BuzzFeed – Ad Fraud Scheme

BuzzFeed News Investigation Summary

https://www.buzzfeed.com/craigsilverman/ad-industry-insiders-are-connected-to-a-fraud-scheme-that?utm_term=.vlOMXbjDq#.yy35Pz7ko

WHAT:

  • Some of the world’s biggest brands were ripped off by a digital fraud scheme to steal what could be millions of dollars.
  • Approximately 40 websites used special code that triggered an avalanche of fraudulent views of video ads. Over 100 brands saw their ads fraudulently displayed on the sites, and roughly 50 brands appeared multiple times.

HOW:

  • Sites deployed a sophisticated method to automatically redirect traffic between websites in order to rack up ad impressions and avoid detection.
  • Once a visitor is caught in this web of redirects, the sites show a constant stream of video ads that is often barely interrupted by actual editorial content.
  • Once the redirect code is initiated it can bounce between websites without any action required on the part of a human user or bot. This kind of attack is known as “session hijacking.”
  • In many cases, the sites are filled with images and content that have been plagiarized or loosely rewritten from other websites. Others are filled with posts that read like poor translations of actual English.
  • The sites were configured with a “friend or foe” system that only triggered the redirects when a specific URL was accessed. Once triggered, the secret URL would engage what Social Puncher came to refer to as “ad hell” due to the constant display of video ads and very little actual editorial content.
  • Many sites in the scheme would launch, instantly gain traffic and ads, and then see their audience disappear months later. It was the digital equivalent of skimming from a casino.
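
A defender-side check for the redirect pattern described above, as an added example that is not from the BuzzFeed report, Social Puncher or Pixalate: it scores page-view sessions for cross-domain navigations that happen without user input, loops back to already-visited domains, and video-ad density. The log schema, field names, thresholds and `.example` domains are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed page-view records; the schema (session, ts, domain,
# user_gesture, video_ads) is an assumption for this example.
EVENTS = [
    # Session A: a reader clicking through sites by hand.
    {"session": "A", "ts": 0,   "domain": "news.example",  "user_gesture": True,  "video_ads": 1},
    {"session": "A", "ts": 95,  "domain": "news.example",  "user_gesture": True,  "video_ads": 0},
    {"session": "A", "ts": 240, "domain": "shop.example",  "user_gesture": True,  "video_ads": 1},
    # Session B: pages change domain on their own and loop back.
    {"session": "B", "ts": 0,   "domain": "site1.example", "user_gesture": True,  "video_ads": 3},
    {"session": "B", "ts": 20,  "domain": "site2.example", "user_gesture": False, "video_ads": 4},
    {"session": "B", "ts": 41,  "domain": "site3.example", "user_gesture": False, "video_ads": 3},
    {"session": "B", "ts": 60,  "domain": "site2.example", "user_gesture": False, "video_ads": 4},
    {"session": "B", "ts": 82,  "domain": "site3.example", "user_gesture": False, "video_ads": 5},
]

def score_sessions(events, min_auto_hops=3, min_ads_per_page=2.0):
    """Return {session: report} for sessions matching the redirect pattern."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    flagged = {}
    for sid, views in by_session.items():
        views.sort(key=lambda e: e["ts"])
        auto_hops, revisits, seen = 0, 0, {views[0]["domain"]}
        for prev, cur in zip(views, views[1:]):
            if cur["domain"] != prev["domain"]:
                # Domain changed with no click or key press in between.
                if not cur["user_gesture"]:
                    auto_hops += 1
                # Returning to an earlier domain indicates a redirect loop.
                if cur["domain"] in seen:
                    revisits += 1
            seen.add(cur["domain"])
        ads_per_page = sum(v["video_ads"] for v in views) / len(views)
        if auto_hops >= min_auto_hops and ads_per_page >= min_ads_per_page:
            flagged[sid] = {"auto_hops": auto_hops, "loop_revisits": revisits,
                            "ads_per_page": round(ads_per_page, 2),
                            "domains": sorted(seen)}
    return flagged

if __name__ == "__main__":
    for sid, report in score_sessions(EVENTS).items():
        print(sid, report)
```

Requiring both signals together keeps ordinary multi-site browsing (session A) from being flagged on domain changes alone.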

WHO:

Using the list of sites that Social Puncher and Pixalate identified, a trail led to major owners/operators of sites who turned out to be Americans with ties to the US digital ad industry:

Matt Arceneaux

  • CEO of 301 Digital Media, a marketing agency based in Nashville. All sites involved in the scheme used ad technology provided by
  • An owner of Monkey Frog Media, which owned 7 sites exposed in the fraud scheme.
  • Monkey Frog Media goes by another name, Happy Planet Media, which had 5 sites involved in the scheme.
  • Market 57 LLC, whose corporate address is listed as 301 HQ, had 5 sites that were part of the scheme.
  • Orange Box Media LLC, whose corporate address is listed as Arceneaux’s home address, had 5 sites that were part of the scheme.
  • What he says: After initially denying any relationship between 301 and the other shell companies and being shown evidence to the contrary, Arceneaux said “No one profited from an ad fraud scheme as there was no ad fraud scheme evidence shown in any data that we have collected or seen. We ran all publishers through 3rd party ad fraud detection companies and were not notified of any issues until shortly before they were removed from our platform. We did not observe any attempts to mimic human behaviors or automatically click on ads. The 301network SSP has since notified all publishers that it is ceasing operations and can proudly say that none of the sites that showed this behavior are operational anymore.”

Eric Willis

  • Vice president of Online Media Group LLC (OMG LLC), which owns 7 sites that ran the session hijacking code. Many of the sites appear to have no user comments on their content, and the articles are written in a malformed version of English that suggests they were automatically generated.
  • Some of the traffic being routed through com was directed to Hollywire.com, a site that contained the session hijacking code.
  • Social Puncher documented a loop of redirects that saw Hollywire pass traffic back and forth between HisLife.style and HerLife.style, two sites that historical domain records from DomainTools show were registered by Willis in late 2015.
  • What he says: He told BuzzFeed News he has “no knowledge of any fraudulent activity. The industry as a whole definitely has a big problem with fraud and we do everything possible to prevent this kind of activity.”

Chris Corson

  • Cofounder and EVP of AdSupply ad network, where Eric Willis previously worked.
  • Part owner of an LLC that operates Hollywire.com.
  • Part owner of Focus Marketing LLC. Its website and the website for OMG LLC, the company Eric Willis works for, are exact copies with different company names.
  • What he says: “I do not support or have any involvement in any type of fraudulent activities, and certainly not this ‘scheme’ you have identified from the [Pixalate] article, and to report anything to the contrary would be wildly reckless. I do not have any involvement in the operations of Online Media Group or in any of its advertising activities.”

Katerina Van Derham

  • CEO of KVD Brand Inc., which owns 8 sites in the ad fraud scheme.
  • The company works with both 301 and Willis.
  • The audience behavior on several of Van Derham’s sites provides a good case study of the scheme. Last December, she purchased RecipeGreen.com in an online auction. From January until the end of August it was showered with traffic. Then the visits suddenly stopped. Along with the traffic pattern, another suspicious signal is that the site kept the same content on its homepage, and did not upload new posts at any point since it was purchased. The site’s for-sale listing on Flippa from close to a year ago shows the exact same articles in the exact same order that can be found at the top of the site’s homepage to this day.
  • What she says: Van Derham said she purchased several of the sites from someone in Pakistan, and that after being alerted to the fraud issue by BuzzFeed News she discovered that “malware” was present on them. “We have since then been doing our best to better properly secure the sites from further hacking or malicious attacks.”

WHAT SHOULD YOU DO:

  • This is just another piece of evidence that it is more important than ever to employ a third-party monitoring service to track your digital investments.
  • Do your research and make sure that your tracking partner is certified in detecting sophisticated invalid traffic. DoubleVerify, for instance, has a category to detect “hijacked devices,” which would include the data uncovered in this fraud scheme.
  • Advertisers (and their agencies) should routinely monitor site lists and take note of any suspicious traffic patterns, as well as keep blacklists and whitelists up to date.
  • Advertisers (and their agencies) should make sure that any ad networks they work with have full transparency into the sites their ads are running on.

Affected Brands