Determining whether publishers are shady enough to be removed from the programmatic supply chain requires dealing with shades of grey.
However, when a publisher engages in blatantly illegal activities, such as piracy, and goes to considerable pains to disguise it from programmatic advertisers, the decision becomes clear.
HUMAN, an ad fraud detection and verification service, recently discovered one of those black and white examples when investigating a Brazil-based programmatic cashout mechanism for pirated content known as “Camu.”
As part of the Camu fraud, publishers that trafficked in pirated movies, TV episodes, and games sold programmatic ads alongside the stolen content, employing domain cloaking to hide the “cashout sites” where the ads actually appeared.
HUMAN’s analysis, conducted by its Satori threat intelligence team, demonstrates how unscrupulous publishers can monetise stolen material using programmatic advertising’s complicated supply networks while circumventing typical ad fraud detection methods.
As it turns out, brazen scammers are learning from made-for-advertising (MFA) websites how to hide their tracks.
The Camu operation, found by the Satori team in December and reported in a study published today, is the largest cloaking operation HUMAN has uncovered to date. At its peak, it was responsible for 2.5 billion bid requests each day, most of which came from Brazil and were spread across more than 130 domains created specifically to enable this fraud.
According to William Herbig, director of fraud detection and data operations at HUMAN, domains hosting pirated content can only be accessed through piracy hub sites.
Some MFA publishers follow a similar strategy, displaying their huge ad loads only when sponsored traffic arrives. However, these ad-heavy pages can also be reached by simply entering the URL.
In the case of Camu, if an advertiser seeks to conduct due diligence by visiting the URLs specified in post-campaign reports, what appears is an unremarkable page rather than a page containing stolen content.
Assume a user visits filmize.tv, a site included in HUMAN’s analysis, to watch the latest film “Deadpool & Wolverine.” When the user selects the “Watch Online Now” button, the site sends a cookie that loads a URL where the user can illegally stream the movie. This page also contains numerous programmatically placed advertisements.
If an advertiser attempted to visit the same URL, the browser would display an unobtrusive placeholder site instead. Because the advertiser did not click through from a piracy hub, the browser did not have the necessary cookie to view the page containing the stolen content.
The HUMAN report on the Camu scam includes a screenshot of a page from the domain “guiacripto.online” that contains a media player for streaming pirated content. This screenshot also includes adverts for Vrbo and Sixt Car Rental. However, manually entering the URL or clicking a link from a search results page brings up an uninteresting blog on cryptocurrency.
According to the Media Rating Council, this type of domain masking is a reliable indicator of sophisticated invalid traffic.
“We can very firmly call this IVT,” Herbig stated. “There’s multiple pieces of misrepresentation going on.”
In addition to cloaking domains and creating different site experiences based on a user’s route, he claims that these publishers are obscuring the source of referral traffic to make it appear that users arrived at these pages via reputable links or search engines, rather than hub sites solely dedicated to piracy.
To make matters worse, Herbig stated that schemes like Camu are undetectable using standard methods for detecting programmatic ad fraud.
“You have real users on real devices who are being served viewable impressions,” he said. “The tricky part is [determining] where the ads are actually being loaded, and that’s not something you can easily do, at least by looking at standard metrics.”
And, while scams like Camu share many similarities with MFAs, Herbig believes they cannot be combated using the same tactics. For example, MFA sites serve a distinct experience to visitors who arrive via paid traffic, so focusing on paid traffic sources is one possible way of detecting MFA activity. Piracy sites, however, place no focus on paid traffic.
However, the fact that piracy sites host stolen content makes them easier to target for investigation.
Indeed, HUMAN discovered the Camu operation because its Satori team was vigilant in exposing programmatic supply networks associated with monetizing piracy sites, according to Herbig. No advertiser wishes to monetize stolen material.
The Satori team evaluated HUMAN’s whole data set of over 20 trillion bid requests per week over three billion distinct devices, looking for red flags that could indicate piracy. It also tracked a list of IP addresses previously associated with known piracy sites to see what other sites they visited and whether anything seemed strange about them.
“We immediately noticed this pattern between the cashout sites where our customers’ traffic was loading and one of these [known] piracy domains,” Herbig told me. “From there, we started tagging different IVT behaviors.”
For example, HUMAN analyzed every domain that shared the known domain’s unique cookie settings and looked for other domains engaging in the same type of referral overwriting.
HUMAN also tracked programmatic supply chains that had monetized known piracy sites in order to identify comparable domains. Herbig explained that the Camu fraud relied heavily on reselling by programmatic intermediaries to remain concealed. In many cases, new domains created after existing domains were demonetized used the same sequence of resellers.
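The pivot described in the paragraphs above, sketched as an added Python example. It is not HUMAN's tooling, whose details were not disclosed, and it is not taken from the report. The record layout, domains, cookies and seller names are constructed, and `schain` is assumed to hold the `asi` values of a bid request's OpenRTB SupplyChain nodes.

```python
from collections import defaultdict

# Constructed sample observations: every domain, cookie and seller here is made up.
# "schain" holds the asi values of the OpenRTB SupplyChain nodes, in hop order.
OBSERVATIONS = [
    {"domain": "hub-known.example", "set_cookie": "gate=a1; Max-Age=90; Path=/; SameSite=None",
     "schain": ["ssp-a.example", "resell-b.example", "resell-c.example"]},
    {"domain": "crypto-blog.example", "set_cookie": "gate=zz; samesite=none; path=/; max-age=90",
     "schain": ["ssp-a.example", "resell-b.example", "resell-c.example"]},
    {"domain": "new-domain.example", "set_cookie": "sess=4; Path=/; Secure",
     "schain": ["SSP-A.example", "resell-b.example", "resell-c.example"]},
    {"domain": "recipes.example", "set_cookie": "sid=9; Path=/; Secure",
     "schain": ["ssp-a.example"]},
]

def cookie_fingerprint(set_cookie):
    """Cookie name plus normalised attributes; the value is dropped as it varies per visit."""
    first, *attrs = [p.strip() for p in set_cookie.split(";") if p.strip()]
    return (first.split("=", 1)[0], tuple(sorted(a.lower() for a in attrs)))

def chain_fingerprint(schain):
    """Ordered, case-folded sequence of sellers the impression was resold through."""
    return tuple(asi.lower() for asi in schain)

def pivot_from_seeds(observations, seeds):
    """Map each non-seed domain to the signals it shares with a known piracy domain."""
    seed_cookies, seed_chains = set(), set()
    for rec in observations:
        if rec["domain"] in seeds:
            seed_cookies.add(cookie_fingerprint(rec["set_cookie"]))
            seed_chains.add(chain_fingerprint(rec["schain"]))
    hits = defaultdict(set)
    for rec in observations:
        if rec["domain"] in seeds:
            continue
        if cookie_fingerprint(rec["set_cookie"]) in seed_cookies:
            hits[rec["domain"]].add("cookie-settings")
        # A single direct seller is too common to be a signal; require a resold chain.
        if len(rec["schain"]) > 1 and chain_fingerprint(rec["schain"]) in seed_chains:
            hits[rec["domain"]].add("reseller-chain")
    return {domain: sorted(reasons) for domain, reasons in hits.items()}

def review_queue(observations, seeds):
    """Domains for analyst review, those matching the most signals first."""
    hits = pivot_from_seeds(observations, seeds)
    return sorted(hits, key=lambda d: (-len(hits[d]), d))

if __name__ == "__main__":
    for domain in review_queue(OBSERVATIONS, {"hub-known.example"}):
        print(domain)
```

A domain that matches only on the reseller chain, like the constructed `new-domain.example`, corresponds to the replacement domains mentioned above that reuse the same sequence of resellers after an earlier domain is demonetized.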
Based on these findings, HUMAN was able to implement seven different pre- and post-bid mitigations during the last nine months to prevent advertising from appearing on piracy domains. Although the Camu scam remains in operation, HUMAN was able to reduce advertising activity associated with these domains from 2.5 billion to 100 million daily bid requests.
Herbig declined to elaborate on HUMAN’s mitigations, fearing that doing so might provide bad actors with a blueprint for avoiding them.
Moving forward, HUMAN feels that the best way to crack down on scams like Camu is for the industry to reach an explicit consensus that all traffic to piracy sites should be deemed IVT, Herbig said.
Unfortunately, targeting piracy sites will not help address the industry’s second major advertising scam: MFA sites.
A source asked HUMAN to compare Camu to the Forbes MFA subdomain incident, which shocked the industry. While both the Camu fraud and the Forbes incident rely on different site experiences based on the visitor source, “there is no relationship between the Camu operation and previous domain mismatch issues,” according to a HUMAN spokeswoman.
The Forbes example involves misdeclaring the “www3” MFA subdomain in bid requests, whereas Camu had “no instances of basic root or subdomain domain mismatch,” according to the representative. In Camu’s situation, “the misrepresentation comes from two completely different sites loading from the same URL based on how the user arrives,” rather than having two different URLs for different traffic sources, they explained.
In any case, piracy sites that engage in clearly unlawful behavior are an easier target for demonetization than MFA sites, which may be manipulating programmatic systems but aren’t necessarily criminal.
“Domains like this are made for IVT, not made for advertising,” Herbig said. “They are going multiple steps beyond what is in any way acceptable in our industry.”