Beware: Ad Fraud is Not a Harmless Crime

By Ken Brook On May 7, 2019

Ad fraud impacts real people with real lives, sometimes putting them in mortal danger, and we should be paying more attention to this reality. We typically think of ad fraud as click spamming, SDK spoofing, device farms, and bots delivering fake impressions—stuff that causes brands to lose money (lots of it), but ad fraud can be much more nefarious.

Brands are often construed as the main victims of ad fraud because they have the largest at stake. No doubt, this is a giant issue and one that, in full disclosure, my company MetaX seeks to address. Juniper estimated that ad fraud cost brands $19 billion in 2018, a number that is predicted to grow to $87 billion worldwide by 2022. A report from the World Federation of Advertisers forecasted that ad fraud could become one of the biggest markets for organized crime by 2025.

Cybersecurity Concerns Grow as IoT Adoption Increases

As IoT continues to take-off, more devices will become vulnerable to wireless attacks. Stuxnet, a malicious computer worm discovered in 2010, is considered the first example of a digital weapon. Believed to have been developed by American or Israeli military forces to damage Iran’s nuclear program, it causes nuclear centrifuges to spin out of control and destroy themselves.

In 2012, hackers tampered with a railway signal system, disrupting service for hundreds of people in the Pacific Northwest. Though no one was hurt, the event exposed the possibility of hacks to public utilities. University of Michigan conducted a study in 2014 in which they successfully hacked into nearly 100 traffic lights. The researchers acquired city permission, but, if left unprotected, a bad actor changing traffic lights could have caused accidents and potential loss of life. Medical devices such as insulin pumps, nuclear power plants, water and electrical systems, and any smart device, including fridges, toasters, and personal assistants are all potentially susceptible to cyberattacks and could put human lives at risk.

Bad Actors Don’t Need to Hack When They Can Just Use Ads

As dangerous as hacking is, bad actors don’t need to hack to carry out a disastrous attack. Criminals can deliver malware and ransomware via ads containing malicious code served on legitimate websites. This is distinct from phishing campaigns that attempt to dupe individuals into clicking on email links containing viruses.

Techniques used include malvertising, wherein malicious content is concealed within seemingly legitimate content, and sniper targeting used to zero-in on specific individuals using IP addresses. Malware can be hidden in images, called a steganographic attack, and activated only when real humans view them. Finally, attackers could gain access to major ad platforms simply by buying access to user accounts.

Such strategies are leveraged to siphon billions of ad dollars from brands each year, but these same techniques can also be used to target hospitals to demand ransom, break through the firewalls in government buildings, and attack individuals in their homes. The scariest part is that, unlike in a hack, devices can be infected just by “seeing” an ad.

The risk to real lives should motivate those in the ad tech industry to step up their security game to ensure their technology is only being used in the manner intended and not to attack hospitals, government buildings, and individuals.