Clever Scammers and Insolent Idiots

Ad fraud. You won’t find this expression on Merriam-Webster, but it is commonly used in the online industry as a generic term for the various tricks used by scammers when billing for advertising. We see these kinds of cases regularly and, to be frank, legal claims in such cases are roughly on par with handling road traffic accidents. Fraud is a criminal offense and the victim doesn’t have to pay the scammer. Period. This is also true on the internet and you really don’t need a law degree to know that.

But these cases are exciting just the same. The budgetary pie for online advertising is big and the German Association of Digital Commerce (BVDW) estimates that, in 2013 in Germany alone, it amounted to approximately EUR 7.2 billion. We can only guess how much of this ends up in the wrong hands through fraud. In any case, it’s easy to get a ticket for a piece of the pie: any website operator can join an ad network to earn money from displaying ads on their website. A perfect breeding ground for professional scammers.

And the cases are complicated; the difficulty doesn’t lie in the legal sphere, but rather in producing practical evidence that someone was actually scammed. Ever increasing advertising budgets attract scammers like moths to the light. And, to some extent, their approach is quite clever, so that the fraud often goes unnoticed and can only be detected with a lot of effort. This raises two questions: (1) how do I prove the fraud, and (2) how do I explain the rather technical facts to the judge?

To begin with, there are petty, annoying idiots who proceed rather foolishly. They rent a few servers from which they access their own website a couple thousand times a day, allowing them to charge correspondingly high advertising premiums for the high page views. This can be quickly discovered by checking the IP addresses of the ad requests. I would also place a site operator with whom we have recently had trouble in the same category. He had simply put multiple iframes with a size of 0 pixels on his page. Each iframe called up an ad (which was not displayed because of the 0 pixel size). The site’s source code was then also nested in such a way that an extremely conspicuous number of advertisements was measured. I still wonder whether we should simply respond to his attorney’s request for payment by filing a criminal charge on behalf of our client without further comment.
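The 0-pixel iframe trick described above leaves evidence in the page source itself. The following is an added example, not code from the case or from any ad network: a small audit that counts the iframes on a page and lists those declared with zero width or height. The sample page and the `ads.example` URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# width="0" / height="0px" given as plain HTML attributes
ZERO_DIM = re.compile(r"0+(?:\.0+)?(?:px)?", re.I)
# width:0 / height:0px declared in an inline style attribute
ZERO_STYLE = re.compile(
    r"(?:^|;)\s*(?:width|height)\s*:\s*0+(?:\.0+)?(?:px|%|em|pt)?\s*(?=;|$)", re.I)

class IframeAudit(HTMLParser):
    """Collects every iframe and remembers the ones sized to zero."""
    def __init__(self):
        super().__init__()
        self.total = 0
        self.zero_size = []  # src of each iframe that cannot be seen

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        self.total += 1
        a = {k: (v or "") for k, v in attrs}
        zero_attr = any(ZERO_DIM.fullmatch(a.get(d, "").strip())
                        for d in ("width", "height"))
        zero_css = bool(ZERO_STYLE.search(a.get("style", "")))
        if zero_attr or zero_css:
            self.zero_size.append(a.get("src", ""))

def audit_page(html):
    """Return the iframe count and the sources of zero-size iframes."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return {"iframes": parser.total, "zero_size": parser.zero_size}

# Constructed sample: two visible ad slots, two slots nobody can see.
SAMPLE_PAGE = """
<html><body><h1>Rare birds</h1>
<iframe src="https://ads.example/slot?id=1" width="300" height="250"></iframe>
<iframe src="https://ads.example/slot?id=2" width="0" height="0"></iframe>
<iframe src="https://ads.example/slot?id=3" style="border:0; width:0px; height:0px"></iframe>
<iframe src="https://ads.example/slot?id=4" style="width: 100%; height: 90px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE)
    print(f"{len(report['zero_size'])} of {report['iframes']} iframes have zero size")
    for src in report["zero_size"]:
        print("  invisible ad slot:", src)
```

The audit only sees markup in the document it is given; iframes nested inside other framed documents have to be fetched and audited separately, and sizes set by external stylesheets or scripts are not covered.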

However, the clever scammers use botnets, or legions of PCs infected with a virus, the owners of which have no earthly idea what their PCs actually get up to while dad is at work. These botnets can be rented from virus operators, so that real PCs belonging to real users eagerly call up websites and perform mouse clicks on banner ads, delivering advertising revenue to the site operators. From the advertiser’s perspective, their advertising campaign ends up being about as useful as billboard ads posted in a pitch-black railway tunnel.

And this is not a rare slip-up: Last year, a botnet called “Chameleon” was identified. It consisted of 120,000 (!) virus-infected PCs that were being abused by botnet operators to perform fraudulent clicks on banner ads and fake the activity of the user (who wasn’t actually present). The damage for the advertising industry is supposedly around $6 million per month – from this botnet alone!

Another approach is the “dirty websites” trick. Operators of illegal piracy sites usually have a lot of traffic (i.e. high visitor numbers) that they would like to monetize. But reputable agencies would not include such sites in their portfolio or run well-paid advertising from reputable advertisers on them. So what could be better than creating a second, harmless site? For example, a search engine for bank codes, an information portal on rare bird species, etc. The serious site is registered with the advertising agency, and visitors to the dirty site are reported as visitors to the harmless site. Technically, this is even a relatively simple process. In contrast to the trick with the bots, the advertising customer still receives advertising for their business that is actually displayed. In exchange, they must deal with legal trouble and may even have to pay fines for advertising on illegal websites.

As such, we can only advise the online advertising industry to guard itself against this as comprehensively as possible. This should include good contracts that provide extensive disclosure requirements for site operators and generous rights of retention as long as ad fraud poses a threat. Moreover, hiring specialized service providers should be made compulsory so that professionals can continuously monitor campaigns and intervene immediately when anomalies appear.