A massive ad fraud scheme that Google acknowledged stole close to $10 million from its ad networks and partners has been shut down after BuzzFeed News revealed its existence last week. But as of today more than 30 companies that unwittingly helped the fraudsters earn money won’t comment on how many fraudulent ads they sold, or say the amount is small or nonexistent.
The fraud operation exposed by BuzzFeed News last week involved more than 125 Android apps and websites that tracked real human users and used this data to program bots to mimic their behavior as a way to evade fraud detection systems. These bots opened apps and loaded webpages in order to generate fake ad views, and therefore revenue for the fraudsters. The affected apps and websites were distributed among a web of shell and front companies to hide their true owners and obscure the scale of the operation.
BuzzFeed News contacted 36 companies that carried ad inventory for the affected apps and sites, or otherwise helped them monetize at some point. Almost none shared specifics about how much money was stolen via their platforms, or whether they will be issuing refunds. Ultimately, the money is stolen from the brands and other companies who bought ads on the affected websites or in apps.
Experts say this lack of transparency is endemic in the digital ad industry, which has a large and growing fraud problem that sees criminals steal billions of dollars a year from advertisers. Many brands now grudgingly accept that a certain amount of the money they spend on digital will be lost to fraud. But when fraud is discovered, as in this scheme or in multiple BuzzFeed News exposés published in the past 12 months, almost no one wants to talk about where the money went, or who stole it.
“The companies don’t reply to your investigations out of complicity and a fear that too much poking around will expose too much. Nobody knows how bad it is and nobody wants to know,” said David Carroll, an associate professor of media design at the New School’s Parsons School of Design.
As of now, 22 of 36 companies have responded to BuzzFeed News. Of those, only four said they had identified money that will be refunded to advertisers. (You can read the responses, or lack thereof, from the companies in full here.)
The total amount of fraudulent ad sales cited by companies other than Google is roughly $300,000 — far less than the amount Google said was sold by it and partners it works with.
This summer, an anonymous source using an email address from one of the companies active in the fraud scheme said the total amount stolen was likely hundreds of millions of dollars. Separately, Pixalate, a fraud detection company that first revealed one aspect of the scheme, estimated that one app in the scheme could steal $75 million per year.
But as of now just $10.3 million has been acknowledged by companies who helped brands buy fraudulent ads. (There is no evidence any of these ad networks or other ad tech companies knew the apps and websites were engaged in fraud.)
It ultimately falls on the brands to press for answers and refunds, according to Mike Zaneis, CEO of the ad industry’s Trustworthy Accountability Group, which works with publishers and ad vendors to fight fraud.
“It really is up to each marketer to protect themselves,” he told BuzzFeed News.
“I’d be willing to bet 90% of the impacted brands won’t take any real action other than sending an angry email to their agency, and then with very little follow-up.”
Carroll said the lack of public disclosure about the ongoing theft of advertising budgets is part of the industry’s effort “to stave off law enforcement and lawmakers.”
But now law enforcement and lawmakers are applying scrutiny to the digital ad industry, and to criminal behavior within it.
After reading BuzzFeed News’ investigation, Virginia Sen. Mark Warner sent a letter to the Federal Trade Commission last week to express his “continued concern with the prevalence of digital advertising fraud, and in particular the inaction of major industry stakeholders in curbing these abuses.” Warner also sent a letter raising the alarm about ad fraud back in 2016.
Meanwhile, the FBI is currently engaged in a criminal investigation into media buying practices that could touch on refunds issued for fraudulent ad sales.
This increased scrutiny could help explain why companies contacted by BuzzFeed News largely offered general statements about their commitment to fighting fraud, or didn’t respond at all.
“We’re not going to disclose specific numbers, but [the impact of this scheme] was extremely low thanks to our publisher on-boarding and fraud detection processes,” said a spokesperson for AdColony, an ad network that saw its technology loaded onto at least 22 apps connected to the scheme. (Google removed many of the apps from its Android Play store, so BuzzFeed News was only able to examine ad networks integrated into apps still available for download.)
A few companies cited dollar figures. PubMatic, a platform that facilities digital ad buys, said by email that “Less than $25 thousand of spend was identified on the PubMatic platform and, as per our policy, these are subject to refunds to the impacted buyers. All domains and apps are blocked from monetization.” It said that amount was based on analysis going back to July.
Similarly, the video and mobile ad platforms operated by Oath, the media company owned by Verizon, said it reviewed the past 90 days and found it facilitated “less than $300,000” in ad buys on apps and sites in the scheme.
“We are removing the inventory from our platforms and evaluating affected buyers for refunds,” a spokesperson told BuzzFeed News. They added that looking back 90 days was standard for the industry.
Zaneis of TAG says in fact there is no industry standard for how far back a partner should look when calculating refunds.
“It doesn’t matter if it’s 90 days or three years — the marketer should be protected all the time. There should be no statute of limitations on ad fraud,” he said.
Most of the company statements sent to BuzzFeed News did not cite specifics. Some examples:
- “We’re actively investigating this issue and to date, we’ve found an extremely small impact to Facebook Audience Network,” said a spokesperson for the ad network run by Facebook, which is integrated in at least 19 active apps.
- “Our platform is designed to filter out fraud upon detection. We investigated this matter and can confirm our fraud prevention measures worked as designed,” said a spokesperson for AppLovin, a mobile marketing platform.
- “With regard to your specific question, we conducted a forensic audit of our system against the list you provided us and are pleased to report that our rigorous process detected this fraud and filtered it out some time ago, before it reached our demand,” said a spokesperson for Telaria, a platform that helps monetize video content.
- “InMobi is leading the charge on driving accountability in advertising by instrumenting proactive checks for fraud prevention and detection across all stages of the impression value chain,” said a statement from InMobi, a monetization platform.
Carroll said the industry tries to minimize perceptions of its fraud problem by using technical jargon and quietly issuing refunds when required in order to keep things quiet.
“The industry uses telling language to paper over its fraud problem — ‘invalid traffic, non-human impressions,’ etc.,” he said in a message. “It reveals their attitude of overlooking the theft and criminal enterprises defrauding them for unknown purposes.”