Blog How fraudsters make money: Everything you need to know about ad fraud

How fraudsters make money: Everything you need to know about ad fraud

By 2022, it is predicted that fraudsters will steal between $44 billion and $87 billion from the digital ad marketing industry every year. It is therefore critical for marketers to understand the threat being posed. This includes the ways in which fraudsters are attempting to steal your ad spend and how this can be prevented. In this article, we explain how fraudsters make money and how preventative tools should be used to protect your budgets, data and reputation.

What is technical ad fraud?

Technical ad fraud is the exploitation of advertising technology for profit. On a global scale, fraudsters are attempting to steal from digital ad marketing budgets through methods such as click spam, install farms and SDK spoofing. Although there are many different ways to commit ad fraud, the basic principle is to manipulate advertising models for financial gain. With more mobile users than ever before, mobile ad fraud has cost companies $5 billion dollars globally as of 2018.

Why is fraud prevention so important?

With different types of ad frauds to combat, it is more important than ever to utilize advanced fraud prevention technology. The overall damage caused by ad fraud amounts to much more than the ad spend stolen from your budget. For example, compromised data can ruin your analytics and lead to a flawed marketing strategy.

How do fraudsters make money?

Understanding how cyber criminals are incentivized is a critical step to keeping your marketing budget safe. Although you will need adequate fraud prevention systems in place to combat ad fraud, it’s important to learn the different methods a fraudsters can use. Here are the most common ways in which fraudsters can steal a company’s marketing budget.

1. Click spam

Click spam, also known as click flooding or click fraud, uses fake clicks to claim credit for an install. This allows the fraudsters to make it appear as though a real user has clicked an ad and consequently installed an app. When a user lands on a web page or app operated by a fraudster, they can execute ad clicks in the background that are not visible to the user. In some cases where the app is constantly active – such as memory cleaners and battery savers – clicks can be generated at any time.

In all cases of click spam, clicks are executed on behalf of the user's device without the user's knowledge, consent or intent. This not only gives revenue to fraudsters but also makes datasets unreliable. For example, click spam will cause organic users to be incorrectly identified as users acquired from your UA campaigns. This creates a negative loop whereby your unreliable data may incentivize you to invest more on campaigns that were nowhere near as successful as you have been led to believe.

This fraudulent technique is a common problem for mobile advertisers. For example, Google removed apps created by major Chinese Android developer DO Global from the Play Store last year after a Buzzfeed News investigation revealed a large-scale click fraud operation. BuzzFeed’s Craig Silverman wrote: “At least six of DO Global’s apps, which together have more than 90 million downloads from the Google Play store have been fraudulently clicking on ads to generate revenue.” This marked one of the biggest bans Google had ever implemented against an app developer.

Click spam: what is cookie stuffing?

With this type of click spam, ad fraudsters can claim payment by adding code to a user’s browser that indicates that a user has visited a particular website. Known as cookie stuffing, this method exploits the process of cookie tracking that connects online sales to the influence of an affiliated partner.

Cookies are classified as first-party or third-party cookies. A first-party cookie is created by the website a user visits (such as login information) while third-party cookies are used to deliver targeted ads and track users. Cookie stuffing, also known as cookie dropping, is when a third party drops several affiliate cookies on a user’s browser in order to claim commission. This can occur when a publisher unknowingly installs malicious extensions.

Click spam: what is ad stacking?

Ad stacking is a form of click spam that occurs when fraudsters stack several ads in one ad placement. Only the ad at the top of the stack will be visible to the user, multiple advertisers can be billed for the impression because the user’s click will be registered for every ad in that stack.

Marketers can identify ad stacking by looking at conversion rates from impression to install. Any campaigns that have been subject to this type of ad fraud will show high impression counts but low CTRs and install rates.

2. Click injection

Click injections are a sophisticated way of stealing attribution from organics and paid channels. In this method, fraudsters generate clicks that did not originate from the users who interacted with advertising. Injecting just one click after the user has decided to download a new app is enough to complete the process and take credit for that install.

Click injection: what are install broadcasts?

When a new app is installed on an Android device, a signal is sent to other apps. This exists to create a better connection between those apps on the user’s device. For example, this makes it possible to use deep linking to streamline the login process.

This method hijacks a user’s device to claim an install. It is important to note that it is only the engagements that are fake, not the install or the device. Just like click spam, this is another way in which organic users can appear to have been influenced by a paid campaign, making your data unreliable. You can learn more about the difference between click spam and click injection fraud here, where Adjust’s Director of Fraud Prevention, Andreas Naumann, breaks down both terms and how they operate.

3. Install farms

Install farms are real locations where real devices are used to manually generate installs. These fraudsters will click on ads and install apps to generate the activity for which they will be paid. This process can be repeated – and the device IP address changed – to make it appear as though many different users are installing a particular app.

4. SDK Spoofing

This type of ad fraud occurs when, due to the use of real device data, fake installs appear to be legitimate. SDK spoofing occurs when a ‘man-in-the-middle attack’ is performed. This is when a fraudster breaks open the SSL encryption between the communication of a tracking SDK and its backend servers. The fraudster can then generate a series of test installs for the targeted app.

Once the fraudster has learned which URL calls represent certain in-app actions, they can learn which parts of the URLs are static and dynamic. This enables them to test the dynamic parts of that URL, giving them the ability to generate fake installs. Once the fraudsters have this information they can repeat the process indefinitely.

For a deep dive into SDK spoofing, watch this break down by Michael Paxman, Product Research Manager at Adjust. Here he explains the principles of SDK spoofing, how you may be vulnerable and what you can do to protect yourself.

Fraud prevention with Adjust

Fraud prevention depends on reliable detection and the development of filters for the characteristics of each fraudulent technique. Adjust clients benefit from our Signature filter, which is a security upgrade to the Adjust SDK that protects you against spoofed installs. Our Malformed AdID filter also protects against device tempering and fake installs. You can also gain greater protection from ad fraud with our Fraud Prevention Suite.

Fraud Prevention Suite

The Fraud Prevention Suite (FPS) offers a set of tools that will block mobile ad fraud in its tracks. This works by rejecting fraudulent signals that are used to steal advertising spend while passing on legitimate traffic and installs. Adjust FPS filters are widely held as the gold standard for Fraud Prevention offering solutions against fake installs, click spam and click injection. For example, Linh Tjian, Senior Marketing Manager at Kongregate says "It’s like getting the best insurance you can have for marketing."

How is in-app bot fraud different to ad fraud?

It is important to know the difference between bot fraud and technical ad fraud. There are several ways a fraudster can use bots to make money online but this does not include attacks on a company’s ad spend (known as technical ad fraud).

In-app bot fraud can be used to abuse an app’s business model. With this method, bots are used to imitate a human's in-app activity, making it one of the most sophisticated types of fraud to detect and prevent. Bot fraud can ruin the user experience for genuine users. Whether it’s setting impossibly high scores in gaming apps or scalping limited offers in e-commerce, bots can cause frustration for real users and even result in uninstalls. This is a widespread issue, with Unbotify’s research showing that prominent mobile apps lose around 10% of revenue to bot fraud.

Unbotify offers a solution for in-app bot fraud. By creating a bespoke machine learning solution for your app, Unbotify is able to distinguish real users from bots. With a deep understanding of human behavior patterns and an extremely low false-positive rate, this is the best way to root out sophisticated bot fraud.

If you would like to learn more about the fight against ad fraud, you may be interested in The Adjust guide to mobile ad fraud. We also have a webinar devoted to learning A common sense approach to mobile ad fraud.

Want to get the latest from Adjust?