Advertising fraud, malvertising, and its impact on publishers

According to a 2019 Digital Ad Fraud report, it has been estimated that advertising fraud costs the ad tech industry between $16.5 and $19 billion annually. In this case, ad fraud is being used in general terms to include malvertising.

However, advertising fraud and malvertising are used interchangeably as they have some very similar consequences. In reality, they’re completely two different things and have significantly different targets. Either way, it’s important for publishers to understand what defines them, what makes them different, and how to prevent an attack.

What is ad fraud and how does it work?

Advertising fraud, or ad fraud, is defined as the act of fraudulently representing traffic, impressions, clicks, conversions, or any data events related to generating ad revenue. As simple as that may sound, ad fraud is actually a very complex practice that negatively affects both publishers and advertisers across multiple platforms and ad formats. It even goes as far as to affect affiliate marketing.

Most often you’ll hear ad fraud in relation to invalid traffic (IVT) as that is its formal name according to the Trustworthy Accountability Group (TAG) and the Media Rating Council (MRC). According to these two governing bodies within the ad tech industry, IVT is more or less a ‘traffic quality’ issue. This is largely due to the fact that the primary forms of ad fraud come from fake user traffic and ad bots — both of which directly affect the quality of clicks, impressions, and conversions generated by a dishonest source.

The different types of ad fraud

Ad fraudsters directly target ads in their various formats and trick advertising platforms into thinking that this fake activity is real for one specific purpose: Financial gain. This is where you can see how sophisticated ad fraud really is, as there are several different ways to implement it.

Here are the most common types of ad fraud:

Domain spoofing

Domain spoofing is the act of impersonating publishers by disguising one website as another website. This ‘other’ website is always posed as more valuable to trick advertisers into paying premium prices for fake ad inventories.

Domain spoofing is also implemented by using bad actors to scrape content in order to set up a fake site that appears legitimate. From there, the ad fraudster will generate revenue by buying low-quality traffic and running ads.

Cookie stuffing

Many eCommerce brands and platforms use affiliate marketing by leveraging content creators to promote their products or services. When a user makes a purchase, the affiliate who influenced the sale is paid a commission. The attribution for these types of sales is managed by third-party tracking cookies.

Cookie stuffing is the act of implementing tracking cookies onto these websites without the user or anyone else knowing. Once a user makes a qualifying purchase, the ad fraudster behind the cookie stuffing receives the commission from that sale — not the affiliate. Not only does this type of ad fraud steal the affiliate publisher’s commission but it also steals their credit for the sale.

Pixel stuffing

Pixel stuffing is the act of exploiting advertising campaigns using the cost-per-mille (CPM) model, otherwise known as impression fraud. In this scenario, the ad fraudster creates 1×1 pixel placements and stuffing one or several ads into the placement.

They’re invisible to the naked eye and they allow fraudsters to display numerous ads on a single webpage to reap the credit for the impression served. Because of this, advertisers don’t generate results for their campaigns since the impressions are never actually seen by real users.

Ad stacking

Ad stacking is similar to pixel stuffing, only the ad units are stacked on top of one another rather than fitting into a 1×1 pixel placement. As many as five ads can be stacked at once and the ad fraudster will claim credit for all five impressions served while the user only actually sees the one ad on top of the stack.

Non-human traffic

Non-human traffic refers to bots, spiders, and any other type of traffic that does not meet TAG’s ad serving quality or completeness criteria — otherwise referred to as IVT. IVT is broken down into two categories:

• General invalid traffic (GIVT)
• Sophisticated invalid traffic (SIVT)

GIVT revolves around search crawlers, traffic from known data centers, and irregular engagement patterns such as duplicate clicks. SIVT revolves around ad fraudsters taking the extra steps to mask their behavior as ‘legitimate user behavior’. This would include incentivized clicks, misleading user interfaces, and fraudulent browser automation.

What is malvertising?

Malvertising is when bad actors pose as advertisers and buy up ad space. In doing so, they also serve creatives embedded with malicious JavaScript. This hidden code enables forced clicks to advertiser sites and can download malware directly onto the user’s device.

Malvertising manifests in a variety of ways. Forced redirects, where an ad causes the browser to redirect the user to a new site, are one of the most common forms of malvertising. In this instance, the new site will present a ‘system alert’ to convince users to install the fraudster’s malware onto their computer.

Other instances involve attacking browser vulnerabilities to completely compromise a user’s entire machine or device. This can happen without the user taking any specific actions whatsoever and can happen without them knowing until it’s too late.

It also crops up in certain programmatic advertising infrastructures, especially third-party ad exchanges. This is where publishers come to sell their impressions, as well as position and deliver ads. It offers a significantly large reach as well as optimal targeting capabilities, which “malvertisers” like to take advantage of.

Essentially, malvertising leverages digital ads to spread malware or launch phishing campaigns. Therefore, they target the safety and quality of the ads in question, which directly impacts publishers and users. Ultimately the goal is to either drop cookies to rip off a publisher’s ad revenue or steal user information to use against them.

What makes advertising fraud different from malvertising?

Put simply, ad fraud targets ad traffic while malvertising targets ad quality. The goal of ad fraud is to steal ad revenue from publishers via invalid traffic whereas malvertising aims to not only steal ad revenue, but publisher and user data as well.

Of course, there are certain implementations that fall under the advertising fraud umbrella term but refer to malvertising. This would include ad injection where fraudsters use compromised plugins and browser extensions to insert their ads and malware.

Why should publishers care?

For a long time, it was thought that ad fraud only affected advertisers. However, advertisers really only have to worry about wasted ad spend and in some cases, their reputation.

Publishers, on the other hand, have to worry about several things. First, they have to worry about losing out on ad revenue on top of losing access to their ad networks and exchanges. Second, ad fraud and malvertising also ruin the trusted relationships between advertisers and publishers, which in turn can ruin a publisher’s reputation. Lastly, they have to worry about users installing adblockers to avoid ads that could lead to unwanted redirects.

This is substantiated in our 2021 PageFair Adblock Report where we found that 62% of surveyed users decided to install an adblocker to protect themselves from malware. Given that most publishers have an adblock rate between 10-40%, neglecting to engage one’s adblocked audience can result in a substantial amount of lost ad revenue.

How to prevent advertising fraud

If you don’t take the steps to protect yourself and your visitors from ad fraud, then you stand to lose an entire source of income. The key to prevention is to proactively keep an eye on your website and implement proper safety measures.

Here are a few ways to prevent invalid traffic from ruining your website:

• Understand your visitors: Having a good sense of what typical user behavior looks like on your website is the first step to tracking suspicious traffic patterns. Based on what you’re seeing, you may want to remove certain ad codes or partner with a dedicated ad fraud vendor.
• Set up custom alerts: Observing on-page behavior alone isn’t enough to detect all the types of ad fraud out there. It’s a good idea to set up alerts for monitoring your traffic and revenue metrics for any sudden and suspicious fluctuations. Most analytics tools allow you to create custom alerts based on various metrics.
• Use an ads.txt file: Having an ads.txt file in place will explicitly state which ad networks, exchanges, and SSPs are authorized to re-sell your ad inventory. This will help you trace any compromised inventory. Just make sure any monetization partners are using a valid Sellers.json file so advertisers can verify the source of the inventory and impressions being purchased.
• Assess all third-party plugins and scripts: Publishers depend on third-party CMS plugins, extensions, and scripts to run their analytics and extend the functionality of their sites. Therefore, it’s essential to inspect the code beforehand and make sure it’ll only do what it’s supposed to do.

In summary

There’s a whole laundry list of ways to prevent ad fraud from wreaking havoc on your website, users, and media partners. The best thing you can do as a publisher is to keep up with the current ad fraud trends and standards to ensure you’re taking the correct measures to prevent it.