Online marketing secrets that the hackers behind Methbot don't want you to know

A lot of the responses to Methbot have been along the lines of hey, look, a squirrel! So here are a few of the non-squirrel things to think about.

Methbot does two interesting things. Adtech is fixing one of them.

White Ops published some good info on two Methbot capabilities.

  • Spoof data center IP addresses as residential

  • Work around anti-fraud software

Almost all of the news about Methbot is focused on the first one. But look at the original White Ops report (PDF) and skip to page 24.

The White Ops security research team found traces of analysis code where Methbot developers dissected the logic of the most widely adopted fraud detection vendors on the web. It’s apparent that they spent some time reverse-engineering these capabilities, manually running portions of measurement code inside legitimate browsers to learn what its output looks like, and then porting the logic to spoof those values in Methbot execution context.

And page 25.

In addition to code specifically designed to defeat viewability measurements used by specific vendors, White Ops found routines for spoofing industry-standard measurements. In particular, flash VPAID events are expected and handled.

Methbot impressions are more viewable than human impressions. Methbot is a more skillful Web user than the average CMO. Augustine Fou writes,

To put it bluntly, bad guys don't even care to find out the actual secret sauce of the various fraud detection companies because they have already A/B tested their bots and know for sure they get by various detection platforms. In fact they openly sell "fraud vendor compliant" traffic on a CPM/CPC basis.

When you pay for anti-fraud technology, you're just paying for the software testing that fraud hackers are using to build better bots. White Ops CEO Michael Tiffany told AdExchanger, The ultimate source of truth about where an advertising opportunity is happening is in the browser—but if you carefully rig the browser to lie about that, there is almost no defense.

There is one defense. It has two parts, tracking protection and flight to quality, and we'll hear more about it in 2017.

Methbot didn't cost advertisers any money.

Advertisers already know about adfraud in general. Methbot was just one ambitious example. Other fraud rings are still doing what they do. If you got an Internet of Things device for Christmas, it might already be running a bot. Methbot's IP addresses are no more, but the anti-anti-fraud code lives on.

When enough players in a market know about a problem, it's priced in. And adfraud has been priced in to the online ad market for a long time. (This is why the recommendations at Shortin' Adtech are bogus. Advertisers and investors can flee web advertising, but have no incentive to, because publishers pay for fraud. Publishers can't flee, because online is displacing print, but they have every incentive to if they could. An important reason for the "print dollars to digital dimes" problem is that everyone is used to paying the fraud-adjusted price.)

For every dollar that adfraud costs advertisers, they save a dollar or more in lower costs for legit ads. For every dollar that adfraud takes out of the game, publishers lose more. This is pretty basic economics, and explains why advertisers are willing to talk but not take action on the adfraud problem.

Data-driven can turn into bot-driven.

Advertisers do pay for adfraud, but not in money. When you're running a data-driven organization and the data comes from bots, then you're making decisions based on bots, not customers. Some kind of Ground truth on your online data—checking anything from the Internet against a trustworthy data source—is needed.

This is especially true for connecting ad and social data to sales. Attribution models are subject to gaming, but the Criteo/SteelHouse lawsuits were dropped, so instead of waiting for the techniques to come out in discovery we're going to have to dig some more to see how the fraud hackers are doing it. Happy new year.

Don Marti · #