New media initiative aims to prevent fraudsters from exploiting digital advertising platforms

Advertisement fraud can take many forms – from hidden malware in banner ads and clickjacking to CPU-sapping cryptominers that slow devices down to a crawl.

A study by the Association of National Advertisers (ANA) found that $6.5 billion was lost to ad fraud in 2017, a figure that is expected to rise this year.

The report also found that 22% of desktop video adverts were fraudulent, cementing the delivery channel’s reputation as a “key target” for fraudsters.

In January, Trend Micro researchers detailed how Google’s DoubleClick ads had been hijacked by Coinhive JavaScript to secretly mine for Monero.

As a result, up to 80% of the CPU resources on the users’ devices were being drained.

Google quickly removed the offending adverts and banned the actors in question.

But the consequences don’t just stretch to the user who, in the worst-case scenario, can be left with an infected machine – website owners are also missing out on much-needed funds.

Media publisher Forbes often forces visitors to switch off their ad blockers by obscuring popular articles until permission is granted for adverts to be displayed.

This is a fairly common and reasonable request, especially during a time in which newspaper sales are decreasing rapidly year on year.

But in 2016, droves of Forbes visitors were stung when they were served with pop-under malware after disabling their ad blocking tools to view the annual ‘30 Under 30’ list.

“If you apply something like an ad blocker you’re depriving the publisher of the revenue from the traffic,” Maggie Louie, CEO of cybersecurity vendor Devcon, told The Daily Swig.

“And so it’s a very difficult position for everyone, because publishers are being exploited, they don’t want these bad ads, and then consumers, in order to block the bad ads, block all of the ads.

“That’s where we really hope to create some balance within that ecosystem,” Louie added. “To provide the consumer safety, the publisher safety, and allow some good revenue to still flow.”

Fighting on all fronts

Devcon has recently partnered with the Local Media Association (LMA) and AdHack.org in a new initiative aimed at educating and protecting publishers across the US.

The drive will see LMA’s 3,000 members offered access to Devcon’s fraud detection and prevention tools as part of its Freedom for Media program, as well as advice and support from non-profit AdHack.

Jed Williams, chief innovation officer at LMA, told The Daily Swig: “The tricky thing about digital ad fraud is that it takes many forms, all of which must be contended with.

“The AdHack.org initiative that LMA is in partnership with addresses many of these, including invasive malware, forced redirects, cookie stuffing, and more.”

Devcon’s fraud detection toolkit acts much like an antivirus, scanning for known vulnerabilities and blocking them before they can impact the publisher and consumer.

It hunts down the usual suspects – drive-by downloads, cryptominers, and malicious redirects, for example – and also collects data on new threats or attacks to be logged.

Many of the tools are provided free of charge, with bespoke packages created to meet the publisher’s demands, and are easy to use so that even smaller websites with little security knowledge can utilize them.

But while antivirus models such as Devcon’s tools can provide a security crutch for publishers with limited resources, this approach is not always foolproof.

It largely depends on whether the affected websites want to play ball.

Double-edged fraud

In 2017, around 20% of all registered domains were created specifically as “cash-out sites”, which exploit bots to make money.

Dr Augustine Fou, an independent ad fraud researcher, told The Daily Swig: “There are two kinds of publishers – publishers who are trying to do the right thing and do not cheat and commit fraud, and websites that carry ads and want to cheat in order to make more money.

“Good publishers already have [a] low [number of] bots because they have human audiences. Long tail publishers have few human [followers] so they want to buy traffic which is created out of thin air by bots and not humans.

“So those publishers don’t want to prevent fraud, they want to be able to keep doing it. And they may not even consider it fraud.”

Dr Fou added: “Antivirus tools are useful in detecting things that have been seen before… so [while] it may help slow the spread of malware-based ad fraud, most forms of ad fraud are not reduced.

“This is because the websites that want to commit ad fraud will not install fraud detection tech on their sites, so they can carry out the ad fraud undetected.”

So if detection and prevention aren’t the key to stopping fraudsters, what can be done?

Josh Summitt, chief technology officer at Devcon, suggests introducing stronger regulation could be one option.

He told The Daily Swig: “There’s zero regulation on how these ads are displayed and they’re a good conduit for spreading drive-by downloads or other types of malware.

“I think the security community is behind trying to create more secure protocols for the way these ads are distributed, or the way they’re displayed. I think this could be amazing for the industry.”