A significant percentage of the top 100 online advertisers are being victimized by pay-per-view (PPV) networks that perpetrate impression fraud, according to a new study conducted by MdotLabs, an ad secure platform recently spun off from Broadcast Interactive Media.
“We conservatively estimate the number of invalid impressions that are generated from PPV networks to be on the order of 500 million per day. Assuming the modest quality level for sites that are part of PPV networks, we estimate the cost to advertisers for this fraudulent traffic to be on the order of $180 million annually,” says Dr. Paul Barford, MdotLabs Chief Scientist and co-founder.
Dr. Barford, also a professor of computer science at the University of Wisconsin, will present his team’s findings at the Usenix Security Symposium in Washington D.C. on Wednesday, August 14.
Fake Impressions From Real Users
The more traffic ad networks and publishers can drive, the more revenue they can generate from ad impressions on display and video ads. The sales pitch from most PPV traffic generation services is that they drive real user traffic, without using “black hat techniques”, to publishers’ sites. However, that’s not what MdotLabs found.
PPV networks pay legitimate publishers to add what looks like a standard ad tag to their sites. When users go to the publisher’s site, the tag triggers other publisher sites to display in a way that’s invisible to users — typically via pop-unders. The other publishers receive ad impressions and sometime even clicks from the camouflaged pages without users’ knowledge. Advertisers end up paying for ad impressions are never seen by — and more often invisible — users.
Luring The PPV Networks
To better understand PPV networks and the legitimacy of the traffic claims they make, MdotLabs set up “honeypot” websites designed to look legitimate, with real content, standard designs and deployments. They then purchased traffic from a selection of PPV services.
MdotLabs identified and reviewed 34 PPV traffic generation services. They chose five that would give them diversity of delivery rates and price points for their test. Rates ranged wildly: 28 of the sites they looked at charged between $29.99 and $200 to purchase 25 thousand visitors.
“We did not see any indications of natural traffic.”
As the authors note, natural site typically traffic follows a diurnal cycle, peaking during the day and dropping off at night when users are sleeping. That’s not what they saw from the PPV networks they tested.
One network delivered traffic through the entire day. Another sent traffic only during the first 10 minutes of the hour.
Below are screenshots of traffic patterns of four of the five PPV networks MdotLabs signed on with (the fifth never delivered any traffic):
The team was surprised to see no evidence of traffic from botnets. Instead they discovered widespread use of pop-unders for traffic generation. A PPV will tie pop-under creation to a user action so when a user clicks anywhere on the site they’re visiting, the pop-under action is fired.
When the pop-under is fired, MdotLabs says that they were able to see that their honeypot sites were being loaded into a frame with as many as ten other sites. On one of the networks, a single tag trigger resulted in a total of 11 “page loads”, with ten of them being invisible to users because they are loaded in a frame that was zero pixels high.
On that same PPV only a single frame covered the entire viewport, but the outer page reloaded itself every 15 seconds, continuing to load a different site every 15 seconds even when entirely out of view of the user.
The team also tracked the size of the ad units on their honeypot sites when the ad scripts fired. Overall 46.5 percent of the ad views had a height or width of zero, meaning they were entirely invisible to users.
In their analysis, MdotLabs found that tags from PPV services are deployed on tens of thousands of publisher sites.
You can find the complete paper here for more details. The authors say they plan to conduct more tests with higher volume purchases in future work.
Komentarai