In the previous text we described the biggest known ad frauds detected in the years 2012-2017; in this article we continue the topic with the advertising frauds exposed in the following years, 2018 to 2022. As the data show, both the number of frauds related to online marketing and their scale grow year by year, and the technologies fraudsters use keep getting more advanced. Fortunately, more and more entities in the industry are joining the fight against fraudsters, which allows at least some of the schemes to be thwarted. The number of ad frauds will certainly continue to grow in the coming years; let's hope the detection statistics grow just as fast.
404bot / 404fraud
The scam called 404bot or 404fraud was discovered at the turn of 2018/2019 by two companies working independently (DoubleVerify at the end of 2018 and IAS Threat Lab at the beginning of 2019), but it had certainly been active before that.
The fraudsters ran a bot network that not only circumvented ads.txt (a standard introduced in 2017 by the IAB, the Interactive Advertising Bureau, that lets a publisher list the sellers authorized to sell its inventory) but turned it into a tool for the fraud. Knowing that publishers rarely prune their ads.txt files and that advertisers rarely check them thoroughly, the authors of the fraud looked for sites with large, neglected lists and impersonated them. Through domain spoofing, fabricated browser data and non-existent URLs, they needed no advertising inventory of their own: advertisers were convinced they were buying from authorized sellers (because those sellers were on the list), but the fabricated pages returned a 404 error when visited, hence the name of the whole operation. IAS estimated that 404bot cost the industry at least $15 million.
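The gap 404bot exploited is easy to see once the ads.txt check is written down: the file authorizes a seller for a publisher's domain, it says nothing about whether the page in a bid request really exists on that domain. The example below is an added illustration (not code from the original article, the IAB, DoubleVerify or IAS): it parses an ads.txt file, looks up the seller from a bid request, and then adds the page-existence check that actually catches the fabricated URLs. The publisher domain `premium-news.example`, the seller domains and account IDs, the ads.txt contents and the `fake_fetch_status` responses are all constructed sample data.

```python
"""Check a bid request against the publisher's ads.txt, then verify the page exists.

Added illustration, not code from the original article or from the IAB, DoubleVerify
or IAS. The ads.txt contents, domains, account IDs and the fake HTTP responses are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AdsTxtEntry:
    ad_system: str          # domain of the exchange / SSP that sells the inventory
    account_id: str         # publisher's account ID on that system
    relationship: str       # DIRECT or RESELLER
    cert_id: Optional[str]  # optional certification authority ID (4th field)


def parse_ads_txt(text: str) -> List[AdsTxtEntry]:
    """Parse ads.txt data records: comma-separated fields, '#' comments,
    and key=value variable records (CONTACT=, SUBDOMAIN=...) which are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if "," not in line and "=" in line:       # variable record, not a seller entry
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:                       # malformed record: ignore, never authorize
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert_id = fields[3] if len(fields) > 3 and fields[3] else None
        entries.append(AdsTxtEntry(fields[0].lower(), fields[1], relationship, cert_id))
    return entries


def is_authorized(entries: List[AdsTxtEntry], ad_system: str, account_id: str) -> bool:
    """True if the (ad system, account) pair is listed for this publisher."""
    return any(e.ad_system == ad_system.lower() and e.account_id == account_id
               for e in entries)


def reseller_share(entries: List[AdsTxtEntry]) -> float:
    """Fraction of RESELLER records; a large, reseller-heavy list is the kind of
    neglected file 404bot hid behind (what counts as 'too many' is a judgement call)."""
    if not entries:
        return 0.0
    return sum(e.relationship == "RESELLER" for e in entries) / len(entries)


def check_supply_path(entries: List[AdsTxtEntry], ad_system: str, account_id: str,
                      page_url: str, fetch_status: Callable[[str], int]) -> Dict[str, object]:
    """Combine the ads.txt lookup with a check that the claimed page really exists.
    fetch_status maps a URL to an HTTP status; it is injected so the example runs
    offline (in production it would be a real HEAD/GET of page_url)."""
    listed = is_authorized(entries, ad_system, account_id)
    status = fetch_status(page_url)
    return {"seller_listed": listed, "page_status": status,
            "accept": listed and status == 200}


# Constructed ads.txt of a hypothetical publisher with a bloated reseller list.
SAMPLE_ADS_TXT = """\
# ads.txt for premium-news.example (constructed sample)
CONTACT=adops@premium-news.example
google.com, pub-1234567890, DIRECT, f08c47fec0942fa0
exchange-a.example, 1001, DIRECT
reseller-b.example, 2002, RESELLER
reseller-c.example, 3003, RESELLER, abc123
reseller-d.example, 4004, RESELLER
reseller-e.example, 5005, RESELLER
this line is malformed and must be ignored
"""

# Constructed HTTP responses: the real article exists, the spoofed page does not.
FAKE_STATUSES = {
    "https://premium-news.example/markets/2019/01/story": 200,
    "https://premium-news.example/xk2/9f3a/auto-generated": 404,
}


def fake_fetch_status(url: str) -> int:
    return FAKE_STATUSES.get(url, 404)


if __name__ == "__main__":
    entries = parse_ads_txt(SAMPLE_ADS_TXT)
    print(f"{len(entries)} records, reseller share {reseller_share(entries):.0%}")
    # Seller 4004 on reseller-d.example really is on the list, so the list check
    # alone passes even for the fabricated URL; only the 404 gives the spoof away.
    for url in FAKE_STATUSES:
        print(url, check_supply_path(entries, "reseller-d.example", "4004", url,
                                     fake_fetch_status))
```

Both URLs pass `is_authorized`, because the seller genuinely is on the publisher's list; the fabricated one is rejected only by the status check, which is the control 404bot counted on nobody running. In production the fetch should follow redirects and treat soft 404s (a 200 with an error page body) as failures as well.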
DrainerBot, discovered in February 2019 by Oracle, is an interesting example of mobile ad-fraud malware. The fraudsters used unsuspecting mobile app developers to spread it: the malicious code was hidden in an SDK used to build applications. Thousands of Android applications, downloaded almost 10 million times in total, were built with the tainted SDK, which let the fraudsters operate on a gigantic scale.
DrainerBot activated once a user installed one of the affected apps from the Google Play store. On an infected device, video ads played constantly in the background, out of any context and at every opportunity, and the device was also directed to websites. The app then reported to ad networks that the video had been viewed on a legitimate site, triggering a payout.
DrainerBot owes its name to the fact that it consumed huge amounts of mobile data on the devices it ran on (up to 10 GB per month) while rapidly draining their batteries (the app alone could take a battery from 100% to 5% in a matter of tens of minutes).
An advertising scam called Hydra, first identified by Protected Media in August 2019, was responsible for over $130 million in advertiser losses. The fraudsters piggybacked on real user activity in over 8,000 infected apps, spoofed mobile IP addresses and routed traffic through proxies to hide the fact that the clicks and impressions they generated were fake. They used advanced techniques that made the traffic hard to classify as invalid, and they worked with many advertising networks at once, feeding each of them only small volumes of traffic so as to stay under the radar.
Hydra frequently changed its operating model; the scams its authors committed included click injection, click and impression spoofing, third-party click capture, data theft and account hijacking.
To expose Hydra, in 2020 Protected Media, the cybersecurity company that discovered this ad fraud, shared over 100,000 IP addresses used by the botnet with the advertising industry and, together with other online-security players, launched an initiative called Slay Hydra.
Not all scams are detected by cybersecurity companies; sometimes advertisers take matters into their own hands. Uber did so in 2019, filing and then winning a lawsuit against five advertising networks: Fetch, BidMotion, Taptica, YouAppi and AdAction Interactive.
This happened after the company discovered that roughly two-thirds of its advertising budget (around $100 million) was not converting. The retargeting companies turned out to be responsible, having abused the system by generating fraudulent traffic. The scale of the ad fraud became clear when Uber cut ad spend by $100 million and saw no change in app installs.
In 2020, Uber also won a lawsuit against Phunware Inc., proving that most of the Uber app installs the company claimed to have delivered were generated by click-flooding ad fraud.
In 2020, researchers at Check Point Research discovered a new piece of malware called Tekya. Its code, hidden in just a few lines inside a software development kit (SDK), was added to dozens of applications from various developers, and because it activated only after the app had been installed, it slipped past the store's protection algorithms. The malware ran in the background, waited for the user to become active and recorded their interactions with the device. Tekya then created and triggered click events that mimicked human behaviour, a clicker technique Check Point had earlier seen in the Haken malware. In short, Tekya copied users' actions and pretended that they had clicked on specific ads.
The malware was found in 56 Android apps available on Google Play: mainly games and puzzles aimed at children (24 of them), several games for adults and various utilities such as calculators and translation apps. Tekya is believed to have had over a million downloads and to have been active since at least May 2019. We wrote more about this ad fraud in 2020 in the text Tekya - the latest case of fraud involving online advertising - TrafficWatchdog.
White Ops researchers had been monitoring a botnet called Terracotta since late 2019. The scammers placed apps in the Google Play store that promised users free goods (most often free shoes, but also tickets, coupons and expensive dental treatment) in exchange for installing them. The gift was supposed to arrive within two weeks of installation, during which time the user had to keep the app on their smartphone. In the meantime the app downloaded a modified WebView-based browser which, invisibly to the user, loaded advertisements and earned the fraudsters considerable revenue from fake ad impressions. The scale was enormous: according to White Ops, in the last week of June 2020 alone the Terracotta botnet silently loaded more than two billion ads on 65,000 infected smartphones.
After consulting specialists from White Ops, Google removed dozens of Android applications most likely involved in the scam from the official Google Play store and also disabled them on users' devices, stopping their further malicious behaviour.
At the beginning of 2020, in an operation called "Icebucket", fraudsters impersonated over 2 million people from over 30 countries, tricking more than 300 advertisers who wanted to reach OTT and CTV audiences. In this fraud, bots posed as people watching ads on streaming platforms and apps; at its peak (January 2020) it accounted for 28 percent of all CTV traffic monitored by White Ops (about 1.9 billion ad requests per day). White Ops researchers uncovered and exposed the scheme in April 2020. The fraudsters used approximately 1,700 IP addresses located in 9 countries to counterfeit CTV players and generate artificial views in the Server-Side Ad Insertion (SSAI) model, in which ads are stitched into the video stream.
In March 2020, Pixalate revealed another scam, this one involving Roku's passive apps, named Monarch after Monarch Ads, the ad inventory monetization platform used by all of the apps detected in the scheme. The fraud consisted in sending an ad request that carried the correct name of a given application while the response displayed a different one, with the destination "Aragon Creek". Advertisers thought their ads were being shown on Roku's website (or app), when in fact they were buying placements in screensaver apps or apps designed with pets in mind.
The losses reached millions of dollars, and the victims included well-known brands such as Chipotle, GEICO, Jaguar, Lexus and Uber, and even politicians using the CTV channel during the Senate elections.
Mobile and CTV advertising was also the target of MultiTerra, a fraud discovered in 2020 by DoubleVerify, a company that analyzes advertising fraud. The scammers targeted premium publishers, stealing about $1 million a month from them by spoofing their ad inventory. The botnet was named MultiTerra for its complex operating scheme and its focus on mobile channels. Within 20 minutes, a single IP address impersonated 16 different smartphones, generating around 50 fake ad impressions across at least 9 different premium publisher apps, and was then replaced by a new one. At its peak, between June and August 2020, the botnet generated more than three million fake ad requests per day on mobile apps and connected televisions (CTV). The fraudsters also changed the botnet's behaviour patterns every few days, so the fraud stayed hidden for a long time.
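The pattern DoubleVerify describes (one IP, 16 "smartphones", roughly 50 impressions on 9 apps inside 20 minutes) is a device-rotation signature that falls out of a simple sliding-window count per IP. The following is an added example of that detection logic run over constructed ad-request log lines; it is not DoubleVerify's code. The log format (`<ISO timestamp> <ip> <device_id> <app_id>`), the 20-minute window, the device threshold and the two IP addresses are assumptions made for the example.

```python
"""Flag IP addresses that rotate through many device identities in a short window.

Added illustration of the traffic pattern DoubleVerify described for MultiTerra
(one IP posing as 16 smartphones, ~50 impressions on 9 publisher apps in 20 minutes);
it is not DoubleVerify's detection code. The log format, the thresholds and the log
lines generated below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

WINDOW = timedelta(minutes=20)
MAX_DEVICES_PER_IP = 5  # assumption: a home NAT rarely shows more distinct devices in 20 min

Finding = Tuple[int, int, int]  # (distinct devices, distinct apps, impressions) in the worst window


def parse_line(line: str):
    """Log line format (constructed): '<ISO timestamp> <ip> <device_id> <app_id>'."""
    ts, ip, device_id, app_id = line.split()
    return datetime.fromisoformat(ts), ip, device_id, app_id


def find_device_rotators(lines: Iterable[str], window: timedelta = WINDOW,
                         max_devices: int = MAX_DEVICES_PER_IP) -> Dict[str, Finding]:
    """Return, per offending IP, the sliding window with the most distinct device IDs.
    An IP is flagged when any window of length `window` holds more than `max_devices`
    distinct device identifiers."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, dev, app = parse_line(line)
        by_ip[ip].append((ts, dev, app))

    flagged: Dict[str, Finding] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the left edge
                start += 1
            win = events[start:end + 1]
            devices = {dev for _, dev, _ in win}
            if len(devices) > max_devices:
                finding = (len(devices), len({app for _, _, app in win}), len(win))
                if ip not in flagged or finding > flagged[ip]:
                    flagged[ip] = finding
    return flagged


def constructed_log():
    """Two IPs: one bot rotating 16 device IDs across 9 apps, one ordinary household."""
    base = datetime(2020, 7, 1, 12, 0, 0)
    lines = []
    for i in range(50):   # 50 impressions spread over ~19.6 minutes
        ts = base + timedelta(seconds=24 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 dev{i % 16:02d} app{i % 9}")
    for i in range(10):   # two phones, three apps, same period
        ts = base + timedelta(seconds=120 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.4 phone{i % 2} app{i % 3}")
    return lines


if __name__ == "__main__":
    for ip, (devices, apps, impressions) in find_device_rotators(constructed_log()).items():
        print(f"{ip}: {devices} devices, {apps} apps, {impressions} impressions in 20 min")
```

Because the botnet swapped in a fresh IP after each 20-minute burst, a rule like this has to run on the fly rather than on daily aggregates, and the threshold needs tuning per network: carrier-grade NAT legitimately puts many devices behind one address, which is why the example keys on devices per window and reports the apps touched rather than on raw request volume.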
In July 2020, the White Ops Satori Threat Intelligence and Research Team published details of a newly discovered ad fraud on their blog. ChartreuseBlur got its name because most of the apps used in the fraud were ostensibly photo editors, specifically for applying a blur effect. Once installed on a device, the malicious code ran and showed full-screen ads to the user every time they unlocked the device, plugged it in to charge, or turned Wi-Fi or cellular data on or off. Users could also have trouble uninstalling the app, because its icon disappeared from the screen after the first launch. As a result of this scam, 29 apps with over 3.5 million downloads between them were removed from the Google Play store.
At the end of 2020, Oracle announced the detection of a new advertising fraud, StreamScam, so named because it targeted CTV ad delivery. The operation used over 28.8 million US household IP addresses, approximately 3,600 applications and 3,400 unique models of CTV devices. The use of valid residential IP addresses shows StreamScam's sophistication compared with earlier CTV ad scams.
Using its Moat technology, Oracle uncovered the scam and found that the operators had built a network of servers that sent ad-view events to advertisers without actually delivering ads or video content to users, pretending the ads had played when they hadn't. According to Oracle's report, StreamScam cost advertisers approximately $14.5 million.
In 2021, Oracle Moat detected a scam involving the popular manga site mangago.me, which hosts adult and pirated content. The site's owners wanted higher CPM (cost per mille) rates, so they decided to show advertisers a completely different face than the one users saw. Literally: alongside the real mangago.me, which has about 70 million visits a month, the scam used three other domains to receive redirected traffic: mnggo.net, claiming to be a magazine called "newfashion"; lady-first.me, posing as a lifestyle magazine called "ladyfirst"; and fashionlib.net, presented to advertisers as a "lifestyle" magazine.
Each of these sites had two faces: when visitors entered the domain directly, it looked like a website dedicated to women's fashion and lifestyle, with related content copied from other websites, whereas if the visitor had been redirected from mangago.me, the page showed violent and X-rated manga.
The fraudsters not only extorted payment from advertisers but could also seriously damage the image of the brands whose ads they served on their domains. It is worth noting that, although the fraud was exposed, mangago.me itself is still operating.
Another fraud detected by Oracle in the first quarter of 2022, KissFraud, named after the fake website used to carry it out, kisscenter.net, worked very similarly. As in the mangago.me scam, KissFraud relied on redirecting users, in this case visitors to the pirated video site kimcartoon.li. The landing page that received traffic from kimcartoon.li was kisscenter.net. Accessed directly, it looked like a news site, with content copied from real news sites. But when a user arrived at kisscenter.net via a redirect from kimcartoon.li, typically after clicking a link to a specific episode or movie, they saw a continuation of the pirated content. The users drawn into the scam often didn't realize they were already on a different URL. Advertisers wanting to place their ads on news sites ended up running them on pages serving... illegal movies.
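Both the mangago.me domains and kisscenter.net served a different page depending on where the visitor came from, which a verification vendor can test by requesting the same URL twice, once with no Referer and once with the piracy site as Referer, and comparing the visible text. The block below is an added example of that check; it is not Oracle Moat's code. `cloaked_site` is a constructed stand-in for a two-faced landing page so that the example runs offline (its page bodies are invented), `honest_site` is a control that ignores the Referer, and in practice `fetch` would be an HTTP client that sends the Referer header it is handed.

```python
"""Detect referrer-dependent cloaking by fetching one URL with and without a Referer.

Added illustration of the 'two faces' scheme the article describes for mangago.me and
KissFraud; not Oracle Moat's code. `cloaked_site` is a constructed stand-in for the
two-faced landing page so the example runs offline; in practice `fetch` would be an
HTTP client that sets the Referer header it is given.
"""
import re
from typing import Callable, Dict, Optional, Set

PIRACY_REFERERS = ("https://kimcartoon.li/", "https://mangago.me/")


def cloaked_site(url: str, referer: Optional[str]) -> str:
    """Constructed two-faced page: copied 'news' content for direct visits,
    the pirated-content continuation when the visitor arrives from the piracy site."""
    if referer and referer.startswith(PIRACY_REFERERS):
        return ("<html><title>Episode 12</title><body>"
                "<video src='/ep12.mp4'></video><div class='ad'></div></body></html>")
    return ("<html><title>Daily News</title><body>"
            "<article>Markets rose today on strong earnings</article>"
            "<div class='ad'></div></body></html>")


def honest_site(url: str, referer: Optional[str]) -> str:
    """Constructed control: serves the same page regardless of Referer."""
    return cloaked_site(url, None)


def text_tokens(html: str) -> Set[str]:
    """Crude visible-text tokens: strip tags, lowercase, split on non-alphanumerics."""
    return set(re.findall(r"[a-z0-9]+", re.sub(r"<[^>]+>", " ", html).lower()))


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty pages count as identical."""
    return len(a & b) / len(a | b) if a | b else 1.0


def cloaking_check(url: str, fetch: Callable[[str, Optional[str]], str],
                   suspect_referer: str, threshold: float = 0.5) -> Dict[str, object]:
    """Fetch `url` directly and again with `suspect_referer`; flag the page as
    cloaked if the visible text barely overlaps (similarity below threshold)."""
    direct = text_tokens(fetch(url, None))
    referred = text_tokens(fetch(url, suspect_referer))
    sim = jaccard(direct, referred)
    return {"similarity": sim, "cloaked": sim < threshold}


if __name__ == "__main__":
    url = "https://kisscenter.net/some-page"
    print("two-faced:", cloaking_check(url, cloaked_site, "https://kimcartoon.li/ep/12"))
    print("honest:   ", cloaking_check(url, honest_site, "https://kimcartoon.li/ep/12"))
```

Real cloaking is rarely this clean: the site may key on cookies, on a redirect token in the URL or on the user agent as well as on the Referer, and honest pages legitimately vary between visits (rotating headlines, personalised modules), so a production version compares several fetches over time and sets the threshold from the observed baseline rather than a fixed 0.5.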
In the summer of 2022, Vikas Parthasarathy, a researcher at Human Security, noticed by chance that an application was making an unusually large number of requests and returning different IDs. That put him on the trail of one of the largest ad frauds ever detected, named Vastflux after the "fast flux" technique used in it and after VAST (Video Ad Serving Template), the IAB-developed template for serving ads in video players.
The botnet behind this ad fraud comprised as many as 11 million phones (mainly iOS devices, although some Android devices were also infected), and the scammers spoofed a total of 1,700 apps and 120 publishers. In June 2022, when Vastflux was at its peak, the malware was sending up to 12 billion ad requests per day.
The investigation lasted half a year and ended in December 2022, when the scammers shut down the servers used for the scam. The exact losses to the advertising industry and the identity of the fraudsters behind it haven't yet been revealed due to the ongoing investigation. We recently wrote about Vastflux in the article Vastflux – one of the biggest detected Ad Frauds! - TrafficWatchdog.