Google is the biggest company in the world and makes 90% of its money from online ads. Google’s ad revenues are based on commissions it receives from ad buys on its system. When an advertiser buys an ad impression from some site through Google, the publisher takes a cut and Google keeps the rest. Google ends up with more than half of the money in any case. Where the publisher in question is sending Google fake traffic or some other form of waste, Google makes exactly as much money from selling it as they do in the case of legit inventory. The magnitude and success of Google’s business are tied to selling more and more impressions that cost less and less money. This leaves Google in a very difficult situation; on one hand, it is under pressure to remain the largest company in the world, and on the other, it is making its money from an industry that has a serious problem with fraud to the extent that World Federation of Advertisers recently called it “endemic”.

“Just let it happen, the market will correct itself”

The story starts in 2004 when Google’s then CFO Reyes says “ad fraud is the biggest threat to internet economy” [1], a claim Google’s PR jumped promptly to correct.

Two years later Google settles out of a click fraud class action for $90 million [2]. The same year CEO Eric Schmidt says in a talk at Stanford University “letting it (fraud) happen is the perfect economic solution”[3].

Fast forward to today and we have researchers showing how Google charges for Youtube views even when they know its a bot [4] a story that landed on the cover of the Financial Times [5].

Another instance where traffic quality issues got Google on the headlines, is the story about a known and convicted terrorist funder who was using Google ads to make money with his propaganda site[6].

Advertising focused security firm Sentrant recently published research showcasing how Google Play was being used for very large scale fraud operation [7].

Working with Google as an ad fraud researcher

Through Botlab, the only research foundation focused on the malicious use of advertising technology, we have interacted with Google to some extent and have learned that when presented with information, Google reps are typically resorting to one of few options:

• refute the information by claiming the superiority of their people and the scale of their investment
• refute the information by making a specific counter claim, without being willing to discuss/debate the claim further
• not refuting the information but refusing to reveal any further intention or action associated with it

In the case of scientific research, the two first are clear fallacies. This can be verified from Wikipedia’s entry on Logic Fallacies[8].

Our working theory is that Google has a lot of good people, but also it’s the world’s largest corporations with tremendous financial market pressures to perform. They bought a lot of tech, like DoubleClick, a company that in 2003 was sued for showing computer error messages in place of banners [9], or blogger.com that at the time was very popular with “advanced SEOs” and “affiliate marketers”. I can’t find the source, but there was a German bank that did a paper where they analyzed blogger and found that 2/3 of the content was auto-generated. Those times it was all Markov auto-generated gibberish. Very cool tech, but does not read well.

Google has always been under a tremendous pressure to grow. To understand this, we can evidence how Google became the largest company in the world in a very competitive global market. Somewhere along the way, under all those pressures, some baggage in terms of traffic quality may have been acquired. I know all ad fraud researchers agree with the point about “Google being the largest single beneficiary of ad fraud” and it is a point very hard to debate. Because of its share in the total market, “just letting it happen” even to tiny extent amounts to billion of dollars of ad revenue. Stock market analysts don’t understand Google’s traffic issues, so the forecasts they make are completely ignoring the fact that at some point it needs to be “corrected”.

In short, summary, if Google in its current situation suddenly admit that 10% of their traffic is bad and probably has been bad all along, it could come at a catastrophic cost. This is one of the reasons why I’m wishing so dearly Google would be more eager to work closely together with researchers when they do reach out to them. There is ZERO benefit for having publicity on matters such as these. The preference of the ad fraud research community is to treat these in a similar way as vulnerabilities would typically be treated:

1. researcher informs the company privately about the vulnerability
2. the company has a window of time to take action before info is published
3. the researcher makes the information public

In this process, there is no doubt, and everyone gets something valuable out of it. The issue with ad fraud related “vulnerabilities” is that the companies in question make money from letting them be.

How “cleaning up” looks like?

When AppNexus, one of Google’s competitors, started their fight for traffic quality, on the first move 65% of traffic footprint was lost [10]. Meaning that AppNexus at one go lost 2/3 of its immediate revenue potential, and opened the door for pissed off buyers who had been buying 2/3 garbage. When AppNexus made this move, Matomy, an Israeli ad network lost 1/3 of its market cap on the London Stock Exchange[11]. What AppNexus did in banking terms is same as bank admitting that it has many toxic assets on its books and that while it may seem fine and everyone is in on it, being part of increasing the risk associated with AppNexus significantly. In my view, this was the best thing to do in that situation. Now some other companies have already followed AppNexus’ example with similar initial results in terms of reduction to total traffic footprint. With the information I have, it seems unlikely that such an “initial push” would be less than 50% in the case of exchanges and ad networks (Google’s business models).

Is Google better off than AppNexus? Their starting point was better, but they have not made any “sudden” improvement like AppNexus and some other companies have. Because Google’s business is far bigger than AppNexus, and because it is a public company, we can conclude that Google has far more risk associated with doing something like this compared to AppNexus for example. I’m assuming that is a very difficult situation to manage even for the absolute best people in the world, which I’m sure Google employ many.

Out of the 10 or so listed adtech companies, others too have been rocked by ad fraud allegations. Rocket Fuel has lost 95% of its listing price a downturn it could not stop after being implicated in fraud allegations. At the same time, Google has increased its market cap many times the total market cap of all the other listed companies doing the same thing Google does.

After a long silence, past few months we saw how the financial analysts for the first time started to pay attention to the topic of how traffic quality issues may affect the stock price of Google [12]. Kalkis is recommending a correction to $200 per stock for Alphabet in relation to traffic quality issues.

Roughly $70 billion was invested on ads with Google last year. If even 10% of that goes to something that could be dealt with under the right circumstances, for example by being more transparent, then that means preventable losses of $7 billion in ad effectiveness. In product categories, e.g. cheap shampoo with a weak brand, easily more than half of the sales is a result of advertising. Because economies are increasingly dependent on consumer spending, weaker sales lead to fewer jobs, less tax money and other forms of tax payer burden.

Google’s problem seems to be that increasingly online advertising inventory is fraudulent, yet Google’s own revenues are almost entirely dependent on its ability to sell more and more online advertising inventory. The other problem is related to being the biggest in the world. Because Google has no other means for making tens of billions of dollars of revenue than online ads, Google wants online advertising market to expand, not shrink.

In comparison to ad networks in general, is Google bad? Definitely not. My understanding is that its traffic quality is above mid-tier in the market. For a company that grew so large so fast, some could argue that it is a feat in itself to do that and still end up mid-tier. The issue with comparing Google with other ad networks is that there are hundreds (if not thousands by now) of ad networks that 100% focused on arbitrage and nothing else.

Ari Paparo, who was the longtime product manager for Google DoubleClick both pre and post acquisition by Google, tweeted yesterday from dmexco:

“Talking to all the video arbitrage ad networks at #dmexco feels *exactly* like the scene in Big Short when Steve Carrell goes down to Florida”.

REFERENCES:

[1] Google CFO: Fraud a big threat
http://money.cnn.com/2004/12/02/technology/google_fraud/

[2] Google Agrees To $90 Million Settlement In Class Action Lawsuit Over Click Fraud
https://searchenginewatch.com/sew/news/2059444/google-agrees-to-usd90-million-settlement-in-class-action-lawsuit-over-click-fraud

[3] Google CEO on click fraud: ‘let it happen’ is perfect economic solution
http://www.zdnet.com/article/google-ceo-on-click-fraud-let-it-happen-is-perfect-economic-solution/

[4] Understanding the detection of fake view fraud in Video
http://www.recred.eu/sites/default/files/fake_views_imc15.pdf

[5] Google charges for YouTube ads even when viewed by robots
https://www.ft.com/content/53ac3fd0-604e-11e5-a28b-50226830d644

[6] Jihadi website with beheadings profited from Google ad platform
https://www.ft.com/content/b06d18c0-1bfb-11e6-8fa5-44094f6d9c46

[7] Fraud Through Comprised Apps and App SDKs Affecting Major Exchange
https://sentrant.com/2016/02/07/exposing-an-intricate-and-elaborate-scheme-of-mobile-ad-fraud-a-game-of-shells/

TL;DR

adToken is the hook in a pitch that we call “Adnetwork 2.0”. It’s the first of a kind, but not in an exciting or positive sense. Actually, it just marks the beginning of an era where ad networks (at least for a while) will be interesting and seem valuable again.

WELCOME TO THE ADTECH BOILER ROOM

Remember that time, +20 years ago, when a bunch of well dressed not-so technical guys from various backgrounds came to the online advertising scene with a promise that they would make it better. Those companies came to be known as ad networks, and they are, some argue, the root of the most pressing issues in online advertising (and the internet). The ad network model turned out to be the most popular “get rich scheme” hitting the internet in its first +20 years. Thousands of companies flocked to it in search of a quick buck. Actually, it is kind of a scam and Business Insider wrote about the ad network model as a Ponzi scheme already in 2008[0]. Ponzi schemes and other similar scams require two things in order to be sustained and keep making money for the people behind them:

1. New fools must keep coming in
2. The biggest old fools can’t pull out

When either one of these stops happening, the house of cards goes down. That’s exactly what’s happening with the +20-year-old ad network scheme. It is only a matter of time when the great majority of the current 10,000 or so ad networks will not have enough new fools coming in, while the old fools abandoning. Simply put, the ad network era is coming to an end.

Instead of trying to milk a dying cow, the most eager operators are already eyeing the next scheme. This makes sense; why not leave when you’re still “winning” in the sense that you have not yet been called out as a con. If you have any doubt about ad network model being a form of a con, you have to talk with people who setup and ran ad networks over the past +20 years. Then you will find out. Don’t take my word for it. And yes, some are legitimate in the sense that even though they take 50% or more commission, they make a sincere effort to add value. Most take the commission, with no sincere effort for much else than taking the commission and doing the absolute minimum it takes to keep getting new money coming in.

On its website, adToken (adChain) says that CPM is at the root of online advertising problems. It’s not that simple. It would be far more accurate to say that Ad networks are at the root of online advertising problems. Actually, performance (conversion) and click networks are generally far more likely to be just fraud, as opposed to CPM based networks. This is well known even within the less savvy adtech crowd.

WHAT IS ADTOKEN PROMISING

The main promise adToken is associated with, is to provide a “fraud free” advertising environment. This is promised through implying that the initial publishers have been verified fraud free and that there is a system in place, which in fact is the only tangible function of their blockchain, to ensure that only fraud free publishers can be added to their registry. Two points regarding this:

1. Nobody has a way, nor will have a way anytime soon, to guarantee a given publisher is fraud free
2. It took us minutes to come up with a multitude of way how highly fraudulent publishers can get into adChain

In the case of point 1, any respectable ad fraud researcher knows that it’s not possible to give a credible fraud free guarantee. In this regard, one of the most respected individuals covering the topic of ad fraud said:

In the case of point 2, it is actually hard to find justification for why adChain would not become a way for large scale fraud publishers to legitimize their operations. We sure could not find any, while we could easily find many scenarios where that is exactly what will happen. Further, it will allow now legitimate publishers to use “audience extension” and other techniques, while enjoying the “stamp of approval” of being part of adChain.

Just like the ad networks have done for the past 20 years, it seems that adToken is kind of a business model where anything the buyers want to hear, is said without taking much time to think if it makes even theoretical sense.This is not so surprising, given that adChain is actually just an ad network, setup by another ad network.

UNPACKING ADTOKEN

Let’s first look at the companies and brand names that are directly related with adToken. In fact, there are quite a few, which makes it much harder for anyone to start digging deeper into what adToken actually is and who is behind it.

• VidRoll (the ad network behind it all)
• adChain (seems to be more like project name)
• MetaX (same people as VidRoll)
• MetaXchain (seems to be the same as MetaX)
• adToken (the cryptocurrency token associated with adChain)

It seems, that all of these are the same group of people, who are actually the VidRoll team and their advisors. Based on a brief background check (always perform background checks on companies and individuals that make claims about dealing with fraud), we immediately identify several causes for concern. Everyone should do their own research, so we will not share the details here except for two things. One is a case related to Vidroll LLC[1].

It’s a case where allegedly Vidroll had left a video traffic bill of $200,000 unpaid to Division-D, another Adtech company. The second “red flag” is that in a panel discussion hosted by MetaX, two key individuals involved in the adChain project readily admit having in the past “monetized fraudulent traffic”[2]. If you go to casino and count cards, you get a lifetime ban. If you do as simple of a violation as insider trading for a small amount of money on Wall Street, the feds will hunt you down and put you to prison for years. In adtech, it seems, you’ll use it as a credential to peddle your next money making scheme.

There are two more parties involved in the adToken project:

• DMA (Data & Marketing Association, previously Direct Marketing Association)
• ConsenSys

ConsenSys is what could be referred to as an “ICO Factory”. A company that as its sole business model exploits the Initial Coin Offering model, fuelled by the mindless hype around the cryptocurrency space. We will cover ICO model a separate section below. First, let’s take a look at DMA.

NO-PRIVACY BY DESIGN

The three principal parties in online advertising are the publishers, the advertisers, and the internet user. All other parties are intermediaries. The fundamental problem in online advertising, beyond fraud or any other aspect, is its utter disconnect from the internet user. Unfortunately, adToken does not mention the internet user, or consideration to their rights, at all. On the contrary, the key role DMA has in controlling the adChain (at least initially), suggests the opposite. Whereas the first blockchain based advertising token, the Basic Attention Token is privacy-by-design, it seems that adToken is no-privacy-by-design. To understand this better, we have to understand two things clearly:

• DMA (and its members) have an unfair advantage in the adChain registry (at least initially)
• DMA is possibly the most significant proponent against online privacy

DMA is the organization that is possibly the most responsible for profiling of internet users becoming a standard practice, in comparison to any other single entity. It seems fair to say that DMA is to online advertising, what NSA to the intelligence community. Without surveillance of unwitting citizens, it would cease to function. Profiling of internet users is a practice that has been since its inception used by oppressive governments to make bloggers disappear, ISIS to recruit disgruntled westerners, swing the Brexit vote, and allegedly to win the US election. It will take decades to find another idea, that has created so much animosity against online advertising,  as the idea of profiling has. DMA was a key factor in the recent Senate ruling against protecting internet users from ISP and telco companies selling their data to anyone willing to pay for it. Thanks to this ruling, now it will be even easier for adversaries of the US to get access to in-depth profiling data and use it against the interest of its people. The DMA is led by a long time data profiling lobbyist, Linda Woolley.

According to What Stays in Vegas: The World of Personal Data – Lifeblood of Big Business – and the End of Privacy as We Know it, she gave a fiery speech highlighting DMA’s and her position regarding profiling[3]. Below is an excerpt from the book:

Then she potrayed a dark future in which the Federal Trade Commission and ‘privacy zealots” had gotten their wishes and persuaded Congress to bar the collection of personal consumer data without their permission. The nightmare-scenario law would bar Internet tracking and prohibit the use of public records to gain insights. “Consumers even have the right to say: ‘My marketing data is mine, and it’s private, and you can use it or sell it'” she said.

AD NETWORKS GO CRYPTOCURRENCY

By now most have come across the psychotic cryptocurrency markets, and Ethereum powered ICOs (Initial Coin Offerings) where anyone able to create hype around their idea over a period of few months can cash in, in what comes down to a financial market without regulation. A typical ICO pitch may include “compelling” sales arguments such as the one below (from an actual ICO sales pitch):

There is stark resemblance with how ICOs are being marketed, with the most lucrative internet marketing scheme of all time, the so-called product launch formula. Though the ICO model is far more potent, as it’s basically selling “stocks” as opposed to a bunch of videos that allegedly tell you some latest marketing secret. Remember, we have regulation in the financial markets for a reason. Somebody that everyone in Adtech respects (and there are not many people like that) said it very well:

“the ICO space is like adtech on steroids”.

Let that sink in for a moment. Financial market, absent any kind of regulation or oversight. Let’s also not forget that as it stands, adtech is not exactly regulated either. So how about combining the two; taking the worst kind of adtech company i.e an ad network, and building an ICO around it. Seems legit.

The first such combo, where we have an ad network doing an ICO, was witnessed on 26th of June (adChain/adToken). According to the PR, it went really well. The thing to understand about ICOs though is that “well” means that the company behind it ends up making a lot of money in a very short period of time, without actually having to show anything substantial for the money. Mere hype is enough to get to this point.

SOOOOO, WHAT HAPPENS NEXT?

An ad network, a surveillance capitalism lobby, an ad fraud consultant, and an ICO factory walks into a bar and they come up with an idea, which is not new in the online advertising space; let’s tell the buyers what they want to hear, package it with a lot of hyperbole and perceived complexity, so that gullible buyers are incapable of asking the right questions.

In this case, gullible buyers refer to ICO investors first, and advertisers second. Let’s first see what happened with the token after the ICO. Based on the press release[4]:

• The cap for the sale was 10 million USD
• The cap was reached in 23 seconds
• A supply of 1,000,000,000 tokens was issued
• From this 600,000,000 went into circulation

It seems, that this results in the initial offering token price to be $10,000,000 / 600,000,000

• The initial offering price per token was $0.017

Using data from Bittrex Exchange[5] we know that:

• The current 24 HIGH is $0.03

In other words, it’s almost doubled. This estimate is roughly consistent with the fact that today, the adToken market cap is $18,938,760 [6]. Due to the facts that there are no requirements for involved parties in terms of transparency/disclosure, and that the cryptocoin/ICO space is one big hot mess, we’re making this as an inference from available information.

What we can say for sure, is that there has been wild volatility in the bid/ask prices for adToken from 2nd of July onwards since the data became available:

• July 2nd = $0.06
• July 4th = $0.12 (+100%)
• July 8th = $0.03 (- 75%)

After that, it had stayed more or less similar to the $0.03 mark established on 8th of July. What is this based on? Did the company release some key information regarding its ability to deliver on its promise? No. Did they make an acquisition of some sort? No. Did they announce key hires? No. Actually, nothing happened. All of this is pure speculation. The below graph from Bittrex, the exchange trading ADT (adToken) gives a picture of the kind of volatility we’re talking about. The plot starts on 3rd of July 2017 and ends on 24th of July 2017.

What is this volatility based on? Did the company release some key information regarding its ability to deliver on its promise? No. Did they make an acquisition of some sort? No. Did they announce key hires? No. Actually, nothing such happened. All of this is a result of pure speculation. The below graph from Bittrex, the exchange trading ADT (adToken) gives a picture of the kind of volatility we’re talking about. The plot starts on 3rd of July 2017 and ends on 24th of July 2017. We’re talking about volatility in powers, not %.

HOW TO DO AN AD NETWORK ICO AND A WARNING TO MEDIA INVESTORS

Going forward, we will see countless companies whose business model is actually not the pitch they make to advertisers and their media investment partners, but their business model is making money in the ICO/Cryptocoin market. Some of these companies will come outside of adtech, but most will come from the ad network space. They will team up with a company such as ConsenSys, who helps them with the blockchain and Cryptocoin part, they do a white paper that outlines some novel idea that allegedly solves some big problem, partner with Cryptocoin media outlets, setup slack channels and Reddit subreddits, have a medium blog, pays a PR firm, and does a bunch of other stuff to build hype around their ICO. They rely on the idea that online advertising, with its hundreds of billions of spend and a plethora of doom and gloom statements coming from big advertisers to tap in to, is at the same time appealing and impossible to understand for the ICO/Blockchain crowd. Then they take the result of all that hype i.e. their “ICO success”, and do the reverse; rely on the fact that advertisers and their partners do not understand the ICO/Blockchain space.

Immediately after the ICO, they pocket the money (Ethereum), and the speculation kicks in. The company holds a significant part of the tokens and simply watches how ICO sharks manipulate its token. Sometimes this will work, and sometimes it will not. What this means for advertisers, is that that there will be a completely new kind of scam to watch out for, one where the original intention is to make money from the crypto coin market, and not from the online advertising market. Another variation is where initially there is an intention to solve a problem for advertisers, but due to the way the ICO/crypto market operates, the operation instead is bogged down with managing various issues that come with token based models. For example, having just a few parties control most of your tokens. In the case of adToken, just 233 token holders [6] own adTokens. Yes, some of those token holders represent more than one entity, for example, if it’s an exchange, but also some individual entities represent more than one token holder (i.e. one entity has many addresses under which they hold the tokens). In contrast to adToken’s 233 holders, Basic Attention Token (BAT) is owned by 7,413 token holders (over 30 times more).

Even if the company in question was never able to deliver on its original promise, it would not matter much, as it would be hard or impossible to validate by the online advertising industry. An industry that has proven incredibly incompetent in doing just that, validate and make sense of vendor claims. Still today almost nobody seriously questions “fraud free guarantees” or other similar gimmicks, where the advertiser is led by the nose into a false sense of security while the industry burns in flames. Indeed, the “this is fine dog” have quickly become a favored mascot for the online industry among those that understand its problems better.

Instead of seeking actual solutions to problems, particularly below director level operators in both advertisers and agencies, individuals look for convenient ways to not have to talk about the actual problems. This is exactly the kind of psychology that will help the Ad Network 2.0 models thrive.

ARBITRAGING ARBITRAGE

Whereas the original ad network model came to be more about arbitrage than anything else, the new model will not change or even promise to change in that respect. Instead, it will attempt to hide the corrupt underlying model by mixing it with hyperbole, in form of blockchain/cryptocurrency, combined with whatever might be the hottest topic in the minds of advertisers and agencies at the moment. Given that media investors have a poor understanding of issues such as fraud, and almost no understanding of blockchain, but have a strong emotional response to both, such a scheme creates a very potent mix for a new breed of online advertising snake oil peddlers. As we had highlighted in the above sections, this time there is a new element, financial speculators whose sole interest is to buy and sell tokens in order to maximize their own profits. In a sense, the ad network 2.0 model is going to be about arbitraging arbitrage more than anything else.

We conducted a scan of 50,000 websites, where we picked the sites based on how much ad inventory the site is making available in ad exchanges. I feel confident to conclude that both the quality of ad inventory, and the sites that make the inventory available are far greater problems than the ad industry, law makers or the public understand.

Money for nothing, and chicks for free a.k.a way too much ad money

By June 2015, the traffic buying problem had gotten out of hand to the extent where out of the TOP50 global websites by volume of inventory, most were what we call “spamsites”.

According to Google Trends, at that time buying clicks had become as popular of a search term as “search marketing” or “search engine optimization”. In case you are wondering, buying traffic in adtech is like buying CDOs in finance before 2008. Or like taking EPO on Tour de France. In all of these examples, at some point the situation had become so bad that “doing it” was perceived as something you had to do in order to get to your goals. I have later learn that by then, there must have been dozens if not +100 companies just in US alone that were “arbitraging” as the core for their business model.

I watched closely how one company started by people I know had an amazing innovative idea (and that’s pretty hard with online ads), and after some struggle, realised the best way to make money in adtech is to become an ad network. It grew close to 2000% last year and raised a crazy amount of money.

With the CPM “waterfall” in place, what have been going on for years is that some companies go to the bottom of the waterfall, they are called “bottom-feeders”, but what they do is push that inventory right back at the top. Now increasingly including some trick to evade verification such as IAS, WhiteOps, DV or Moat for example. It’s easier to buy traffic that pass the filters of common vendors, than it is to buy traffic that pass the filters of uncommon ones. Traffic market and vendor performance in detecting ad fraud has been covered in Mystery Shopping Inside the Ad-Verification Bubble[1].

What did we find out?

It is clear that things have changed substantially in 16 months that we’ve spent observing the market-place using data from the same source. Have they changed to better, where we have less criminal earnings from ad fraud and less very poor quality sites? In short summary, I believe that earnings are up and various stakeholders make far more money from ad fraud than they made 16 months ago. Site quality on other hand has gone significantly up in the TOP100 sites,

In other words, there is definitely an effort in the part of the industry to make things better, which is showing a response from the opponents to make their appearance better. Let’s be very clear, this does not suggest that ad fraud is now a smaller problem, it could simply just say that now the industry is not a total fool anymore (as it was based on evidence just 16 months ago). The situation roughly 15 months ago can be witnessed with Botlab’s Project Arbitrage[2], a data visualization project highlighting the intersection of very large scale botnet and some of the highest traffic sites of the time.

A more detailed findings report covering 2015-2017 will be made available through a series of post. I’m confident that nobody in the world saw the start of the golden era in ad fraud as closely as we did…and that story will not go untold.

REFERENCES:

[1] Mystery Shopping Inside the Ad-Verification Bubble
http://www.slideshare.net/ShailinDhar/mystery-shopping-inside-the-adverification-bubble

[2] Botlab’s Project Arbitrage (data visualization) https://github.com/botlabio/project-arbitrage

TL;DR What we have in ad fraud research, is companies that are not equipped or incentivized to invest in to serious research, and media that does not know what to believe and what to disregard. Once a company grows to a certain size, it becomes almost impossible for it to keep innovating.

WHAT IS RESEARCH?

The idea that makes research powerful, is that once you have found something new, others can validate your findings. This has not been the case with the papers that were referenced the most.

There is a difference between research and reporting findings. As long as you are just researching, you could violate every principle and rule and still not cause any damage. When you report findings, any findings at all, you have a responsibility for how others are influenced by your reporting.

Whenever research findings are reported, at least the following should be present:

• methodology is explained
• known caveats are explained together with methodology
• sampling and possible violations are explained
• a theoretical background (storyline) is provided

In terms of evidence, there are two very important guidelines:

• if you claim something to be true, provide evidence for it
• if you provide evidence, make sure it’s relevant to your claim

Also I would never publish anything before I had checked it with at least a few peers. I prefer someone more academic, as they tend to be better trained for reviewing such information.

This is the absolute minimum of what constitutes research when findings are reported. If you have doubt about a paper being research, it’s probably not.

WHAT IS NOT RESEARCH?

Everything else is not research. Therefore it should be clearly labeled as marketing, to avoid confusion in the media or with decision makers.

Marketing reports should not use technical titles like “botnet” or “baseline”.

NOT RESEARCH — BOT BENCHMARK REPORT BY WHITEOPS

I had tried to connect with WhiteOps using various means and with all together three different people. Given it’s a small company, I stopped trying.

After having read carefully through the paper they had done earlier in 2015 together with the ANA, I was already sceptical about the intentions and capabilities WhiteOps has regarding anti ad fraud activity. You can find the ANA white paper here:

The Bot Baseline: Fraud in Digital Advertising

This paper turned out to be the single most referenced point of information on the topic of ad fraud. Especially the point it makes about the level of ad fraud exposure in the market. The issue of course is, that the level indicated by WhiteOps is far lower than I have ever witnessed from any data I’ve analysed over the past decade while looking for ad fraud exposures. Also from the storyline it became clear that WhiteOps does not have a substantial theoretical understanding of ad fraud.

Now let’s look at the DCN Bot Benchmark Report and why it is not research, but a piece of marketing collateral. You can find the report here:

2015 DCN Bot Benchmark Report: What makes a publisher premium | Digital Content Next

A lot of work went in to this work, and real researh method had to be used in order to be able to report what is being reported here. But what is it saying? First let’s look at the Major Findings section of the report:

What had happened so far? WhiteOps had completed a hugely successful study with ANA that downplayed the problem and still was widely accepted by more or less everyone in the industry. Under closer inspection it seemed that the detection method that had been used, was one that outright missed most of ad fraud. That, or every other research on the topic of ad fraud was wrong. Nobody had ever got a number as low as WhiteOps did.

The other point related to the Major Findings section of the paper is who is paying for the paper? It is a grass-roots / tradebody organisation that represents the interest of premium digital publishers. The goal of such a body is to attract more money in to digital media from traditional channels such as TV or otherwise. It seems fair to assume that it’s principal goal for the project

What we have here is a publisher study using a bogus method to come to an artificially low number, and then compare that to another artificially low number from a previous study made by the same company. How come nobody is making the case of how dodgy this is?

The big question is on methodology that is used for detection, and for the distinction between sophisticated and not-sophisticated bot traffic. Also what does WhiteOps think about how much they are missing all together? An anti ad fraud company can’t work out of an assumption that they are detecting everything. They have to have a strong theoretical framework for understanding the various ways in which ad fraud manifests, and then be able to use that to pick the most important fights. Not only WhiteOps, but none of the other known vendors are communicating at this level.

WhiteOps comes out with aggressive marketing on its website:

Also it is completely inaccurate to say that it is the only security solution for digital ad fraud. At this point I’m not entirely sure what WhiteOps is offering can be classified as a security solution.

Both Michael Tiffany and Dan Kaminsky know that they should be more careful with what they claim in terms of credible findings. Even if their information security friends did not have good understanding of ad fraud…

There is so much more, but let’s just leave that case at that.

As I had said before, we did try to contact WhiteOps trough botlab.io on several occasions, but were not able to establish a contact. Due to this, we don’t have any other information available than what had been presented in the reports.

NOT RESEARCH — XINDI BOTNET BY PIXALATE

 

Regardless of many attempts, Pixalate was not able to produce any additional evidence to its claims regarding Xindi botnet. Myself together with many others have concluded that Pixalate’s claims about Xindi botnet were not just mistaken, but to some extent made up in order to make the marketing effort more effective.

Here is what some security researchers thought about Pixalate’s work on Xindi the Botnet:

It looks like that somewhere along the way Pixalate became confused about what is a botnet and what is botnet activity. Botnet research respects this difference, as otherwise botnet research could not make any sense. For example, you could not name a lot of stars with the same name. Each star needs to have its own demarkation, otherwise it could not be studied accurately (or at all). If knowing that there is certain kind of botnet activity would be enough to report a botnet, then anyone could do it.

In the case of Pixalate, they chose “impression fraud” as the kind of activity their bogus botnet Xindi is made off. They go to the extent of claiming that this is the first time such botnet, one focused on impression fraud, is identified. They also make claims to the extent as if ad fraud had worked in some other way previously. The issue with this is that

Pixalate did not just make up the technical part of their claims, also the underlying storyline is made up. Made up and contrary to what is commonly known.

To avoid using any more time with this, let’s look at what Pixalate’s disclaimer says:

If it’s just opinions, how come it is marketed so aggressively?! I’m assuming that everyone on their list (together with others) got this email on the day of the release of the report:

At the bottom of the same screen, we can see how Pixalate is in this case positioning itself as a company:

I hope this makes as little sense to you as it does to me.

We’ve now looked at two of the supposed leaders of the industry, and some of the most widely circulated and referenced reports of 2015. It does not look good for 2016 if you ask me, especially when some of the other “leading” companies do not fair any better. This includes the largest company, Integral Ad Sciences making statements about ad fraud rates going down.

NOT RESEARCH —MEDIA QUALITY REPORT BY INTEGRAL AD SCIENCE

 

There is a real risk in having an advertising technology company grow to a certain size. What happens is that the sales side of its business takes control of everything else, and that together with pressures to raise ever more money, make it very hard to innovate and create something new.

There’s good news and bad news about digital ads in new Integral Ad Science report

Why is it clear that Integral Ad Science Media Quality Report is nothing but a way for Integral Ad Science to sell more of its solution:

• not a single word about methodology
• not a single word about possible caveats
• very low overall reported rate:

By very low it is meant that findings suggest much lower rate than majority of research. The rates reported by Integral Ad Science are similar to the rates reported by WhiteOps.

Where as Pixalate showed some attempt to make it clear that their work should not be taken seriously (the disclaimer), and WhiteOps made a real effort to stand out as actual research, Integral Ad Science is doing neither.

Case closed.

EXAMPLES OF RESEARCH

These Madrid based academic researchers are talking about the the right problem, and backing it up with the right methodology and evidence.

False View research results from IMDEA Networks and UC3M impact advertising industry and society…

These Bishop Fox researchers used their free time to come up with some very interesting proof of concepts relevant for ad fraud researchers.

As the last example, a blog post from Sentrant, a Halifax based Anti Ad Fraud company, outlining the workings of a Ad Fraud botnet.

Bedep Ad-Fraud Botnet Analysis – Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A…

REFERENCING RESEARCH FINDINGS

It is idiotic to write a story based on a marketing report. It is just as dumb to reference to an argument that is made in a marketing paper. The function of a marketing paper is to sell someone’s product or agenda. Marketing papers should never be treated with the same confidence research papers are treated. This is because of few very important reasons:

• research papers are generally thoroughly reviewed by peers
• researchers tend to have a broader base of incentives driving their work
• research papers tend to use far more careful language
• claims made in research papers are backed up by objective evidence

When it comes to referencing research findings, let’s keep in mind that one commercially incentivised paper is not enough to establish a credible baseline for further assumptions to be made. On the contrary, it is inviting researchers to prove the initial claims wrong. In my experience, that would mean showing that the numbers are much higher, and that there is a gap between what these vendors are saying and what is really happening.

As an example of what-if, we have cio.com parroting word to word claims made in a marketing paper by a company with no previous track record in reporting security research findings.

New ad-fraud botnet targets major corporations, universities

This gap seems to be the dilemma of commercially focused research, as a company can focus only on so many things. For some reason the media and many other industry stakeholders seeem to have assumed results from the previous Whiteops paper as “true”, even though the paper presents results that are limited and in conflict with results from other researchers. It is concerning to say the least, to see how easy it is to get the press to repeat subjective findings as true.

Can DDoS attacks trigger ads? 

TL;DR

Yes. All application / layer-7 DDoS attacks trigger ads on the target site by default. The”visits” resulting from some layer-7 DDoS attack are no different from visits from advanced web scrapers visiting a page. This means layer-7 attacks may end up making money for the target and give the incentive to the target to not disclose such attacks. For ad fraud perps, it gives plausible deniability for otherwise highly suspicious patterns in their traffic profile.

Validation of the findings 

To confirm that this is the case, we tested several headless browser solutions, including the widely used phantom.js library, and found that with minimal configuration, most sites showed ads to our bots. It took as a little as minutes to setup a headless browser based visitor bot that captured the ads from the sites it visited.  We have repeated the same on a large scale using the commercial “mass scanning” technology by zulu5 [0], where we have been able to prove that almost any site can be made to show almost any ad to a headless browser configuration even when it is not focused on evading detection techniques.

There are dozens of headless browser solutions to choose from [1], with also Google recently announcing a Chrome based one[2]. We did not run actual larger scale DDoS to prove our hypothesis but conducted a brief literature review covering Layer-7 DDoS attacks. All the findings and references are below.

Why is it important if DDoS attacks trigger ads? 

In recent reporting by Financial Times[3], a Jihadi website operated by a known terror funder on US State Department sanctions list, was operating a radical website Arrahmah.com that was allegedly making significant money from ads. When investigating further to the claims made by the article, we found that Arrahmah.com was one of the most commonly referenced targets for various groups allegedly working against ISIS online[4]. This can be simply verified through countless pastebin dumps that mention the site [4]. It also seems fair to argue, much in thanks to Cloudflare, that such sites are not adversely affected from regular DDoS attacks. In fact, if the DDoS attack in question uses the right layer-7 technology, the site just ends up making more money than it would have otherwise made. We do not have any first hand information about the case of Arrahmah.com that would allow us to verify if indeed also layer-7 methods had been used, and if yes, to what extent. We also do not have any credible way to confirm if Arrahmah.com had been adversely affected by the DDoS attacks. Below will follow a summary of 3rd-party information that allows us more background to the general question.

There are two other factors that have to  be considered in respect to some DDoS attacks having the capacity to trigger ads.

1) DDoS solutions are widely available and could be used to generate massive quantities of fake traffic to sites where ads generate revenue

2) A black hat marketer / spamsite owner could drive massive quantities of traffic to their site by any means, and in case questioned about it, blame a DDoS attack

In short summary, DDoS attacks have the potential for actually generating traffic, and the potential for “plausible deniability” with just a pretense of a supposed attack.

Questionable sites often use shady ad networks to monetize their traffic, and many such ad networks will welcome any spike in traffic with open arms. Regular ad network commission is 50% or more of the revenue generated by the ad impressions on a site in their network. Therefore they do not always have the right incentives to disqualifying suspicious traffic as non-legitimate. Even major networks such as Google have serious issues in proactively dealing with traffic quality. A recent research covering Google’s ad network traffic quality shows evidence for this claim[5].

Limitations related with DDoS as a method to trigger ads

Because ad fraud activity requires javascript ad tags to be loaded, as opposed to just making a connection with the server, most DDoS attack methods / technologies are not suitable for incurring ad revenue on the target site. What we are interested in is referred to as Application Layer or Layer 7 DDoS attacks. Basically this is a way to say the attack is focused on the application as opposed to the network for example. The OSI Model [6] is used to illustrate this in a clear way even to those with no previous understanding of the topic. According to research by Akamai, there have been “51 percent more application layer attacks” from Q4 2013 to Q4 2014 and “16 percent more” from Q3 2014 over Q4 2014 [7].

Within the Application Layer / Layer-7, we are specifically interested in those kinds of attacks where the Javascript on the source code of the target page are actually executed. This requires the attack to utilize one or more of three options:

1. headless browser (phantom.js, v8, HtmlUnit, Trifle.js, Splash,etc)[8]
2. browser emulator (selenium, etc)
3. actual browser (in a compromised host)

When the DDoS attack uses any one of these three, the ads can load normally as they would to a legit user, and potentially generate revenue for the owner of the site.

How common are such DDoS attacks where ads are triggered?

According to multiple commercial reports, headless browser attacks have been on the rise for some years now. This makes sense, given that using a “browser based” approach gives the attack perceived legitimacy, in comparison to say flooding someone’s network with traffic in some simplistic way. According to Radware, in 2015 1 out of every 6 DDoS attacks were web-based (HTTP/HTTPS)[9]. These numbers clearly include simple GET methods, and those attacks will not trigger ads.

Attacks that triggers ads have been witnessed to use a relatively small number of variants in terms of browser headers and yet go undetected.

“In October 2013, for instance, DDoS mitigation service provider Incapsula said one of its customers, a trading platform whose identity it did not reveal, had been subjected to a 150-hour DDoS attack using 861 variants of the headless browser technology Phantom JS to simulate legitimate user browsing behavior and thus avoid detection.” [10]

Even a fraction of the requests in such an attack would create a very high number of ad calls on the target site. At the moment a going rate per ad call is between $0.001 to $0.01 for regular banner ads, with one pageview (page load) may involve up to 15 ad calls (because many ads are placed on one page).

In the case where either the target site or the ad call in question would utilize a common counter ad fraud technology (IAS, DV, WhiteOps, Pixalate, etc), those detection methods would typically fail to detect an ad call resulting from an attack that would utilize common features of headless browsers such as mouse movement [11]. As early as 2010, botnets have been reported to be capable of CAPTCHA breaking.[12]

How do the DDoS traffic volumes compare to site traffic? 

In the 150-hour attack reported by Incapsula, there were over 180,000 IP addresses involved world-wide, sending 6,000 hits per second on average, which is nearly nearly 700,000,000 hits per day[13].

According to a report by Sucuri [14], the average attack generates over 7,000 requests per second, which could mean up to 100,000 ad requests. Given that these requests are distributed on average across over ~11,000 IP addresses, the traffic profile is not unlike the largest scale ad fraud sites.

The entire online advertising “bidstream” is roughly 200 billion unique impressions per day, which can ben translated in to roughly 2 million request per second. The largest companies by traffic volume such as Google or Taboola, may deal with up to 100 billion impression events per day. The highest number of ad impressions we know of, per a single entity is 4,4 billion per day and that is the current world record to our knowledge when it comes to impression volume in ad exchanges per a single entity (app, website, etc).

A website which is currently reporting 100 million ad impressions per day (there are hundreds of sites like that), would no doubt struggle to take in all the traffic from a very large scale DDoS attack. But as we can see from the big sites in general when they are under attack, they do try to keep the site live or at least their partners do. For a smart target of a DDoS attack, the goal with the right attacker (headless browser) would be to sustain the attack as long as possible. Basically have the attacker/s work for you for free, in effect make the “hunter” in to prey.

As far as we could conclude, really big attacks go to big targets generally. Smaller targets enjoy smaller attacks. In fact, even a small site under a large attack, could proportionally to its legit revenue “make a lot” from being able to handle even a small portion of the attack. Many such small sites are with Cloudflare which is very good at keeping sites up.

What are the implications? 

In the light of the information we have reviewed, it seems fair to argue the following:

• Certain DDoS techniques are triggering ads
• Those triggered ads have the potential for making money for the site owner
• DDoS attacks can be used as an excuse to explain ad fraud related traffic patterns
• Major sites are already used to dealing with VERY high load (hard to take down)
• Even small sites often use Cloudflare (even harder to take down)

Further we conclude that DDoS attacks are a key technique used by “hactivists”. According to a report, Hactivism and Extortion related DDoS attacks are expected to rise [15]. A former U.S. Air Force General Dale Meyerrose said recently [15] that almost every major campaign seeking to compromise an organisation for hactivism reasons has a DDoS component in it.

We were not able to find evidence to put the two together, and estimate to which extent hactivist attacks leverage relevant technologies, such as headless browser based solutions.

REFERENCES: 

[0] Brand protection and fraud monitoring
http://www.zulu5.com/en/

[1] A list of (almost) all headless web browsers
https://github.com/dhamaniasad/HeadlessBrowsers

[2] Headless Chrome is coming soon
https://news.ycombinator.com/item?id=11839303

[3] Jihadi website with beheadings profited from Google ad platform
https://www.ft.com/content/b06d18c0-1bfb-11e6-8fa5-44094f6d9c46

[4] Pastebin dumps that mention Arrahmah.com
http://pastebin.com/search?q=arrahmah.com

[5] Independent auditing of online display advertising campaigns
http://eprints.networks.imdea.org/1434/

[6] OSI Model
https://en.wikipedia.org/wiki/OSI_model

[7] State of the Internet Security
https://blogs.akamai.com/2015/01/q4-2014-state-of-the-internet—security-report-some-numbers.html

[8] Wikipedia article on Headless Browsers
https://en.wikipedia.org/wiki/Headless_browser

[9] YoY diversity in DDoS trends
https://security.radware.com

[10] Tackling the DDoS threat to banking
https://www.akamai.com/us/en/multimedia/documents/content/ovum-tackling-the-ddos-threat-to-banking-white-paper.pdf

[11] 2014-2015 Global Application & Network Security Report”
https://www.radware.com/ert-report-2014/

[12] CAPTCHA Solving botnet used in ticket fraud operation
http://www.spamfighter.com/News-14027-CAPTCHA-Solving-Botnet-Used-in-Ticket-Fraud-Operation.htm

[13] Headless Browsers and DDoS attacks

Headless-browser DDoS: How to Flush Out a T-1000

[14] Analyzing popular Layer-7 DDoS attacks
https://blog.sucuri.net/2015/09/analyzing-popular-layer-7-application-ddos-attacks.html

[15] 2016 DDoS attack trends
http://www.radware.com/newsevents/mediacoverage/4-ddos-attack-trends-2016/

In the light of recent high profile malvertising attacks, the adtech industry is finding itself as a center of attention in respect to the ongoing malware epidemic. In this article we will cover how in fact it is the industry itself that to some extent is causing malvertising attacks to be possible.

HOW DO MALVERTISING ENTER ONLINE ADS? 

Malvertising is made up of ads that in addition to delivering the ad creative, also deliver malicious payload targeting internet users. Using standard function of common ad platform, malvertising can be targeted in many different ways, for example:

• individual users (against a cookie)
• based on vulnerability (browser, device, software, etc)
• audience profile (affluent users, etc)
• geography (city, country, region, etc)
• organization (based on IP address)
• sites or categories of sites (based on domain or IAB tier-1 category)

In all of the cases, the mechanism and process are exactly the same:

1. sign-up with a common ad platform
2. create a campaign and upload a creative
3. together with the creative include a custom javascript code
4. wait for the approval of your campaign
5. start the campaign
6. watch how your targets are exposed to your malicious code

To understand how this is possible and how exactly malware can get in to the system, we have to first understand how the adtech industry is structured.

The adtech supply-chain is principally made of 5 different stakeholders:

• internet users
• publishers
• exchanges
• demand side platforms (DSP)
• trading desks / buyers

Out of these, the user is a genuine victim.

The publisher is a minor cause due to irresponsible behavior in respect of working with too many 3rd-parties, including working with more than one exchange partner to increase yield, not having appropriate policies in place and by allowing 3rd-parties to act as conduits for nth-parties.

Exchanges are a slightly greater cause due to not having appropriate policies in place and by allowing 3rd-parties to act as conduits for nth-parties, not only in respect to tracking but also in respect to redirecting practices.

Demand side platforms are a far greater cause due to allowing through their platforms virtually any 3rd-party tag to be delivered together with ad creatives.

Trading desks and buyers can be broken into two in this case; where the trading desk is acting as a conduit for the buyer/s, and where the trading desk itself is a buyer. Further, these can be broken down into two; where the trading desk is intentionally engaging in malvertising, and one where they are being used as a conduit for malvertising.

In all of the cases, trading desks commonly expect demand side platforms to allow inclusion of 3rd-party javascript tags to be delivered with ads, even when in most cases they themselves have no idea what is being loaded through those tags. Which acts as a major cause of the wider problem.

In simplistic terms, the way the supply-chain operates in terms of transactions is also important to understand:

1. a user goes to a website
2. ad exchange tag on the website creates an auction based on step 1
3. demand side platforms participate in the auction
4. demand side platforms create a separate auction based on step 3
5. trading desks bid on the auction created in step 4
6. each demand side platform taking part in the auction created in step 2 send back the winning bids from the auctions created in step 4
7. ad exchanges pick the winner among the demand side platforms based on the bids received in step 6
8. ad together with javascript tags gets displayed on to the user

In order for this process to make sense, we have to remember how at the trading desk level, the buyer had already created a campaign, where the creative and the javascript were approved. As part of the process of setting up the campaign, targeting criteria for bidding had also been set.

There are 4 different modes in which this process takes place:

1. where the publisher is connected with single exchange and the exchange is not engaged in redirecting between other exchanges (this is very rare)
2. where the publisher is connected to more than one exchange and the exchange is not engaged in redirecting between other exchanges (this may be slightly more common, but still rare)
3. where the publisher is connected with single exchange and the exchange is engaged in redirecting between other exchanges (this is somewhat more common, but still rare)
4. where the publisher is connected to more than one exchange and the exchange is engaged in redirecting between other exchanges (this is very common)

1. single exchange – no exchange redirects

2. multiple exchanges – no exchange redirects

3. single exchange – exchange redirects

4. multiple exchange – exchange redirects

The most complex of the four modes in which malware delivery take place within the online advertising eco-system is also by far the most common. Arguably more common than the three others combined. A point indicative of the structural issues acting as a cause to the malvertising problem.

ROLES AND RESPONSIBILITIES OF VARIOUS ADTECH COMPANIES

In the light of recent high profile malvertising attacks, the adtech industry is finding itself as a center of attention in respect to the ongoing malware epidemic. In this article, we will cover how in fact it is the industry itself that to some extent is causing malvertising attacks to be possible.

EIGHT MYTHS ABOUT MALVERTISING 

MALVERTISING MYTH 1.

MYTH: the adtech industry and namely ad platforms that are used for conducting such attacks, are a victim of malvertising

FACT: not only ad platforms get paid for delivering malvertising, but do to negligence and structural issues are a significant cause for such attacks to be possible in the first place

MALVERTISING MYTH 2.

MYTH: malware enters the ad eco-system because of “hacking” or technological vulnerability of some kind

FACT: malware enters because of structural issues and wide spread negligence in the adtech industry, namely the popularity of allowing 3rd-party javascript in to ad delivery

MALVERTISING MYTH 3.

MYTH: adtech companies are “doing everything they can” to keep malware from entering the internet advertising eco-system

FACT: with few exceptions, adtech companies have changed nothing in order to being more responsible or to address the underlying structural issues

MALVERTISING MYTH 4.

MYTH: there are strict auditing processes that adtech companies adhere to in terms of what can be delivered through their systems

FACT: such auditing processes rarely consider javascript payloads delivered together with the ads, but are merely focused on the ad creative itself

MALVERTISING MYTH 5.

MYTH: bigger publishers are less prone to malvertising attacks than small websites

FACT: malvertising attacks are increasingly focused on major publishers, due to their massive reach together with other possible reasons

MALVERTISING MYTH 6.

MYTH: malvertising is typically delivered through small shady ad networks / exchanges

FACT: malvertising attacks take place through major ad platforms regularly, due to poor policies pertaining 3rd-party tags, and poorly understood redirecting practices 

MALVERTISING MYTH 7.

MYTH: malvertising attacks are focused on blindly infecting as many internet users as possible

FACT: malvertising attacks are increasingly focused on attacking specific countries and major publishers in that country

MALVERTISING MYTH 8.

MYTH: for a malvertising attack to be effective, user needs to click the ad or take other action

FACT: malvertising attacks are delivering ransomware and other types of malware unconsciously to users’ device

ADTECH’S ROLE IN MALVERTISING

A quick Google search reveals a substantial number of results highlighting the popularity of allowing 3rd-party tags to be delivered together with ads [1]. Google is one of the few ad platforms that does not allow buyers to freely include 3rd-party javascript codes to be delivered inside ads, unless the payload is provided by one of the 2,000 or so Ad Exchange Certified External Vendors [2]. Regardless of Google’s supposedly more stringent policies making it harder to use its Doubleclick platform for malvertising attacks, it is one of the most common platforms mentioned in association with such attacks [3][4].

While ‘modern’ malvertising incidents have been reported since 2004 [5], Doubleclick was sued for a large scale tech support banner ad scam as the actual perpetrator already in 2003 [6]. An attack that can be considered an early form of malvertising. Since 2004 Doubleclick has been frequently reported for being used in malvertising attacks [7][8][9][10] and most recently in March 2016 [11]. Such is the track record of the largest, best resourced and in terms of related security policy, the most responsible company in the adtech eco-system.

In  a Black Hat 2013 live demo [12] by security researchers Jeremiah Grossman and Matt Johnson from a leading web application security firm Whitehat Security, it was for the first time shown just how easy it is to get custom javascript to be delivered together with ads using a common ad network. As a testament to this ease at which malicious payloads can be delivered using ad platforms, one of the inventors of Javascript, Douglas Crockford said “The most reliable, cost-effective method to inject evil code is to buy an ad.” [13]

Because auditing processes in the adtech industry are focused on meeting the IAB Advertising Creative Guidelines [14] and not concerned with the safety of the internet users, there are virtually no obstacles to getting malicious codes to be delivered inside ads using ad platforms in the way they are intended to be used. Because the intended use of the the platforms includes delivery of 3rd-party javascript codes that violate user privacy and function in other malicious ways, there is nothing that stop malware delivery using those same standard functions of common ad platforms. To further complicate things, with only few exceptions such as AppNexus, even larger ad platforms generally tend to have no information security focused staff. This can be easily witnessed through LinkedIn profiles of the employees of such companies. 

While malvertising has been an issue for more than a decade, a point illustrating the persistence of the problem on one hand, and the inability of the adtech industry to contain it on the other, the shift towards targeting major sites has brought the topic under wider attention only recently [15][16][17][18][19]. In the light of these facts, it seems fair to argue that IAB’s and its members’ self-regulatory efforts in this matter have failed, and further involvement from outside of the industry is badly needed to address malvertising as the serious threat to internet users, business and civil society it presents[20]. In this respect, perhaps the most alarming trend that can be seen in recent malvertising attacks is the way attacks are targeting specific nations, for example UK [21], Netherlands [22] and Finland [23].

Based on a survey conducted by botlab.io, even savvy users rarely know that malvertising can be used to deliver malware unconsciously to the user’s device. Yet installing of ransoware and malware infecting the user’s device without any action on the users part has become a hallmark of malvertising attacks [24][25][26]

REFERENCES: 

[1] https://www.google.com/search?sourceid=chrome-psyapi2&ion=1&espv=2&ie=UTF-8&q=using+custom+javascript+inside+ad+creative&oq=using+custom+javascript+inside+ad+creative&aqs=chrome..69i57.7232j0j7&gws_rd=cr&ei=7wM8V-Bn59fpBKK8jsgP

[2] https://developers.google.com/third-party-ads/adx-vendors

[3] http://www.theverge.com/2014/9/19/6537511/google-ad-network-exposed-millions-of-computers-to-malware

[4] https://blog.malwarebytes.org/threat-analysis/2015/09/large-malvertising-campaign-goes-almost-undetected/

[5] http://news.netcraft.com/archives/2004/08/06/phishing_attacks_using_banner_ads_to_spread_malware.html

[6] http://www.bizjournals.com/pittsburgh/stories/2003/07/21/daily17.html

[7] http://archive.wired.com/techbiz/media/news/2007/11/doubleclick

[8] https://zeltser.com/malvertising-malicious-ad-campaigns/

[9] http://www.cnet.com/news/malware-delivered-by-yahoo-fox-google-ads/

[10] https://www.solutionary.com/resource-center/blog/2010/02/malvertising-and-corporate-security-a-no-win-situation-right-now/

[11] http://www.techtimes.com/articles/141546/20160317/major-ad-based-cyberattack-slaps-top-publishers-with-malware-tied-to-angler-exploit-kit.htm

[12] https://www.youtube.com/watch?v=D6MG2uBIfUI

[13] crockford.com/pp/principles.ppt

[14] http://www.iab.com/guidelines/iab-display-advertising-guidelines/

[15] https://www.trustwave.com/Resources/SpiderLabs-Blog/Angler-Takes-Malvertising-to-New-Heights/

[16] http://www.bbc.com/news/technology-35821276

[17] http://proofpoint.com/us/threat-insight/post/video-malvertising-bringing-new-risks-high-profile-sites#comment-10285

[18] https://blog.malwarebytes.org/malvertising-2/2016/03/top-australian-classifieds-site-serves-malware-in-malvertising-attack

[19] https://blog.fox-it.com/2016/04/11/large-malvertising-campaign-hits-popular-dutch-websites

[20] http://botlab.io/malvertising-a-serious-threat-to-internet-users-business-and-society/

[21] https://blog.malwarebytes.org/threat-analysis/2016/03/a-look-into-malvertising-attacks-targeting-the-uk/

[22] https://nakedsecurity.sophos.com/2016/04/12/massive-malvertising-attack-poisons-288-sites/

[23] http://m.digitoday.fi/tietoturva/2016/03/16/tietokoneesi-on-vaarassa-vaikket-tekisi-mitaan-ilmiossa-havaittu-piikki/20162985/66

[24] http://www.infoworld.com/article/2625124/malware/the-doubleclick-attack-and-the-rise-of-malvertising.html

[25] https://blog.malwarebytes.org/threat-analysis/2015/04/flash-ek-strikes-again-via-googles-doubleclick/

[26] https://blog.malwarebytes.org/threat-analysis/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/

Here is a simple guideline for researchers to establish a basic level of online anonymity for the purpose of disconnecting identity and physical location from research activity.

What do you need? 

• a prepaid credit card
• an anonymous prepaid sim card

What level of anonymity will this guidance provide?

• basic level, yet sufficient for most research activity
• not at all suitable against state-level surveillance

What will this tutorial cover? 

• creating both client-side and server-side anonymity
• basic ideas about maintaining anonymity in online research

1) Getting a prepaid credit card

In some countries, you can get prepaid cards from grocery stores, pharmacies and such. This includes the US. If you can’t get one in your country, you can get one online. You find many options from Google. You should not put much more money into the card than you know you will need. You might have to discard it. Once you have the card, it might be good to buy some bitcoin using it (for paying VPN and other services where you want more complete anonymity).

2) Getting an anonymous sim card

You can get one easily from many countries. If you travel frequently, you can get it from a country where you can get it if yours don’t allow it. Many will work abroad as long as you activate it before you leave the origin country. Don’t ask others to do it. Never mix others to your activities.

3) Choosing the VPN that is right for you 

Choose one that is not known for spying on its users, data brokering, easily giving data to authorities, etc. Also, make sure that it has a choice for the country where your Sim card is.  Don’t tell to others which VPN you use.

4) Use a random name generator to create your alias (name)

http://www.behindthename.com/random/
http://random-name-generator.info/

or for a little more fun:

http://character.namegeneratorfun.com/

5) Create an avatar for you new alias 

Most people use some kind of image as their avatar, which is usually a photo of a person, or something else “personal”. Profiles that follow this idea seem more legitimate. One way is to pixelate a photo of someone:

http://www.facepixelizer.com/

The other is to create an anime / game character:

http://avachara.com/avatar/
http://www.rinmarugames.com

The most important point is to NEVER USE SOMEONE ELSE’S PHOTO without making it completely obscure first. Never. Also don’t just take images online and then reuse it. Otherwise you expose yourself to reverse image searches with tools like:

https://www.tineye.com/

If and when you use an image, do make sure to use a meta-data scrubber. While it may be better to have a more comprehensive system designed for your operating system, you can get started with an online tool such as:

http://www.verexif.com/en/

6) Setting up your Browser

You can’t use Google Chrome because, at the time of writing this, it still has the problem of WebRTC leak i.e. it will leak your actual IP under any condition, including one where you use a VPN. If you can make it work so that it doesn’t, then you could use it.

Once you’ve setup your browser with ad blocker (uBlock Origin seems to ok), check that your WebRTC does not leak:

https://www.browserleaks.com/webrtc#webrtc-disable

AdBlock Plus is not really an ad blocker, but adware, so don’t use that.

Very importantly, uninstall flash, java, and Silverlight. And no, you can’t replace the instructions on this guide by using Tor. Forget Tor, it just means you’re going to be flagged everywhere you go.

7) Creating an anonymous Google account 

Turn on your VPN to the country of your SIM card and create a Gmail account with your new alias. Gmail account is a major trust factor on the internet. I can’t imagine why, but it is.

Usually, the name you choose is not available as it is because somebody else is already using it. Extend it with the birth year you select, or something else that you would if you were really creating an email address for actual use.

Verify the account with your anonymous SIM card. Do not add an alternative email address.

8) Some additional points about anonymity 

Your cover can be blown at various levels:

• network level > use VPN and WebRTC leak
• router level > use a strong password and keep your router up-to-date
• device level > keep everything up-to-date, use strong passwords and change mac address
• browser level > WebRTC leak block, ad blocking and uninstall java, flash, and Silverlight
• persona level > read the guide again if it’s unclear
• identity level > keep alias disconnected from persona

Network level in some cases leads to a precise location, which is as bad as identity level. So using a VPN and preventing WebRTC leak is VERY IMPORTANT.

You can find the right way to change the mac address in your system from Google. Do that frequently.

If you think your persona and identity is mixed, drop the persona and create a new one.

9) Setting up anonymous server

AWS has many advantages for this kind of use,  but you could use any hosting provider. Some accept Bitcoin, but are mostly the kinds of hosts that get flagged easily. If you have servers already, you can use AWS for tunneling or proxy between your target hosts and your own servers.

This page is a collection of malvertising evidence found on major publisher sites. It is continually updated as new findings emerge.

14.3.2016 [1]

answers.com
zerohedge.com
infolinks.com

16.3.2016 [2]

msn.com
aol.com
nytimes.com
bbc.com
newsweek.com

25.3.2016 [3]

msn.com
start.lenovo.com
start.toshiba.com
foxnews.com
inquisitr.com
theguardian.com
reuters.com
agar.io
boston.com
americancolumn.com
latimes.com
chicagotribune.com
nypost.com
theadvocate.com
cbssports.com
dictionary.com
ehow.com
politico.com
myconnection.cox.com
thehill.com
photobucket.com
gazeta.pl
dailymotion.com
whitepages.com

25.3.2016 [4]

gumtree.com.au

11.4.2016 [5]

nu.nl
marktplaats.nl
sbs6.nl
rtlnieuws.nl
rtlz.nl
startpagina.nl
buienradar.nl
kieskeurig.nl
veronicamagazine.nl
iculture.nl
panorama.nl

SOURCES:

[1] https://www.trustwave.com/Resources/SpiderLabs-Blog/Angler-Takes-Malvertising-to-New-Heights/

[2] http://www.bbc.com/news/technology-35821276

[3] http://proofpoint.com/us/threat-insight/post/video-malvertising-bringing-new-risks-high-profile-sites#comment-10285

[4] https://blog.malwarebytes.org/malvertising-2/2016/03/top-australian-classifieds-site-serves-malware-in-malvertising-attack

[5] https://blog.fox-it.com/2016/04/11/large-malvertising-campaign-hits-popular-dutch-websites

There has been a lot of talk about ad blocking in regards to how certain ad formats are annoying internet users, but not nearly enough about the threat Malvertising and leaving it unchecked is causing to internet users, businesses and the society. The Internet finds itself in a malware epidemic, one that is fueled by the biggest ad networks and publishers. More than any other single thing, the epidemic can be made worse by attempts to stop internet users from blocking ads.

In a recent article by Wired [1], malvertising, the practice of delivering malware to a user’s device through an ad, is described as “hacking us softly”.

This disction between the old way of malware delivery where a user could effectively reduce chances of exposure by using common security software and avoiding clicking suspicious links, and when malware is delivered through an ad, is that there is very little the user can do to avoid exposure using any traditional security solution or behaviour based practice.

What is making the threat even more worrysome for internet users, is where these Malvertising attacks are being carried out. For example last week BBC reported that their own site, together with 13 other major sites were being used by criminals to deliver Ransomware on to users’ devices[2].

Examples of major sites recently used in Malvertising attacks to deliver Ransomware on to users’ devices include:

• MSN
• BBC
• The New York Times
• AOL
• Newsweek

In the last quarter of 2015, Ransomware attacks increased by 26% quarter-on-quarter [3] and the word ‘epidemic’ have been widely used in the media and by security experts[4] to describe the dramatic growth in Ransomware activity.

Another recent report found that Google’s Doubleclick ad platform was used for targeting specific countries with Malvertising attacks[5]. Because malvertising attacks have been and continue to be connected with ad fraud malware [6] and ransomware, an enemy of state can effectively use malvertising attacks to directly cause harm to a given nation state and its people.

In the US there are many reports from police stations where they have to pay for unlocking the data in their systems after being hit by Ransomware[7]. This is not a surprise as Google Doubleclick and other common ad platforms allow targeting of ads based on IP address and even company name. This way public officials and key state-level services and infrastructure could be easily attacked using the same methods covered in the sources referenced in this article.

It is not just Ransomware that is growing dramatically, but there is an even darker picture in overall Malware situation.

With a recent report claiming 325% year-on-year growth for malvertising[8], delivering malware through ads is rapidly becoming the preferred method for targeted and untargeted malware at any scale. Cisco’s Annual Security Report [8], found that ads were the second most common source for malware exposures with 16% of all exposures.

In a Senate Testimony, Online Trust Alliance reported that while in 2013 year-on-year growth for Malvertising attacks was already 200%, there were already at that time over 12 billion malicious ads[9], or more than 4 for every internet user. As the recent reports show, these attacks are increasingly being conducted through trusted major sites.

SOURCES:

[1] http://www.wired.com/insights/2014/11/malvertising-is-cybercriminals-latest-sweet-spot/

[2] http://www.bbc.co.uk/news/technology-35821276

[3] http://www.timeslive.co.za/scitech/2016/03/23/Epidemic-of-ransomware-is-growing-hacking-threat

[4] https://blog.kaspersky.com/ask-expert-ransomware-epidemic/9332/

[5] https://blog.malwarebytes.org/malvertising-2/2016/03/a-look-into-malvertising-attacks-targeting-the-uk/

[6] https://www.invincea.com/2015/10/invincea-uncovers-advanced-malvertising-attack-launching-rootkit-and-click-fraud-threats-via-top-10-german-website/

[7] http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918

[8] http://go.cyphort.com/rs/181-NTN-682/images/Malvertising-Report-15-RP.pdf

[9] https://otalliance.org/news-events/newsletters/may-15-2014-online-trust-alliance-us-senate-testimony-malvertising-jumped

[/content_container]