The Quietest Heist of Your Ad Budget [whitepaper]

By Jordan Greene, Partner/Mobile Media, Mella Media

[ADWEEK’s published version is adapted from this full whitepaper.]

Mobile fraudsters are impressively stealing your ad budget, and you likely don’t even know it. Mobile is the undeniable foundation of modern, expanding digital consumption and advertising, but its contemporaneous grifters have significantly evolved their trade even faster. These are technologically advanced magicians. Their potential heist, according to Forrester's projections: $20 billion of budgets just this year alone. 

These nefarious groups know the soft spots to exploit in the revenue-chains, invent new methods to cloak their activities at scale, and understand how to use your individual campaign requirements against you, personally. The 2019 mobile fraudsters are well-organized companies that flood your data feeds with garbage that looks great, which in turn keeps even advanced buyers incorrectly yearning for more. That’s some remarkable trickery.

The purpose of this article is to illuminate several critical types of mobile fraud, and provide actionable tactics to protect your budgets, data and business. This will equip you with strategic understanding, in plain English, and address techniques likely being perpetrated on your advertising programs—right this minute. For any digital advertiser, it is impossible to not buy mobile ads now. And the bigger your budgets, the bigger a target you are. Pulling back this fraud curtain may offer some scary realities for you. However, it will arm you to begin your battle, stop the theft of your budgets, and restore the integrity of your core advertising and consumer data.

The User Acquisition Primer

In order to clearly illustrate three main stages of mobile ad fraud that marketers currently encounter, a fictional content and retail app, “Kaleidoscape,” will serve as the example (although comparable circumstances impact all types of mobile campaigns). In this scenario, company executives have charged the internal marketing team to deliver 1 million paid app customers in six months. For a new app user to become a customer, each needs to complete three key processes: install, registration and purchase. 

To drive consumer actions towards this goal, Kaleidoscape buys advertising space through multiple media partners on a cost-per-install (CPI) basis. In order to track each campaign’s effectiveness, the company contracts with a Mobile Measurement Platform (MMP) and embeds that platform’s code in the published app. This technology solution serves as the centralized data hub for all app campaigns, automatically shares data back with each ad partner, and provides Kaleidoscape with advanced acquisition analytics.

When a consumer clicks on a partner’s ad for Kaleidoscape, she is directed to the appropriate app store for that phone’s operating system (i.e., Apple’s App Store, Android’s GooglePlay) to download the app for use. Upon her first app open, which is referred to as the “install,” device data is sent to the MMP. It matches the ad click data to that of the install, credits the corresponding ad partner in the MMP databases with creating the new user, and then externally shares that data with each respective partner to close the loop. More importantly, this process begins the flow of money.

The CPI money goes from Kaleidoscape to the ad partner to the third-party app that showed the ad. Further, between the partner and the app publisher, there can be multiple players that take their piece of the revenue as well. These include many Supply Side Platforms (SSPs) and ad exchanges. These added ad tech layers provide ideal camouflage for the modern mobile fraudster to steal your money.

Three Stages of Mobile Ad Thievery

Theft Stage 1: Straight Waste

For Kaleidoscape, the simplest theft is the “empty install”. This is where a user installs an app and never initiates a single action beyond opening it once. While this could be just a user who lost interest, it is an easy way for fraudsters to drive giant amounts of install volume if the ad buyer isn’t paying attention. 

There are two popular methods to generate this kind of activity:

• Giant warehouses filled with phones and staff manually clicking-and-installing Kaleidoscape
• Servers with bots to emulate phones installing Kaleidoscape (this approach is more prevalent on Android, with its open operating system)

Regardless, the goal is the same: to get as many chunks of Kaleidoscape’s ad spend sent to the fraud-creating company. On face value, this company’s ad-serving apps or mobile websites look strong, however their strength is in garbage installs. 

The sophisticated modern fraudster owns many actual apps in the market, filled with real and bot users. This combination presents an effective shield to hide their deceptive actions from ad buyers. If Kaleidoscape isn’t aware of these activities, its marketing team could easily waste a majority of its customer acquisition budget and have few real customers to show from it. 

Further, as the install is the beginning of Kaleidoscape’s directly acquired data on its customers, any downstream reliance on this could have further repercussions. So, if teams inside Kaleidoscape make subsequent business decisions influenced by this and other fraudster-created data, it could result in farther reaching economic and developmental damage to the company.

Theft Stage 2: Fake Registered Users

In this scenario, the ad buyer for Kaleidoscape sets an expectation with its ad partners to deliver a 25% registration rate. The partners then share this with legitimate apps to run ads to drive activity, but also, unknowingly, with the fraudsters. 

Kaleidoscape uses a simple and widely-used consumer registration process. Upon first opening the app, the user types in her phone number, and is sent a text message with a registration code. She then enters the code into the app, confirming she is who she says she is. 

For Kaleidoscape, the conclusion of this circuit drives three actions:

1. The registered user can enjoy the app
2. The registration event is recorded by the MMP
3. The registration data is separately recorded in Kaleidoscape’s internal database as the basis for its customer retention marketing efforts

Armed with the knowledge of the expected 25% registration rate, the fraudsters now insert themselves into the process. To drive volume of paid installs across their multiple owned apps, the fraudsters just need to falsify data to get into this targeted range. Their bots and/or low-cost staff install Kaleidoscape and register, accordingly. Considering that these fraudster farms can be located anywhere in the world, they often cover their tracks even further by using Virtual Private Networks (VPNs) to simulate US-based IP addresses. Consequently, any geo-data generated is just geo-trash as well.

The Kaleidoscape ad buyer is quite pleased with these on-par registration rates, and actively buys more installs from these sources. To further complicate the real view of these sources, there may also be purchases by actual users. Or worse, smart fraudsters will make a few purchases themselves to further conceal their activities.

With some early success, now the fraudsters start to get really greedy. They begin to deliver well above expected registration rates, with the goal of getting even more budget steered toward them. This is a well laid trap for the untrained ad buyer. Kaleidoscape sees unbelievable returns on their investments. But the key word is unbelievable. They are active prey with market-visible money buckets. Their apparent mixture of optimism and ignorance creates their Achilles’ heel.

Theft Stage 3: The Big Spoof

Bigger budgets just present bigger opportunities for the fraudster. Why steal small when you can steal at scale? And the “spoof” is the technique for this heightened heist.

Where Stage 2 mobile fraud uses Kaleidoscape’s strategy and expectations against them, Stage 3 expands to directly abuse its technology platforms as well. The first and crucial strike is on the MMP, as it is the data depository and revenue-confirmation engine. The simple spoof just skips key steps in a real user’s app engagement and writes properly formatted, garbage data to the MMP databases. For Kaleidoscape, the result is a large number of spoofed-installs and potentially spoofed-registrations, without ever creating a real user. The spoofed-registration shows the fraudster’s sophisticated understanding of Kaleidoscape’s campaign and data requirements.

The burglar’s method is to disassemble just enough of the Kaleidoscape app to expose access to its API’s—which are the essential pipes for the app to deliver data to the MMP. The fraudster then fills these pipes with their garbage data and starts the revenue flow to themselves.

Once this fake data is written to the MMP, the wildfire is now lit. The spoofed installs are then confirmed to Kaleidoscape’s ad partner for payment. Worse, if there are spoofed-registrations, the ad partner will trust this higher-value-customer data as gospel, and optimize towards these sources, and away from other legitimate sources. Why wouldn’t they? The data is coming “from Kaleidoscape.” The internal marketing team would also be duped, as they would see these false, excellent results in the MMP’s portal and add more budget. Now the brush is fully aflame.

All put together, this sophisticated approach steals budget, fills multiple databases that Kaleidoscape relies upon to make ad spending decisions with fake data, and keeps buyers coming back for more. It’s the perfect digital crime.

Then comes to the pièce de resistance: the heist at scale. For the fraudster, they perfected their craft against Kaleidoscape in one place, so why not do it everywhere they can? The layers of modern ad tech unwittingly now join the fray, aiding and abetting the thieves. 

As Kaleidoscape has its 1 million customer goal, it needs to buy from multiple ad partners. Those companies in turn deliver inventory that they have direct access to, as well as buying on open exchanges. To steal at scale, the fraudster just needs to get their fraud-creating-vehicle-apps on as many exchanges as possible. The exchanges approve them, as they look like good apps with history and strong track records. These apps now have implicit validity and chances to hide in plain sight. With the increased visibility, multiple of Kaleidoscape’s partners start buying the fake traffic and burning up the advertising budget—fast.

This is how the fraudster does their part to keep pushing up the $20 billion market fraud. If Kaleidoscape is unequipped with understanding and expertise, they are unlikely to figure out the issues until well down the line, if at all. Instead, the marketing team will be frustrated by how inefficient its campaigns seem to be. The time of a realistic user conversion is the tremendous ally to the fraudster.

Arm Yourself for Active Battle

The Undercard: Taking Out the Trash

Your best mechanism to fight mobile fraud starts with knowing and using your own data. While there are plenty of external, third party tools built into the different tech platforms you use, their purpose is to broadly defend against ad fraud for every client. You need to solve fraud for your specific app or company, and that is a different goal altogether.

Further, those same ad tech tactics are known by the very companies you are fighting against. This keeps the fraudsters smarter, faster. They are again using your technology against you.

Requirement one is for marketers to acknowledge that they are probably being affected right now. Obviously, Stage 1 empty installs are the easiest to address. The Kaleidoscape marketing team just needs to get granular with their MMP data. They will be able to see the partners, apps and sites that have been delivering large and small amounts of nothing. Zero post-install activity sources are easily cut. But these fraudsters remain impressively clever, which necessitates a deep examination of the data based on understanding the nefarious fraudster point of view. 

Stage 2 fake registered users need to set off alarms, as these indicate the fraudsters using Kaleidoscape’s marketing expectations against them. To identify this, the team needs to scrutinize its data for:

a. Below Target Expectations

• Symptom: few post-install events to prevent zero-activity warnings from being tripped
• Remedy: run site-by-site summary registration analysis and proactively optimize away from these sources

b.     Too Good to Be True

• Symptom: very dangerous area where fraudsters deliver registrations distinctively above expectations or norms. Unaware ad buyers and programmatic systems are immensely susceptible here
• Remedy:  determine characteristics of violating apps and pause accordingly

c. Solid Yet Empty Registrations

• Symptom: registration rates in line with norms, but have zero to minimal purchases occurring 
• Remedy: analysis coordinating multiple data sets. This will be time consuming, the first time, but needs to be done, and set-up for daily monitoring. The fraudsters are counting on this added labor slowing the recognition of their efforts

Kaleidoscape’s hands-on daily monitoring of the campaigns for Stage 1 and 2 fraud will give the marketing team a feel for how the campaigns run. If something begins to just feel off, it likely is. Data and intuition are powerful allies here. Marketer rationalization is what fraudsters count on, and is the beauty of the highly effective theft, Stage 3 big spoof.

The Main Event: Fighting the Big Spoof

As with any battle, legitimate fear introduces itself right up front. Questions arise like, “What if our investigation shows we have been wasting money for months?” or “Are we going to have to stop the company’s paid growth?” Denial will only perpetuate and exacerbate the issue. Finding the problem is the path towards not only stopping the bleeding, but providing Kaleidoscape with new weapons to make their overall campaign much more efficient going forward. They need to hunt for the spoof.

For Kaleidoscape, the first datapoint to build from is its registration process. Since the registration data is recorded with the MMP and internal databases, there are multiple opportunities to live audit campaigns, identify the fraudster’s fingerprints and determine how far the spend theft has spread. 

The highest-level analysis starts with comparing the registration counts against each other. If the tallies are close, it is likely off because of timing. However, when the counts are dramatically different, where the MMP’s registration count is well above Kaleidoscape’s internal list, this is the first indicator that significant spoofing activity is occurring. 

Kaleidoscape now needs to dig down on a per-install basis. This will provide greater visibility to the tactics and characteristics of the fraudster. As they are committing the theft at scale, the MMP’s databases will likely start showing similar attributes and data garbage across multiple ad partners. This is what can be used against the fraudster (as well as justification to clawback budget from ad partners). Fortified with these new data insights, the marketing team can now repurpose their technology, build their shield and take the fight to the fraudsters.

Re-Empowering Ad Tech

Kaleidoscape’s first call needs to be to their MMP, laying out the full spoof. Shrewd MMP’s will acknowledge the issue, as opposed to those who flat out deny it. Together, specific—and non-public—tech fixes can be implemented quickly. The most straightforward tactic is to ensure that only the app (or internal servers) can post data to MMP databases. This stops the flow of fraudulent data circumventing the real operational processes and breaks the chain of the theft of your ad budget following suit.

The next step is to post customer data to the MMP that is seen and known only to Kaleidoscape’s teams. This will speed the identification of future fraud, as the enemy will inevitably get more advanced. Any user record missing this internal, properly formatted data will indicate new fraud, and can be dealt with. These two mechanisms will put Kaleidoscape on equal footing with their thieves, if not slightly ahead for the near future.

The Quietest Epidemic: Next

Despite war stories and projections in the billions of dollars per year, mobile ad fraud remains the quietest digital epidemic. It is complex and will only get more so. Further, this fraud is a stone which will create ripple effects across many types of modern business decisions. Services and products developed based upon these fraudulent consumer digital datapoints will amplify the negative impacts for companies. Advertising will ultimately be just one of the pieces in the larger misdirection, as well as operational and financial issues. Once recognized altogether, we may all look back fondly on the days when we thought this was only a $20 billion problem.

However, understanding the strategy and tactics of the enemy is the first stride towards fighting it globally. There are many more flavors of mobile fraud in the advertising world, affecting virtually every type of campaign. Companies that use the techniques discussed here will inevitably unearth other irregularities in their data, media spends and consequential decisions. The smart ones will use that information to keep building up their defenses, fighting back and staying ahead. The others will continue wasting budget with their heads in the sand and enriching the fraudsters.

ABOUT

Jordan Greene continues to be on the forefront of this evolution of digital marketing, with over 20 years entrenched in mobile. He brings elite level expertise and hands-on experience to help clients smartly exploit the opportunities in the mobile ecosystem. His strategies and advertising programs have yielded billions of dollars in measurable client revenue, and driven millions of new customers efficiently. Companies including IDT Telecom, Johnson & Johnson, Publishers Clearing House, Kochava, and Madison Square Garden benefit from his unique insight and tactical agility.

Mella Media

Partner/Mobile Media

jordan@mellamedia.com

917.847.1713