ArchiveOODA Original

Is Digital Advertising the ‘Mother of All Money Laundries?’

With media credibility watchdog NewsGuard reporting that over 1,600 top brands ran thousands of ads on sites that promoted false claims ahead of the 2020 Election and fueled the Capitol riot, the integrity of the digital advertising industry has never been more in doubt.

Are digital advertising agencies abiding by the terms of the insertion orders (IOs) that delineate the media inventory specified by their brand clients? The NewsGuard report, along with recent frauds exposed by ride-sharing company Uber and cybersecurity firm White Ops reveal that the answer to this question is a resounding “no.”

Online ad fraud cost global brands and media companies $42 billion in 2019. Losses are projected to approach $100 billion worldwide by 2023, according to UK-based consultants Juniper Research.

Just as the U.S. Treasury singled out fraud as the leading predicate crime for money laundering in its 2018 National Money Laundering Risk Assessment, proceeds from ad fraud are also reintegrated and rinsed via non-transparent, $336-billion digital media supply chains.

According to advertising analytics firm MediaRadar, 68 percent of the digital media ad industry is programmatic, or purchased via high-frequency automated auctions. But just three platforms, Amazon, Google, and Facebook, control nearly 70 percent of all digital ad spend, according to eMarketer.

Still, the industry is disintermediated by a myriad of different ad agencies, ad techs, ad networks, and other third parties. Given the opacity and complexity of the online media ecosystem, ad-fraud investigator Dr. Augustine Fou has even described this attack vector as the “mother of all money laundries.”

More specifically, Ron Teicher, the chief executive of Israeli anti-financial crime startup, EverC, has called ad fraud the “most insidious entry point imaginable” for transaction laundering (TL) or ‘ghost laundering.’ TL is a laundering scheme that leverages e-commerce and merchant processing to create fictitious transactions that appear legitimate, says Teicher.

Teicher estimates that TL, which generally entails criminals obscuring illegal products they are selling online via the willful misclassification of the merchant category codes (MCC) authorized by credit card companies, is a $200-billion-per-year problem globally. But Teicher’s projections don’t even factor illicit programmatic ad placements.

This portends an increasingly grave threat, because non-ad-tech-related TL alone has been linked to everything from terrorism finance, human trafficking, and illegal drug sales. A series of unresolved legal battles between ride-share company Uber and its former ad agencies and networks have exposed this gaping hole in financial integrity.

Ad Fraud Overview

On a “Marketing Today” podcast recorded last year, Uber’s former head of performance marketing, Kevin Frisch, said that mobile-ad fraud cannibalized at least $100 million, or two-thirds of the company’s $150-million online advertising budget, in 2017.

Ad fraud encompasses scams perpetrated across online-desktop, mobile, and in-app advertising channels. But so-called ‘Over-the-Top’ (OTT) ads, which are programmed to display across smart television sets, present a growing risk for fraud as well and will account for $42 billion in industry losses alone by 2023, according to Juniper forecasts.

In the mobile realm, ad fraud can be classified in one of three categories. The first is ‘attribution’ fraud, a “scheme where networks or publishers seek credit for organic installations and for installations actually attributable to other media sources,” according to a now-dismissed 2017 lawsuit filed by Uber against its former ad agency, Fetch Media, which details the specifics of Frisch’s podcast comments.

Attribution fraud is perpetrated in three ways, according to a second lawsuit filed by Uber in 2019 against four ad networks and 100 unknown entities used by its former agency, Fetch. Ad networks are digital platforms that broker unsold ad inventory between publishers (the supply side) and a pool of advertisers (the demand side) via an automated auction process.

Leveraging economies of scale and programmatic marketplace systems, groups of brands are able to place their digital ads at a much lower price than if they were negotiating directly with media companies.

One misattribution vector is called ‘click spamming,’ where a network or publisher fraudulently reports clicks for users without those clicks actually having occurred. Other forms of attribution fraud include the reporting of fake or malicious websites and ad stacking schemes where a “single mobile inventory placement is filled with several mobile advertisements, even though only one advertisement is visible,” according to the suit.

The last misattribution vector is called ‘metric smoothing,’ according to the 2019 suit, which “refers to the scenario when a network or publisher misreports where advertisements are placed in order to conceal the true placement of the advertisement.”

Fraudulent app installations is the second broad-category of mobile fraud, according to the 2017 Uber suit. The third and final type of ad fraud is known as ‘malvertising,’ where threat actors inject malicious code into ads then pay ad networks to display infected media on targeted websites, exposing every user browsing these sites to potential infection.

To illustrate the mechanics of attribution fraud out in the wild, allegations made in a trio of Uber lawsuits are instructive.

The Misattributed

Initially, Uber sued UK-based Fetch and its Japanese parent company, Dentsu. Following the 2016 election, Frisch said on the podcast that a once-anonymous anti-bigotry Twitter group called Sleeping Giants beganpressuring corporate America to stop buying inventory on conservative media websites like Breitbart.

Uber, along with over 800 other companies, caved to mainstream media outcry against the alt-right. Frisch instructed his ad network vendors to stop purchasing ad space on Breitbart’s site. Despite this mandate, Uber ads continued to display on Breitbart. Frisch then cut his ad spend by 10 percent. But still, there was no change.

Uber decided to probe the matter further, according to court filings, and discovered that “deceptive naming was to blame.” To be specific, “the publisher-reported name of the websites and mobile applications where Uber advertisements supposedly appeared did not match the actual URL accessed,” according to the lawsuit.

The court documents cite one example of metric smoothing, where “one publisher retained by Fetch reported clicks on Uber ads as coming from placements such as “Magic_Puzzles” and “Snooker_Champion.” In reality, those clicks originated from ads placed on Breitbart.com, Uber discovered.

Uber suspended the Fetch campaign in March 2017, when the ad agency was spending millions of its client’s dollars per week on mobile media inventory “purportedly attributable to hundreds of thousands (even millions) of Uber App installs per week,” according to court filings.

If the ads would have been legitimate, Uber contends, the company would have seen a “substantial drop” in app downloads. Instead, Uber observed “no material drop in total installations.”

Uber voluntarily dropped the case against Fetch in December of 2017. But over the Summer of 2019, it refiled charges in two lawsuits against five ad networks and a hundred unknown defendants contracted by Fetch.

Warpath

In 2019, Uber sued the new set of defendants for buying non-existent ads and junk traffic. Ad tech defendants that Uber was able to identify included BidMotion and its parent company, Hydrane SAS, Taptica, YouAppi, Ad Action, and Phunware.

Excluding Phunware, Uber sued all of the defendants above for fraud, negligence, and unfair competition. The ride-share company spotted all Fetch-related fraud through transparency reports authored by TUNE, a mobile analytics and performance marketing vendor that tracks user clicks and their attributable sources.

TUNE is designed to track clicks on ads and then matches the last reported click to user app installations. Last click is the standard compensation scheme in the mobile advertising industry, according to the suit.

One scheme Uber alleged Bidmotion to have perpetrated was omitting Device ID information, a key mobile forensic fingerprint, from TUNE reports. Thus, every attribution that Uber paid the ad network for was based on a “probabilistic fingerprinting method, which is much more susceptible to fraud” than deterministic Device ID logging.

Uber withheld $10 million in payment from the defendants as a result of these charges. But its most serious charges were reserved for Austin,TX-based mobile ad network Phunware.

Hit with the RICO

In its follow-up lawsuit that summer, Uber dropped a bombshell on Phunware, and four of the company’s executives and employees, in the form of civil charges related to the Racketeer Influenced and Corrupt Organizations (RICO) Act.

The lawsuit alleged a “massive, multi-year mobile advertising fraud committed by all defendants,” which “violated the federal criminal wire fraud, interstate transportation of funds obtained by fraud, and racketeering statutes,” and other fraud laws. All told, Phunware defrauded Uber out of some $17 million, according to the lawsuit.

The lawsuit said Uber first began suspecting irregularities with Phunware’s transparency reports in May 2016. “Uber became aware that Uber ads were running on adult sites with auto-redirects to the app store,” according to court documents.

According to the lawsuit, Phunware CEO Alan Knitowski “knew of, approved of and directed continuation of the fraud” against members of his Canada-based team who managed the Uber account.

Uber alleged the scheme involved the purchasing of ad placements that were not real, illegitimate, or prohibited, such as auto-redirects or “ads placed on prohibited sites such as pornographic” websites. Auto-redirects are the automatic rerouting of online traffic to an app store or marketplace, without any intent from the end-user.

Additionally, to spoof Site ID fingerprinting, Phunware employees “wrote and ran masking software known as ‘scripts’ to alter the names of the sites or apps where the ads allegedly appeared in order to trick Uber into believing the advertising was legitimate,” according to the suit.

Uber corroborated these allegations with emails exchanged between three of the defendants and another unnamed ex-Phunware employee’s deposition testimony about an interaction they had with Knitowski where he was made aware of the deceptive scripts.

Knitowski did not respond to comment for this story. Uber charged that Phunware defrauded three other companies using the same scheme. Phunware settled with Uber last year for $6 million, according to an 8-K the ad network filed with Securities & Exchange Commission last October.

Phunware also developed the mobile app for outgoing President Donald Trump’s reelection campaign last year. Facing sizable debt, the company has expressed “substantial doubt about its ability to continue as a going concern,” according to the Associated Press.

In 2018, Fetch countersued Uber, claiming the ride-share company owes it $19.7 million in unpaid invoices. The case is still unresolved. Lawyers for Uber did not immediately provide comment on this case.

Methbot 

Perhaps the most prolific ad fraud case to date, however, is the Methbot scam. In 2016, White Ops “exposed the largest and most profitable ad fraud operation to strike digital advertising to date,” according to a report it published that year.

When U.S. prosecutors in the Eastern District of New York unsealed the indictment against eight Methbot conspirators in 2018, they said the fraud caused U.S. companies to pay roughly $36 million “for ads that were never actually viewed by real human internet users.”

But White Ops researchers spotted the fraud years earlier when they uncovered a ‘bot farm’ scheme that involved Russian cybercriminals, who were “siphoning millions of advertising dollars per day away from U.S. media companies and the biggest U.S. brand name advertisers,” according to the report.

The operation produced massive volumes of fraudulent video ad impressions by “commandeering critical parts of Internet infrastructure and targeting the premium video advertising space,” said White Ops researchers. The report said Methbot counterfeited as much as $5 million in video advertising per day.

The scheme commanded an army of automated web browsers run from “fraudulently acquired IP addresses” to watch as many as 300-million video ads per day on counterfeit websites “designed to look like premium publisher inventory,” according to the report.

According to White Ops, the hackers who executed the scheme farmed out their “operations across a distributed network based on a custom browser engine running out of data centers on IP addresses acquired with forged registration data.” Via forged IP registrations, Methbot operators were able to “evade typical datacenter detection methodology,” said White Ops.

White Ops said that Methbot disrupted the conventional method of bypassing data center detection. The traditional tradecraft entails infecting host machines to run ad-fraud botnets.

Instead, Methbot conspirators used fake identities to “obtain or lease 852,992 real IP addresses, putting them to work generating fraudulent ad calls that appeared to come from legitimate residential Internet providers such as Verizon, Comcast, Spectrum, and others,” according to White Ops.

Additionally, White Ops said Methbot acquired IP “diversity” by running proxy network connections on their servers. While this “single-source” approach is typically detected and blacklisted by IP metadata providers, Methbot evaded discovery by “gaining direct control of large contiguous IP allocations” and spoofing registration entries to look like residential Internet service providers in the U.S., according to WhiteOps.

Some other advanced techniques used by the Methbot scammers include faked clicks, fake mouse movements, and spoofed social network login information, manipulation of geolocation fingerprints, and “special case countermeasures against code from over a dozen different ad tech companies,” according to the report.

These special-case evasion tools are indicative of “inside help,” said San Antonio, TX-based cybersecurityengineer Dan Ehrlich. Some of “America’s largest tech corporations have been compromised by foreign cybercriminals, either through coercion or payoffs,” said Ehrlich.

White Ops said this sophisticated tradecraft was “employed to provide an even more convincing picture of humanity.” For example, scammers faked social network logins to create the appearance of account usage when ad impressions were made.

The counterfeiting of digital fingerprints and use of custom-made web scripts to evade fraud detection mechanisms overlaps with tradecraft applied by professional credit card thieves, said Andrei Barysevich, the chief executive officer of fraud-intelligence firm Gemini Advisory.

All told, Methbot conspirators targeted and spoofed more than 6,000 premium domains to swindle ad networks and media companies out of millions. By the time White Ops uncovered the fraud, the Methbot operation had become deeply “embedded in the layers of the advertising ecosystem,” the report said.

The scam reached its nadir in 2018 when police in various countries arrested three Methbot suspects, including the alleged mastermind, Russian hacker Alexander Zhukov, on an international warrant issued by the U.S. The then-38-year-old suspect was extradited to the United States in January 2019.

Zhukov, known as “Nastra” in the Russian cyber-underworld, and his co-defendants were indicted on 13 counts in the Eastern District of New York related to computer crimes, conspiracy, and wire fraud among other criminal charges. Zhukov has maintained his innocence throughout his legal ordeal.

Last year, Sergey Denisoff, who was not named in the initial indictment, was also apprehended on Methbot-related charges in New York City. Echoing Ehrlich’s claims about inside help, Denisoff, a California resident and the operator of an online ad company that bought and resold junk traffic, stands accused by the feds of instructing Zhukov on how to bypass ad-fraud detection filters.

White Ops was acquired last month from its previous investors and for an undisclosed sum by Goldman Sachs Merchant Banking Division, in partnership with ClearSky Security, and NightDragon.

The Digital Laundromat  

On botnets, ad-fraud expert Fou noted that they don’t “come from Russia or China anymore, but from Asburn, Virginia and Bozeman, Montana.” When it comes to money laundering, Fou said it is “built-in to digital advertising.”

“You can think of digital advertising as both a mint and a laundry,” said Fou. “Scammers can make billions of dollars of illicit money via ad fraud, the literal money “mint.” Then, they can simultaneously launder the proceeds by purchasing billions of dollars of digital ads on millions of websites. This is the laundry,” he said.

Today, Fou said there are roughly 1.5 billion domains registered to some 350-million active websites, many of which monetize their content via advertising. But the vast majority of these sites have a freemium publishing model that enables users to view content without a subscription, notes Fou.

But with many of these domains featuring URLs reminiscent of jumbled, public crypto wallet addresses, marked by randomized strings of alphanumeric code, how many humans are actually accessing these web pages?

“These are all fake domains and apps used solely for ad fraud; they were never intended for human consumption,” said Fou.

What’s more, programmatic ad exchanges, by disconnecting buyers and sellers, have introduced opacity into the media industry, said Fou. Unrestrained by the regulatory oversight enforced in capital markets, this has “led directly to much greater opportunity for fraud and other crimes” in digital advertising, wrote Fou in a recent Forbes article.

While Fou lacks access to bank records and can’t conclusively prove that threat actors are laundering money, he highlighted two stealth ad-fraud-related laundering vectors. In the first case, a criminal group could create a dummy direct-to-consumer marketing company, hawking anything from diet pills to cooking products.

After receiving illegitimate proceeds under a false pretense like ghost laundering or false invoicing with fake e-commerce buyers or phantom wholesale distributors, respectively, said Teicher, criminals could add another layer to the rinse by purchasing digital ad space.

Fou said criminals, leveraging a relationship with a corrupt demand side platform (DSP), which connects programmatic exchanges and publishers, could buy false or non-existent ads and have the DSP route money back to them in exchange for a laundering commission.

“You set up a whole bunch of fake websites to pretend to run billions of impressions. All those impressions will cook the books to make it appear that all the ads you bought were actually placed,” wrote Fou in a blog postlast year.

Alternately, criminals could “vertically integrate” and create their own ad exchange. “The bad guys own the fake sites that pretend to show the ads. The bad guys have their own bots to generate traffic and ad impressions,” wrote Fou.

“They own the ad exchange, so they don’t have to pay Google or Facebook to do their laundry. Basically, the right hand pays their left hand and the money comes out clean!”

With Latin American drug cartels increasingly seeking to enlist hackers to help them launder their money, according to a 2020 report authored by threat-intelligence firm IntSights, ad fraud could thus be facilitating the rinse for much more serious security threats than otherwise unassuming “Silicon Beach” ad tech bros and Russian cyber-geeks.

Despite the lack of regulatory scrutiny over the digital media industry, bank compliance departments should thus consider conducting enhanced due diligence on their ad tech and digital agency customers.

 

Other Recommended Reading for OODA Members:

Is Organized Crime Using Ransomware to Take Real World Competitors Offline?

 

Can Hacker SIGINT Help Buy-Side Firms Generate Alpha?

Cardless ATMs Introduce New Account Takeover Fraud and Money Laundering Risks, FBI Says

Sinaloa Cartel-Linked “Freelancers” Introduce ESG-Friendly Meth recipe to Netherlands, EncroChat Probe Reveals

Tim Lloyd

Tim Lloyd

Tim Lloyd is a risk analyst and threat-finance reporter at Shadow Banker Media, where he is also the CEO. He was previously a financial advisor at Morgan Stanley. Now, he writes about the private fund industry, AML compliance, and cyber-threat intelligence. He has reported on issues such as FBI concerns over laundering risks in private equity and hedge funds and emerging cyber-enabled financial crime risks for Thomson Reuters Regulatory Intelligence, Vice Motherboard, and many other media outlets.