Ad-Fraud Operation Fools Detection Companies, Nets Millions

Scheme Went on for Months, Hitting at Least 75 Advertisers


It's a familiar story with a nasty twist.

A sizable ad fraud operation was recently discovered sticking websites running lucrative video ads inside nearly invisible windows and placing those windows on legitimate sites via dirt cheap banner-ad buys. This allowed the fraudsters to piggyback off the traffic of real sites.

Those behind the operation skimmed tens of millions of dollars from advertisers, according to online security firm Telemetry, which uncovered the fraud. And the twist: They got away with it for months, in part, by fooling a number of anti-fraud products into believing they were seeing something legitimate.

"This is the first time we have seen an attempt to molest each ad-quality product individually and with a unique approach per product," said Telemetry CEO Anthony Rushton.

The operation is the most significant instance of ad fraud seen to date by Telemetry, said Mr. Rushton, who co-founded the firm in 2009. It hit the most advertisers, the most exchanges, and importantly, earned the most revenue of any operation Telemetry has witnessed. In all, at least 75 advertisers -- including Ford, Coke and McDonald's -- spent money on these ads. In the past month alone, at least $10 million was wasted, according to Telemetry.

In an interview, one advertiser admitted to losing over $1 million per month over the past two months.

The operation is still running.

All-clear signals
With the industry's fraud problem getting more attention, many companies have turned to anti-fraud products to keep their dollars from being wasted. But in this case, those products were of little use.

Those behind the operation, according to Telemetry, downloaded these products' code and wrote mutated versions meant to send the "all clear" if their sensors arrive. A sensor from Tremor Video, for instance, would be told the ads were viewable in 100% of cases, according to Telemetry. If the sensor asked if the ad was in an iframe -- a window within a window -- it would be told "no," meaning there would be little concern that the ad was running anywhere but the site the advertiser was told.

Similar doctored sensors were present for products from, Integral Ad Science and others. The fraudsters set up the doctored sensors to delete the legitimate ones and send the "all clear" nearly immediately.
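A buyer-side check for the pattern described above, as an added example that is not Telemetry's method or any vendor's code: it flags placements whose measurement beacons are uniformly "all clear" and arrive almost immediately. The beacon fields, sample values and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample beacons (not real data):
# (placement, reported_viewable, reported_in_iframe, ms from ad load to beacon)
BEACONS = [
    ("news-site.example/top", True, False, 1840),
    ("news-site.example/top", False, False, 2210),
    ("news-site.example/top", True, True, 1630),
    ("news-site.example/top", True, False, 2975),
    ("news-site.example/top", False, True, 1502),
    ("video-shell.example/player", True, False, 12),
    ("video-shell.example/player", True, False, 9),
    ("video-shell.example/player", True, False, 15),
    ("video-shell.example/player", True, False, 11),
    ("video-shell.example/player", True, False, 8),
    ("tiny.example/slot", True, False, 9),
]


def suspicious_placements(beacons, min_impressions=5, fast_ms=50):
    """Return {placement: [reasons]} for placements showing at least two
    'too clean' signals. Thresholds are illustrative assumptions."""
    by_placement = defaultdict(list)
    for placement, viewable, in_iframe, latency_ms in beacons:
        by_placement[placement].append((viewable, in_iframe, latency_ms))

    flagged = {}
    for placement, rows in by_placement.items():
        if len(rows) < min_impressions:
            continue  # too few impressions to judge
        reasons = []
        if all(viewable for viewable, _, _ in rows):
            reasons.append("viewable in 100% of impressions")
        if not any(in_iframe for _, in_iframe, _ in rows):
            reasons.append("never reported inside an iframe")
        if median(latency for _, _, latency in rows) < fast_ms:
            reasons.append("beacon sent almost immediately")
        # One signal alone is common on honest sites; require two or more.
        if len(reasons) >= 2:
            flagged[placement] = reasons
    return flagged


if __name__ == "__main__":
    for placement, reasons in suspicious_placements(BEACONS).items():
        print(placement, "->", "; ".join(reasons))
```

A flag here is a reason to inspect the placement by hand, not proof of fraud.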

"All sites associated with [the fraud] have been removed from the exchange," said an spokesman. "As you probably know, it's very easy to create new sites/shell companies, so it's important to actually make the tech smarter to detect the fraud than actually go after individual sites. We are working with our partners on that as well, and we've made good progress."

"Fraud is a cat-and-mouse game and perpetrators of fraud are creative," said Integral Ad Science Chief Data Officer Kiril Tsemekhman. "Even if we weren't able to label these ads as fraudulent at first, in most cases we classify them as low quality with a low TRAQ score [Integral's metric for ad quality] due to other metrics that we measure (ads measured as not viewable, high clutter and, possibly, the size of ad frame)."

Tremor did not immediately respond to requests for comment.

Magic refresh
In a visit to Telemetry offices last week, Ad Age observed the fraud in action. After a Telemetry engineer expanded one of the tiny windows -- spanning 1x1 pixel -- ads from major brands began playing on a loop. After about five minutes, the ads stopped running and the video player reverted to a normal-looking website with a typical-looking URL.

This scenario occurs each time a tiny window goes live, said Telemetry Exec VP Geo Carncross, who explained it as a way to trick those checking where their ads ran.

These sites -- including,, and -- all have prominent video players at the top, so if someone checked the anti-fraud products' reports, they would find the prominently placed video ads described in the reports.

"If you look at the numbers and then you go to the site, it's believable," said Mr. Carncross.

Telemetry found over 400 sites connected to the fraud. And, when checking the SSL certificates -- used to verify the site is secure -- Telemetry found they were registered in bundles with some domains registered by Knowlera Media, a video content creator.
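The certificate observation above can be turned into a grouping step. This added example (not Telemetry's tooling) clusters domains that appear together on a certificate, assuming "registered in bundles" means several domains listed on one certificate; the fingerprints and domain names are constructed.

```python
from collections import defaultdict

# Constructed sample (not real data): certificate id -> DNS names it lists.
CERTS = {
    "cert-A": ["howto-clips.example", "recipe-video.example", "diy-films.example"],
    "cert-B": ["DIY-Films.example", "pet-tricks.example"],
    "cert-C": ["local-paper.example"],
    "cert-D": ["garden-tv.example", "craft-reels.example"],
}


def cluster_by_shared_cert(certs):
    """Group domains that are linked, directly or transitively, by sharing
    a certificate. Returns sorted clusters, largest first."""
    parent = {}

    def find(name):
        parent.setdefault(name, name)
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for names in certs.values():
        # DNS names are case-insensitive; normalise before comparing.
        names = [n.lower().rstrip(".") for n in names]
        for name in names:
            find(name)
        for other in names[1:]:
            union(names[0], other)

    groups = defaultdict(set)
    for name in list(parent):
        groups[find(name)].add(name)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for cluster in cluster_by_shared_cert(CERTS):
        print(len(cluster), cluster)
```

Starting from one known site, its cluster is the list of sister sites to review next.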

When contacted by Ad Age, Knowlera COO Will Jerro said these domains were handed to a publisher partner immediately after creation, meaning the company never had control of them. The partner, Mr. Jerro said, had an existing relationship with Knowlera and, over a year ago, offered to maintain and drive traffic to a network of sister sites, if Knowlera gave permission.

"They were in essence, licensing the name," Mr. Jerro said. " and are the only sites we've ever owned and operated."

A spokesman for the partner, which declined to be named, said the traffic running on the sites was purchased from third party traffic vendors.

Mr. Jerro said the partner is one of hundreds working with Knowlera. After being contacted by Ad Age, he shut down all the domains the partner owned.

Red flags
Though the people behind the fraud took pains to show advertisers their ads were running on "real" websites, some of the sites should have raised immediate red flags.

Take, for instance. The site contains three basic elements: a large video player, a handful of content categories and, of course, advertisements. The content categories, 10 in all, contain just three articles each.

"You go to one of these sites, you look at it, do you believe that they could deliver tens of millions of visits in a month?" said Mr. Carncross. "No way. They're just okay."
