Determining whether publishers are shady enough to be cut from the programmatic supply chain means grappling with shades of gray.
But when a publisher is engaged in obviously illegal activity like piracy – and going to great lengths to hide it from programmatic advertisers – then the decision becomes black and white.
Ad fraud detection and verification firm HUMAN recently encountered one of those black and white cases when it investigated a Brazil-based programmatic cashout mechanism for pirated content, which HUMAN dubbed “Camu.”
As part of the Camu scam, publishers trafficking in pirated movies, TV shows and games sold programmatic ads alongside this stolen content while using domain cloaking to obscure the “cashout sites” where the ads actually ran.
HUMAN’s investigation, led by its Satori threat intelligence team, illustrates how disreputable publishers are able to monetize stolen content through programmatic advertising’s convoluted supply chains while avoiding common methods for detecting ad fraud.
As it turns out, outright scammers are taking cues for how to cover their tracks from made for advertising (MFA) sites.
A domain by any other name
The Camu operation, which the Satori team discovered in December and revealed in a report published today, was the largest cloaking operation HUMAN has exposed thus far. At its peak, it was associated with 2.5 billion bid requests per day, mostly originating in Brazil, that were spread across more than 130 domains built to facilitate this deception.
The domains that host pirated content are only accessible when navigated to via piracy hub sites, said William Herbig, director of fraud detection and data operations at HUMAN.
Some MFA publishers do something similar, which is to only display their heavy ad loads when being accessed by paid traffic. However, these ad-heavy pages can also be accessed by manually entering the URL.
In the case of Camu, if an advertiser attempts to do due diligence by navigating to the URLs listed in post-campaign reports, what would load is simply an unremarkable page rather than a page hosting stolen content.
Say, for example, a user visits filmize.tv, a site included in HUMAN’s investigation, to watch the new movie “Deadpool & Wolverine.” When the user clicks the “Watch Online Now” button, the site drops a cookie that allows a URL to load where that user can illegally stream the movie. This page also features several programmatically placed ads.
However, if an advertiser tried to visit the same URL, the browser would load an inconspicuous placeholder site instead. Because the advertiser didn’t click through from a piracy hub, the browser wouldn’t have the cookie needed to load the page where the stolen content lives.
HUMAN’s report on the Camu scam includes a screenshot of a page from the domain “guiacripto.online” that hosts a media player for streaming pirated content. This screenshot also shows ads from Vrbo and car rental company Sixt. However, navigating to the URL manually or clicking a link from a search results page loads an innocuous blog about cryptocurrencies.
This kind of domain cloaking is a classic marker of sophisticated invalid traffic, according to the Media Rating Council.
“We can very firmly call this IVT,” Herbig said. “There’s multiple pieces of misrepresentation going on.”
In addition to cloaking domains and creating different site experiences depending on a user’s route, he said, these publishers are obfuscating the source of referral traffic to make it seem like users arrived at these pages from reputable links or search engines, rather than hub sites entirely devoted to piracy.
Detecting the scam
Making matters worse, scams like Camu are also undetectable using typical means for catching programmatic ad fraud, Herbig said.
“You have real users on real devices who are being served viewable impressions,” he said. “The tricky part is [determining] where the ads are actually being loaded, and that’s not something you can easily do, at least by looking at standard metrics.”
And although scams like Camu have a lot in common with MFAs, they can’t be fought using the same strategies, Herbig said. For example, MFA sites create a separate experience for paid traffic, which makes focusing on paid traffic sources a viable method for detecting MFA activity. But piracy sites have no such emphasis on paid traffic.
However, the fact that piracy sites host stolen content makes it easier to single them out for scrutiny.
Indeed, HUMAN was able to uncover the Camu operation because its Satori team was proactively looking to expose programmatic supply chains associated with monetizing piracy sites, Herbig said. No advertiser wants to monetize stolen content.
The Satori team analyzed HUMAN’s entire data set of more than 20 trillion bid requests per week across three billion unique devices, looking for red flags that could be associated with piracy. It also monitored a range of IP addresses that were associated with known piracy sites in the past to examine what other sites these addresses were visiting and whether anything seems off about them.
“We immediately noticed this pattern between the cashout sites where our customers’ traffic was loading and one of these [known] piracy domains,” Herbig said. “From there, we started tagging different IVT behaviors.”
For instance, HUMAN examined every domain that was also using the known domain’s specific cookie settings and hunted for other domains engaged in the same specific type of referral overwriting.
HUMAN also tracked programmatic supply chains that have monetized known piracy domains to find similar domains. The Camu scam relied on a high degree of reselling by programmatic intermediaries to remain hidden, Herbig said. In many cases, new domains that were created after old domains were demonetized relied on the same sequence of resellers.
Based on these findings, HUMAN was able to introduce seven different pre- and post-bid mitigations over the past nine months aimed at stopping ads from serving on piracy domains. Although the Camu scam is still active, HUMAN was able to cut advertising activity associated with these domains from 2.5 billion daily bid requests to 100 million daily bid requests.
Herbig declined to elaborate on HUMAN’s mitigations, as doing so could give bad actors a playbook for how to avoid them.
Made for IVT
Going forward, HUMAN believes the best way to crack down on scams like Camu is for the industry to reach an explicit consensus that all traffic to piracy sites should be considered IVT, Herbig said.
But unfortunately, going after piracy sites won’t help address the industry’s other big advertising scam – MFA sites.
AdExchanger asked HUMAN to compare Camu to the Forbes MFA subdomain scandal, which blindsided the industry. While the Camu scam and the Forbes situation both relied on having different site experiences depending on the traffic source, “there is no relationship between the Camu operation and previous domain mismatch issues,” a HUMAN spokesperson said.
The Forbes case involved misdeclaring its “www3” MFA subdomain in bid requests, whereas Camu had “no instances of basic root or subdomain domain mismatch,” the spokesperson said. In Camu’s case, “the misrepresentation comes from two completely different sites loading from the same URL based on how the user arrives,” rather than having two different URLs for different traffic sources, they added.
Either way, piracy sites engaging in obviously illegal activity are an easier target for demonetization than MFA sites, which might be gaming programmatic systems, but aren’t necessarily doing anything illegal.
“Domains like this are made for IVT, not made for advertising,” Herbig said. “They are going multiple steps beyond what is in any way acceptable in our industry.”
