Display Advertisers: Funding Cybercriminals since 2011

[Originally a guest post on Wired]

Before 2011 online advertising fraud was regarded as a solved problem. Then in 2011 a mushrooming botnet ecosystem was born that changed the requirements for preventing online advertising fraud. This ecosystem makes the traditional statistical approaches to preventing online advertising fraud increasingly futile. The ecosystem was born out of the leaked source code of arguably the most infamous botnet malware, Zeus. Display advertisers are inadvertently funding this botnet ecosystem today. And the more display advertisers continue to fund this ecosystem, the more difficult it becomes to prevent online advertising fraud.

Before 2011 online advertising fraud—particularly fraud targeting online PPC advertising—was regarded as a solved problem, or at least a controllable problem. Best practices had been established and processes were in place. Let’s consider how this came to be.

2004 was the auspicious year of Google’s IPO. This was not just the first major technology IPO after the dot-com bubble burst. It was also the biggest technology IPO.

Despite the excitement over Google’s IPO, analysts at the time expressed reservations about Google’s ability to prevent advertising fraud. These reservations were addressed explicitly in Google’s SEC filing: “If we fail to detect click-through fraud, we could lose the confidence of our advertisers, thereby causing our business to suffer. We are exposed to the risk of fraudulent clicks on our ads by persons seeking to increase the advertising fees paid to our Google Network members. We have regularly refunded revenue that our advertisers have paid to us and that was later attributed to click-through fraud, and we expect to do so in the future.”

Google’s CFO, George Reyes, also confessed shortly after the IPO: “I think something has to be done about [click fraud] really, really quickly, because I think, potentially, it threatens our business model.”

Google’s concerns centred initially on automated click fraud, like Michael Bradley’s Google Clique. Then click farms became the pressing concern for Google.

Google acted in earnest on these concerns. A team was put together, headed up by Shuman Ghosemajumder, processes were established, and Google built out what continues to be regarded as the best fraud-prevention framework for online advertising. Despite Google’s efforts, however, Google, Yahoo! and nine other search engines still got caught up in a famous class action lawsuit, Lane’s Gifts and Collectibles. This happened in 2005. The lawsuit is famous because of the size of the settlement fund that was created by Google in 2006: $90m. The lawsuit is arguably more famous, though, because of the report prepared by the expert witness, Professor Alexander Tuzhilin, in which he set out what the industry should regard as best practice for identifying and preventing click fraud. Google posted Professor Tuzhilin’s report online, and the report has remained up ever since. For many in the industry this document continues to serve as the foundation for providing confidence to PPC advertisers.

2011, the Year Zeus Threw Lightning Bolts
In 2011 the landscape for online advertising fraud changed entirely. It was a watershed year.

The change was started by two infamous source-code leaks. First the source code of arguably the most infamous botnet malware, Zeus, was leaked. Soon afterwards the source code of SpyEye was also leaked. These two source-code leaks “democratised cybercrime.”

Before 2011 malware creators used their creations for their own ends—for credit-card fraud, banking fraud, email spam and denial-of-service attacks. When the source code of Zeus and SpyEye was leaked the malware creators became crimeware vendors, enabling less technically savvy criminals to use these diabolical creations and exploit hijacked PCs, phones and tablets across the world.

Today the uninitiated criminal can set up a botnet for US$595, and “you don’t need to know the first thing about coding.” The rewards for doing so are also increasingly appealing. As confessed last year by the operator of a Zeus botnet of ~10,000 hijacked machines: “Today cybercrime is already more profitable than drug dealing and it will grow even further.”

As this botnet ecosystem continues to grow in sophistication, so the traditional approach to preventing online advertising fraud becomes increasingly obsolete.

Before 2011 there were a limited number of IP addresses from which one could generate fake traffic—either fully automated fake traffic or proxied click-farm fake traffic. This made fraud detection an easier problem. With enough data one could use statistical methods to pick out the small number of IP addresses that exhibit anomalous traffic patterns.

Today’s mushrooming botnet ecosystem changes the requirements for preventing online advertising fraud. Earlier this year the number of hijacked PCs—in the US and also worldwide—was reported as being over 30%. According to our numbers, display and video ad impressions are currently being served to hijacked PCs spanning more than 15% of the US IP addresses we monitor. These hijacked machines are predominantly on residential IP addresses, and the fake traffic from the hijacked machines is interleaved with legitimate traffic generated by the unwitting owners of the hijacked machines. Analysing the ad impressions being bought across entire ad exchanges/networks we have found that the median number of ad requests per month from a single cookie associated with a hijacked PC is typically between 1 and 2. The median number of ad requests per month from an IP address on which there is a hijacked PC is typically between 8 and 32.

Because the generation of fake website traffic can be distributed over millions of hijacked machines across the US, where these machines are on residential IP addresses and the machines are also being used by their owners to surf the web legitimately (with the same cookies potentially being used to generate both fake and legitimate traffic), it is becoming increasingly futile to apply coarse-grained statistical methods to try to pick out traffic anomalies.
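As an added illustration (not part of the original post), a constructed Python simulation of the per-IP outlier detection described above: when fake traffic is concentrated on a few proxy IPs the detector flags every one of them, but when 15% of residential IPs each add only 16-32 fake requests a month on top of the owner's own browsing (the figures quoted above), most hijacked IPs sit inside the normal range. All IP labels, request counts and the 3-sigma threshold are constructed assumptions, not measurements.

```python
import statistics
from collections import Counter

def flag_anomalous_ips(counts, z_threshold=3.0):
    """Coarse-grained detector: flag IPs whose monthly ad-request count is
    more than z_threshold standard deviations above the mean over all IPs."""
    values = list(counts.values())
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values) or 1.0  # guard against a flat log
    return {ip for ip, n in counts.items() if (n - mean) / stdev > z_threshold}

def legit_requests(i):
    """Owner's own browsing: 8..16 requests per month (constructed values)."""
    return 8 + (i % 9)

def scenario_proxies(num_residential=2000, num_proxies=5, fake_per_proxy=5000):
    """Pre-2011 style: fake traffic concentrated on a handful of proxy IPs."""
    counts = Counter({f"res-{i}": legit_requests(i) for i in range(num_residential)})
    fraud_ips = {f"proxy-{j}" for j in range(num_proxies)}
    for ip in fraud_ips:
        counts[ip] = fake_per_proxy
    return counts, fraud_ips

def scenario_botnet(num_residential=2000):
    """Post-2011 style: 15% of residential IPs carry a hijacked PC that adds
    16..32 fake requests a month, interleaved with legitimate browsing."""
    counts, fraud_ips = Counter(), set()
    for i in range(num_residential):
        ip = f"res-{i}"
        counts[ip] = legit_requests(i)
        if i % 20 < 3:  # 3 in 20 IPs hijacked = 15%
            counts[ip] += 16 + (i % 17)
            fraud_ips.add(ip)
    return counts, fraud_ips

def evaluate(counts, fraud_ips, z_threshold=3.0):
    """Return (precision, recall) of the detector against the constructed truth."""
    flagged = flag_anomalous_ips(counts, z_threshold)
    hits = flagged & fraud_ips
    precision = len(hits) / len(flagged) if flagged else 0.0
    return precision, len(hits) / len(fraud_ips)

if __name__ == "__main__":
    for name, (counts, fraud) in (("proxies", scenario_proxies()),
                                  ("botnet", scenario_botnet())):
        p, r = evaluate(counts, fraud)
        print(f"{name}: precision={p:.2f} recall={r:.2f}")
```

The same per-IP threshold that cleanly separates the proxy case leaves the large majority of hijacked residential IPs unflagged, because their totals overlap the upper end of ordinary household traffic.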

These coarse-grained statistical methods are particularly vulnerable when applied to protect display advertisers because there are so many publishers selling display ad inventory who are financially incentivised to buy dubious traffic. Contrast this with PPC advertising. Over 80% of current search PPC spend in the US is through Google’s PPC ad network and the lion’s share of this spend—at least 70%—goes toward PPC ads which are shown on websites owned by Google. Whilst the incentive for publishers to buy traffic is so strong that some publishers buy almost all their traffic from dubious traffic sources, many publishers simply top up their traffic to satisfy direct-sales agreements with display advertisers. For example, a whistleblower came forward over the summer to show that traffic from the Chameleon botnet was inadvertently being bought by three of the web’s most high profile publishers: “[redacted] was ordering traffic to fulfill on their inventory to advertisers and were getting this traffic from [redacted]… [redacted] found evidence of bots on their site and fired [redacted]… [redacted], [redacted] are two major publishers that have consumed this type of audience from [redacted].” Coarse-grained methods are at their most vulnerable when applied to publishers who simply top up their traffic with purchased botnet traffic.

Funding Cybercriminals
Botnets cost both advertisers and premium publishers money in the short term. Advertisers are being defrauded—and this defrauding is not transparent, so advertisers cannot simply price it in. Advertising spend is also being diverted away from premium publishers to unscrupulous publishers. As a channel, this makes it harder for display advertising to compete with other types of advertising.

Perhaps the most troubling aspect, however, is that advertisers are inadvertently funding the cybercriminals who are creating and operating the botnet malware—cybercriminals who have been identified as hosting, for example, child pornography and phishing attacks. And the more money these cybercriminals earn from their malware, the more resources they throw at developing the botnet malware. This is an arms race and without appropriate action the future will be markedly bleaker than the present.

If this malware continues to be funded and continues to grow, the implications extend far beyond display advertising. The current plight of display advertisers is part of a much larger problem with increasingly sophisticated botnet malware. The severity of this escalating problem led the White House last year to announce “new initiatives to combat botnets – a collection of computers whose security is compromised by attackers – which are believed to pose one of the biggest risks to Internet security.” The Obama Administration created the National Cyber Investigative Joint Task Force (NCIJTF) to provide a framework for these initiatives. “The National Cyber Investigative Joint Task Force is a comprehensive public/private effort [including the DOJ, FBI, NSA and U.S. Secret Service] engineered to eliminate the most significant botnets jeopardizing U.S. interests by targeting the criminal coders who create them.”

Concluding Thoughts
Display and video advertisers are today inadvertently funding the criminals who are developing increasingly sophisticated botnet malware. The more advertisers fund these criminals, the more difficult it becomes to prevent online advertising fraud. Online advertising is just one application of this botnet malware. By funding these criminals display advertisers are also improving the tools being used to commit other cybercrime.