'The paradox of fraud detection is that the more you reveal ... the easier it is to evade'

Sizmek's study claims 8% of traffic from regulated app stores is malicious

Advertisers are increasingly shifting their media spend to mobile with many hoping the relatively regulated app store ecosystem will help mitigate the risk of fraud, but this is increasingly a false hope. The Drum investigates further.

Yesterday (December 13) Sizmek published a study warning advertisers of the risks involved when purchasing ad impressions from mobile apps, as it discovered that over half of all Android and iOS apps not from the official Apple App Store or Google Play contain a “staggering amount of malicious traffic”.

Sizmek’s Advertising Fraud in Mobile Apps paper goes on to state that commonly used anti-fraud software suite AVG detected only 22% of all malicious app traffic – such as generating fraudulent traffic or serving invisible ads – during the study, and more worrying was that 8% of all traffic generated by apps from certified outlets contained similar characteristics.

The Drum took the time to probe the study further with Zach Schapira, Sizmek’s global product strategist, to find out more about the issue that is increasingly coming under the microscope for advertisers.

How do uncertified apps get into circulation if they do not emanate from outlets such as Apple App Store or Google Play? Can you provide us with specific examples?

To access uncertified apps, users will usually either download an alternative app store onto their mobile phone and install apps from there, or seek out apps on third party websites, and download them directly to the device.

The ‘8% figure’ was concerning. What is Sizmek’s opinion on how such fraudsters can continue to evade the quality control aspects of such app store providers? For instance, are you able to offer insight to any of the common tactics to escape fraud detection?

The paradox of fraud detection is that the more you reveal about what you know, the more you tip your hand [sic] to the people committing ad fraud and provide them with a feedback loop to iterate on their tactics. And the more they know about how specifically quality control is conducted, the easier it becomes to find ways to evade it. It’s worth noting that overall, the app stores have done a relatively successful job monitoring fraud within their own ecosystems – you can never expect a 100% success rate.

We constantly see releases from anti-fraud vendors celebrating their latest solution, but equally we also see releases detailing the prevalence of the problem. Can Sizmek offer an assessment of how such fraudsters are continually able to siphon money off from the legitimate players in the advertising business, despite these ongoing initiatives?

Fraud has always been a game of cat and mouse, and it’s been a truism throughout history that wherever there is an opportunity for profit, you’ll find immense amounts of effort to capture it. Part of the problem is that whereas other types of financially-motivated crime carry heavy consequences such as custodial sentences, the most common consequences for perpetrating ad fraud don’t have nearly the same deterrent power – typically your app gets removed, your traffic gets blocked, your website gets blacklisted. Like most cyber-crime, ad fraud has no borders, so law enforcement in this area is more difficult and would typically involve collaboration between multiple governments.

What efforts would Sizmek highlight as being particularly notable in tackling the issue of fraudulent traffic? In particular, what are your thoughts on the Payment ID initiative taking place (in the US at least) under the direction of trade body TAG unit?

The Payment ID initiative is the most prominent anti-fraud programme in the industry, and we wish it all the success in the world. Ultimately you have to follow the money – it’s been the key to fighting terrorism, organized crime and white-collar crime, and it’s going to be the key to overcoming ad fraud.

Examples of other key initiatives include TAG’s Fraud Taxonomy, the MRC’s codification of GIVT and SIVT, and JICWEB’s Good Practice Principles – all of which aim to codify types of fraud and aid legitimate actors in detecting them. Finally, individual efforts by members of the supply chain such as SSPs and exchanges have been helpful in reducing the amount of downstream ad fraud.

Some in the UK industry bemoan a lack of serious action to take similar steps compared with their US counterparts* - what does Sizmek suggest as a possible remedy for more comprehensive action?

We suggest the following three recommendations:

1) The efforts outlined above are a step in the right direction – particularly the two-step verification process proposed by TAG and supported by prominent players in the industry. We hope to see the success of these initiatives continue.

2) Secondly, advertisers need to be more assertive in demanding accountability from their agencies and media partners. Ultimately, it’s their dollars that are lost through fraud, and they have the strongest incentives to take action.

3) While companies can take steps to protect themselves against fraud, there are few resources devoted to finding and prosecuting the individuals committing the crime – this needs to change.

*Click fraud will continue to thrive unless the industry agrees to fund a solution

sean larkin