Ad fraud attack vectors

The path of advertiser dollars to publishers is circuitous not only because of the multiple layers of middlemen but also because of various sophisticated fraud schemes. Ranging from complex technical tricks to a purely disruptive user experience, ad fraud strains the advertising ecosystem and puts pressure on all participants to safeguard advertiser trust, publisher revenue, and the user experience. Below is a list of the most harmful types of ad fraud.

Domain spoofing

Domain spoofing is a sophisticated technique for masking the real domains where ads appear. Fraudsters use it to cover the real sources of traffic and to falsely attribute them to reputable premium inventory. This technique is used by websites, ad networks and exchanges that take advantage of the intermediary architecture of the advertising industry and the widely accepted practice to resell or manage third-party traffic.

The Methbot and Hyphbot

The Methbot and Hyphbot operations are essentially domain-spoofing brought to an entirely new level. While technologically simple to design, those two attacks were unprecedented because of the financial scale at which they were performed. Rather than relying on malware to infect machines and execute their ad fraud, the organisations behind those attacks invested in entire data centres and in the acquisition of large batches of IPs in premium geolocations to perform custom-built domain spoofing on their own machines so that they could defraud ad networks.

Reselling traffic and arbitraging

Reselling traffic and arbitraging involve publishers driving traffic to their properties by using ad networks, often with native formats, that require less stringent checks. Publishers hope that buying the traffic will cost them less than the revenue they generate from advertising to that same traffic (hence the name "arbitraging"). Users then end up on pages with little content and multiple ads, which provide a very unpleasant user experience infested with malware and inappropriate ads.

Invisible and hidden ads

Invisible and hidden ads are used by malicious publishers to report impressions for ads that are actually invisible to humans. This is done in 1x1 pixel iframes, outside of the viewport area, or by stacking several ads in an iframe loaded in a single ad slot.
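
The three hiding methods above can be checked from the geometry of the reported ad frames. The following is an added example, not code from the original article: the frame records, slot ids and the 0.5 coverage threshold are assumptions, and the array order is assumed to be paint order.

```javascript
// Added example: flags the three hiding methods named in this section.
// Rect fields follow getBoundingClientRect(); `slot` ids and the 0.5 threshold
// are assumptions, and array order is assumed to be paint order (last on top).
const MIN_FRACTION = 0.5;

// Fraction of rect `a` that lies inside rect `b` (0 when `a` has no area).
function overlapFraction(a, b) {
  const w = Math.max(0, Math.min(a.right, b.right) - Math.max(a.left, b.left));
  const h = Math.max(0, Math.min(a.bottom, b.bottom) - Math.max(a.top, b.top));
  const area = (a.right - a.left) * (a.bottom - a.top);
  return area > 0 ? (w * h) / area : 0;
}

function auditAdFrames(frames, viewport) {
  const vp = { left: 0, top: 0, right: viewport.width, bottom: viewport.height };
  return frames.map((f, i) => {
    const reasons = [];
    const width = f.rect.right - f.rect.left;
    const height = f.rect.bottom - f.rect.top;
    if (width <= 1 && height <= 1) {
      reasons.push("pixel-sized");
    } else if (overlapFraction(f.rect, vp) < MIN_FRACTION) {
      reasons.push("outside-viewport");
    }
    // Stacked: a later frame in the same slot covers most of this one.
    const covered = frames.some((g, j) =>
      j > i && g.slot === f.slot && overlapFraction(f.rect, g.rect) >= MIN_FRACTION);
    if (covered) reasons.push("stacked-under-another-ad");
    return { id: f.id, reasons };
  });
}

// Constructed sample: a 1280x720 viewport and five reported ad frames.
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_FRAMES = [
  { id: "banner", slot: "top", rect: { left: 100, top: 0, right: 828, bottom: 90 } },
  { id: "pixel", slot: "px", rect: { left: 10, top: 10, right: 11, bottom: 11 } },
  { id: "offscreen", slot: "side", rect: { left: -2000, top: 100, right: -1700, bottom: 350 } },
  { id: "under", slot: "mid", rect: { left: 400, top: 300, right: 700, bottom: 550 } },
  { id: "over", slot: "mid", rect: { left: 400, top: 300, right: 700, bottom: 550 } },
];

for (const r of auditAdFrames(SAMPLE_FRAMES, SAMPLE_VIEWPORT)) {
  console.log(r.id, r.reasons.length ? r.reasons.join(", ") : "viewable");
}
```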

Device ID reset fraud

Device ID reset fraud is powered by bot farms. Device ID resets are responsible for artificial inflation of app installs that skew the cost per install and trick advertisers into wasting their budgets by paying for acquiring the same users over and over again.

Hijacked ads and devices

Hijacked ads and devices generate revenue for an attacker instead of a legitimate publisher by injecting the publisher’s content with the hijacker’s ads. It can be achieved by compromising the user’s device or the publisher’s servers.

Geolocation masking

Geolocation masking affects campaign geotargeting by altering the geolocation of the inventory offered for sale. Like domain spoofing, geolocation masking exploits advertisers who are willing to pay extra for specific audiences. It defrauds them by selling them traffic from completely irrelevant locations.

Click farms

Click farms leverage simulated or real clicks to squander advertising dollars at scale.


Malvertising

The advertising industry is full of platforms willing to push the boundaries of what is acceptable. There is no better illustration of this sad reality than the multitude of malware attacks carried through ads by platforms that allow third-party scripts. These attacks lead to malicious results such as identity theft and ransomware and are sometimes performed by very elaborate technological and legal structures.

Accidental and unintended clicks

Accidental and unintended clicks result from strategically concealed ad placements in popups and overlays. Such fake metrics plague advertising campaigns and challenge the sources of inventory to carefully monitor user activity and attribution. Usually, such activity is limited to certain bad players whose properties offer a sub-standard user experience coupled with shady means of acquiring traffic.

Ads with unknown sources

Ads with unknown sources put pressure on publishers and buying platforms to better control who uses their services. Reputable advertisers are increasingly concerned about inadvertently becoming party to fraudsters' schemes. Bad advertisers also undermine users' trust in publishers and make them less reputable sources of information. This is particularly true in the context of promoted posts and native advertising, where the adverts visually appear like trusted content on platforms such as Facebook and Google.


Other well-known examples include mobile app install hijacking (claiming the reward for another publisher’s work), ad stacking (stacking multiple ads so that their call-to-action buttons would be triggered simultaneously), retransmission fraud (reclaiming the reward for the same click multiple times), and others. All these various forms of ad fraud indicate a high level of sophistication of fraudsters who stay well ahead of the rest of the ecosystem. In addition, the current state of the advertising industry populated by intermediaries further favours ad fraud by making it difficult for everyone to independently check their end of the transaction. Overall, ad fraud is estimated to cost advertisers and publishers approximately 19 billion USD in 2018, up from 16.4 billion in 2017.