CISOs should put ad fraud security on their radars

Digital advertising has vulnerabilities, and this type of cybercrime will cost businesses $100 million a day by 2023, but goes almost completely unnoticed, according to adtech company TrafficGuard.


Image: jadamprostore, Getty Images/iStockPhoto

Ad fraud security needs to be taken as seriously as other forms of cybersecurity. It is a cybercrime. Yet, ad fraud is not on the CISO's radar, according to Luke Taylor, COO of adtech company TrafficGuard. 

Ad fraud is a deliberate attempt to serve ads that have no potential to be viewed by a human user, according to HP Enterprise's Business of Hacking report. Attackers set up a page of ads and have bots visit to generate fake traffic. Since it looks like the ads were viewed, the advertising network still gets paid.


CISOs must consider the implications of ad fraud security, which the HPE report said is the easiest and the most lucrative form of cybercrime—even above credit card fraud, bitcoin mining, and bank fraud. 

The average company now spends 16% of its IT budget on cybersecurity protection measures, according to IDG's 2020 State of the CIO report. And overall, information security spending is expected to reach $123.8 billion in 2020, according to Gartner.

But ad fraud, which will cost businesses $100 million a day by 2023, goes almost completely unnoticed by the same cybersecurity decision-makers who invest in protection for much less costly measures, Taylor said. The issue is so unaddressed, CMOs consider it almost a tax in doing business, he said.

Why CISOs should be concerned with ad fraud protection

"In cybersecurity, you need to protect your network and storage to ensure that viruses don't take business-critical infrastructure offline; ensure that your IP is protected; adhere to compliance standards," Taylor said. "You are protecting from external threats that are designed to infiltrate systems, control or corrupt them, extract data."

To prevent ad fraud, CISOs need to protect against similar external threats such as click spam, which Taylor said is tactically similar to Distributed Denial of Service (DDoS), and SDK spoofing, which is similar to man-in-the-middle attacks.

"These tactics, among others, are designed to steal ad spend, while also polluting data and impacting advertising performance," he said. "Your digital advertising has vulnerabilities, just like your network does, that should be patched to maintain optimal performance."


Given the similarities in execution, Taylor believes it is probable that ad fraud and other forms of cybercrime are perpetrated by the same organizations. "Stemming the profitability of ad fraud could also stem the innovation of other types of cybercrime," he said.

Ad fraud prevention has always been in the purview of marketing decision-makers, Taylor said, and maintained that "there doesn't seem to be a lot of directive coming from the C-level to address the problem of ad fraud. If it [were] a higher business priority, I think there would be more stakeholders across the business interested in solving it."

How ad fraud works

There are vulnerabilities in the digital advertising process that criminals exploit typically for financial gain but also for the purpose of sabotage, Taylor said.

In digital advertising, a publisher puts an ad on their website, for example, a gaming blog. Every time someone lands on the blog, an advertiser serves an ad to that user and pays the blog owner for the impression, he said.

"The publisher and all the intermediaries are paid on the volume of advertising they show to users, which means they are incentivized to make it look like more users have been on that gaming blog than have actually been there," Taylor said. "This is the main motive for ad fraud."

One broad ad fraud method is creating fake traffic, which can be done using bots, botnets, click farms, and malware designed to generate advertising engagement in the background of mobile devices. This traffic makes it look like more people have seen and engaged with advertising, making money for everyone in the chain, he said.

The other broad ad fraud method is attribution theft. "It is common for some types of advertising to only incur a fee when a conversion occurs, for example, when a user installs the advertised app," he said. The function of attribution is to designate the source of the install and who gets paid for it. Attribution theft is a category of ad fraud tactics that are designed to steal attribution of the conversion event, Taylor said.
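The two methods above (inflated impression volume and stolen attribution) are what an invalid-traffic audit looks for. The following is an added toy example, not TrafficGuard's or HPE's code: it runs over constructed impression and install logs, flags bot-like per-IP impression bursts, measures the share of spend they consumed, and lists installs whose attributed source is tainted. The log format, the `MAX_PER_MINUTE` threshold and all IPs and source names are hypothetical.

```python
"""Toy invalid-traffic audit (added example; all data and thresholds are constructed).

A source whose single IP exceeds MAX_PER_MINUTE impressions within one minute is
treated as bot-like fake traffic, and installs attributed to such a source are
queued for attribution review. Real audits combine many more signals.
"""
from collections import defaultdict

MAX_PER_MINUTE = 20          # hypothetical threshold; tuned per channel in practice
BASE = 1_600_000_020         # constructed epoch start, aligned to a minute boundary

# Constructed impression log: (source, client_ip, epoch_seconds, cost_usd)
IMPRESSIONS = (
    # one IP hammering the gaming blog 60 times in a single minute (bot-like)
    [("gaming_blog", "203.0.113.7", BASE + i, 0.01) for i in range(60)]
    # a dozen distinct visitors to the same blog (plausible humans)
    + [("gaming_blog", f"198.51.100.{i}", BASE + i * 7, 0.01) for i in range(12)]
    # a second publisher with ordinary-looking traffic
    + [("news_site", f"192.0.2.{i}", BASE + i * 5, 0.02) for i in range(25)]
)

# Constructed install log: (install_id, attributed_source)
INSTALLS = [("inst-1", "gaming_blog"), ("inst-2", "news_site"), ("inst-3", "news_site")]


def flag_bot_ips(impressions, max_per_minute=MAX_PER_MINUTE):
    """Return (source, ip) pairs whose impressions exceed the per-minute threshold."""
    per_minute = defaultdict(int)
    for source, ip, ts, _ in impressions:
        per_minute[(source, ip, ts // 60)] += 1
    return {(s, ip) for (s, ip, _), n in per_minute.items() if n > max_per_minute}


def wasted_spend_share(impressions, flagged):
    """Fraction of total spend paid for impressions from flagged (source, ip) pairs."""
    total = sum(cost for *_, cost in impressions)
    wasted = sum(cost for s, ip, _, cost in impressions if (s, ip) in flagged)
    return wasted / total if total else 0.0


def suspicious_installs(installs, flagged):
    """Installs attributed to a source with any flagged IP need attribution review."""
    tainted_sources = {s for s, _ in flagged}
    return [inst for inst, src in installs if src in tainted_sources]


if __name__ == "__main__":
    flagged = flag_bot_ips(IMPRESSIONS)
    print("flagged:", sorted(flagged))
    print(f"wasted spend share: {wasted_spend_share(IMPRESSIONS, flagged):.1%}")
    print("installs to review:", suspicious_installs(INSTALLS, flagged))
```

On this constructed data the single bursting IP accounts for roughly half the spend, which is what makes the 10% to 30% figures from real audits plausible rather than surprising.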


The most obvious impact of invalid traffic is lost ad spend. TrafficGuard audits for new clients reveal anywhere between 10% and 30% of their digital ad budgets being wasted on ad fraud when fraud prevention is not in place, Taylor said.

"The most significant, yet often overlooked cost of invalid traffic is the lost opportunity associated with wasted ad spend," he said. "Another significant impact is data quality. Data informs decisions around advertising optimization, where to invest more, where to scale back."

It also guides user experience decisions such as whether people are clicking on ads and dropping off a site, he said.

"If all of this user data is skewed because ad fraud is delivering non-genuine traffic, then all of the decisions that rely on that data are compromised."

Treat ad fraud like any other cybercrime

Ad fraud is a business like any other business, and it is in a growth phase because it is so lucrative for attackers, experts say.

"Corporations must begin to think, 'Does this affect my business?' If it does, what can you do to disrupt it?" the HPE paper said. "There is no IDS signature for ad fraud or a rule you can put into a firewall to block it."

One solution is to not pay for online advertisements through advertising networks, or hold the ad vendor accountable for fraudulent clicks, the paper suggested. "This is a non-technical solution to the problem, which will reduce wasted spend from your company and also decrease profits for the attackers."

In terms of technical solutions, encrypting data on mobile devices and enforcing password protection is a start, the HPE paper said. Additionally, organizations should consider application security tools like DNS Malware Identification.
