WhiteOps, a U.S. cybersecurity company, says it has uncovered the biggest online advertising scam ever, operated from Russia and making between $2.6 million and $5.2 million a day – as much as four times what the New York Times makes from advertising. The announcement should be a warning to anyone entrusted with a corporate budget to spend on online marketing: There’s a good chance your wares will never be seen by a human.
Much was made recently of garage operations in Macedonia generating fake news about the U.S. election to exploit Google’s AdSense feature that allows the owners of small sites to earn ad revenue. Google later moved to exclude fake news sites from the AdSense program. But the fraud WhiteOps has dubbed Methbot seems much more sophisticated.
It acquired almost 600,000 IP addresses, worth $4 million, and ran fake browser sessions impersonating human internet users. The fraudsters essentially wrote their own browser, in which they imitated various “human” features. They inserted cookies purportedly representing surfing histories and making “targeted” advertising possible; they imitated clicks and cursor movements, and they interrupted and restarted video ads at random, pretending a real person was watching them. To deceive anti-fraud software, they reverse-engineered it and provided behaviors the software would find believable.
That brilliant “demand-side” operation was matched by similarly imaginative work on the supply end. The Methbot administrators spoofed thousands of legitimate websites, pretending they were, for example, cnn.com or facebook.com, and pretending to serve ads from these websites for bots to see. That’s a crucial element of the scam: Posing as quality media allowed Methbot to charge advertisers premium rates for the ad impressions. Methbot’s average CPM, or cost per thousand contacts with the audience, was, according to WhiteOps, $13, almost twice as high as Facebook’s.
In a nutshell, Methbot imitated the entire chain of an online advertising interaction – from the sale of inventory on a site to the individual ad watcher’s actions. This was possible because of the way the online ad industry is structured: Corporations that buy advertising inventory mostly don’t deal directly with the websites that sell it. So-called programmatic advertising accounts for about two-thirds of the U.S. digital display ad spending and about 56 percent of digital video ad spending. In programmatic advertising, sellers and buyers connect to a digital exchange where inventory is instantly auctioned. That’s how Methbot managed to sell ads on behalf of just about every premium media site in the U.S., at their high rates, without even bothering to write any fake news stories like those Macedonian amateurs.
The scam is still running. No one, including WhiteOps, knows how to defeat the software. The security company, which says Methbot is “controlled by a single group based in Russia and operating out of data centers in the U.S. and Netherlands,” has released a list of the IP addresses used so ad exchange operators can block them. This will cost the Methbot operators some time and money to obtain new addresses and set up new servers at data centers, pretending to be home internet providers. But it will not stop this massive scheme — or numerous smaller scams that aren’t making millions of dollars a day, but merely commandeer ordinary users’ computers and run fake browser processes in the background on their home or work machines.
To the online advertising industry, the discovery of Methbot is a reason to beef up security, or at least talk about it. WhiteOps will probably get new customers and extra income from existing ones. That, however, won’t solve a fundamental problem. Few people want to see ads; about 26 percent of desktop computer users and 15 percent of mobile users resort to ad blocking software. And yet massive budgets are dedicated to producing and selling them, and huge companies, such as Google and Facebook, not to mention most of the media industry, would be dead without these budgets.
That’s why viewability standards, which determine an ad has indeed been shown to a user, are ridiculously lax. A video, for example, is considered viewed if at least 50 percent of its pixels were visible in an in-focus browser tab for at least two continuous seconds — and not necessarily the first ones of the clip. These criteria are technically met in a vast variety of situations where a human user doesn’t even catch what flickers on the screen. Money changes hands, but no real impression, no real contact is made.
Even under these standards, there aren’t enough eyeballs to consume all the available ad inventory or even all the sold inventory. The industry needs bots to survive and continue growing. That, in part, is why Facebook, for example, only pretends to fight fake and anonymous accounts. I know, because tens of thousands of them “follow” me, and new ones are added to that number every day.
The Association of National Advertisers, in partnership with WhiteOps, predicted that $7.2 billion would be lost globally this year to online advertising fraud. That’s about 10 percent of the projected U.S. digital ad spend – a convenient number that doesn’t delegitimize the whole industry but is alarming enough to worry budget-holders and media. It would be more correct to say that the digital advertising market as it stands now is made for fraud, and would be far less lucrative without fraud. An operation such as Methbot simply exploits the setup without paying a penny to ad inventory owners.
Ad-based business models in the digital sector are protected by the silent consensus of ad buyers and sellers that humans and their reactions to advertising matter little. It’s a shaky foundation; companies, especially media outfits, would be smart to develop other revenue sources such as subscriptions, rather than relying on income from ads no one ever sees.
Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.