RSS - Rich Kahn - eZanga Blog - and advertising articles by the eZanga Public Relations staff.en-us© 2003-2021, (eZanga Public Relations) (eZanga Webmaster) Fraud 101: 8 Types of Ad Fraud That Plague All Marketers<img src="" width="820" height="326" alt="Ad Fraud 101: 8 Types of Ad Fraud That Plague All Marketers" /><p>Ask most marketers about the state of digital advertising, and they’ll tell you it’s come a long way. From the rise of mobile to the seemingly inevitable <a href="" target="_blank">virtual reality takeover</a>, digital advertising is advancing. But, there’s one area where it’s still lacking: fraud detection and prevention.</p><p><a href="" target="_blank">Billions are lost</a> to ad fraud annually. We’ve surveyed brand and agency professionals, and realized that as much as <a href="" target="_blank">37% of the respondents</a> are unaware of how, and even if, fraudulent activity has affected their advertising efforts.</p><p>As a marketer or advertiser, the more you know about digital ad fraud detection, the better you’ll be able to prevent it. Here are the different types of ad fraud you should know about.</p><h2>1. Search Ad Fraud (CPC)</h2><p>Search fraud is one of the top areas where advertisers are losing the most money to ad fraud.</p><img src="" alt="Search Ad Fraud" title="Search Ad Fraud" class="float-center size100pc" width="820" height="228"><p>Search fraud involves putting up fake websites that target the most expensive keywords, which attracts advertisers by making their site look like a well-established and reputable publisher.</p><p>Advertisers purchase ad space on these sites in order to advertise against the popular keywords. Then, the owner of the fake site will use bots to click on those ads, which generates CPC revenue for them.</p><h2>2. Affiliate Ad Fraud (CPA)</h2><p>Also known as "cookie stuffing," this ad fraud targets affiliates’ commissions. 
Brands will reward affiliates who talk about their products or services and attempt to drive people to the website to make a purchase.</p><p>Affiliate fraudsters use bots to send traffic to affiliate sites, and then employ cookies to track that traffic. If any of that traffic converts and makes a purchase, the fraudster is able to siphon away money that’s actually meant to be an affiliate’s commission.</p><h2>3. Pixel Stuffing and Ad Stacking (CPM)</h2><p>Pixel stuffing and ad stacking both cause you to pay for impressions you’re not actually getting.</p><p>Ad stacking occurs when ads are literally stacked on top of each other within a web page, but only the top ad shows. However, when a user visits that page, an impression is counted for each of the ads, and all of the advertisers are charged, even though only one of the ads was seen.</p><img src="" alt="Ad Stacking" title="Ad Stacking" class="float-center size100pc" width="820" height="324"><em>Source: <a href="" target="_blank">FunMobility</a></em><p>Similar to ad stacking is pixel stuffing, although this time, none of the ads are seen. Publishers will "stuff" ads into the pixels of the page, so they’re technically still there when a page loads, but they’re impossible to see. And even though users can’t see them, advertisers are still charged for the impression.</p><p>Video ads can also be stuffed into a pixel. Have you ever visited a web page and audio starts playing, but there’s no video to be seen anywhere? That’s probably because it’s a video stuffed into a pixel, so you can’t actually interact with it, even if you wanted to.</p><h2>4. Ad Injection (CPM)</h2><p>Some of the biggest brands and sites in the world have fallen victim to ad injection at some point. 
Ad injection occurs when fraudsters offer consumers a seemingly innocent browser toolbar or extension to install that actually turns out to be software that injects ads onto unsuspecting sites.</p><p>When fraudsters inject ads onto a site, they never actually pay for that ad space. Most of the time, these ads are damaging to the site because they could advertise inappropriate content or show a competitor’s ad. After all, do you really think Walmart wanted to sell advertising to their competitor, Target?</p><img src="" alt="Ad Injection" title="Ad Injection" class="float-center size100pc" width="820" height="397"><em>Source: <a href="" target="_blank">MarketingKeys</a></em><p>Ad injections not only damage a site’s reputation; they can also slow it down to the point where consumers don’t want to stick around for the page to load.</p><p>Users might see ads on a site that never wanted to display advertising, or there might be a video stuffed into a pixel that plays audio over the site’s content with no way to turn it off. It can also devalue the site as a good ad publisher because of the type of content shown in these injected ads.</p><h2>5. Traffic Fraud (CPM)</h2><p>Traffic fraud isn’t a result of bots finding your website; instead, this one originates with publishers. In order to increase the traffic to their site (and therefore the price they can demand for advertising space), publishers will buy traffic.</p><p>This traffic is usually purchased from third-party sites, which generally have the highest percentage of fraudulent traffic. So, this means you could be paying the premium price for low-quality traffic that will never convert, let alone engage.</p><h2>6. Domain Spoofing (CPM)</h2><p>Domain spoofing can be <a href="" target="_blank">incredibly hard to detect</a>, which also makes it the most lucrative for fraudsters.</p><p>It only takes a single line of code to become a victim of domain spoofing. 
Fraudsters can use it to change the URL of their sites to copy the URL of a more reputable site. So, you’ll be tricked into thinking that a fraudster’s site is actually the site of a very reputable publisher, like the PayPal example below. If you log in on this spoofed domain, you’re probably giving fraudsters some very sensitive financial information.</p><img src="" alt="Domain Spoofing" title="Domain Spoofing" class="float-center size100pc" width="820" height="273"><em>Source: <a href="" target="_blank">Wikipedia</a></em><p>Fraudsters will take this "reputable" site and sell advertising on it at a discount, so it looks like you’re getting a great deal for ad space on a premium site. In reality, though, you’re paying the almost-premium cost for less-than-quality space. Usually, your ad will end up on a site with questionable content, such as a piracy or porn site, which could ultimately damage your reputation.</p><h2>7. Lead Fraud (CPL)</h2><p>Lead fraud can come from two places: humans and bots.</p><p>Human fraudulent traffic is usually a result of publishers buying traffic for their site. A lot of "work-from-home" schemes involve hiring people to interact on the sites that buy traffic. So it looks like your ad is getting lots of clicks and those clicks are even signing up and becoming leads, but they’ll never actually convert.</p><p>A lot of the fraudulent traffic that comes from humans also affects social media advertising. <a href="" target="_blank">Click farms</a> have become a very lucrative business, because they’ll sell likes and shares to social media profiles in order to boost organic reach, but with many of the social media algorithms, it actually hurts those profiles more in the long run.</p><p>Fraudulent bots used to be fairly easy to detect, but recently, they’ve become more advanced.</p><p>Now, they can easily mimic human movements, generate false ad impressions, and even fill out lead forms. 
You’ll think you’ve gained a valuable new lead as a result of your ad campaign when in reality, you’ve just paid for yet another bot program.</p><img src="" alt="Bot Traffic" title="Bot Traffic" class="float-center size100pc" width="820" height="527"><em>Source: <a href="" target="_blank">Bloomberg</a></em><h2>8. Retargeting Fraud (CPL)</h2><p>Similar to lead fraud, where fraudsters program bots to mimic humans, a lot of times they’ll also commit retargeting fraud. These bots can be programmed very specifically to seem like the ideal consumers in order to trigger a retargeting campaign.</p><p>Then, once again, you’re spending your ad dollars targeting fake consumers, and you may even increase your advertising budget to try to ensure you keep these leads.</p><h2>What You Can Do</h2><p>Some types of ad fraud can be hard to catch, let alone monitor, but you can take a few preventative measures:</p><ul><li><strong>Request Transparency</strong>. Ask your publishers exactly where their traffic is coming from. If they can’t (or won’t) tell you, avoid them.</li><li><strong>Third-Party Monitoring</strong>. Real-time monitoring from a third-party source can help you stop the fraudsters before they cost you money.</li><li><strong>Search Incognito</strong>. Search for your site with your browser in incognito mode. This way, you’ll be able to see exactly how your site looks and functions for other users.</li> </ul><p>Too much time and money is being lost to ad fraud. The more you know about ad fraud and the different ways it can hurt you, the better prepared you can be. Make sure you know what you can do to stop it.</p> (Rich Kahn), 27 Dec 2016 08:00:00 -0500Ad FraudDigital AdvertisingMosQUito: Has the jQuery Malicious Exploit Attacked Your Website?<img src="" width="820" height="326" alt="MosQUito: Has the jQuery Malicious Exploit Attacked Your Website?" /><p>You have a successful blog, or at least you’re <em>working</em> on making it a successful blog. 
You’ve put blood, sweat, and tears into selecting the perfect template, ideal color scheme, and a font that is clean and crisp with a bit of personality. This blog represents you or your company, so I hate to be the bearer of bad news: you’re vulnerable, and could be losing a percentage of your paid and organic website traffic to fraudsters.</p><p><em>Do I have your attention now?</em> Good.</p><p>A <a href="" target="_blank">new malicious exploit</a> has been discovered quietly lurking in the backend code of your content management system. It has the ability to redirect your traffic, meaning that while visitors are trying to navigate through your website, this exploit will take the user elsewhere. It’s a nuisance that is fairly annoying to the site visitor, can get you blacklisted by ad networks or advertisers, and is downright dangerous for third-party traffic scoring solutions.</p><p>To understand why this happens, it’s best to understand how it works.</p><h2>What Is This Code?</h2><p>The malicious code is called MosQUito, and to the untrained eye, it looks just like another piece of code on your website. See, jQuery is a widely used, tightly written JavaScript library. In short, JavaScript requires many lines of code to accomplish a task. jQuery can ‘wrap’ that code in a method that can reduce the length of the code down to a single line. It basically allows you to ‘<a href="" target="_blank">write less and do more</a>.’</p><p>If you’re running a site that includes jQuery, it is very normal to see the JavaScript file ‘jQuery.min.<strong><font color="green">js</font></strong>’ included on your site and that is not a problem. Where malicious code has gotten crafty is with the .js extension. 
They’ve masked themselves with a script called ‘jQuery.min.<strong><font color="red">php</font></strong>.’ If this is in your site’s code, this is bad.</p><img src="" alt="How to Spot the Malicious MosQUito jQuery" title="How to Spot the Malicious MosQUito jQuery" class="float-center size40pc" width="328" height="328"><p>jQuery.min.php is malicious JavaScript code that has been found lurking in website code. At first glance, it appears to be a simple wrapper around traditional jQuery, but it’s not. It hides just above the &lt;/head&gt; tag and can overtake your website by stealing visitors and directing them to websites other than your own.</p><p>It’s difficult to get rid of permanently. Just when you think you’ve eradicated it, it could easily come back later.</p><h2>How Do I Know If I'm Infected?</h2><p>As of April 2016, over <a href="" target="_blank">41.6 million websites</a> use jQuery in their records. More than one fifth of all websites are <a href="" target="_blank">based on WordPress</a>, which loads jQuery. This threat mainly attacks WordPress and Joomla users, so if you are either, you’ll need to review:</p><ul><li><strong>Google Search Console.</strong> Check for changes in your search rankings or impressions. If you find radical changes in your ranking or impressions, like losing or gaining traffic, it may be more of a Google Penguin or Panda update than a jQuery issue. This jQuery issue goes undetected as your ranking will barely change, or you’ll see a negligible impact, and your results will look comparable to prior months of traffic.</li><li><strong>Google Analytics.</strong> Does the traffic volume here match that of the Search Console? The Search Console shouldn’t show more traffic than Google Analytics, especially with regard to <em>organic traffic.</em></li><li><strong>Site Speed.</strong> Has your site gotten slower recently? 
MosQUito will significantly slow down a site’s speed, or possibly cause the site to stop loading altogether.</li><li><strong>Search Your Site in Incognito Mode.</strong> Check the queries where you rank well and test your sites. When you do, click around like an organic user. If you find yourself being redirected once or more and landing on something other than what you intended, you’re likely infected.</li></ul><p>If you’re more advanced and familiar with code, you can scrub your code and look for anything unnatural. Here, you’ll see that jquery.min.php appears in the &lt;head&gt; code, but it can appear anywhere on a website.</p><img src="" alt="Infected jQuery Script with jQuery.min.php (MosQUito)" title="Infected jQuery Script with jQuery.min.php (MosQUito)" class="float-center size75pc" width="615" height="273"><p>Lastly, you can check this static list as our company has already identified over 10,000 of these websites which were infected and, at the time of this report, blocked by our ad fraud filter.</p><h2>What Should I Do If I Suspect I'm Infected?</h2><p>First and foremost, if you suspect you’ve been infected, you’ll want to contact your hosting company to ensure the issue you’re seeing is not part of a bigger problem. Plus, if you’re not incredibly tech-savvy, your hosting company can help you identify and isolate potential issues on your website that need to be remediated.</p><h3>Identify and Delete All Files Containing Malicious Script.</h3> <p>If you’re not well-versed in the backend code, or afraid you’ll ‘break’ something, contact your content management provider for assistance.</p><h3>Perform Updates on Your CMS and Extensions.</h3><p>It’s tempting to ignore the updates to your CMS and website extensions, but don’t. These updates often take care of known issues and protect your website. Along with checking to make sure you’re running the most updated version of your CMS, don’t forget any extensions, plugins, or add-ons you’re running. 
Those should also be consistently evaluated to keep your site secure.</p><p>For WordPress users, this can be identified on the ‘At a Glance’ panel of your Dashboard.</p><img src="" alt="WordPress Dashboard Version Screenshot" title="WordPress Dashboard Version Screenshot" class="float-center size75pc" width="615" height="160"><p>Joomla users can identify their version type on the backend of their website by clicking ‘Information’, then ‘System Info.’</p><img src="" alt="Joomla Dashboard Version for MosQUito" title="Joomla Dashboard Version for MosQUito" class="float-center size100pc" width="820" height="230"><br><em>Source: <a href="" target="_blank">Joomla</a></em><p>A full log of updates with each version can be found <a href="" target="_blank">here</a> for WordPress sites and <a href="" target="_blank">here</a> for Joomla sites. Once you’ve updated your content management system to the most current version, go back through your code to see if jQuery.min.php still exists.</p><p>If MosQUito remains, contact your provider immediately and alert them to your infection. If MosQUito is gone, you’re nearly in the clear. Check back several days later to ensure you have not been reinfected. If you find yourself free of the MosQUito exploit, but then it returns, your content management system is not yet protecting you through their recent version update.</p><h3>Review Your Admin Status.</h3><p>Many compromised WordPress sites were found to have <a href="" target="_blank">admin user names</a> such as ‘<em>backup</em>,’ ‘<em>dpr19</em>,’ and ‘<em>loginfelix</em>.’ If these are found, revoke admin access. Generally, as good practice, there is rarely a need for more than one person to have admin status. If you have several, protect yourself by assigning one ‘admin’ and replacing the others with more restricted roles, if any role at all.</p><h3>Change Your Passwords.</h3> <p>Simply stated, <em><strong>all</strong></em> passwords impacting your site (e.g. 
your CMS, any extensions, third-party applications, etc.) need to be changed. Remember, they’ve breached your website and likely can get back in, unless they no longer have the key.</p><p>Remember, MosQUito appears in your backend code, so unless you eradicate it completely, it has the ability to continue to infect your website.</p><h3>Get Ongoing Protection.</h3> <p>Site checkers like <a href="" target="_blank">Malwarebytes Anti-Malware</a> and <a href="" target="_blank">Sucuri Malware and Security Scanner</a> can help alert you to issues before they have a larger impact on your website.</p><p>While finding the malicious MosQUito code on your website can be concerning, it’s not fatal and your website can come back from this threat. Follow the recommended steps to rectify the malicious code, use a malware scanner regularly, and keep a watchful eye on what your Google Search Console tells you versus your Google Analytics. Continuous attention to threats that could affect your website will keep not only your site protected but others as well.</p> (Rich Kahn), 19 May 2016 08:00:00 -0400Ad FraudBrand SafetyMosQUito5 Ways Bots Can Cripple and Destroy Your Website<img src="" width="820" height="326" alt="5 Ways Bots Can Cripple and Destroy Your Website" /><p>Previously, we talked about all the different types of bots that are crawling the web. While some bots are actually helpful in catching content thieves and crawling pages for search engines, there are also plenty of malicious bots out there. Bad bots can generate false ad impressions, serve spam and malware, and steal content and information. 
So, you know these bots are bad, but how exactly are those bots hurting your website?</p><p>Now it’s time to take a more in-depth look at <em>what exactly</em> a malicious bot attack can mean for you.</p><h2>Bots Can Hurt Your SEO Ranking</h2><p>Your website’s SEO ranking is dependent on a lot of things: content quality, reliable backlinks, fast load time, etc. But bots can crawl your website and cripple the functionality and reliability of your website to the point where your SEO ranking plummets.</p><p><strong>They Scrape Your Content and Post It Elsewhere.</strong> All that unique, high-quality content that you craft for your site can easily be stolen by bots and posted elsewhere without your permission or any attribution. In fact, you might not even realize your content has been stolen unless you’re actively searching for it.</p><p>This can kill your SEO ranking because search engines will see it as plagiarised, and your site could be punished for having duplicate content, even if you’re the original author.</p><p><strong>They Can Overload and Crash Your Site.</strong> They’re called DDoS attacks, and they can make your website completely inaccessible. They occur when a number of infected computers band together to attack a single target, exhausting your network connections and server resources, which can cause website outages.</p><br><img src="" alt="1/3 of Downtime Incidents Attributed to DDoS Attacks" title="1/3 of Downtime Incidents Attributed to DDoS Bot Attacks" class="float-center size50pc" width="410" height="398"><br><br><em>Statistic Source: <a href="" target="_blank">Digital Attack Map</a></em><br><br><p>Depending on how long your site is down, this can eventually <a href="" target="_blank">hurt your SEO ranking</a>. A short outage won’t affect your rankings, but if your site is the victim of several DDoS attacks over an extended period of time, your rankings could take a serious hit. 
You’ll want to make sure you <a href="" target="_blank">secure your website</a> as quickly as possible to ensure you don’t fall victim to further attacks.</p><p><strong>They’ll Slow Your Site Load Time.</strong> Bot scripts are hefty chunks of data and extremely invasive, so they slow down the load times of your site. Not only does this frustrate users, but it also hurts your quality score.</p><h2>Bots Can Skew Your Analytics</h2><p>Your site analytics are essential for knowing how much traffic your site gets, how effective your advertising is, and the overall success of your site. Bot interactions can skew these analytics and give you false data.</p><img src="" alt="Bots Will Fill Out Your Site Forms" title="Bots Will Fill Out Your Site Forms" class="float-right size33pc" width="271" height="248"><p><strong>They’ll Fill out Your Site Forms.</strong> Website forms can offer you information on your customer base and the traffic coming to and from the website. But, when bots infiltrate them, you’ll get incorrect information that can alter your customer database. Plus, it’ll look like you have more leads than you actually do.</p><p><strong>They Engage With Your Ads.</strong> More commonly known as click fraud, bots will find your ads and then click on them, which can alter your advertising stats and falsify your CTR. This essentially renders your ads useless, because you’re spending money on advertising that isn’t bringing in converting traffic.</p><h2>Bots Can Infect Your Customers’ Devices</h2><p>If your site is infected with malware or full of suspicious download prompts, then anyone visiting your site is at risk of being infected as well.</p><p><strong>They Inject Malware Into Your Site's Code.</strong> Hackers can use bots to <a href="" target="_blank">inject malware codes</a> or links into the HTML header in your site. 
Spotting it can be hard, too, because it might not look much different from your site’s code.</p><p>Chances are, you won’t notice the malware on your site until Google detects it. You might see a drop in traffic because Google will warn users about malware before sending them to your site, so they’ll probably choose to turn back and go elsewhere.</p><p>Injected codes can also mean that bots are making it possible for hackers to <strong>steal your traffic</strong>. Your visitors could find themselves redirected to a site they never intended to visit, which is what the <a href="" target="_blank">MosQUito jQuery script</a> does when it infects your WordPress or Joomla-based site. A new example of ad fraud, the MosQUito script <a href="" target="_blank">steals the legitimate traffic</a> coming into your site, either from search or paid advertising and then directs it elsewhere.</p><p><strong>Bots Can Trick You Into Clicking.</strong> It’s called <a href="" target="_blank">clickjacking</a>, and bots will use it to trick you into clicking by making you think you’re actually clicking on something else. Hackers will use bots to change the code of your site and overlay a transparent page over a web page that you’re visiting. So, while you think you’re clicking to win an iPad, you’re actually clicking on a link that automatically donates your money to the hacker.</p><br><img src="" alt="Transparent Overlay Clickjack Attack" title="Transparent Overlay Clickjack Attack" class="float-center size100pc" width="820" height="416"><br><br><em>Source: <a href="" target="_blank">Troy Hunt</a></em><br><br><p>The overlay page looks completely normal, but when you click on something, such as a video play button, you’re actually clicking on the overlay page. 
These tricky clicks can trigger one-click orders from Amazon, <a href="" target="_blank">activate electronic transfers</a>, deceptively “like” a Facebook or Twitter profile, or even prompt a download of malware.</p><h2>Bots Can Destroy Your Bottom Line</h2><p>The average cost of a website security breach is <a href="" target="_blank">$300,000</a>, and bots amplify security threats because they work much faster than a hacker who tries to bypass security manually. While click fraud can certainly drain your ad budget, there are other ways bots can harm your revenue as well.</p><p><strong>Price Scraping Gives the Edge to Competitors.</strong> Bots will crawl your site and collect information about what you’re selling and how much you’re selling it for, and then report that information back to your competitors. This prevents you from ever having the edge over your competition. They’ll always be one step ahead of you in pricing their products lower.</p><p><strong>You’ll Be Charged More for Advertising. </strong>Bots aren’t only used to just hack into your site; they can also mess with your analytics, which can affect the cost of your advertising.</p><p>For publishers, this means that they can charge more for advertising because higher traffic rates dictate higher ad prices. But for advertisers, this means they’re paying an artificially inflated price for essentially fake traffic. Bot interactions with your ads can also skew A/B test results.</p><p><strong>They'll Collect Your Site Data.</strong> These bots are called data aggregators, and they’ll steal all that research you spent tons of money to gather and then release it for free. This quickly dilutes the value of your data and makes it almost impossible for you to profit from it. 
Plus, it’s extremely difficult to <a href="" target="_blank">fight data aggregators</a>, which can quickly grow into a multi-million dollar lawsuit.</p><h2>Bots Can Cripple Your Reputation</h2><p>When customers fill out forms and make purchases from you, they’re trusting you with their personal and bank account information. Bots can get into your site and steal that data, leaving your customers at risk and your trustworthiness destroyed.</p><p><strong>They’ll Steal Personal Information.</strong> Giving away personal information to a website, even if it’s a well-known trusted site, is a huge concern for web users. It’s a big concern for website owners, too, who want to make sure they aren’t risking their customers’ trust by misusing sensitive information.</p><img src="" alt="Bots Steal Personal Information" title="Bots Will Steal Website Users' Personal Information" class="float-left size33pc" width="271" height="271"><p>Bots, however, can harvest what information users put into comments and forms, which they can then use for a spam campaign or sell to competitors. Some of these bots can even skim credit card data from your site. You need to be extra careful in making sure bots can’t gain access to this information by constantly updating your site security.</p><p><strong>They’ll Spam Your Site With Poor-Quality Backlinks.</strong> Bots do this by selling links from your site to clients and then commenting on your blog posts with their clients’ poor-quality links.</p><p>Sometimes, the links are harmless, but they usually take your readers back to questionable websites, where scammers are peddling anything from fake pills to malware. 
Scammers will even use a buffer site so your audience doesn’t realize they’re on a more sinister site at first.</p><p><strong>They Can Get Your Site Blacklisted.</strong> From slowing down your site to injecting malware or clickjacking, all of these malicious activities can break the trust of your site’s audience.</p><p>Bots can load your site with so much garbage that it ultimately discourages any legitimate visits from customers. This could potentially get your site blacklisted and destroy everything you’ve done to develop a trusted site.</p><h2>Bad Bots, Bad Bots, Whatcha Gonna Do?</h2><p>So, how do you spot bad bots and what can you do about it? There are some preventative measures you can take:</p><ul><li><strong>Block Users and Delete Spam Comments.</strong> While not perfect, it’s fairly easy to go in and delete spammy comments on your blog. This way, your readers are at a lower risk for becoming victims of malware downloads.</li> <li><strong>Get a Traffic Filter for Your Ads.</strong> With traffic filtration, you can make sure your ads are only being shown to relevant viewers and not bots.</li><li><strong>Block the Bot's IP Address.</strong> While <a href="" target="_blank">not entirely effective</a>, because most bots use numerous IP addresses, once you identify a bot, block that IP address.</li> <li><strong>Search for Your Site in Incognito Mode.</strong> Try to see what your customers see to help you get a better idea of their user experience, and make you aware of bots lurking behind tricky click prompts.</li> <li><strong>Monitor Your Search Ranking.</strong> If you suddenly see your SEO rank drop, your site might be infested with bots, and you’ll know to check your site’s code and make sure its security is up to date.</li> <li><strong>Test Your Site Speed.</strong> If your site suddenly and <a href="" target="_blank">inexplicably slows down</a>, it could be because hackers are using bots to take over your site’s code.</li> <li><strong>Use <a href="" 
target="_blank">Copyscape</a>.</strong> It’s quick and easy to use, and it’ll search for copies of your site on the internet. Then you can request that the site remove the copied content so it doesn’t affect your rank.</li> <li><strong>Block the Known Bots From Your Site.</strong> You can copy a <a href="" target="_blank">starter list of bad bots</a> into the <a href="" target="_blank">.htaccess file</a> of your website to block any of the more commonly known bots from accessing your site. You can also continue to add to this list and modify it as you need to.</li> </ul><p>While there’s no foolproof way to block all bad bots all the time, you can take preventative measures to make sure your site’s security is up-to-date and the user experience flows smoothly.</p><h3>Related Post: <a href="" target="_blank">What is a Bot?</a></h3> (Rich Kahn), 12 May 2016 08:00:00 -0400Click FraudGood Bots, Bad Bots, and What You Need to Know<img src="" width="820" height="326" alt="Good Bots, Bad Bots, and What You Need to Know" /><p>In 2015, internet bots accounted for only a little less than half of online traffic. Of that, anywhere from 18% to 29% of the traffic was from <a href="" target="_blank">bad bots</a>, and only 19% to 27% was from <a href="" target="_blank">good bots</a>. Smaller websites tend to think they’re immune to bot traffic, but the harsh reality is, the smaller the website, the higher the chance of being visited by bots, both good and bad.</p><br><img src="" alt="Bot Traffic Varies According to Website Size" title="Bot Traffic Varies According to Website Size" class="float-center size100pc" width="820" height="493"><br><em>Source: <a href="" target="_blank">Incapsula</a></em><br><br> <p>To advertisers, most bots are the nonhuman programs that generate fake ad impressions or serve hidden ads to trick browsers into downloading malware or spreading spam. 
Now, bots are becoming more stealthy and difficult to detect, and they can do more than just deliver false ad impressions.</p><p>There are both <a href="" target="_blank">legitimate and malicious bots</a> out there. The legitimate ones keep the web running smoothly and ensure that the higher quality content gets seen, but malicious bots do the exact opposite.</p><h2>Legitimate Bots</h2><p>Not all bots are bad; <a href="" target="_blank">legitimate bots</a> are actually helpful to websites. They’ll crawl site pages in order to determine SERP ranking, and they’re what help keep weather, sports, and other news updated in real-time.</p><p>Plus, there are also bots that’ll help you find the best price on a product or discover any stolen content. Good bots ultimately assist in the growth and development of the web.</p><p><strong>Spider Bots.</strong> These are the bots that are used by search engines, such as Googlebot or Bingbot. They explore web pages and analyze the content, organization, and linking, using that information to determine the ranking of pages on a SERP.</p><p><strong>Trader Bots.</strong> Trader bots crawl online auction sites (such as eBay or Amazon) to find the best deals on a product or service. Online retailers will use them to help edge out the competitor by posting a better price or a more in-depth product description.</p><p><strong>Media/Data Bots.</strong> These are the bots that provide real-time updates on the weather, news and sports, currency exchange, and other data. They’re also used to censor online chat rooms and instant messenger programs.</p><p><strong>Copyright Bots.</strong> Copyright bots are the opposite of malicious scraper bots. 
They search the internet for material that has been copied or plagiarized in order to catch the thieves and possibly gain monetary compensation.</p><h2>Malicious Bots</h2><p><a href="" target="_blank">Malicious bots</a> are designed by hackers and other internet users to generate false ad impressions, serve spam and malware, overtake networks of computers to form botnets, and steal content and information.</p><p>Fortunately, the number of bad bots has declined from previous years. But their actions are becoming more human and advanced, making them harder to detect. Malicious bots are thriving on smaller sites, where there’s less security. While they’re having trouble keeping up with human visitors on the larger sites, where the security and traffic filtration is more prevalent, they’re still making up over a third of the overall traffic.</p><br><img src="" alt="2014 to 2015 Bad Bot Traffic Comparison" title="2014 to 2015 Bad Bot Traffic Comparison" class="float-center size75pc" width="615" height="545"><br><em>Source: <a href="" target="_blank">Incapsula</a></em><br><br><p>Chances are, your website has seen its fair share of malicious bot traffic. However, there are different types of bad bots that you should be aware of.</p><p><strong>Spam/Email Bots.</strong> These bots spread spam content and advertising links all over the internet. They’ll also collect email addresses, phone numbers, and other personal information submitted by users through forms filled out online.</p><p><strong>Impersonator Bots.</strong> These bots are more advanced malicious bots designed to impersonate regular human users in order to bypass site security and carry out the harmful orders of the hacker using them.</p><p><strong>Zombie Bots and Botnets.</strong> Zombie bots take over your computer and run in the background, essentially turning your computer into a “zombie.” Most of these zombie bots attack residential IP addresses, making them difficult to catch. 
A collection of these “zombie” computers is what makes up a botnet, which is a network that uses these infected computers to perform a variety of malicious deeds, such as a targeted group attack known as a <a href="" target="_blank">DDoS attack</a>.</p><p><strong>Download Bots.</strong> Also known as transfer bots, these bots attach themselves to legitimate web pages and are used to transfer users to a malicious website instead of the web page that the user requested.</p><p><strong>Spy Bots.</strong> These bots are used for surveillance and data mining to collect information about a person, website, or company. Usually, hackers will then sell the information gathered to a marketing firm or rival company.</p><p><strong>Website Scraper Bots.</strong> Scraper bots will steal original content from a site and reprint it on various sites throughout the internet without permission. Usually, victims of scraper bots don’t even know their content’s been stolen unless they’re actively searching for it.</p><p><strong>Click Bots.</strong> Click bots are the ad fraud bots that advertisers have grown to know and despise. These bots set out to intentionally engage with your advertising, thereby skewing your data and costing you money for <a href="" target="_blank">fraudulent clicks</a>.</p><p>These bots may cause you to believe that an advertising campaign is doing really well, depending on what metrics you’re measuring, and may lead you to pour more money into a campaign. Rival companies may use click bots to cause a competitor to quickly run through their daily budget, so their ad won’t show for very long.</p><br><img src="" alt="Types of Malicious Internet Bots" title="Types of Malicious Internet Bots" class="float-center size75pc" width="615" height="353"><br><em>Source: <a href="" target="_blank">Incapsula</a></em><br><br><h2>Advanced Persistent Bots</h2><p>Malicious bots are growing increasingly sophisticated. 
So much so that bot detection company Distil Networks gave these bots a new name in their <a href="" target="_blank">2016 Bad Bot Landscape Report</a>: Advanced Persistent Bots (APBs).</p><p>Distil’s report describes three different sophistication levels of bad bots: simple, evasive, and advanced. Advanced bots make up about 46% of bad bot traffic, and of this percentage, 39% are advanced enough to mimic human behavior. Simple bad bots, on the other hand, decreased from 23% to 12% of total bad bot traffic. Evasive bots make up about 42% of bad bot traffic and are more advanced than simple bots because they can disguise their activities by rotating IP addresses or changing user agents.</p><p>APBs have several advanced capabilities that help them mimic human behavior, and they’re much harder to identify because they aren’t noticed by many of the existing security solutions. These advanced behaviors include loading external resources, tampering with cookies, and browser automation.</p><br><img src="" alt="Percentage of Bots Mimicking Humans" title="Percentage of Bots Mimicking Humans" class="float-center size50pc" width="410" height="374"><br><em>Source: <a href="" target="_blank">Distil Networks</a></em><br><br><p>They can also load JavaScript, which many analytical tools use to function. The ability to load JavaScript means they have the potential to throw off key metrics measured by these tools since a lot of them function with a JavaScript code snippet. 
Because APBs are able to mimic human behavior more and more, Distil predicts that analytical tools will pass about 53% of bad bots as legitimate human traffic.</p><br><h4>Related Post: <a href="" target="_blank">6 Click Fraud Questions New Media Buyers Should Ask</a></h4><br><p>These advanced bots are also able to use tactics such as dynamic IP address rotation, which allows them to choose rotating IP addresses from huge pools and obscure their origins by distributing their attacks over hundreds of thousands of IP addresses.</p><h2>The Future of Bots</h2><p>While the overall amount of bad bots <em>has</em> decreased, the ones that still exist are getting more and more advanced.</p><p>Recently, chatbots have been gaining more popularity. These are AI bots that are programmed to learn from and respond to humans over online applications, such as <a href="" target="_blank">Facebook Messenger</a>. Most recently, Microsoft had an <a href="" target="_blank">AI named Tay</a> who learned how to act more human from the habits of Twitter users.</p><br><img src="" alt="Microsoft AI Tay Twitter" title="Microsoft AI Tay Twitter" class="float-center size75pc" width="615" height="385"><br><em>Source: <a href="" target="_blank">Telegraph UK</a></em><br><br><p>Tay backfired of course, because Microsoft didn’t double check that Tay knew the difference between what was <a href="" target="_blank">offensive</a> and <a href="" target="_blank">illegal</a> and what wasn’t.</p><p>But, Tay was still a stepping stone for more advanced AI technology. Bots are aiming to become more like humans, and even replace them in some cases. Facebook Messenger is perfecting its <a href="" target="_blank">personal assistant</a> “M,” and many brands online are using chatbots for customer service needs.</p><p>The continued advancement of bots means that bots are becoming more human over time. 
This is great for the good bots, as they will be able to perform their jobs better and improve the online experience.</p><p>However, that means the bad bots will be better at acting human, too, and these sophisticated bots are much harder to combat. As bot software evolves, websites will have to improve their security and traffic filtration, because it will become that much harder to distinguish a malicious bot from an everyday user.</p><h3>Related Post: <a href="" target="_blank">What is a Bot?</a></h3> (Rich Kahn), 05 May 2016 08:00:00 -0400Ad FraudFighting Ad Injection: What You Need to Know<img src="" width="820" height="326" alt="Fighting Ad Injection: What You Need to Know" /><p>Advertisers have been dealing with fraud for years. But fraudsters’ latest scheme - <em>ad injections</em> - is giving many advertisers pause.</p><p><a href="" target="_blank">Ad injections</a> are ads placed on websites through browser extensions. Once ads are “injected,” they’re sold by third parties without the owner’s permission. Ad injections are so stealthy, many times advertisers don’t even know until it’s too late, especially if they’re using programmatic advertising.</p><p>While the fraudster is rolling in the cash, the advertiser is left out in the cold, losing valuable ad revenue. To stop the hemorrhaging of money, advertisers need to know who’s behind ad injections, what to look for, and how to best mitigate the fraud.</p><h2>Who’s Performing “the Injecting”</h2><p>So who are the main crooks behind ad injection? <strong>215 Apps</strong>. Using a bait-and-switch tactic, the group promises consumers a benefit (e.g. download streaming videos) and instead injects ads into sites through a network of browser extensions. 215 Apps’ network of browser extensions goes by two names: <strong>Engaging Apps</strong> and <strong>Innovative Apps</strong>.</p><p>Telemetry, an online video security firm, was the first to notice what 215 Apps were up to. 
Then others caught on -- like Ad Age, who conducted their own experiment.</p><p>Within 10 minutes of being on YouTube, Ad Age <a href="" target="_blank">discovered</a> an injected ad unit featuring ads from high profile brands such as Subaru, Dick’s, Target, Lion King, Nissan, and Harvard Business School. And that’s just the tip of the iceberg when it comes to the ad injection problem.</p><p>On a major publisher’s website, ad fraud detection firm WhiteOps <a href="" target="_blank">discovered</a> ‘injected ads’ accounted for <strong>more than 3% of all impressions</strong>. Likewise, Forensiq surveyed a real-time automated ad auction and saw ad injection accounted for 12.5% of available inventory. And these two examples are just a sampling of the ad injection statistics out there.</p><h2>Why Consumers Should Care, Too</h2><p>Now if you’re a consumer, why should you care about ad injection? Obviously, advertisers are angry because they’re paying for something you aren’t seeing. But consider this: if you have to watch a pre-roll ad to access that coveted video, wouldn’t you rather it be of something that has value to you?</p><p>Injected ads don’t care about relevance; they just want <em>views</em>. So, instead of being retargeted with an ad about shoes -- something you wouldn’t mind watching -- you’re being served with an injected ad for toenail fungus cream. Yuck.</p><p>But more importantly, ad injections can <em><a href="" target="_blank">compromise</a></em> your computer’s security. They can open the door to viruses or malware, as well as significantly impede the performance and speed of your computer.</p><h2>What to Look For</h2><p>Knowledge is power and knowing the types of ad injections that are occurring is a crucial component in the fight against ad injection fraud. Currently, there are three types of ad injection schemes advertisers (and <em>consumers</em>, too) need to be aware of.</p><h3>1. 
Layering Atop Existing Ads</h3><p>Injecting ads within <a href="" target="_blank">already existing ads</a> is known as layering. Layering can be found not only within display ads like banners but within video ads, too.</p><p>Let’s say you go to YouTube to watch the latest trending video. Before you can watch the clip, you have to watch a five-second pre-roll video. While the pre-roll video is playing, you notice another video pops up and plays over top of the existing video. What you’ve just witnessed is a <strong>layered ad injection</strong>.</p><img src="" alt="Layered Ad Injection" title="Layered Ad Injection" class="float-center size75pc" width="615" height="444"><br><em>Source: <a href="" target="_blank"></a></em> <h3>2. Replacing Existing Ads</h3><p>Sometimes ads that are injected will completely take over, replacing an existing ad. For instance, here’s an injected ad on Google’s search page. It’s highly possible someone else paid to have that spot, and instead, they were replaced by an injected ad.</p><img src="" alt="Poor PC Injection" title="Poor PC Injection" class="float-center size75pc" width="615" height="203"><br><em>Source: <a href="" target="_blank">Microsoft/TechNet</a></em><p>The searcher would have no clue, and there’s a good chance they’ll think, “Hey, my PC performance is poor, I should check this out.” With every click, the fraudster makes more and more money while the advertiser that should be there gets zilch.</p><h3>3. Appearing on Pages Where They Shouldn’t Be</h3><p>Ad injections can appear on pages that shouldn’t have ads, or on pages where they shouldn’t be. Here, an ad for Target appears on Wal-Mart’s page.</p><img src="" alt="Target Injected Ad" title="Target Injected Ad" class="float-center size75pc" width="615" height="394"><br><em>Source: <a href="" target="_blank"></a></em><p>Clearly, Wal-Mart would never put their competition on their own website, but an ad injection fraudster would. 
This example got a <a href="" target="_blank">ton of press</a> and shed a powerful light on how even a household brand like Wal-Mart can fall victim to ad fraud.</p><p>Now, what would have happened if a less innocuous ad appeared here? Perhaps an ad for porn or something else that’s decidedly not family-friendly. An ill-placed ad injection can have a <a href="" target="_blank">devastating effect</a> on a brand.</p><p>And if you’re a consumer, do you want your 13-year-old seeing an ad for Ashley Madison pop up on Probably not.</p><h3>Related Post: <a href="" target="_blank">The Real Truth About Ad Fraud, And Four Ways It's Destroying Brands</a></h3><h2>How to Mitigate</h2><p>When <a href="" target="_blank">1 in 20 web users</a> are infected with ad injections, you know you’ve got a problem that can’t be ignored. Google recognizes this and has stepped up to the plate, leading the fight against ad injection fraud.</p><p>Taking a cue from Google, here are three things advertisers and consumers can do to mitigate their risk.</p><h3>1. Know Which Companies Are Affected</h3><p>One way Google is fighting back is by shining a light on the fraud. Instead of letting fraud lurk in the shadows, the company is calling it out <em>publicly</em>.</p><p>Last year, Google conducted research and shared their findings with the masses. They posted the names of those involved with ad injection fraud, and the results were a mixed bag of surprises. No one was shocked to hear SuperFish and JollyWallet were guilty of ad injecting, but they were surprised to hear and’s names on the list.</p><p>Publicly shaming companies will hopefully produce the peer pressure effect, forcing companies to clean up their act. Meanwhile, others can protect themselves by avoiding those who appear on the list.</p><p><strong>Tip:</strong> Advertisers should know which companies are affected by ad injection, and steer clear of them.</p><h3>2. 
Take Warnings Seriously</h3><p>Google is also <a href="" target="_blank">taking steps</a> to protect their 14 million Chrome users by removing 192 deceptive Chrome extensions and blocking 5 million new installs a day, offering users warnings before an extension is downloaded.</p><img src="" alt="Chrome Warning" title="Chrome Warning" class="float-center size75pc" width="615" height="438"><br><em>Source: <a href="" target="_blank">Google Blog</a></em><p>Consumers who rely on Chrome should heed Google’s warnings. Google is giving users a big red warning. Here, simply avoid ad injections by never downloading a sketchy extension in the first place.</p><p><strong>Tip:</strong> Consumers, don’t hit download. If you see a red warning, don’t download that extension.</p><h3>3. Review Software Policy</h3><p>Google mandates their AdWords advertisers must comply with Google’s <a href="" target="_blank">Unwanted Software Policy</a>. Advertisers should consider working with companies that have similar regulations.</p><p>When reviewing software policies, advertisers (and consumers, too) should look for:</p><ul><li><strong>Simple Removal.</strong> Software should be easy to disable or uninstall.</li><li><strong>Transparent Installation and Disclosure.</strong> Software has a verifiable publisher and easy to understand installation process.</li><li><strong>Clear Value.</strong> Software delivers exactly what was promised to the user.</li></ul><p>If there is no policy, or the policy is limited in scope, that’s a red flag.</p><p><strong>Tip:</strong> Review any software before you partner with or install it, to ensure it’s transparent and user-friendly.</p><h2>Conclusion</h2><p>Like other types of ad fraud, ad injections aren’t going away. 
So long as fraudsters are making money, they ‘can’t stop, won’t stop.’ But as advertisers become more savvy and vigilant, the problem will hopefully become more manageable.</p> (Rich Kahn), 25 Apr 2016 08:00:00 -0400Ad FraudProgrammatic Advertising: Why We've Lost That Loving Feeling<img src="" width="820" height="326" alt="Programmatic Advertising: Why We&#039;ve Lost That Loving Feeling" /><p>Programmatic advertising, like the infamous Righteous Brothers serenade in Top Gun, has lost that loving feeling. It’s gone, gone, gone, whoa whoa.</p><p>See, as marketers, we used to love it. It helped us do our jobs faster and allowed us to guarantee ad placement on publisher websites. We were granted unprecedented access to moment-to-moment interactions to stay on top of the industry. Programmatic advertising gave us superhuman strength and made our jobs much easier. We were in love.</p><p>And then that love faded. What was once a shiny, new, and oh so perfect system started to show its flaws, causing marketers everywhere to second guess programmatic’s true intentions. Blinded by all the things it did right, we lost sight of all the things it did wrong. Here are a few examples of why we’ve lost that loving feeling with programmatic advertising.</p><h2>Programmatic Is a Bot With No Feelings</h2><p>Programmatic advertising is built on software that’s only as smart as we have taught it to be. It’s not a human, it has no feelings, and can only be coded to perform functions it’s taught to perform. But here’s the issue with that - 94% of marketers say <a href="" target="_blank">programmatic marketplace quality</a> is a very serious or somewhat serious issue. So, if humans programmed it, and it doesn’t work as we expected, are we the ones to blame?</p><img src="" alt="94% of digital marketers said programmatic marketplace quality was a very or somewhat serious issue." title="94% of digital marketers said programmatic marketplace quality was a very or somewhat serious issue." 
class="float-center size66pc" width="541" height="304"><p>Well, yes, to an extent. We know that malicious bots attack low-hanging fruit and places they can easily infiltrate with <a href="" target="_blank">little to no retribution</a>. We also know bots have the ability to change rapidly, morphing themselves to learn new tricks to stay undetected. And since we know that bots are cunning and crafty, we’d be remiss if we didn’t think that they would infiltrate software <em>we created</em>.</p><p>Still, we have a ‘trust then verify’ mentality with programmatic, even though we have little faith that the software hasn’t been infiltrated with bots. Still, marketers are quick to turn a blind eye. Why? They’re still making money, and while the bots are too, making a little over nothing still puts you ahead.</p><h2>Money Can’t Buy Love</h2><br><img src="" alt="Robot Pushing a Shopping Cart with a Heart Inside the Basket" title="Robot Pushing a Shopping Cart with a Heart Inside the Basket" class="float-left size25pc" width="205" height="273"><p>Bots are good, <em>really good</em>, at going undetected. They’re taught by their creators to be a sleuth and perform actions and functions exactly as any human would do. If they’re successful, advertisers are happy with their results and spend more money, and the bots continue to thrive.</p><p>That said, bots still haven’t figured out how to complete a purchase. And without completing a purchase, over time, marketers grow suspicious. Their once stellar, growing traffic hits a roadblock as it fails at the ultimate task - completing a purchase. Without cold hard cash, it's difficult for marketers to continue to love this traffic for long, opening up their results to further scrutiny.</p><br><h2>A Human Mind Is Passionately Curious</h2><p>People are genuinely curious by nature. 
We like to take things apart and put them back together, see what happens when you do something you shouldn’t, and a “don’t touch” sign sounds more like a challenge than a warning. We’re passionately curious about our surroundings, environment, and our careers - we’re always trying to do something better.</p><p>Curiosity is what causes us to dive deep into data, making associations, and inferences in relation to advertising campaigns. This data helps us understand not only what has happened, but creates guesses and correlations behind what will happen next.</p><img src="" alt="Robot Holding a Green Brain" title="Robot Holding a Green Brain" class="float-right size33pc" width="271" height="271"><p>This innate curiosity is also what helps us review data holistically, seeing patterns develop over time. Humans are good at this, but bots, while they’re intelligent, aren’t trained to appear random. They function on precision and order to be technically perfect in the functions they perform in real-time. Since they focus on getting the short-term perfect, it leaves their long-term game <a href="" target="_blank">open to patterns</a> that raise a red flag for marketers.</p><p>By relying strictly on programmatic software, we remove the ability to be passionately curious about advertising results. Slowly, we become complacent, less curious, setting ourselves up for dismal results. And, while programmatic buys have made a marketer’s job easier, it, unfortunately, perpetuates a bot-buying environment.</p><h2>Save That Loving Feeling Before It’s Too Far Gone</h2><p>It may sound like there’s nothing good at all in programmatic advertising, but that isn’t the case at all. You simply need to be smart and knowledgeable about the process. Like Goose says to Maverick, “you have to have carnal knowledge.” Knowledge of how programmatic works and why it works keeps that loving feeling alive and strong.</p><p>Programmatic isn’t simply set-and-forget. 
All marketers should have an intimate understanding of advertising placement including where it appears, and what happens every step of the way. By incorporating a well-balanced relationship between human interaction and software, we’ll make stronger, more poignant decisions, keeping that lovin’ feeling burning strong.</p> (Rich Kahn), 20 Apr 2016 08:00:00 -0400Ad FraudPPCProgrammaticProgrammatic AdvertisingHow to Knock Ad Fraud out of the Programmatic Funnel<img src="" width="820" height="326" alt="How to Knock Ad Fraud out of the Programmatic Funnel" /><p>Ad fraud is a constant battle for advertisers, agencies, and publishers alike. We’ve seen <a href="" target="_blank">who commits online advertising fraud</a> and <a href="" target="_blank">where it hides</a>, but how do we get rid of it with the rise of programmatic advertising? In short, <em>you don’t</em>, but there are ways to help mitigate the damage.</p><p>Programmatic advertising has led to the beginning of the end for the traditional manual ad purchasing model. With <a href="" target="_blank">programmatic</a>, exchanges are all digital and completed within milliseconds of a page being loaded on a website, allowing purchase decisions to be made automatically.</p><p>However, with any automated process, there’s a level of uncertainty.</p><img src="" alt="Robot with the text 94% of digital marketers said programmatic marketplace quality was a very or somewhat serious issue." title="Robot with the text 94% of digital marketers said programmatic marketplace quality was a very or somewhat serious issue." class="float-center size75pc" width="615" height="315"><br><em>Source: <a href="" target="_blank">eMarketer</a></em><p>Ad fraud breeds and multiplies when advertising works well. Programmatic advertising brings a tremendous amount of positives to the industry, but it’s a natural alignment for ad fraud to run rampant.</p><p>So how do you keep ad fraud out of the programmatic funnel? <em>You don’t</em>. 
But you can limit its effects. Here’s how.</p><h2>Domain Identification in the Programmatic Transaction</h2><p>Fraudsters thrive on hiding their identities and morphing themselves into someone they’re not. Some create websites that have a high-volume of bot traffic and others spoof a trusted website to surpass the <a href="" target="_blank">whitelists</a>. In both instances, they can breach the whitelist, becoming a trusted advertiser, until they’re caught and placed on a blacklist.</p><p>This simply stops <em>that source</em> from tricking the system, but doesn’t stop fraudsters’ other domains from continuing to breach the <a href="" target="_blank">programmatic transaction</a>.</p><p>By making the domain known, programmatic buyers can better understand patterns that pop-up with programmatic purchases from certain domains. Since it’s hard to keep up on the rapidly changing environment, sharing this information will help the entire industry weed out the unscrupulous performers.</p><h2>Use Dynamic Fraud Elimination Techniques as a Standard</h2><p>Many advertisers routinely filter traffic through a <a href="" target="_blank">third-party scoring system</a> to identify what’s considered fraudulent traffic. While this is helpful, it’s only as effective as the filter they’re scoring through.</p><p>It’s well known that <a href="" target="_blank">fraud scoring technology</a> can help remove some fraudulent traffic; but what one company considers fraudulent, another might consider legitimate. And since there’s no set standard among these companies, the programmatic funnel passes muddied results right along through the supply chain.</p><p>The digital advertising industry needs to agree on a dynamic fraud elimination standard, and insert it into the programmatic funnel. 
Once all impressions are judged equally earlier in the supply chain, we can all reduce the bids on fraudulent impressions, taking fraudsters down in the area they benefit the most.</p><img src="" alt="Robot image with three points about what brands can do to help reduce ad fraud in the programmatic buying cycle" title="Robot image with three points about what brands can do to help reduce ad fraud in the programmatic buying cycle" class="float-center size75pc" width="615" height="245"><br><em>Source: <a href="" target="_blank">BuzzCity</a></em><p>For brands, if they’re consistent with asking suppliers about their ad fraud practices, a standard will emerge in time. But this needs to be a consistent conversation, not one brand turn a blind eye to when the metrics are outperforming the standard. The old adage “<em>if it’s too good to be true, it probably is</em>” couldn’t be more true with digital advertising.</p><h2>Include Transparency in Programmatic Supply</h2><p>Programmatic thrives on split-second decision making and automatic placement of advertising on websites. But, how transparent is this process? It’s not, <em>not at all</em>.</p><p>If the process itself isn’t transparent, how are we supposed to understand what’s <a href="" target="_blank">happening in the marketplace</a>? <em>We can’t</em>.</p><p>Brands want that transparency and want to know exactly where their advertising is displayed and what websites it appears on. Think of programmatic supply as one big puzzle:</p><ul><li>Advertisers focus on one section of the puzzle, failing to move forward until that section is complete.</li><li>Publishers rush to provide all the pieces even before the advertisers might need them.</li><li>Brands step back and look at all the pieces of the puzzle, how they’re arranged, and what’s different or missing.</li></ul><p>Brands want the transparency that the advertisers and publishers are missing out on by focusing only on one part of the puzzle. 
Brands understand that to be truly transparent, they need to know where the puzzle pieces originated, how they fit together, and where the missing pieces lie.</p><h2>Find a Common Ground Between Quality and Convenience</h2><br><img src="" alt="Quote - Given the choice between quality and convenience, convenience always wins." title="Quote - Given the choice between quality and convenience, convenience always wins." class="float-center size50pc" width="410" height="410"><br><em>Source: <a href="" target="_blank">AdExchanger</a></em><p>Paraphrasing Clear Channel’s Bob Pittman at the recent IAB annual meeting, advertisers love the convenience, and given the choice between it and quality, the quality will fall to the wayside every time.</p><p>But advertisers are also the first to point out when quality is not up to par. So what gives? Currently, there’s no common ground between quality and convenience, and there needs to be.</p><p>Using dynamic fraud elimination early in the transactional process will help, but it won’t eliminate any fraud that slips in <em>after</em> this step in the process (e.g. scrapped sites, spoofing, etc.). To best conquer this problem, publishers and advertisers have to meet in the middle:</p><ul><li>Publishers need to take responsibility for providing premium, quality traffic inventory. Fraud-free traffic can drive <a href="" target="_blank">more demand and higher CPMs</a>.</li><li>Advertisers should stop hesitating when investing their ad spend. Once you look at your results, you can (and should) reinvest in true, premium traffic. This will encourage publishers to offer more of this quality inventory.</li></ul><p>Once advertisers hold publishers to a higher standard and demand consistent fraud elimination metrics from third-party providers, ad fraud overall will be reduced. 
Advertisers must hold quality to as high of a standard as a convenience to help eliminate the ad fraud issue in programmatic, and elsewhere, once and for all.</p><p><h3>Related Post: <a href="" target="_blank">Programmatic Campaigns Need Pre-Bid Solutions</a></p> (Rich Kahn), 19 Oct 2015 08:00:00 -0400Ad FraudOnline FraudProgrammatic AdvertisingOnline Fraud and the Sneaky Places It Hides<img src="" width="820" height="326" alt="Online Fraud and the Sneaky Places It Hides" /><p>In <a href="" target="_blank">part one</a> of our online advertising fraud series, we learned that advertisers waste over $6 billion a year in fraudulent advertising spend. Fraudulent accounts are abundant, and with good reasons: there are no rules, no consequences, and no regulations for their actions.</p><img src="" alt="67% of online bot traffic is from a residential IP address" title="67% of online bot traffic is from a residential IP address" class="float-center" style="max-width: 100%"><p>With 67% of online <a href="" target="_blank">bot traffic</a> originating from residential IP addresses, it’s more likely than not that you, too, have been affected by advertising fraud. In part two of this series, we’ll take a look at where we find ad fraud, and why each form of fraud is so popular with fraudsters.</p><h2>Search Ad Fraud or Click Fraud (CPC)</h2><p>Arguably one of the largest subsets of online advertising fraud is search ad fraud, or click fraud. It takes place when a person or bot mimics a legitimate user, generating a click without having any interest in the result of that click.</p><p>Click fraud is usually prevalent in pay per click programs, where advertisers pay for click performance, with the end goal of converting those clicks. 
When a bot is present, however, the clicks generally don’t convert and add no value to the advertising.</p><p>Nevertheless, these bots <a href="" target="_blank">cost advertisers</a> 20% of their pay per click budget each year.</p><p>This type of fraud has become particularly popular because it can infiltrate the smallest of publishers and the largest of brands. In a <a href="" target="_blank">recent report</a> by the Association of National Advertisers (ANA), 52% of the traffic from <a href="" target="_blank">premium publishers</a>, who were previously believed to be unaffected by fraud, was found to be fraudulent. That number is often even higher for smaller publishers.</p><p>The use of a <a href="" target="_blank">third party traffic scoring system</a> helps mitigate the damage caused by click fraud by filtering out the fraudulent clicks. But this issue will remain abundant until all third-party systems can agree on what’s considered a “fraudulent traffic signal” and what’s not.</p><h2>Impression Ad Fraud (CPM/CPV)</h2><p>One of the fastest-growing segments of fraud is in the display sector. Advertisers pay for these ads by the view, or by the number of impressions left with a viewer. But what if the ad is <em>never actually viewed</em>.</p><p>The debate on viewability stems from this issue. Can the user see your ad or video? And if so, <em>how long</em> must they look at it before it’s considered ‘viewed?’ While the Media Rating Council (MRC) has <a href="" target=_blank">adopted standards</a> for viewability, this simply established guidelines for how the fraudsters can circumvent the system. Some examples include:</p><img src="" alt="How Fraudsters Beat Impression Ad Fraud - Video Fraud, Ad Retargeting, Fake Sites, Paid Impression Fraud, and Hidden Ad Impression" title="How Fraudsters Beat Impression Ad Fraud" class="float-center size66pc" width="541" height="541"><ul><li><strong>Video Fraud.</strong> Often stacked, layered, or invisible (e.g. 
one pixel by one pixel), it’s lucrative, with payouts often upwards of <a href="" target="_blank">ten times that of a banner ad</a>.</li><li><strong>Paid Impression Fraud.</strong> Advertisers pay for additional traffic to their website, but get traffic from known bots. These may go undetected without the use of a third-party traffic scoring solution.</li><li><strong>Ad Retargeting.</strong> Bots replicate highly engaged user behaviors, like someone looking for a refrigerator for their home. The ad retargeting company, who’s a bot, picks up on these engaged users, and serves them <a href="" target="_blank">retargeted refrigerator</a> ads. They make money off the impression, which was <a href="" target="_blank">never viewed</a> by an <em>actual</em> engaged user.</li><li><strong>Hidden Ad Impressions.</strong> For example, small ads can be hidden within a larger ad. Not only does the larger ad show as a viewable impression, but the smaller ad running inside it will, too.</li><li><strong>Fake Sites.</strong> These sites are built for the <a href="" target="_blank">sole purpose of serving ads</a> and have no content that a user would actually want to see.</li></ul> <h2>Domain Spoofing</h2><p>In addition to duplicating the content of your site, fraudsters can also take over your URLs. With a reputable or premium brand, these URLs likely already appear on a whitelist, taking half of the battle out of the fraudsters’ hands.</p><p>By simply <a href="" target="_blank">introducing a line of code</a>, they’re able to make advertisers think their fake websites are worthy, reputable entities. Since premium brands are held in high regard and often appear on whitelists with ease, a larger bid generally comes along with the elite status.</p><h2>Content Fraud</h2><p>A website’s content helps a brand form trusting relationships with its customers. 
For fraudsters, it's quite the opposite: the content opens an opportunity to capitalize on a brand’s established trust and steal their traffic.</p><p>A <a href="" target="_blank">recent study</a> of content fraud showed at least 1 in 5 sites are affected by site scraping. Fraudsters scrape entire sites in an effort to get advertising on their own site. Since they get paid for the advertising on their site, it benefits them to serve a site that looks legitimate to increase user engagement.</p><p>If you suspect your site has been targeted in part or in whole, there are <a href="" target="_blank">resources available</a> to help you have the infringing content removed (as long as it’s not considered <a href="" target="_blank">fair use</a>).</p><h2>Cookie Stuffing or Affiliate Fraud (CPA)</h2><p>A popular form of fraud with affiliates, this one goes seemingly undetected. With cookie stuffing, a user views a website and receives a third-party cookie -- not from the site they viewed, but from an <em>entirely different site</em>. It’s been dubbed affiliate fraud since affiliates are usually paid when their cookie is associated with the user's purchase.</p><img src="" alt="Example of an affiliate purchase via a search ad" title="Example of an affiliate purchase via a search ad" class="float-center size75pc" width="615" height="619"><br><em>Source: <a href="" target="_blank"></a></em><p>This has been popular with fraudsters simply because it takes time to really detect and capture. Even eBay had to <a href="" target="_blank">work with the FBI</a> to put two of its top affiliate marketers in prison in 2013. While this is an extreme case (the two earned $28 million and $7 million in commissions in just a few years) it goes to show that even the largest brands need help taking down fraud, even if they already suspect it’s happening.</p><h2>Conversion or Lead Fraud (CPL)</h2><p>Until 2010, online form fill-outs were believed to be foolproof and undoubtedly human. 
But this thought changed when Ben Edelman, a Harvard Business School professor, <a href="" target="_blank">discovered a new form of fraud</a> that actually resulted in <em>real conversions</em>. Edelman proved that fraudsters had written sophisticated software to not only fill out the forms but to look like a genuine customer that would spend money with advertisers. The bot could then perform ad fraud without arousing much suspicion since sales were being made in the process.</p><p>This once robust form of fraud has been minimized substantially with the use of CAPTCHA forms, which, thus far, remain difficult for non-humans to complete.</p><h2>Ad Injections or Adware Fraud</h2><p>Sometimes ads are injected in places where they shouldn’t be. We saw a bizarre example of this in the spring of 2014, when a Target ad was caught <a href="" target="_blank">dead in the center</a> of the Walmart website.</p><p><a href="" target="_blank">Ad injections</a> are advertisements that get inserted into an advertiser’s site without approval from the advertiser. This often happens when a user downloads an app or browser extension that’s bundled with software that injects unwanted ads into the user experience.</p><p>Most advertisers will vehemently disagree with this practice, as it negatively impacts their brand. Would Walmart really allow Target, their competitor, to advertise on their site?</p><p>Unlike the other forms of fraud, ad injections aren’t limited to just online advertising. AT&T has recently <a href="" target="_blank">been accused</a> of intercepting Wi-Fi and injecting it with ads, essentially monetizing its Wi-Fi access. This comes on the heels of Google ‘<a href="" target="_blank">tightening-up</a>’ its Chrome extension policy to be more narrow in how they’re used.</p><p>Ad fraud won’t go away so long as people are advertising online and users are looking for information at their fingertips. 
The best we can do, until there is a cohesive, industry-wide solution, is put solutions in place to help keep the fraudsters at bay.</p>
(Rich Kahn), 05 Oct 2015 08:00:00 -0400
Ad Fraud, Click Fraud, Online Fraud