last week, when a joint study by the Association of National Advertisers and White Ops found that bots-driven ad fraud will cost brands $7.2 billion globally this year, up from the $6.3 billion in 2015.

To clarify exactly how fraudsters steal from advertisers' budgets, we asked two veteran ad tech experts, Index Exchange CEO Andrew Casale and DoubleVerify chief Wayne Gattinella, to explain how such thieves typically operate. 

Here are four common methods, per our experts: 

METHOD 1: The Phony Traffic Broker

Casale said a common approach is traffic sourcing, in which a publisher signs up—usually unwittingly—with a fraudster. It works like this:

  • The publisher wants to increase traffic to his or her site and goes to a traffic broker site that's actually run by a fraudster, who promises volumes of highly qualified users.
  • The publisher selects a package and pays for it.
  • The fraudster deploys bots to simulate human traffic to the site.
  • The publisher's numbers soar.
  • Advertisers pay the publisher for the increased traffic, and the fraudster already has his or her money. 

"The brilliant thing about this approach is that the fraudster is one step removed from the actual fraud," explained Casale. "They get paid well before any ad transactions take place, and their name is nowhere near the transaction. The exchange doesn't know who it is, the marketer doesn't know who it is, and the publisher doesn't know which traffic is real and which she bought."

Gattinella adds: "Most website owners with high bot fraud are uninformed that they're purchasing bad traffic; they simply know that the cost per visit is extremely economical. The bots themselves have been created on real users' personal computers, often through the installation of malware."

As far as flow of cash, he said, five parties typically make money from the bots:

1. The infectors of the machines who then sell access to whoever wants it.

2. The renters of the infected machines who create programs to defraud advertisers through bot traffic.

3. The sellers of "traffic" to website owners who need it.

4. The website owners who are monetizing the bot traffic.

5. The intermediaries who are executing campaigns on behalf of advertisers.

METHOD 2: Ghost In The Machine

Another approach is done through ghost sites, in which fraudsters essentially eliminate the publisher from the equation.

They create sophisticated, large content farms with whatever topics a marketer might want, then deploy bots to make non-existant, "qualified audiences" appear. Absolutely zero actual publications and viewers are involved.

Then, Casale said, they contact one of the half-dozen or so major ad exchanges and hope to get listed. And they'll get bumped from most, he stated, but eventually they may find an unknowing exchange to accept them. It's a hit-and-miss numbers game, in other words. 

"So now they're ready to take real money from real marketers in exchange for phony traffic on fake sites," Casale said. "And instead of taking $500 from Publisher X in Method 1, they're pocketing the full amount of the transaction. Eventually, the exchange may get wise and boot them, but they might still get paid 30, 60, 90 days later for the traffic they sent before getting booted. And at that point, they crank up the templates, create a new content farm, and go about getting relisted under a new name."

METHOD 3: Masking URLs In Bidstreams

One of the most straightforward-yet-detailed methods, said Gattinella of DoubleVerify, is masking a website's true URL address where the ad will actually appear.

"A large portion of the infrastructure on which advertising technology is built was not designed with fraud prevention in mind," he said. 

For example, Gattinella said, programmatic buying and selling platforms typically rely on what's called a "bidstream" to determine whether marketers purchase a particular ad impression and, ultimately, how much they pay. Bidstreams are simple, static lines of information, he said, in which it's not possible to peek under the hood before making an ad bid.

"Imagine buying a car without being able to see it in person," Gattinella hypothesized. "No test drive, no popping the hood, you can't even open the door and sit in it. You have to rely on the information passed to you by the seller, who in many cases also has never seen the car in person."

Unscrupulous sellers can seize the opportunity to represent their site as being more targeted, more relevant or more credible than what it actually is—and charge high cost-per-thousand (CPM) rates, really ripping off advertisers. So a site that's fraught with material that infringes on copyrights might be listed as a premium site. 

"This can be accomplished through simply wrongly declaring the domain name to the exchange that is creating the auction, or through a process known as 'impression laundering,' whereby the owner of the copyright infringement site works with another site to hide the true location of the ad," Gattinella noted. "Most advertisers would not pay for ads next to pirated content and the website owner knows this." 

METHOD 4: Hiding Ads

Two relatively easy-to-explain tactics entail how rogue, normally small-time Web publishers gin up their revenues with pixel stuffing and ad stacking. 

With pixel stuffing, they systematically cram an advertisement into a 1-pixel-by-1-pixel unit at the bottom of a page. The promo, of course, is so tiny that it's indecipherable. 

In terms of ad stacking, the website owner places numerous promos on top of one other in a single unit.

For both cases, once again, the marketers are getting stolen from, and the publisher gets paid from ad networks that it has fooled into thinking is legitimate.

@Chris_Heine Christopher Heine is a New York-based editor and writer.