Why Viewability Is Second To Fraud

June 8th, 2015 | Allen Dillon, President and CEO, Sentrant Security Inc.


There has been a lot of hoopla recently about viewability and how advertisers and their agencies are demanding 100% viewable inventory from publishers. This is an ongoing debate backed by a plethora of data and arguments for all sides, but it often overlooks fundamental security issues that bring all data points into question.

For instance, we need to ensure we are measuring against real human activity first. We must, at the very least, answer the following question with 100% certainty: does the browser rendering the ads belong to a real human?

As more advertising dollars shift towards digital media, so do cyber criminals. New releases of malicious software are emerging every day, with enhanced capabilities for defrauding advertisers. The criminals are well-funded and manage an underground economy that employs the best talent and technology available. Nobody in the system is immune, including premium providers. One has to consider real security measures in the same context as the financial industry, for example. Establishing security requires prioritizing the issues, in this order:

  1. Real human
  2. Viewability
  3. Right audience

Let’s not be naïve – we have progressed beyond the era of fraudsters embedding and stacking ads in 1×1 pixels. The current threats lie in sophisticated botnets employing real browsers and accessing user-generated cookies while emulating human behaviour at advanced levels.

However, picturing a modernized version of the ad-stuffing fraud scheme helps put things in a better perspective. In this scheme, a publisher clutters visible (viewable) ads onto pages and then serves these pages directly to bots to view. This allows the rogue publisher to maximize its impression-profit per bot view. Since the pages are designed specifically for bots, and not humans, there is no requirement for content. Viewability simply doesn’t matter while bots are the only viewer.

In a specific scheme we examined, a variant was acting more intelligently. We uncovered a publisher stuffing over 250 ads – distributed over multiple ad vendors – on a single page while driving bot traffic to it. The surprising part was not the number of ads on the page but that a well-orchestrated harmony of events was working in the background, shifting each ad into view to bypass viewability detection mechanisms. The criminal is getting smarter. This was unlike any threat we have detected and analysed to date.

Video of ads stuffed on a single page and being shifted into view to bypass viewability-detection technology
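A detection heuristic for the rotation pattern described above, as an added example that is not from the original article or from Sentrant's tooling. It flags pageviews where many distinct slots were each measured in view but only a few were in view at any one moment. The telemetry field names, the sample events and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed thresholds (assumptions; tune against your own traffic).
MAX_SLOTS_PER_PAGEVIEW = 30   # far below the 250 ads seen in the scheme
MAX_PEAK_SHARE = 0.10         # peak concurrent in-view slots / distinct slots


def peak_concurrency(intervals):
    """Sweep-line maximum of slots that are in view at the same instant."""
    # Tuples sort so that an exit (-1) precedes an entry (+1) at the same time,
    # which keeps a hand-off between two slots from counting as an overlap.
    points = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    live = peak = 0
    for _, delta in points:
        live += delta
        peak = max(peak, live)
    return peak


def flag_rotated_stuffing(events):
    """events: dicts with pageview, slot, vendor, in_view_start, in_view_end (seconds)."""
    by_pv = defaultdict(list)
    for e in events:
        by_pv[e["pageview"]].append(e)
    findings = {}
    for pv, rows in by_pv.items():
        slots = {r["slot"] for r in rows}
        peak = peak_concurrency([(r["in_view_start"], r["in_view_end"]) for r in rows])
        # Many "viewable" slots sharing very little screen time is the signal.
        if len(slots) > MAX_SLOTS_PER_PAGEVIEW and peak / len(slots) <= MAX_PEAK_SHARE:
            findings[pv] = {"slots": len(slots),
                            "vendors": len({r["vendor"] for r in rows}),
                            "peak_in_view": peak}
    return findings


# Constructed sample telemetry: pv-A rotates 250 slots through the viewport,
# two at a time for 2 s each; pv-B is an ordinary page with 4 slots.
SAMPLE = [
    {"pageview": "pv-A", "slot": f"s{i}", "vendor": f"vendor-{i % 5}",
     "in_view_start": (i // 2) * 2.0, "in_view_end": (i // 2) * 2.0 + 2.0}
    for i in range(250)
] + [
    {"pageview": "pv-B", "slot": f"b{i}", "vendor": "vendor-0",
     "in_view_start": i * 5.0, "in_view_end": i * 5.0 + 8.0}
    for i in range(4)
]

if __name__ == "__main__":
    print(flag_rotated_stuffing(SAMPLE))
```

Because each vendor sees only its own slots, a check like this needs per-pageview data joined across vendors to see the full slot count.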

In a separate but parallel scheme of the same nature, fraudsters decided to move away from 100% viewable impressions – an obvious red flag to current measurement techniques – towards introducing some deliberate “non-viewability” into their inventory. In this scheme, each ad’s slot position was carefully measured and stored in a cookie that was later utilized as more ads were stuffed onto the page and as the non-viewability percentages were calculated and applied. This discovery confirms that such schemes are advanced and that fraudsters are monitoring the concerns of the ad industry to adjust strategy and avoid detection.

So before delving into the viewability debate and picking a side based on poor data, we must first address the “real human” issue. We need a battle plan that first addresses fraud, then viewability and target audience to realize value for advertisers. As shown in the aforementioned schemes, even 100% viewable inventory is irrelevant when susceptible to fraudulent activity.

Allen Dillon is President and CEO of Sentrant Security Inc., an internet security company focused on digital ad fraud protection with offices in Fredericton, Montreal and Vancouver. He’ll be sharing how advertisers and their industry partners can combat the threats to digital advertising on Wednesday June 10 at the ACA Executive Forum.