Let’s get real: Detecting fraud takes a holistic approach

11/03 By Alan Krumholz

AdExchanger recently released an article with the headline DoubleVerify And SpotX Flag New Type Of Ad Fraud: ‘Verification Stripping’, in which DoubleVerify claims to have detected a new form of fraud. At the IAS Threat Lab we have a different perspective on the real cause of this anomaly. Moreover, this is something that is not new to our team of data scientists, engineers, and resident hackers.

Discrepancies between impressions counts from two or more sources have been a significant pain point in our industry for years.  Which is why every player in the ecosystem, from agencies to publishers to vendors, are quick to check for data variances. As a matter of fact, detecting discrepancies is fairly easy. Therefore, fraudsters don’t focus their effort on taking advantage of “verification stripping”, as it’s incredibly easy for advertisers to spot numbers that don’t match and they would never get paid. If this were a successful way to profit from fraud, every bot would already exclude all verification vendors today.

So what has DoubleVerify run into?

Here at the Threat Lab, we have a few thoughts as to what has happened. We have noticed the same “verification stripping” behavior in the past while running tests with our customers. In those tests, the behavior was explained by:

  • Numerous financial firms, governmental agencies, and the military have security appliances on their networks. A consequence of this practice is that some tags that frequently occur on web pages, including verification vendors’ tags, are sometimes misidentified as malware and are stripped.  
  • Ad blocking VPNs, plug-ins, or WAN accelerators (possibly attached to VPN) on some legitimate corporate, education, or government registered IP address blocks also triggering this “verification stripping behavior.” 
  • “Ad block recovery” services that are sold by leading CDN services allow for ad creatives to pass when an ad blocker is active on a consumer’s web browser. This type of serving sometime results with the ad blocker blocking calls to known verification companies but letting an ad server’s pixels go through.

How do we solve for this?

If fraudsters were, in fact, trying to strip out verification, IAS has an additional fail-safe that deploys our advertiser verification technology using an IAS Firewall tag. Stripping out this tag would cause the entire ad call to fail and the resultant ad would not load – this would not be beneficial to anyone attempting to make money on ad fraud. By contrast, a simple pixel in the ad server can be stripped without affecting the ad being loaded.

Whenever we find discrepancies in our network, we conduct thorough discovery and analysis to identify the real cause behind the data variance. If it is indeed a new form of fraud, our team will spend time and resources developing models to keep our customers protected.

If it’s not fraud, our R&D teams will work in partnership with external web-security vendors to determine why our tags are misidentified. They work closely with relevant parties to ensure our tags won’t be blocked so advertisers can continue to benefit from our technology and reach consumers across the web.

And as new capabilities such as anti-ad blockers and plug-ins are introduced to the market, we design options so that they do not inadvertently impede the valuable services we are providing.

Final thoughts

At the IAS Threat Lab, our team works diligently around the clock to identify and address real threats to actively protect our customers. We measure billions of impressions a day and we see the impact of named and unnamed bots on our industry. That’s why IAS invests heavily in data science, machine learning, behavioral and network analysis, browser and device analysis, and targeted reconnaissance including deconstruction of malware.

We take what we do seriously, and strive to accurately quantify issues, and focus on helping our customers mitigate risks associated with online buying. Our goal is to build solutions for the industry, regardless of the name of the botnet operation. So we are careful to not irresponsibly classify activity as fraud and alarm our customers and partners. Specifically when there are numerous other reasons or factors that indicate the activity is not due to malice.

With over 500 billion media quality metrics analyzed a day, we have the largest scale and coverage in the marketplace and the most accurate data to inform our fraud models. To further help clients invest with confidence and stay protected, IAS will soon be delivering new fraud alert whenever our systems see spikes. Please stay tuned for this announcement and more details.  

For more insights on ad fraud, visit our Threat Lab.