On Monday morning, the torrential rains and flooding caused by tropical storm Harvey gave Houston residents plenty to worry about. Yet that didn't seem to keep them from using photo-filtering and music-discovery apps between 4 a.m. to 5 a.m. local time—largely the same rate as did people who were out of harm's way some 1,500 miles northwest in Bozeman, Mont.
At least that's what it looked like when programmatic digital buys were placed across 18 exchanges early Monday in a test conductged by cybersecurity researcher Augustine Fou of Marketing Science Consulting Group. Buys in the two cities went to the exact same group of 15 apps, despite the very different circumstances.
The data, however, turned out to be false.
Fou says the test showed all the geo-located traffic he bought to display a forest-fire public-service announcement was fraudulent. Even though he didn't specify by type of device, 100% of the buys came from Android mobile apps. The traffic was proportional to the relative populations of Bozeman and Houston despite all the power, cellular service and evacuation issues in the latter. And none of the ads generated a single click, despite the fact that accidental "fat thumb" clicks always occur when human traffic is involved, Fou says. "Common sense," he adds, "says this cannot be real."
Further investigation found all the traffic came from fake devices through data centers such as Amazon Web Services and Microsoft Azure, but using proxies indicating it had come from various residential IP addresses.
The point, says Fou, is that geo-location gives brands and agencies false security about fraud, but that it's just as easy to fake location as other audience data. "You're paying an extra CPM for geo-targeted, even though it can be just as fraudulent," he says.
Fou declined to say which apps were involved because it would potentially tip off fraud perpetrators. But they were a collection that, while ranging up to 10s of million of users, fall outside those recently reported among the top 30 in the U.S.
Major fraud-detection services are designed to operate with desktop systems, not mobile apps, Fou says, even though a growing share of ad dollars is going into mobile.
"Bad guys," says Fou, would never install fraud-detection software development kits that allow third-party verifiers to detect fraud on mobile. "Mobile has become another complete black hole where fraud-detection doesn't have visibility."
That's not to say all geo-location is fake, he says, citing Google Maps, Facebook and Foursquare among apps providing trustworthy data.