Failure to Act Against Ad Fraud is Equal to Supporting Cybercrime

With malvertising reportedly rising over 300% in the last year – and with ad fraud widely reported to be at least a 10-times bigger threat than identity theft – cleaning up the next biggest cybercrime, internet advertising, should be everybody’s priority. Mikko Kotila (pictured below), principal, botlab.io, tells ExchangeWire how advertising technology is a threat to internet security and general society.

Many national economies rely on consumption as the primary driver for GDP. Production, and therefore employment, are associated with demand for products; which, in turn, is driven by advertising effectiveness and brand value. Both advertising effectiveness and brand value are mostly results of successful investment in media. In some categories, up to 90% of sales are directly attributed to the effect of investment on media.

When media investment is rendered inefficient, as is the case with ad fraud, there is often substantial damage to the national economy. Because of the damages ad fraud cause, it can be used as an economical cyber weapon: a case where a malicious actor wanting to cause harm to a given nation and its economy achieves this goal by using advertising fraud methods. In this same way, a company’s opponents may use ad fraud to effectively attack its bottomline. Unlike other attacks, in ad fraud’s case, the attacker can also make substantial amounts of revenue at a very high profit margin.

In addition to being a source of criminal earnings and an economic cyber weapon, for internet users with limited data plans, ad fraud and malvertising are also a problem associated with increasing data transfer costs. Almost everyone pays for ad fraud, one way or another.

An ad: the easiest way to put a malicious code on a device

Due to the way ad platforms help host third-party codes inside ad calls as a standard industry practice, distributing malware at scale is easier than before. Adversaries can use ad platforms to target malicious codes based on specific browser versions, or other ad targeting criteria. There are thousands of ad platforms, and the majority of them are wired to operate in a very simple way:

– get a customer who wants to deliver ads

– deliver the ads (and the codes together with the ads) for the customer

– charge the customer for delivering the ads (and the codes)

The ad platform is left at a great disadvantage; and to counter this, the adversary can create infinitely more shell companies and create infinitely more trading accounts. A guidance on how third-party codes should be handled, in regards to ad impressions, is desperately needed to help make ad platforms more secure.

As the user can’t know about the codes that are loaded inside an ad, it seems fair to argue that having any third-party codes inside ad calls is questionable at best. In the current situation, with no guidance or regulation, this practice is creating a real threat to the security of the internet.

It is fairly straightforward to setup a campaign to distribute ad fraud malware inside ad calls. Every infected device will then, in turn, start to generate fake traffic that goes to spam sites; from where it goes to ad exchanges and may end up for auction on the same platform where the scheme was started earlier. Sometimes the infected device will run the ad fraud malware in a way that makes it very hard to stop it or remove it unless you know exactly what you are looking for. The level of sophistication in ad fraud malware is moving very fast, as a natural result of companies taking action against the most obvious and least sophisticated schemes.

Why ad fraud will continue to growMikko_headshot (2)_resized

If you have a burglar problem in your area, and you change the locks on your front door, it will work to repel burglars to the extent that nobody else is changing their locks in your area. Once everybody has a lock at least as hard to pick as yours, there is no benefit from having it. When somebody is making money from ad fraud, they’re not going to settle for less money suddenly because it’s more difficult to do now. Just like anyone working with an enterprising attitude elsewhere, burglars are going to look for growth. Ad fraud is the first blockbuster cybercrime, larger than all other forms of cybercrime combined. It doesn't seem likely that once someone has gotten a taste of it, they will move on to do something else just because someone is countering their activity.

How big is ad fraud already? Depending on the market, type of investment and other factors, it will be somewhere between 10% and 90% in the majority of media investments in 2016. With TV being pushed to programmatic, even at a 10% rate, total ad fraud revenue will be pushed towards USD$50bn (£34.7bn) by 2025. Making it the second largest form of organised crime. At a less conservative rate of 30%, the ad fraud industry would be nearly as big as the entire global cyber security industry, in terms of revenue.

Failure on part of the advertising technology vendors, publishers, agencies and advertisers to understand these arguments, and to take corresponding action urgently, is equal in risk to being a supporter of cybercrime and rogue economic warfare activity. In an internet where mixed incentives and unsecured platforms of advertising technology, companies have the kind of effect we can witness today, it becomes in the internet users’ interest to protect themselves from internet advertising, thus defeating the purpose of internet advertising.