Fake-Ad Operation Used to Steal Over $500,000 a Day From Publishers Is Uncovered

Fake-Ad Operation Used to Steal From Publishers Is Uncovered

Adform says ‘Hyphbot’ scheme created fake websites, nonhuman traffic to scam advertisers of more than $500,000 a day

The fraudsters behind the Hyphbot scheme created more than 34,000 different domain names and more than a million different URLs in an attempt to fool advertisers.

By Lara O’Reilly Updated Nov. 21, 2017 3:05 p.m. ET

An ad-tech firm says it has discovered a large and sophisticated advertising-fraud operation in which fake websites and infected computers were used to scam advertisers and publishers out of upward of hundreds of thousands of dollars a day.

Denmark-based Adform, identifier of the scheme, named it “Hyphbot” and estimates that it has been going on since at least August.

According to Adform, the fraudsters behind the Hyphbot scheme created more than 34,000 different domain names and more than a million different URLs, many designed to attempt to fool advertisers into thinking they were buying ad inventory from big-name publishers such as the Economist, the Financial Times, The Wall Street Journal and CNN. It is a tactic known in the industry as “domain spoofing.”

The perpetrators then generated a wave of nonhuman, or “bot,” traffic that loaded the fraudulent sites, which made money mostly through video ads. Video ads are lucrative because they carry higher rates than other online display ads.

Fake traffic is a serious issue for advertisers because it means they have wasted money buying ads that were served to computer programs, rather than real people who might go on to purchase their products. And real publishers get cheated out of potential advertising revenue.

Adform says much of the impact of the scheme could have been thwarted if publishers and ad-tech companies had implemented and kept up-to-date with a new industry initiative called Ads.txt, which is designed to stamp out domain spoofing.

Adform’s investigation suggested that the fraudsters behind Hyphbot used a network of data centers and unwitting consumers’ computers, infected by malware, to access more than half a million IP addresses, mostly from the U.S., to mimic real browsing behavior on the network of fake sites.

The suspicious URLs were presenting themselves in ad auctions via at least 14 different ad exchanges at a rate of up to 1.5 billion requests to ad buyers a day.

Adform began informing the majority of ad exchanges affected on Sept. 28, two days after it began its analysis. Since then, it has seen a reduction in the fraudulent traffic, although Hyphbot is still believed to be active. Adform also informed the Federal Bureau of Investigation in the U.S. and Metropolitan Police in the U.K. Adform’s full findings were independently reviewed by two industry experts before the publication of the white paper.

Jon Slade, the chief commercial officer of the Financial Times, said the publisher was “not surprised” to hear of another fraud scheme based around spoofing. Last month, the Financial Times ran its own investigation and found 25 ad exchanges had been offering fraudulent ad space, purporting to be from FT.com.

“We are urging all actors in the supply chain to urgently implement and adopt the Ads.txt standard,” Mr. Slade said. “It’s one of the best bets for a cleanup that we have.”

Dow Jones, the unit of News Corp that includes The Wall Street Journal, said it implemented Ads.txt about a month ago and echoed the FT’s sentiment that solving the larger problem “requires the participation of all parties involved.”

A spokesman for Turner, the Time Warner unit that operates CNN, said it also implemented Ads.txt earlier this year.

The Economist declined to comment.

It is difficult to extrapolate exactly how much money the scheme has made so far. Adform describes Hyphbot as “likely the biggest bot network” to hit the online ad industry. Jay Stevens, Adform’s chief revenue officer, gave a “conservative” estimate that, at its height, the scheme could have been generating at least $500,000 a day.

Last December, ad-fraud detection firm White Ops discovered a Russian ad-fraud operation called Methbot that it said was defrauding U.S.-based online advertisers of more than $3 million a day, a figure that some in the industry say was overstated.

Hyphbot has the potential to be “three to four times” bigger than Methbot because it spoofed more web domains and used a larger bot network to generate the fake traffic, according to Adform’s research findings, outlined in a white paper published Tuesday.

An estimated $6.5 billion in ad spending is expected to be wasted this year due to fraud, according to a report released in May by White Ops and the Association of National Advertisers. But, that amount is down 10% from 2016, suggesting some industry efforts to tackle the problem may be working.

Ads.txt is a mechanism that allows publishers to display to ad buyers all the legitimate sellers of their ad inventory via a text file on their websites. Buyers and their ad-tech vendors can crawl those files —such as thisone from WSJ.com—and know to only to buy a particular website’s ads from those listed sellers.

More than 36,000 web domains have adopted Ads.txt since it was introduced five months ago by the Interactive Advertising Bureau, the U.S. trade body said.

Publishers adopting Ads.txt isn’t a full solution. It requires everyone else in the chain—from ad buyers to demand-side platforms and ad exchanges—to sign up and ensure the files are updated and scraped regularly in order for the initiative to work effectively.

Aside from Ads.txt, Adform has also listed other suggested remedies in its Hyphbot white paper, which include encouraging ad-tech vendors to check their data warehouses for suspicious patterns of bid requests outlined in its report and shutting off associated networks.

https://www.wsj.com/articles/fake-ad-operation-used-to-steal-from-publishers-is-uncovered-1511290981