The cybercriminal's cash cow and the marketer's machine: Inside the mad sad bad web ad world

Web hosting caught red handed

Vidakovic said industry players tend to fall into two categories: those trying to solve systemic problems and those trying to exploit them.

"Personally, I think there will always be an underbelly in the ad world," he said. "At the same time, things will slowly clean up among legitimate players. Those who fail to muster the will to solve these problems will either become members of the underbelly themselves or go out of business."

"The web hosting industry is definitely complicit," said Fou, adding that cloud service providers like Amazon appear to be similarly reluctant to police content flowing through their pipes.

Vlad Shevtsov, director of investigations for ad consultancy Social Puncher, suggests the boundary between good and bad players is partly a matter of semantics.

"The ad industry earns on companies' ad budget spending, but they are just wholesale resellers of someone's audience attention to advertisers," he explained in an email to The Register. "Those who try to sell low-quality simulation, they call 'ad fraudsters,' but if the simulated audience formally passes the client's rules, ad industry calls them 'publishers' and shares the client's money with them."

Mangin suggests the industry has been so profitable for so long that there's a disinclination to rock the boat. Cybercriminals, he said, "have created a structure where the industry is addicted to their revenue," he said.

What's more, it can be technically challenging to detect ad fraud.

"If you try to make the decision about every click and every ad view in real time, it is impossible to detect simulated audience," said Shevtsov. "But if you start to analyze the historical behavior of the audience, of the source of visits and views which was sold to advertisers, the anomalies will be obvious."

"It's a very complicated thing to trace and identify culprits," said Mangin.

Commissioning crime

In January, his company, Confiant, outed a major ad fraud operation dubbed the Zirconium Group, said to be responsible for operating 28 fake ad agencies and buying a billion ad views for malvertising last year.

Zirconium Group, explained Mangin, wasn't itself focused on malicious behavior. Rather it created compromised browsers through ads and sold those impressions to scammers.

"They were selling access to those impressions," he said. "They didn't infect anyone themselves."

As soon as Confiant published its findings, he said, they took down all their systems. Presumably law enforcement is aware of the operations – Mangin declined to comment on whether there's an investigation underway – but the absence of any publicly announced arrests underscores the difficulty of cybercrime investigations.

Fou argues that digital ad fraud and cybercrime shouldn't be considered separately because the two are so closely intertwined.

Vidakovic agrees they're interrelated. "However, one distinction is that general cybercrime can be aimed at any number of targets: individuals, corporations, governments, and so on," he said. "On the other hand, ad fraud is almost always aimed at defrauding advertisers. That is, corporate brand marketers are the primary aggrieved party. Media companies and publishers also lose out because every dollar that goes towards fraud is a dollar that is essentially diverted from the pockets of legitimate publishers."

Shevtsov offers a slightly different view, which perhaps explains why ad fraud isn't often punished. "Ad fraud is not a tech cybercrime," he said. "Ad fraud is a financial white-collar crime. Audience simulation is like what Enron or Bear Stearns did."

There's reason to believe that law enforcement authorities may be ready to pursue ad fraud more aggressively. Vidakovic pointed out that that last September, the FBI attended the ad industry's Dmexco conference and has shown interest in ad tech since then.

Mangin argues marketers need to step up too. "If we as an industry don't stop this, the users suffer for this and that drives the ad blocking installations," he said.

Asked if there's anything the ad industry can do to fix things, Shevtsov said, "No, whole ad industry ecosystem was designed to be totally non-transparent for advertisers. Can advertiser get the full list of beneficiaries of every cent for every ad view, that company has paid for? NO! But every ad reseller knows this." ®