How Google's FBI assist will change the ad fraud fight
Ares would then capture widespread media coverage until a newer whitepaper drops, about a different, scarier and more sophisticated form of ad fraud. But as the fraud tactics changed, one thing remained the same: The bad guys would always get away.
Yet that pattern might soon change, as companies that fight ad fraud are now looking to share more quantifiable data to help law enforcement arrest the faceless boogeymen better known as ad fraud. Meanwhile, the biggest players in the digital ad ecosystem seem more willing to work together for this cause.
Earlier this week, the Federal Bureau of Investigation said it indicted a total of eight individuals with running a sophisticated ad fraud scheme. Three of the suspects were nabbed while the rest remain at large. Google assisted the FBI with information, and worked with some 20 different companies, including WhiteOps, to provide data on an ad fraud scam it dubbed "3ve." The information helped bring down the syndicate, which looted some $29 million from publishers and advertisers.
The news was significant, representing a rare instance in which U.S. law enforcement filed charges for the ad industry's multi-billion dollar problem. The bigger question, however, is was the news symbolic or will it prompt change for those who operate in the industry. Experts say there is plenty of work left to do.
"We have no way to know how many bad actors are out there," says Scott Spencer, director of product management at Google. "I don't think anyone here is under the impression that we are now done, that we can close up shop, go home, celebrate and say, 'There's no more ad fraud.'"
Google has hundreds of engineers, developers and thousands of people in operations who are keeping tabs on invalid traffic. "If we identify something else that is similar we may again refer it to law enforcement," he says. "But it is really up to law enforcement to decide how they are going to take that kind of information and what actions to take."
Per Bjorke, senior product manager of ad traffic quality at Google, believes the biggest takeaway from the investigation was how many different companies came together to take down the operation. The ad tech ecosystem is complex, convoluted and different companies coming together for a single cause is not common.
"The challenges and difficulties in industry collaborations is tremendous," Bjorke says, adding that "there is ongoing discussions behind the scenes with industry trade bodies about how we can collaborate and that has been going on for years; most of that has not been very public."
More to come
Other, smaller companies are already starting to adopt Google's playbook by tracking fraudsters, building quantifiable data and sharing with law enforcement.
Devcon, a cyber security company that specializes in ad fraud, is familiar with the FBI: One of the company's top lieutenants is former FBI cyber squad supervisor Michael F.D. Anaya.
"If you are a company that nobody knows about, but you present factual information to the FBI, that will catch their attention," Anaya says. "You have to show something that is growing, is affecting thousands upon millions of people, costing millions or billions of dollars. That is going to definitely warrant the attention of any federal agency, specifically the FBI."
Devcon is now investigating a new case involving more than 30 fake ad networks distributing millions attacks collectively that it intends to bring to the FBI. The company declined to share specifics because it doesn't want to tip off fraudsters as it collects data. Anaya says it is a "near identical case" to that of Google's.
Maggie Louie, CEO at Devcon, believes other ad fraud companies will soon share similar information with law enforcement about their own findings. "The key to getting the FBI's attention is to quantify the attack and get the accounts of where the money is going," she says. "It's like trying to finding a getaway driver; you need the license plate number."
Chris Olson, CEO of the Media Trust, which provides real-time security and first-party data protection, says it's become popular to blame exchanges when it comes to ad fraud, but says the blame should actually be spread out also to agencies, brands and even retailers.
With 3ve, fraudsters took control of roughly 1 million computers, according to Google. Fraudsters can typically achieve this through a number of ways, one of which includes checking under the hood of any given website and gaining access to code that's been dormant for years.
Olson says that by manipulating the code that no one is paying attention to, fraudsters can hijack consumers who visit well-known websites, which in turn allows them to slowly build an army of zombie computers that do nothing but view bogus ads that are paid for by marketers.
"Everyone is part of this process," he says. "There is a driving awareness in the ecosystem to go after the bad guys and I do believe that is going to have a significant impact, but a heck of a lot more needs to be done first."