Fraudsters Are Masquerading As Real DSPs

The first rule of ad fraud: If it can be spoofed, it will be spoofed.

Bad actors are pretending to be legitimate demand-side platforms to fool partners and blend in with real ad calls, as a way to purvey malware and litter the web with forced redirects.

“They weasel their way onto the exchanges,” said Craig Chinn, VP of customer success at PubMatic.

Which can be dishearteningly easy to do. Once the bogus buyer passes muster, usually by promising access to primo demand, it’s up to the supply-side platform to act as the last defense, and that’s often difficult to do at scale.

In one recent example, a company calling itself Amobi Inc. pretended to be Amobee, complete with a fake website using Amobee’s brand colors and bogus LinkedIn profiles for its “employees.” (The profiles and Amobi’s LinkedIn company page have since been taken down.)

Last month, Ad Lightning, a company that helps publishers detect bad ads, noticed an ad acting suspiciously across multiple partners. The hijacked ad, which happened to be for Claritin, appeared to be infected with malware and resolved to an odd-looking domain: amobiinc.com. After Ad Lightning placed the ad on its block list, it popped up on multiple publishers.

“We’ve caught a few of these before, but this one was relatively sophisticated,” said Scott Moore, Ad Lightning’s CEO and founder. “The fraudsters, whoever they are, were spoofing a respected DSP and using a well-known brand’s creative, neither of which had anything to do with this, to deliver malware.”

After making its discovery, Ad Lightning alerted OpenX and PubMatic, both of which had been victimized by the exploit, so that they could block Amobi, and contacted the real Amobee, which was already aware of the matter. Amobee told AdExchanger that its fraud prevention system had detected and blocked the interloper “early on.”

Since catching Amobi in September, Ad Lightning has blocked the offending Claritin ad more than 500,000 times.

OpenX told AdExchanger it has encountered this form of fraud five times since February. For PubMatic, Amobi was the first sighting. Amobi was neither a client nor a partner of OpenX or PubMatic.

But how did the misspelled Amobi even make the cut in the first place?

Negligence … or something more?

In the Amobee/Amobi case, the unnamed DSP may have been a little too eager to get the business and so didn’t stop to ask questions. A mixture of naivete, greed and willful ignorance made it easy pickins for a fraudster packing what seemed to be real advertiser creative.

Chris Hallenbeck, director of traffic quality operations at OpenX, got the story of what happened directly from the DSP, which tried to minimize its role. (Hallenbeck declined to share the DSP’s name publicly.)

According to the DSP, a buyer approached right before Labor Day claiming access to premium brands, including Claritin and Casper, and requested to run specifically on OpenX. That should have been a red flag right there, Hallenbeck said.

“You never hear DSPs ask to reach people through a certain platform,” he said. “Not to mention that it’s very unusual for big national brands which spend a lot across better-known ad exchanges, like DBM, to all of a sudden siphon off spend to a little-known or obscure DSP that’s not even located in the same country as their target audience.”

So, who are these guys?

It’s hard to know exactly who was behind Amobi Inc. or how much malware they were able to seed before they got shut down – or whether, as is likely, they’ve already turned their attention to some other form of fraud. But one thing is clear: A basic vetting of its domain would have turned up a lot of fishy clues.

For one, Amobi’s website is littered with poor English grammar: “Ensure agencys’ revenue.” “Promoting advertising to target population by data using and tech supporting.” “Amobi uses Cookie to help you personalize your online experience. … You can accept or reject Cookie.”

The fake company’s address is listed as “228 Park Ave S #79525,” which is the exact same address as an assortment of dubious-looking entities, all of which were registered with the New York State Department of State between June and August to Chinese individuals.

One of these shadowy companies, Vtools Inc., distributes a tool called Windows Cleaner that is allegedly a Trojan Horse for malware.

Most of the others appear to be dead-end shell companies, a tangled web of weirdness that scatters when the light gets turned on and then promptly regroups in a different dark corner of the web.

“Amobi got shut down, but I guarantee that the people behind it stood up another one and that they’re doing it or something like it again now,” said Ad Lightning’s Moore. “We’ve seen ads that really do look quasi-legit, like yahoo-google.com, so you have to work really hard to figure out what’s going on.”
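The lookalike names in this story (amobiinc.com standing in for Amobee, and yahoo-google.com) are the kind a first-pass domain check can flag during buyer onboarding. The sketch below is an added example, not code from the article or from any company named in it; the allowlist, the filler-suffix list and the edit-distance threshold are assumptions.

```python
import re

# Assumed allowlist (constructed): brand label -> domains the real company uses.
KNOWN_BUYERS = {
    "amobee": {"amobee.com"},
    "yahoo": {"yahoo.com"},
    "google": {"google.com"},
}
FILLER = ("inc", "llc", "corp", "media", "ads")  # assumed suffixes padded onto a brand
MAX_EDITS = 2  # assumed threshold; tune against your own buyer list


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_buyer_domain(domain):
    """Return reasons a buyer-supplied domain needs manual review ([] = none found)."""
    domain = domain.lower().strip(".")
    official = {d for doms in KNOWN_BUYERS.values() for d in doms}
    if any(domain == d or domain.endswith("." + d) for d in official):
        return []
    # Simplification: assumes a single-label TLD, so the label left of it is the name.
    label = domain.split(".")[-2] if "." in domain else domain
    reasons = []
    embedded = sorted(b for b in KNOWN_BUYERS if b in label)
    if embedded:
        reasons.append("unlisted domain embeds brand(s): " + ", ".join(embedded))
    for token in re.split(r"[^a-z]+", label):
        for filler in FILLER:  # "amobiinc" -> "amobi"
            if token.endswith(filler) and len(token) > len(filler) + 2:
                token = token[: -len(filler)]
        for brand in KNOWN_BUYERS:
            edits = edit_distance(token, brand)
            if 0 < edits <= MAX_EDITS:
                reasons.append(f"'{token}' is {edits} edit(s) from '{brand}'")
    return reasons


if __name__ == "__main__":
    # Two lookalike names from the article, plus one allowlisted domain.
    for d in ("amobee.com", "amobiinc.com", "yahoo-google.com"):
        print(d, vet_buyer_domain(d))
```

A hit only queues the buyer for manual review; the address, registration and grammar clues described above still need a person to check them.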

What’s the fix?

Working with third-party verification partners and developing internal vetting technology are table stakes at this stage. There’s no anti-fraud easy button, but vigilance and cooperation go a long way toward rooting out bad actors, said PubMatic’s Chinn.

“Something like this hurts the entire ecosystem and there’s no real penalty for doing it,” he said. “SSPs and DSPs in this situation shouldn’t be adversaries – we should be working together toward the same goal.”

More transparency into the supply chain would also be a big help, perhaps a program a bit like Ads.txt, but for the buy side.

“The challenge, though, is always adoption,” Moore said. “Unless everyone is using a system end to end, it’s not going to be perfect.”

The Trustworthy Accountability Group, for example, does have a “certified against fraud” seal that companies can apply for to get verified as a trusted party, but scale is an issue. It’s been three years since the seal launched and there are only 106 companies listed in TAG’s registry.

 
