
22 November 2018

Sophisticated botnets drive connected TV ad fraud spike

A 40% spike in US connected TV ad inventory traffic in October was unfortunately caused by the biggest botnet attack yet in that field, rather than a boom in legitimate ad sales. It is a wake-up call for the industry, which has naturally been seized upon by vendors of products designed to counter such activity.

Yet casual observers of the scene could be forgiven for thinking that we have been there before and asking why previous solutions, especially ads.txt from the New York-based Interactive Advertising Bureau (IAB) Technology Lab, failed to nip the problem in the bud.

Previous botnets have attacked OTT video in general, while the recent botnet identified by authentication technology vendor DoubleVerify targeted connected TV (CTV) inventory. It was also unprecedented in scale according to the firm, with around two thirds of the ad impressions made to look like they emanated from Internet-connected TVs and the other third from gaming consoles.

The botnet is exploiting not so much a sudden increase in connected TV penetration, which has been growing steadily for almost a decade to reach around 800 million globally, as an increase in the use of these TVs to access online content. Such use is particularly prevalent in the US, where the recent attack took place and where about 180 million users are now regularly watching OTT content via connected TVs, having switched primarily from desktop PCs and laptops.

Viewers pay more attention to ads on CTV than other platforms according to various surveys, with workflow software vendor Extreme Reach reporting in its Video Advertising Benchmark that average ad completion rate on CTVs in the third quarter of 2018 stood at 95%, 10 points higher than the nearest platform. The report noted that “viewers tend to be committed to the content they choose to watch on connected TV and they often do not have the option to skip the ads.” Marketeers have taken note with CTV now accounting for 38% of video ad impressions in the US. This also reflects consumers’ preference for platforms such as Hulu, Netflix, Roku, Apple TV and Google’s Chromecast during the US prime time slot of 8 to 11 pm.

The connected TV botnet unveiled by DoubleVerify generated fraudulent ad impressions by spoofing the URLs of real publishers and then transmitting signals to ad servers with the false information that they came from CTV or gaming devices. The impressions then arrived at fraudulent sites instead of legitimate ones, fooling advertisers into believing that their ad was served on that device.

Online ad fraud has been big business for over a decade resulting in huge revenue losses on the mobile front and the underlying methods involved have now been transposed to connected TVs. Botnets have evolved to exploit programmatic buying through creation of large content farms covering topics considered attractive to advertisers and marketeers, as well as spoofing audiences that do not actually exist. The botnet creators get listed on the buying sites and collect money for the transactions from advertisers until they are discovered and kicked off.

The CTV ad boom has come at a good time for ad fraudsters because progress had been made against online ad fraud generally. According to the Association of National Advertisers (ANA), bot fraud losses in 2017 were down 10% to $6.5 billion as a result of countermeasures, especially the ads.txt initiative which has been strongly backed by Google alongside large brands and ad agencies. The idea is that publishers specify clearly which third parties can sell their ad space, so that advertisers can then identify where they can safely place ads either directly or via programmatic exchanges.

In fact the IAB developed ads.txt as a solution to the growing problem of domain spoofing as programmatic advertising took over. It provides publishers and distributors with a secure tool to make a text file publicly available containing an index of their authorized digital sellers. This creates the required transparency for ads delivery while giving publishers more control over their inventory. It takes account of the fact most large publishers use several sales channels, so ads.txt supports the principal types of vendor relationship. This includes content syndication partnerships, networks that programmatically sell for domain owners, or sales through publishers’ own accounts.

However it relies on widespread adoption on a global basis for ultimate success and so far that has been confined largely to the US. But the most pressing issue for CTV is that ads.txt was not initially designed to work with a lot of the associated inventory. The situation has been confusing because CTV viewing includes two main categories of content from an ad perspective. Firstly there is VoD content where ads are run off a webpage and delivered via a browser, but secondly there is also content delivered via apps.

For the VoD content ads.txt works, since a recognized domain is being accessed. But ads.txt was not designed to cater for ads delivered via apps, which according to BidSwitch, a provider of middleware for programmatic partners, accounts for around 85% of all CTV inventory.

It is true that the majority of CTV ad fraud has targeted VoD content so far, because with apps there is by definition no domain to be spoofed. However, it is possible to spoof apps in the sense of making an ad look like it came from app A when it was actually from app B, and that is now growing fast.

Ads.txt operates through web crawling to extract the information showing who is allowed to sell and check that against the ad request coming in from the seller, but this does not cover in-app trading. This was less of a problem for CTV until the last year or so, but since then the IAB has acted to address the deficiency, leading to publication of a draft solution to the app conundrum in June 2018, essentially detailing separate procedures for the Apple and Android ecosystems.

The underlying point is that for ads.txt to work in the app environment the files containing the information must be hosted on the apps’ web sites, just as happens in the web version. However for that to operate there has to be independent confirmation of the connection between an app’s site and the actual app. Otherwise malicious apps could misappropriate others’ ads.txt files. Alternatively the ads.txt files themselves could misrepresent the apps they are associated with. So although the IAB’s fix would work in principle it requires the support of developers to ensure there is a secure way of associating a URL with an app. This is taking time and will require Google and Apple, as well as Amazon and a few other big players, to insist apps provide an official website domain listed in an app store. Then the app stores would need to give ad buyers a way to access these registered domains.
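The check described above (crawl the publisher's file, then compare it with the seller named on the incoming ad request), extended to the app case through a store-listed domain, is sketched here as an added example that is not from the article or the IAB. The record layout follows the public ads.txt format; the domains, account IDs, `STORE_LISTING` and `CRAWLED` are constructed placeholders, and rejecting a request when no file was crawled is a strict policy assumed for this example.

```python
# Added example: ads.txt-style seller check. All domains, IDs and the
# store mapping below are constructed sample data, not real records.

SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed)
exchange-a.example, 1001, DIRECT, abc123
exchange-b.example, pub-77, RESELLER
contact=adops@publisher.example
bad line without enough fields
"""

# Hypothetical stand-in for an app-store lookup: bundle ID -> developer domain
STORE_LISTING = {"com.example.tvapp": "publisher.example"}
# Hypothetical stand-in for the crawler's cache: domain -> fetched file body
CRAWLED = {"publisher.example": SAMPLE_ADS_TXT}


def parse_ads_txt(text):
    """Return {(ad_system_domain, seller_account_id): relationship}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # blank lines, variables (contact=...), malformed lines
        relationship = fields[2].upper()
        if relationship in ("DIRECT", "RESELLER"):
            records[(fields[0].lower(), fields[1])] = relationship
    return records


def seller_authorized(inventory_domain, ad_system, seller_id):
    """Web case: is (ad_system, seller_id) listed by the inventory's domain?"""
    text = CRAWLED.get(inventory_domain.lower())
    if text is None:
        return False  # no file crawled: seller cannot be confirmed
    return (ad_system.lower(), seller_id) in parse_ads_txt(text)


def app_seller_authorized(bundle_id, ad_system, seller_id):
    """App case: the domain comes from the store listing, never the request."""
    domain = STORE_LISTING.get(bundle_id)
    if domain is None:
        return False  # the store does not tie this app to any domain
    return seller_authorized(domain, ad_system, seller_id)
```

Because the app path takes the domain only from the store mapping, a request that names an unlisted bundle ID fails even if it quotes a seller that a legitimate publisher's file authorizes.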

Meanwhile the CTV ad fraud problem has given scope for security firms such as DoubleVerify to peddle their own defenses against CTV ad fraud while the IAB and app communities get their act together. There are naturally other vendors, such as Adobe, White Ops, and Pixalate, which offer packages incorporating analytics and optimization tools for programmatic buying, as well as fraud detection. The field is also attracting new entrants from the security realm, such as Inside Secure, which is planning to introduce support for ad fraud prevention in 2019.