Publishers have enough to juggle without worrying about sketchy ads sneaking in through video inventory. But with malvertising on the rise — especially those sneaky auto-redirects infecting VAST tags — EX.CO and GeoEdge are joining forces to shut it down.

This partnership is grounded in ad quality to safeguard user trust and ensure publishers’ revenue keeps flowing without the hassle of bad ads ruining the party.

The post EX.CO and GeoEdge Team Up to Shut Down Video Malvertising appeared first on AdMonsters.

The MFA site traffic craze was a hot topic in ad tech last year. Many questioned: are all MFA sites bad? What exactly distinguishes what an MFA site is? At the time of the craze, MFA sites made up 15% of global programmatic ad spend, but agencies were working to combat them, much like AdLib and Jounce, and are working on them now. 

In a strategic move to enhance the quality and effectiveness of programmatic advertising, AdLib Media Group has announced a partnership with Jounce Media by integrating its MFA detection technology. 

In an effort to guarantee that advertisers focus their media investments on premium publishers to drive real consumer engagement, AdLib is providing agencies with tools to optimize their digital ad spend by connecting Jounce Media’s advanced MFA detection technology to automatically block low-quality traffic. 

“MFA websites are a growing threat to advertiser success. By integrating Jounce Media’s technology, we can safeguard client campaigns against wasted media investment,” said Mike Hauptman,founder and CEO of AdLib.. 

Jounce Media President Chris Kane echoed this sentiment. If the industry proactively blocks low-quality traffic, it ensures that media investments go toward genuine publishers that influence consumer purchase decisions.

Mike Hauptman: The Future of Programmatic Advertising

Andrew Byrd: Why did AdLib partner with Jounce Media specifically to block MFA traffic? What stood out about their solution?

Mike Hauptman: We partnered with Jounce Media because their approach to detecting and blocking MFA traffic is both innovative and reliable. 

What really stood out to us was their ability to dynamically identify and classify MFA sites, ensuring that we’re always one step ahead of the curve. 

They don’t just rely on static lists—they continuously update and refine their detection methods, which is crucial given how quickly MFA sites can evolve. This level of precision and their commitment to transparency made them the perfect fit for AdLib, where our goal is to deliver the highest quality media experiences for our clients.

AB: How does this partnership align with AdLib’s broader mission and strategy within the programmatic advertising space?         

MH: This partnership is a natural extension of our mission to make premium programmatic advertising accessible to all agencies, regardless of size. Our strategy has always been about reducing complexity and increasing transparency in the ad buying process. 

By integrating Jounce Media’s technology, we’re ensuring that our clients can trust the inventory quality they’re purchasing. It’s about removing the guesswork and inefficiencies that have long plagued programmatic, particularly for mid-market agencies that don’t have the resources to tackle these issues on their own.

AB: What impact do you expect this partnership to have on your client’s campaign performance and overall media investment?

MH: The impact is going to be significant. By automatically blocking MFA traffic, our clients will see a reduction in wasted ad spend and an improvement in campaign performance. MFA sites are notorious for inflating metrics without delivering real value, so by eliminating them, we’re ensuring that our clients’ budgets are directed toward high-quality, impactful placements. This not only boosts performance metrics like engagement and conversion rates but also enhances brand safety and reputation. 

AB: How do you plan to further enhance AdLib’s DSP platform with similar integrations in the future?         

MH: We’re always looking for ways to bring best-in-class tools and technologies to our platform. The Jounce partnership is just the beginning. Moving forward, we plan to integrate additional solutions that address other pain points in the programmatic space. Our focus is on building a platform that’s not only powerful but also easy to use, so our clients can focus on strategy and creativity rather than the technicalities of media buying.

AB: What steps will AdLib take to educate and onboard clients about this new feature and ensure they fully leverage its benefits?

MH: The beauty of this integration is that it’s completely turnkey and automatically enabled for all AdLib clients at no additional cost. There’s no setup required—clients will immediately benefit from enhanced ad quality without lifting a finger. We’ll also provide insights through the platform to highlight the positive impact on their campaigns.

AB: Are there any initial testing results to share after Jounce integrated its MFA detection tech into your DSP?

MH: While we’re still in the early stages of gathering comprehensive data, the initial results from our beta testing have been very promising. We’ve already seen a noticeable decrease in MFA traffic, leading to a more efficient ad spend allocation and improved campaign outcomes. We’re excited to share more detailed results as we collect data.

Chris Kane: Accelerating the Shift Toward Premium Supply

AB: We’ve discussed the MFA problem. What is the current state of Made for Advertising sites from your perspective? Has the ad tech industry gotten better at eliminating MFAs?

Chris Kane: Because MFA publishers are highly dependent on paid traffic, the availability of MFA supply is extremely responsive to buyer behavior. As buyers spend more on MFA inventory, those publishers can afford to buy more paid traffic. And as buyers pull back their spending on MFA sites, those publishers can no longer profitably buy traffic. 

The result was a giant run-up in the availability of MFA supply from 2020 through mid-2023, peaking at 30% of all web auctions. But as marketers have implemented MFA blocking solutions, MFA has contracted to less than 10% of web auctions. Still, MFA is a very large share of available supply, and buyers need to actively manage whether they participate in MFA auctions.

AB: Please remind us how Jounce Media developed the technology to accurately identify and block MFA sites. Can you walk us through the process?

CK: We post our criteria for classifying inventory as MFA here. We perform a battery of tests every day on every RTB-traded website to quantify whether each domain meets our criteria for MFA classification. Based on that daily-updating process, we regularly add and remove sites from our MFA list, and AdLib will now similarly continuously modify their default exclusion list to block new sources of MFA supply and re-enable bidding on sites that have retooled their operations to create a premium advertising experience.

AB: How does Jounce Media differentiate between MFA sites and legitimate publishers that might have similar characteristics?

CK: In addition to the process described above, we publish our complete MFA list to all of our clients via dashboards and data feeds on a daily-updating cadence. There are over 3,000 advertising professionals from over 100 companies that have direct access to our data, making our MFA list far more transparent and far more pressure tested than any other solution in the market.

AB: In your opinion, how will this partnership with AdLib impact the broader industry’s approach to MFA supply?

CK: In addition to benefiting their clients, AdLib’s decision to block MFA supply by default will accelerate an industry-wide shift toward premium supply. SSPs feed DSPs what they eat. 

When buyers shift their spending patterns away from MFA supply toward premium publishers, SSPs reshape the mix of ad opportunities that they make available to DSPs. Premium publishers are more available in the bidstream today than they were last summer, and AdLib’s decision to block MFA will accelerate this trend.

AB: What are the next steps for Jounce Media to improve and expand its technology to identify low-quality traffic?

CK: We are continuously researching new sources of supply chain inefficiency and new opportunities to deploy RTB investments more effectively. Among other topics, we are currently studying the landscape of in-stream video, benchmarks on ad density, and the accuracy of user targeting signals.

AB: Can you share any initial testing results after integrating your MFA detection tech into AdLib’s DSP?

CK: In July 2023, MFA bid request volume was at 30% but has since decreased to 10%. Through their partnership, AdLib and Jounce are committed to implementing best practices to reduce this percentage further.

The post AdLib Media Group and Jounce Media Join Forces to Combat MFA Traffic appeared first on AdMonsters.

HUMAN’s Satori Threat Intelligence Team began noticing that apps that don’t offer advertising were generating an abundance of IVT traffic. Concerned, they began studying the traffic source and, in the process, discovered a massive mobile malvertising scheme that used highly sophisticated tactics.

They named the scheme Konfety, which means “candy” in Russian, in a nod to CaramelAds, the Russian mobile advertising SDK that the threat actors managed to abuse. Konfety is a massive fraud perpetrated against DSPs and advertising networks, and at its peak, Konfety-related programmatic bids reached 10 billion requests per day.

To learn more about the threat, AdMonsters talked with Lindsay Kaye, VP of Threat Intelligence at HUMAN, who was instrumental in uncovering Konfety. For a complete discussion, see the HUMAN Satori Threat Alert: Konfety Spreads “Evil Twin” Apps for Multiple Fraud Schemes.

Susie Stulz: Konfety uses several new mechanisms in malvertising. This scheme uses decoy apps and evil twins. Can you provide an overview of the scheme and how it worked?

Lindsay Kaye: Sure. The threat actors created about 250 decoy Android application package files — or APK apps — which they uploaded to the Google Play Store. These apps don’t provide any sort of fraud when we download and execute them. 

And yet, in the real world, we saw a lot of IVT coming from those apps, so we started investigating. We found that APK apps in the Play Store are decoys and they provide something really important to the threat actors, which is the legitimate identifiers of Google Play Store Apps.

After a lot of research we discovered the presence of evil twins to those decoy apps. Those evil twins are not distributed in the Play Store, they spread through malvertising, and they are the apps responsible for the ad fraud. 

SS: So, the evil twin apps offered “inventory” in the programmatic markets 10 billion times per day?

LK: Yes, and at first glance, it looks like the fraudulent traffic comes from these decoy apps because both the evil twins and the decoy apps use the same Google identifiers. We believe threat actors have developed a new and very sophisticated technique to host malicious apps outside of the Play Store.

SS: Is that what tipped you off that a unique type of malvertising was at work?

LK: We saw no ad fraud stemming from the decoy apps we downloaded from the Play Store itself. In fact, those apps do not show ads, even if they technically can support advertising. However, when we looked at third-party repositories, like VirusTotal and some others, we noticed that there were two APKs with the same name. To dig deeper, we looked at the hashes and saw they were different.

SS: What do you mean by hashes?

LK: Hashes are unique identifiers which are generated when a developer applies a hash function to a file’s contents. They act as digital fingerprints, so that when there are changes to a file, a new hash will be generated. Comparing hashes allows us to determine if two files with the same name are identical or different.

SS: So, were the different hashes the first clue?

LK: Yes, that was the first tip, and we began investigating from there. We thought this was interesting: two APKs with the same name but different hashes. 

But the two APKs themselves were also really different; they weren’t even pretending to be the same app. The decoy APK in the Google Play store may be a car racing app, but its evil twin wasn’t. It was just stealing the legitimate Google identifiers of the decoy to commit ad fraud.

SS: How often were the decoy apps downloaded?

LK: Not very often; they averaged 10,000 downloads per app, which is nothing in the app world. This is one of the things that stood out to us: Apps with a small number of installs were generating a huge amount of IVT. 

SS: Is the CaramelAds SDK inherently fraudulent?

LK: SDK has some vulnerabilities that allow threat actors to abuse it. If you’re looking for an SDK to monetize your mobile app, I suggest looking elsewhere until those vulnerabilities are fixed.

SS: At present, HUMAN has observed ad fraud only stemming from Konfety, but haven’t you noticed other things getting loaded on the user devices, such as a search tool and intent signals? What are the purposes of these things?

LK: To date, we have only observed ad fraud, but in the report, we describe other things, like intent filters, that were loaded onto the devices. These are links that pretend to open other applications, such as Zoom or TikTok. Certainly, those intent links can be used for other frauds that target the user, such as credential stealing or pushing other kinds of malware onto the device. We just didn’t observe that kind of activity to date.

Obviously, this is an ongoing threat, and one that we expect will evolve and we will continue to monitor.

SS: What advice do you have for AdOps teams so they can avoid the Konfety threat?

LK: The most important thing AdOps teams can do is to use an IVT monitoring tool or platform. Obviously, HUMAN offers one, but there are others. Campaigns like Konfety show that the threat actors are getting more sophisticated, making their threats very difficult to detect.

Uncovering the evil twins required an extremely complex investigation that AdOps teams might not have the time or skillset to conduct on their own.

The second thing I’d recommend is for AdOps teams to look at their past traffic. Do you see a lot of ads served to apps that have a small number of downloads? If yes, you might want to investigate it and share your findings with your partners. Sharing insights makes the industry safer.

As I said earlier, avoid using CaramelAds until they’ve fixed its vulnerabilities. 

SS: The challenge, I think, is that fraudsters are often copycats. They see threat actors succeed with one tactic, in this case, decoys and evil twins, and they create their version of it. Does this mean evil twins in malvertising will be with us for a while?

LK: That’s likely, so AdOps teams must choose their SDKs wisely and work with only reputable companies. However, even then, threat actors may find new vulnerabilities to exploit, so monitoring IVT regularly is critical.

Cybersecurity has always been a game of cat and mouse, and Konfety is a great example of this. Threat actors were getting kicked out of the Play Store, so they found a way to commit fraud outside the official app stores.

SS: Final question: the report offers a great deal of technical descriptions, sample code, the domain names, the names of the decoy apps and so on. Where can readers access that report?

LK: It’s available online, at: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-konfety-spreads-evil-twin-apps-for-multiple-fraud-schemes

The post HUMAN’s Satori Team Uncovers Konfety Fraud Operation With New Malvertising Tactics appeared first on AdMonsters.

Video advertising has always been a bright spot for the industry: effective, profitable, and malware-free. Because it’s threat-free, AdOps teams don’t need to spend a lot of time scanning for scams. Sadly, that is changing rapidly. 

Earlier this year, I wrote about ScamClub’s breach into the video channel, successfully injecting malicious redirects through VAST and VPAID tags in Q4 2023. Since then, video malvertising attacks have proliferated and show little sign of abating anytime soon. Worse, other scammers have no doubt noted the success of ScamClub’s assault on video ads. In the months ahead, we should expect a surge in automatic and malicious redirects, and everyone — publishers, SSPs, and video platforms — should begin hardening their video tech stack immediately.

How Video Automatic Redirects Work 

In case you missed the first article, here’s a rundown of the ScamClub scheme, the first industry-wide attack against video ads. GeoEdge discovered the scheme injected malicious redirects through VAST tags, sending users to a malicious website regardless of whether they played the ad or how long they watched it.

Essentially, the scammers run fingerprinting tests on both the client and the server sides, looking for malware detection systems. Once the information from the client is sent and checked by the malicious server, the POST request’s reply or response includes instructions that tell the user’s device to navigate to a new website. This redirect code includes several different methods to initiate the forced redirect. This diversified attack strategy increases the chances of successful redirects, making it harder for security vendors to detect and identify the attack.

Bad Actors Have Breached Video Advertising

For a long time, video has been considered the safest channel in digital advertising. The high inventory cost has deterred scammers from attacking the channel, concentrating on the abundance of low-cost and vulnerable display ad units. As a result, many publishers, SSPs, and even video platforms haven’t screened for malware even as they actively screen for it in their web and mobile inventory.

But we need to understand that scammers have breached the video world. GeoEdge’s security research first exposed the video malware epidemic in July 2023, but as you can see in the chart below, the number of instances has escalated dramatically. 

We’ve seen dozens of SSPs—all the major industry players—affected by the ScamClub malicious VAST and VPAID attacks. The same goes for video platforms, which scams have infected in equal measure. Any publisher that relies on an SSP or video platform to fill video inventory is likely exposed. 

In fact, AdOps teams are now receiving complaints from publishers, who are receiving complaints from their users and editorial team about sketchy ads that pop up on landing pages that look like system messages prompting users to download fake software updates or fake antivirus software that records and transmits their bank information or credentials to the scammer’s servers.

Even though we already see hockey stick growth in the ScamClub version of the attack, we are at the beginning of the growth trajectory. For this reason, we should assume that automatic redirects in video will dramatically increase over the next 12 months.

Time to Harden the End-to-End Video Tech Stack

This means it’s time to harden the video tech stack. Publishers must recognize the importance of monitoring and safeguarding their video technology infrastructure, as it’s no longer secure. This shift in mindset is crucial.

SSPs need to begin to reassess their video demand, with an understanding that they can no longer assume it’s safe. They must acknowledge the presence of malvertising in the channel, which many expect to increase significantly.

Additionally, the entire video platform segment, which supports video players and previously remained unscathed, now faces new threats. These platforms must start monitoring and addressing security issues at their own level.

This, of course, brings up the question of CTV. Is that channel safe? It’s unlikely that consumers will click on ads, visit landing pages, and fill out forms from their smart TVs. However, as QR codes become common in CTV advertising, they will introduce new risks, as fraudsters will have the opportunity to redirect the user who scans that code via a mobile device.

A New Approach Required 

Because of the multiple mechanisms that block attacks from security vendors, new approaches are needed. In our experience, it’s not enough to monitor the video ad units themselves but the entire page itself. By monitoring the entire page, security teams can identify, analyze, and classify copycat and emerging variants of redirect scams immediately and proactively block them every time they appear. 

A Call to Action

Video is no longer a safe haven; we need to pay attention to it. The channel has been breached, and fraudsters are rushing in. However, we are by no means defenseless. To combat this rising threat, we must embark on a new era of cooperation across the entire industry. By working together, we can identify and mitigate video threats more effectively and share our learnings to strengthen our collective defenses.

The post Automatic Redirects Flood Video Ad Space (and it’s Just Getting Started) appeared first on AdMonsters.

How do publishers plan to rev up their revenue in the coming years?

Share your insight in our 5-minute survey.

We want to understand where you see the biggest opportunities and challenges in the digital publishing landscape. Your feedback will help us identify key trends, innovative strategies, and potential obstacles in pursuing sustainable growth and profitability.

Let’s uncover where the opportunities are together, as an industry. Your contributions to this survey will help other publishers better understand the industry’s challenges, and learn the strategies to help them sustain, and even thrive. Results will be announced at Publisher Forum Boston, August 4-6.

The post AdMonsters Publisher Pulse Survey: Unlock the Keys to Ramp Up Your Revenue Strategies appeared first on AdMonsters.

Unfortunately, the buy side and sell sides are at odds again – what else is new in ad tech? The buy side called out publishers and their tech partners for using deceptive practices to identify audiences. The practice in question is a technique called ID bridging. ID bridging has become a contentious issue as digital advertising grapples with the deprecation of third-party cookies in Chrome. 

As Paul Bannister, CSO and co-founder of Raptive said, “The rise of ID Bridging over the last year is almost directly correlated to cookies going away. This technology could have appeared five years ago, but there wasn’t a pressing need. Now, with 3PC going away, buyers and sellers are looking for more ways to reach addressable audiences and bridging definitely can work for that.”

While many on the sell side rely on these techniques to monetize audiences that would otherwise be inaccessible, some warn that DSPs should be aware of and prepared for such methods because of the potential lack of transparency. 

Despite ongoing discussions within industry bodies like the IAB Tech Lab, transparency around ID bridging practices remains a significant concern. The legitimacy of these methods varies widely, with some using ethical approaches while others border on deceptive practices. 

As discrepancies between bid requests and actual ad delivery become more apparent, DSPs find tracking conversions and managing ad frequency increasingly difficult. Some platforms, such as Quantcast, had detected these issues, but many others only became aware through recent industry conversations.

ID Bridging: Deterministic and Probabilistic Matching 

ID bridging allows publishers to package and target segments of their audience in a privacy-conscious manner, making their inventory more attractive to advertisers even in a cookieless environment. Essentially, ID bridging connects the dots between different user identities without relying entirely on third-party cookies. By leveraging first-party data, such as email addresses obtained with user consent or login information, publishers can create a valuable dataset that serves as the foundation for their targeting strategies.

There are two primary methods of ID bridging: deterministic and probabilistic matching. Deterministic matching is the most accurate, relying on direct, persistent identifiers like a hashed email address that remains consistent across devices. This method requires users to log in on multiple browsers, ensuring higher accuracy. 

On the other hand, probabilistic matching is more common in ID bridging. It involves using complex algorithms to analyze signals, such as IP address, device type, and browsing behavior. While it offers a wider scale, it is less precise than deterministic methods, relying on smart guesswork to link different browsing profiles to the same individual.

The Potential Publisher Benefit

First and foremost, ID Bridging can help publishers keep their inventory valuable without third-party cookies, allowing them to maintain addressable audience segments and preserve the value of their ad impressions. Additionally, some argue that by adopting ID bridging, publishers can attract top-tier advertisers who are increasingly hesitant about cookie-based targeting and are reassured by privacy-conscious solutions. 

As Yang Han, CTO and cofounder of StackAdapt said, “If publishers can reliably indicate that it’s the same user across different devices, it’s a valuable signal. However, there must be consistency and standardization. It’s not useful for a DSP to know if it’s the same user within a single publisher; we need to identify the same user across multiple publishers.” 

Han warns that to achieve this at scale, publishers need to use a Universal ID. A publisher can assign their user ID, even without cookies, and share it with the DSP. However, different publishers generate different IDs for the same user, creating a fragmented and sparse data pool. To make the data useful, a universal user ID across all publishers is necessary.

This approach also supposedly ensures compliance with regulations like GDPR and CCPA, demonstrating a commitment to respecting user choices while safeguarding your business. Moreover, some ID bridging solutions open access to unique demand pools, potentially expanding publisher revenue opportunities beyond traditional cookie-based advertising. 

The Not So Great Side of ID Bridging

After a year+ of talking to dozens of companies about ID bridging, I can confidently say that all ID bridging conversations are a series of miscommunications and misunderstandings.

— Paul Bannister (@pbannist) June 5, 2024

Not all that glitters is gold, and the same is true for ID Bridging. One of the primary concerns with ID Bridging is its potential to exacerbate the digital divide that already exists between the sell and buy sides. Advertisers who have long relied on third-party cookies may find the transition to ID bridging daunting and resource-intensive. These advertisers might be skeptical of new solutions, perceiving them as risky or unproven. The shift requires a significant change in infrastructure and a rethinking of strategies that have been developed and optimized over the years. 

The reliance on ID bridging demands robust first-party data, which can be challenging for smaller publishers or those who have not built strong direct user relationships. This transition phase can cause friction, with some advertisers potentially experiencing a decline in campaign performance during the adaptation period.

Moreover, privacy concerns remain a significant issue. While ID bridging aims to enhance transparency and compliance with data protection regulations, the method of using hashed or anonymized identifiers might raise alarms among privacy advocates and users. The challenge is ensuring that these measures are sufficiently robust to protect user privacy without compromising the effectiveness of targeted advertising.

In addition, Bannister warns about the ease of taking advantage of ID Bridging. Shady publishers or ad tech firms can bridge IDs that don’t represent the user, so buyers waste their budgets. He adds,  “Even for cases where the buyer has consented to the use of Bridging, it can be challenging to ensure that it is being done correctly. ID Bridging can be a good thing but has to be done responsibly.” 

The scale and reach of ID bridging solutions also have limitations. These solutions generally have a smaller reach compared to cookie-based systems. This reduced reach can limit advertisers’ ability to deliver personalized ads at scale, potentially impacting campaign outcomes. 

There is still plenty of headway before the industry reaches a consensus on ID Bridging. But this is a vast industry with many intermediaries in between, and there’s a chance the industry may never agree. Yet, if the conversations around ID Bridging are, as Bannister characterized them, “A series of miscommunications and misunderstandings,” then we won’t get anywhere.

The post ID Bridging Explained: Benefits, Controversies, and the Battle for Transparency in Digital Advertising appeared first on AdMonsters.

The proliferation of low-quality, Made for Advertising (MFA) sites has been one of digital advertising’s biggest talking points over the past 12 months. It recently rose to the top of the agenda when Forbes — one of the world’s most respected publications — was accused of running ads on a secret subdomain.

The rise of MFA does bring up an old question: at what point will the industry stamp out these bad behaviors?

For the sake of a sustainable ad ecosystem, this clean-up needs to happen sooner rather than later. While change will come from multiple directions, a real driving force will result from all industry contributors adhering to and enforcing the guardrails. Specifically, those standards set by the Media Rating Council (MRC) and the Trustworthy Accountability Group (TAG), ensure digital advertising practices remain above board.

The certifications and accreditations awarded by these organizations are not easily secured. Indeed, being independently audited by some of the highest authorities around, they provide concrete assurances about quality, care, and trust. If the industry can unite and back these initiatives to the hilt, it can focus on its most important task: delivering game-changing ads to consumers.

Setting the Standard

Founded in the 1960s as the Broadcast Rating Council, the MRC audits and accredits media measurement and data products across the entirety of the media space. It grants accreditation to those who, based on an independent audit, meet its set standards and guidelines around measurement. Notably, accredited services are reaudited every year to ensure standards are maintained.

Receiving MRC accreditation is a costly and lengthy process, and requires a significant allocation of resources. This is a testament to a business’s commitment to promoting trust and transparency internally and externally.

Meanwhile, TAG focuses on ad fraud, brand safety, transparency, and malware. The cost of TAG may be less than that needed for MRC, but certifications are still awarded based on an auditing process. Compulsory independent audits are specifically carried out for brand safety and ad fraud, but compliance with TAG’s other programs defaults to self-attested, although you can choose to be externally evaluated. If the industry is to clean up its act, having compulsory third-party reviews apply to all TAG’s programs would be beneficial.

In addition, the industry and bodies should continue to set new standards that address the evolving challenges and opportunities facing the industry. This includes signal loss, which the MRC recently issued guidance on, emerging types of fraud, such as low-quality MFA sites,  as well as growing technologies, like artificial intelligence (AI). Moreover, if the associated costs of these processes can be kept down, so as not to be prohibitive, more businesses would feel empowered to be accredited.

Creating a Cleaner Industry

These genuine indicators around the reliability of players within the digital advertising ecosystem are one of the first things brands should review when exploring partnerships. Moreover, with AI and increasingly sophisticated AI-driven scams and schemes, having safeguards in place ensures that these instances of non-compliance and bad practices are the exception.

Because of this, brands should see these certifications and accreditations as an essential hygiene factor when choosing partners. They should also pressure their existing partners to meet these levels of quality and care and threaten to seek more reliable and trustworthy partners if these standards aren’t met. Transparency should be the bare minimum that any advertiser expects from their partners.

By the same token, it’s up to legitimate vendors to evangelize for these certifications and accreditations, or the industry will never be able to leave behind its past and move toward a more sustainable, trustworthy, and profitable future.

Creating this trust can only be beneficial for the industry. It will lead to stronger partnerships between advertisers and vendors, more effective use of ad spend, and a better quality digital advertising ecosystem overall. This is especially pertinent for the Open Web, as without action advertisers will only be increasingly drawn toward spending in the relatively safe confines of the walled gardens.

Digital advertising’s next chapter should be one built on quality, care, trust, and transparency, and the standards set by not-for-profit organizations should be placed at the center of the story’s continuation. Advertisers need to create an environment where they only work with partners who are adhering to these standards, forcing the hands of vendors to fix up or lose out on business. It’s going to require every stakeholder to begin putting more emphasis on the importance of living up to certain standards.

The post Why Advertising Standards and Certifications Matter in 2024 appeared first on AdMonsters.

HUMAN’s Satori Threat Intelligence issued a Security Threat Alert this morning, detailing a scheme it calls Merry-Go-Round. At its peak, Merry-Go-Round reached 782 million fraudulent bid requests daily, cleverly evading detection through a sophisticated cloaking mechanism.

Although the scheme has been detected and interrupted, the Satori team warns that the industry isn’t out of the woods as the operation is still active and accounts for 200 fake million bid requests daily.

How it Works

Consumers visit several piracy and adult-content websites that are affected by Merry-Go-Round (HUMAN has not published the names of those domains). 

The Merry-Go-Round kicks off when a user clicks on a story or video from one of the affected site’s directory. An overlay hijacks the click, opening a second tab to display the content the user expects to see. Meanwhile, the original tab- now out of the user’s focus- redirects the user to a series of pages on fake sites that the fraudsters created for the scam. Those sites, all of which have benign names such as beautyparade.co and caloriamania.co don’t have any actual content. They’re simply pages cluttered with ads that sell via the open markets.

The volume of impressions created on these out-of-focus tabs is immense. Let’s say a user visits one of the affected sites to download a movie and doesn’t notice the out-of-focus pop-under tab for the entire two hours he or she watches the movie. Every 60 seconds, the out-of-focus tab directs the user to the next page in the fake domains that make up the Merry-Go-Round network. Each page can contain up to 100 fake ads, so over the course of that movie, some 12,000 bid requests will occur. If, like many people, the user doesn’t notice the open tab and leaves it open for 24 hours, some 150,000 ad requests will be generated.

The more tabs left open, the more fake bid requests sent to SSPs. In one instance, HUMAN saw more than 789,000 ad requests associated with Merry-Go-Round from a single residential IP address in a single day.

Cloaking Mechanism

So, how do brands and their advertising partners not know these sites are fake? Don’t they audit sites in their networks?

To evade detection, the Merry-Go-Round perpetrators have deployed a sophisticated domain cloaking mechanism built on path-dependent domain loading, a method in which the content displayed on the website depends on how the user arrives there. Brand auditors who directly type a Merry-Go-Round domain into their browsers will see a seemingly legitimate, if mundane, website, as they have programmed those sites to prevent redirects during direct visits.

“These actors have gone out of their way to conceal what they’re doing,” explained Will Herbig, Director of Fraud Operations at HUMAN Security. “They scrubbed all the referral information between the Merry-Go-Round domains and the piracy domains, as well as all the referrals within the Merry-Go-Round network. They’ve also added some anti-crawler features to the website. As a result, it is very challenging for a layperson at a brand to detect the scheme.”

To protect their budgets from the Merry-Go-Round scheme, Herbig recommends that brands know as much about their partners as possible. Direct relationships can help brands avoid these types of situations.

The rise of domain cloaking techniques like path-dependent domain loading and IP address filtering presents a significant challenge in ad fraud detection. These techniques allow fraudsters to mask a website’s true nature, creating a major disconnect between what advertisers believe they’re buying (ad impressions on legitimate sites) and what they actually get (impressions on hidden, malicious content).

“We found quite a bit of fraud around this domain cloaking, and we’re going to be publishing other things along those lines and throughout the rest of the summer, but it continues to be an area where we’re seeing quite a lot of fraud, and the techniques there are evolving and making it you know, harder and harder for people, especially advertisers to know whether or not what they’re getting is actually real or not,” Herbig said.

For more details, including examples of the iFrames and overlays used in the Merry-Go-Round scheme, download the report, Satori Threat Intelligence Alert: Merry-Go-Round Conceals Ads from Users and Brands.

The post Merry-Go-Round Scheme Conceals Ads for Consumers and Brands appeared first on AdMonsters.

According to Juniper Research, the global losses companies will face due to ad fraud will be about $100 billion by the end of 2024. And, as the digital world is changing rapidly, fraudsters are becoming more advanced and organized. They are already actively using artificial intelligence to create bots, and that’s not the limit.

The cybercriminal community is applying the latest technologies to test new and more effective ways to siphon money from advertisers’ budgets. The reason for this is simple. Advertisers place ads to build up their audience or customer base, and they are increasingly using mobile devices to access the Internet. This is what leads to the growing number of cybercrimes.

Fraudsters are also following technological developments and adapting the latest solutions for their own selfish and criminal purposes. Digital advertising fraudsters are rapidly increasing in number and are organizing themselves into criminal gangs to strengthen their attacks and implement new ideas.

But it’s not like ad tech is sitting idly by on this one. Let’s look deeper at the strategies that ad tech platforms are implementing to enhance ad fraud security in 2024.

Fraud Detection Algorithms

Ad exchanges and programmatic middleware solutions use strict verification procedures to ensure the authenticity of traffic sources and eliminate fraudulent impressions. This involves monitoring various metrics, including user engagement, traffic origin, and historical data, to distinguish genuine human traffic from bot-generated activity.

While it may seem complex, the crux lies in balancing security and profit preservation. A multi-tiered approach to traffic verification is indispensable in today’s landscape. Indeed, implementing a sophisticated verification system demands resource investment, yet ultimately yields benefits in the form of consistent profits and advertiser trust.

Advanced Analytics and AI

Today’s fraud detection tools leverage machine learning, data analysis, and pattern recognition techniques to assess the validity of ad impressions, clicks, and conversions, enabling advertisers and publishers to detect and block fraudulent traffic in real time. These technologies enable the analysis of vast amounts of data to identify anomalous patterns and behaviors indicative of fraudulent activity. 

Machine learning algorithms can glean insights from past data and adjust to evolving fraud schemes, thereby improving the precision and effectiveness of fraud detection systems. Real-time monitoring and automated decision-making empower advertisers, publishers, and ad networks to promptly address potential threats and mitigate ad fraud before it adversely affects campaign performance.

Ad Verification Partnerships

Teaming up with specialized ad verification companies can enhance fraud prevention efforts. Collaborating with these organizations provides access to advanced tools and specialized expertise tailored for detecting and preventing ad fraud. By integrating their solutions into the platform, ad exchanges can provide advertisers with heightened transparency and confidence in the legitimacy of their ad campaigns.

Moreover, these partnerships enable continuous monitoring of ad inventory, ensuring alignment with industry standards and best practices. Prioritizing such collaborations not only fosters trust with advertisers but also reinforces the integrity of the advertising ecosystem.

Industry Initiatives

Embrace collaborative strategies in the fight against ad fraud by forming partnerships with industry initiatives such as the Trustworthy Accountability Group (TAG). Many ad exchanges have joined forces with TAG to establish standardized guidelines and protocols for fraud prevention.

TAG certification programs enable ad exchanges to showcase their commitment to ensuring transparency across all platform processes, a crucial aspect in the fight against advertising fraud. Initiatives like TAG enable the creation of a safer environment that benefits all participants in the advertising bidding process, ensuring satisfaction and preventing any grievances. 

The digital advertising sector grapples with an ongoing challenge posed by ad fraud. Consequently, ad exchanges are implementing stronger measures to mitigate this threat. They are amplifying their endeavors to implement advanced and resilient prevention strategies, aiming to counteract this problem and uphold a reliable ecosystem beneficial for both advertisers and publishers.

The post Safeguarding the Digital Ad Ecosystem: Strategies for Ad Fraud Prevention in 2024 appeared first on AdMonsters.

Towards the end of last year, my company began to notice an uptick in malicious redirects stemming from video ad units—a first for the digital media ecosystem. Specifically, scammers have begun injecting malicious redirects through VAST tags that redirect users to a fraudulent website, regardless of whether the ad was played or for how long a user watched it.

The redirects started slowly as fraudsters were testing the strategy. In January, however, the number of such attacks exploded. It is the first time we’ve seen such large-scale fraud in video ad formats, which have traditionally been considered safe. In fact, publishers have assumed that the high cost of video inventory was enough of an impediment for fraudsters that they didn’t need to deploy malware detection and mitigation tools to the channel. This assumption of safety was the opening scammers needed to exploit VAST and VPAID ad units.

Our research shows that nearly a dozen major SSPs and DSPs across multiple regions have been affected by these attacks, although mobile devices in the US were the worst hit, accounting for 60% of the attacks.

So, who is behind the scam, how does it work, and, most importantly, what can we do about it?

ScamClub’s Sophisticated Attacks

These scams are the work of ScamClub, a persistent and well-organized crime ring group that has been plying malvertising schemes since 2018. ScamClub uses sophisticated techniques, such as Obfuscation and real-time bidding integration, to push malicious codes to users.

In this scenario, ScamClub actors act as a go-between, selling redirected traffic to other scammers who then trick users into downloading fake antivirus software or purchasing fake gift cards.

How it Works

This is an incredibly sophisticated attack with many mechanisms to prevent security vendors from detecting and reverse engineering them so they know how to block the scam.

Step: 1: Creating the Malicious Script. The first thing ScamClub did was inject malicious code hidden in the “MediaFile” element of the VAST tag—the same element that calls the ad’s video file. This malicious code collects fingerprinting data about the client to detect clients of a security vendor (if security is detected, the attack isn’t deployed). At this stage, they store the collected data in an environment external to the script.

Step 2: Executing the Malicious Obfuscated Script. This script, which is deliberately scrambled or obfuscated, then probes the client device for information, such as its settings and installed software, looking for suitable targets.

Step 3: Server-Side Fingerprinting. Once the script finishes fingerprinting the client, it proceeds to the server-side fingerprinting phase. Basically, it makes a request to a malicious ad server hosted on a private domain to which it passes additional information about the users’ devices, client applications, and web pages they’re on. This triggers a series of high-level, server-side fingerprinting tests in order to reassure the attackers that their scam will not be exposed to security vendors.

Step 4: Redirect Code. Once the information from the client is sent and checked by the hidden server, the POST request’s reply or response includes instructions that tell the user’s device to go to a new website. This redirect code includes several different methods to initiate the forced redirect. This diversified attack strategy increases the chances of successful redirects, making it harder for security vendors to detect and identify the attack.

Step 5: Redirect Domain Chain. The domain obtained from the redirect code initiates a redirect chain, taking the user to a fraudulent website. This is the final step; they’ve delivered traffic to their clients, who somehow attempt to defraud the user. 

In the most recent variant of the ScamClub scam, the attacker moved the malicious script’s hosting server to their own domain instead of Azure. 

For a more detailed explanation of this attack, including fingerprinting information inside the attacker environment variable, the fingerprint functions used in the script, and other technical details and sample code, please see Decoding ScamClub’s Malicious VAST Attack.

Protecting Your Inventory

The best way for a publisher is to ensure a real-time protection service (if they don’t already have one) that covers their video demand channels and video players.  

Additionally, platforms should consider applying higher scanning rates to their video demand because it is not as safe as they used to think.

The post What Every Ad Ops Team Needs to Know About ScamClub’s Malicious VAST & VPAID Attacks appeared first on AdMonsters.