October 17, 2017 — By: Craig Silverman, BuzzFeed
"Some of the world’s biggest brands were ripped off by a digital fraud scheme that used a network of websites connected to US advertising industry insiders to steal what experts say could be millions of dollars, a BuzzFeed News investigation has found," wrote BuzzFeed News.
The article features insights from Pixalate, which first uncovered a family of sites utilizing session hijacking without malware, a form of Sophisticated Invalid Traffic (SIVT).
"Pixalate, a fraud prevention and detection company, recently exposed a group of seven sites involved in the scheme as a result of its own independent investigation. It estimated that 'a sustained attack [from just one website] could net the fraudsters over $2 million per year,'" wrote BuzzFeed.
The article continued: "What caught the attention of researchers at Pixalate and Social Puncher, two companies that identified the fraud independently of each other, was that sites in the scheme deployed a sophisticated method to automatically redirect traffic between websites in order to rack up ad impressions and avoid detection. Once caught in this web of redirects, the sites show a constant stream of video ads that are often barely interrupted by actual editorial content. In some cases, the sites showed more than one video ad at the same time in order to increase revenue.
"Jalal Nasir, the CEO of Pixalate, referred to the sites in the scheme as 'self-driven' because once the redirect code is initiated it can bounce between websites without any action required on the part of a human user or bot. (This kind of attack is known as 'session hijacking.')," wrote BuzzFeed.
“The people profiting from this scheme could have initiated the first visit to the URL, simply to open as many windows or tabs as possible on browsers,” [Pixalate CEO Jalal Nasir] told BuzzFeed News. “Once that first step had been taken, however, the browsers could have been left open to ‘browse’ all day, ‘mimicking a human.’”
"Pixalate referred to the group of properties it investigated as 'zombie sites' because of how they generate ad views without human action, and because it’s unlikely they could attract interest from a real audience," wrote BuzzFeed.
"Approximately 40 websites used special code that triggered an avalanche of fraudulent views of video ads from companies such as P&G, Unilever, Hershey’s, Johnson & Johnson, Ford, and MGM," wrote BuzzFeed News. "Over 100 brands saw their ads fraudulently displayed on the sites, and roughly 50 brands appeared multiple times." BuzzFeed News worked with Social Puncher to name the affected brands and used Pixalate's existing blog post on the sites in question to corroborate their findings.
"Amin Bandeali, the CTO of Pixalate, said his company constantly comes across websites like the ones involved in this scheme. 'The scale is huge,' he said, noting that it takes no time to create a new website and fill it with plagiarized or sloppily aggregated content," wrote BuzzFeed.
“People have actually built programs called website generators where with one [computer command] they can generate a whole website, including plagiarized content from other websites,” Bandeali told BuzzFeed.
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes.” Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”