As someone who works monitoring ad network traffic at a large ad-tech company (not FAANG, but just below), let me just say: everyone does fraud.
Some don't need as much of it (e.g., Google), but quite literally saying "there's fraud in my online traffic" is like saying "there's tomato sauce in my spaghetti". It's quite literally such a normal thing that I've become immune to even getting roused by it (and remember, again, I work to find ad-fraud daily).
Does this make it right? No, absolutely not. But is this ever going to change, absolutely not. Too many people are making too much money from this. Just you try to tell an L2 that they can't hit their Q4 Revenue OKR because "we're doing something really immoral by allowing fraud".
Beyond this, ad spend ASSUMES some level of fraud. It's baked into your ROI numbers, at least for performance advertising.
Probably the main people getting stiffed are the publishers who are offering real traffic, and getting a smaller share of dollars relative to the incremental value they deliver.
Can you point me towards credible work determining ROI for online advertisement? Whats the current state of the art?
edit: I should rephrase, this sounds hostile. I know there is wide work in influencing people to buy stuff when influenced in person. The interpersonal dynamics are widely studied. I also know, that chumming content and goating works to gather more views, but that can only be turned into a ROI by people paying for ads to serve those viewers. There is also the segment of ads, which offer a discount, but what about all the rest? Does banner or clip advertisement actually provide a measurable return of investment? Does online advertisement offer brand recognition, and does it provide a ROI? Are the adverse effects studied, so that people actively despise brands for offensive ads? What are the going rates for views and reactions to online advertisement vs traditional marketing?
In short, what is the state of the art of research into online advertisement?
There are two distinct areas of online advertising: performance marketing, and brand advertising. I'm a performance marketer. I make a profit only when ads result in conversions - usually sales or signups for trial offers, but in some cases we do lead generation campaigns for clients as well. We spend high 5/low 6 figures per month, mostly on Facebook ads, with a monthly ROAS (return on ad spend) that beats Berkshire Hathaway's annual returns. The idea that online advertising cannot work is absurd.
The schemes mentioned in articles like this are almost exclusively targeted at brand marketers. My guess is the problem lies in the way that large brands incentivize the people running their campaigns, because the technology exists to knock out the vast majority of this type of fraud. Companies like Coke hire ad firms that send them reports about impressions, and they are thus incentivized to not pay attention to traffic quality, and just maximize impressions. That has to be the problem, because just my internal traffic quality tools that I have written would have shutdown ad delivery on the sites sending such obviously bad traffic within a few clicks from each referrer - and I don't claim to have written the most sophisticated filter out there. There are many ways to do reality checks on traffic, on a per-referrer basis, and cut out much of this stuff. Webview traffic (the kind being taken advantage of here) is among the easiest to detect.
As to your question about measuring ROAS it's simple for performance marketers. Take your ad spend and compare it to revenue. I'm not sure that brand marketers have a reasonable way of determining ROAS, either online or in the physical world. I suppose they could take brand recognition surveys and compare before/after a given campaign, but that is hardly an exact science.
Very interesting presentation. The question your research is attempting to answer is certainly a valid one for major sites, where people might be on the site anyway without having clicked on a given ad. In my specific case, most of the sites/offers we market through Facebook ads wouldn't have attracted many organic visitors, let alone conversions, on their own, so it's not a question I need to answer. These sites rely almost entirely on paid traffic, and if they don't get it they are out of business.
The importance of being able to figure out what actually led to conversions is not lost on me though. One unique technology I created allows us to do something that I have never seen anyone else in the online marketing world do: track conversions back to the initial click and ad campaign, even if someone just texts, emails, or uses an instant messenger to send the URL to a friend. So let's say someone visits the site, sees that the offer isn't for them but texts it to a friend. A month later, that friend finally gets around to looking at it, but decides it isn't for them either but knows someone else who might be interested, and they email it to someone else, who ultimately converts. We can track that conversion and all the steps in between back to the initial click and attribute it to the initial ad campaign, which gives us a much better sense of what each ad campaign is actually producing. The technology also lets us create custom Facebook audiences of anyone that has shared a link from the site - regardless of how they shared - text, email, Facebook - doesn't matter. We can then customize campaigns to encourage those people to share again.
If close to 0 of your traffic is organic, then you don’t have to care too much about the whole correlation vs. causality problem, yes.
What you describe is certainly interesting. I guess you are building a graph of unique IDs, with each shared URL containing the ID of the parent as a query param or something like that?
Something like that, yes. When you visit any URL on the site, we use javascript to rewrite the URL in the location bar with a shortened, unique, trackable URL. So we know both what URL you came in through, and the new URL that we then assigned to you. With this we can track every click all the way back up through the tree to the initial click, even if you just copy/paste the URL or hit the button on your phone to text the page to a given contact. Where possible, we also track any link preview engines that visit the URL, so we can usually tell not just that you shared, but how you shared (skype, telegram, iMessage, gmail, facebook, twitter, etc.).
I initially wrote this system so that I could retarget through Facebook ads people that had previously shared viral news articles, but now we have found great applications for it in ecommerce and lead gen as well.
You wouldn’t know who shared until someone doesn’t actually visit the shared link, right? Unless I’m misunderstanding something. Also I don’t see how you would build a custom audience on FB for the people who shared, e.g. by copy-pasting the URL from the location bar. I see how you would do it on some javascript event (e.g. page load, click on share button, etc.), but that’s not the same.
Correct, we don't know who shared until someone visits the link. But, we can build a custom audience after the fact because the Facebook retargeting pixel lets you pass an arbitrary ID of your choosing with each pixel load (the variable name is "extern_id" [1]). So when a click comes in on a given URL that we know had to have been shared, we know what extern_id we gave to Facebook for the original user that shared the link on the pixel fire back when they first visited the site. We can then build a custom audience using a list of those extern_id's for only people that have shared, after the fact.
Booking Holdings, for example, spent $4.1 billion dollars in 2017 on performance advertising. This would generally mean they had an ROI target (e.g., each dollar of spend should return $1.2 in revenue). The method of measuring this would generally come from an agreement between the marketing team and the finance team — it might require some assumptions on things like LTV or the value of certain actions, but the finance team would be major participants in determining this value.
There's no way Booking or similar massive advertisers are spending billions of dollars without a very very clear POV on the return they're receiving.
I think a lot of the "state of the art" that you're asking for won't be shared with the public by these companies.
As pointed out elsewhere in this thread, however, there is a big difference between performance marketing, where it's relatively easy to track conversion, vs brand marketing.
In fact, a huge reason Booking is so successful is because their sites convert at a higher rate than their competitors (which they themselves attribute to an early and maniacal focus on A/B testing), and thus they are able to bid more for travel-related search terms on Google as each click is worth more to them. It's pretty easy for them to track what percentage of Google AdWords click-throughs result in a completed booking.
Brand advertising, though, has much fuzzier metrics, and the incentives for brand advertisers is to show that they have a larger impact than they actually do.
I dont think its surprising, that people are involved in scams when it comes to advertisement.
We know possible targets try to scam the system, this article shows so. We know, that certain parts of advertisements are trying to sell stuff to people they dont need. As naive as it sounds, most advertisement isnt there to inform us of stuff we dont know of and would want to buy if we knew. And if you pay people to make other people act against their own interests, it is not unreasonable, that they would do the same to the people hiring them. And not just the same, but alot more. I think its only reasonable to assume, that professional scammers would not just try to scam the people, they are payed to scam, but also the people who pay them in the first place, who offer a much larger payout.
Why wouldnt advertising agencies not put alot more effort in convincing potential customers of their own, that they need their advertisement, then trying to influence the potential customers of their customers on the abstract level of brand awareness.
If brand awareness is not a matter of ROI but bullshit and just a matter of triggering interpersonal marketing mechanisms. "Your competition is spending this amount on brand awareness" and all the other true and tested mechanisms. Marketing your advertisement services to companies for brand awareness sounds like just another sales gig. And one where the methods are true and tested. Be it selling used cars or selling you your appearal as your image or selling the concept of creating a brand throguh digital ads.
Lobbying works for a reason in politics. My question was, if there is a reason to not assume the same for online banner marketing for brand awareness.
> Probably the main people getting stiffed are the publishers who are offering real traffic
Unless you're a large premium publisher like say a NYT, a Techcrunch, or even a Forbes, more of your traffic probably wont be real, and you have little to no control over that. The online ad/traffic buying game is so mind-blowingly convoluted, you can be a small publisher (foo.com), having your site spammed, and what little revenue you've made via your supply completely wiped out (i.e., clawed back by your upstream partner - even large publishers don't operate by themselves), and your reputation takes a hit.
The main people getting stiffed are the web users, and the advertisers. But it doesn't seem like either of them care enough about it to do something that can have a lasting effect
I guess I don't think the advertisers are getting stiffed — yes, they pay a CPM for 1000 impressions where some meaningful percentage are fake, but that should be baked into their models. The effective CPM for whatever the real number of impressions is is still ROI positive.
I would love to hear John Gruber opinion about that. His advertised funding model is sponsorship without agressive ad and without passive tracking.
https://daringfireball.net
So yes I totally think that current bonus for add fraudster is not helping a "new John Gruber" to emerge.
This month we got two unrelated emails (one from Bangladesh, the other from Turkey) with the same scam: "We have hacked your email account, we're emailing you from it, your password is xyz deposit $800 USD in bitcoin or else".
These guys just send a bunch of emails using known leaked accounts, and a few of these people are going to be scared because they reuse the same password. Since they ask for bitcoin, anyone can see the transactions of their wallets: roughly $6-12,000 USD each attempt.
The risk-reward ratio is ridiculously low, I guess that's the same with ad fraud. Companies would fight a company-sized rat, but not thousands of rat-sized companies.
It’s not that they do it. It’s that they allow it. Not outright, but they don’t go out of their way to suppress/stop it anymore more than anybody else.
If you're removing 700,000 apps a year from your store for violating your own policies, it's fair to say your system is not only not perfect, it's horribly broken.
37% fraud-rules breaking rate is pathetic. Maybe they should spend time vetting these things before allowing malware-infested spyware out into the "ecosystem."
Another way to look at it is their submission process fails to catch problematic apps. Making it necessary to pull them from the store after they have been published.
When it comes to email spam or fake email accounts, Google not only allows it, they enable it. One scammer can setup thousands of gmail accounts and google doesn't blink an eye. Gmail also allows "scammer+1@gmail.com" and "scammer+2@gmail" to be the same account. I've reported obvious gmail abuse to Google through their channels, but nothing. Same scammer keeps coming back with new email accounts.
>Gmail also allows "scammer+1@gmail.com" and "scammer+2@gmail" to be the same account.
This is a well-documented feature that has many legitimate uses. If you're trying to stop fraud, clip any gmail addresses after the +. For example, I believe Facebook does this.
I do clip it. I have to do many other things too (spending time and money) to counteract scammers usage of google's services. Given google's ability to track people, they'd could do more against fraud, instead of letting scammers use their services freely (hence my comment of them enabling scammers).
No, my point is Google allows and/or enables fraud and they could be doing more to fight it. Source: the article we are discussing, "How a Massive Ad Fraud Scheme Exploited Android Phones to Steal Millions". And my experience with scammers using Gmail.
1. It has been a vector for viruses / malware / cryptocoin mining
2. It tracks users activities on the internet without their knowledge to form a picture of their 'online personality'
3. It can invade a users privacy by keeping records of personal and / or intimate details of their online activities
4. It often uses more bandwidth than the content of the site it's on
5. auto-play videos
6. unexpected audio
7. As per rayvy's comment "everyone does fraud"
As the Joker said "this town needs an enema".
Given that "all the smartest people in the world work for advertising" it's a remarkable collective of all kinds of failure. And yet it continues to make a shit-ton of money because it's pretty much the only game in town.
What's the alternative? Word-of-mouth? That requires a product that's good and useful both now and into the future; not a fad. The growth-rate can also be glacial for a long initial phase, which needs commitment and passion from it's developers and management over the long term.
I can't see any revolution on the horizon though. It's going to take an impossibly sized critical mass of society to protest, and given the number of people still on Facebook... 'Brands' aren't going to stop advertising for fear of competitors getting more eyeballs.
I'm going to start an advertising company called Raypenpillidge Sleepwell.
Footnote:
Point #3 is separate to point #2 because tracking and privacy invasion should be considered separately - tracking could be done more openly with user consent which would mean the level of privacy invasion could be chosen by the user.
Half serious suggestion: Could we somehow enable individuals themselves conduct auctions to allow advertisers to access? Imagine being able to say: "I will accept 10 ads today - you guys figure out what you want to show me".
Timeshare sellers are an excellent example, as they're typically scummy, underhanded, and will try to back out on their already dodgy payment if you don't take the bait.
I seems to me that - besides the specific fraud scheme in the article - there is something else to be worried about.
From the article:
>The revelation of this scheme shows just how deeply fraud is embedded in the digital advertising ecosystem, the vast sums being stolen from brands, and the overall failure of the industry to stop it.
And, more relevant:
>Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent.
Now, if the numbers are correct and 23% of ad impressions is fraudulent, it should mean that either:
1) the firms/brands/whatever that are paying for these ads cannot measure with a sufficient degree of accuracy the results of these ads
2) they perfectly know that more than 1/5 of their ads expense is having "null" results but overall they are ok to spend the 100% price for less than 80% "real" impressions
If the first hypothesis is true there is some incompetence around, if the second, it's business as usual.
I believe more likely the #2 to be true, and since the companies/brands/etc. insist on it, this 20-25% "surcharge" is a "standard" of sorts.
So,hypothetically , if these frauds would be completely eradicated and the companies would continue to invest the same amount of money in ads, we are doomed to see 20-25% more ads than we do now.
I think those buying advertising know that the ad networks' metrics are hopelessly broken, that fraud is rampant, and that their actual impressions are far less than reported. But the problem is pervasive and spans the entire ad industry, so what are they to do, other than throw in as much money as possible and hope for the best?
I recently saw a comment (can't remember where) from someone involved in an advertising startup ostensibly focused on serving unintrusive ads with accurate reporting, and the response has been overwhelmingly positive: ad buyers expressed profound relief at seeing ad metrics that actually made sense.
I don't think we can make too many assumptions about how spending would change if ad metrics were actually accurate, simply because the current metrics are so bad, and the impressions so fraudulent, that the current ad spending is largely uninformed. If the metrics were accurate, ad buyers might very well end up spending less while getting more for their money, because they can suddenly make informed decisions.
Really the only people hurt are those buying, eg Google stock based on ad impression numbers. The advertisers have already priced the fraud into their bidding. Other than that, the only people who care about impression numbers are google investors. Even then, they’re probably more concerned with the aggregate ad spend, which is likely unrelated to the percentage of fraud since it’s more a result of marketing budget than anything else.
It probably hurts publishers (the entities hosting the ads). If the expectation of fraud renders ad impressions less valuable, then the publishers get a slice of a smaller pie.
That, or they cram even more ads onto their sites to compensate, and users throw up ad blockers or go elsewhere.
#2 is true but not exactly for the reason you specify, basically every company I've ever dealt with has an advertising budget, they spend it and they monitor how much they spend and how sales change based on that (and ad types and ad channels etc). If you have ever seen an advertisement for a Data Scientist at an online retailer this is what they will do, day in and day out.
As long as the revenue gain (and resulting margin) is more than the advertising spend, it is a winning strategy. Meanwhile, every ad network has a 'beta' value which is the ratio of ad spend to revenue increase, ad networks with a low beta either have more fraud or they are hitting the wrong demographic, either way dollars are shifted away from that network to one with a higher beta.
Publishers already stuff as many ads in the space they have as viewers will tolerate, so it's unlikely that a reduction in fraud will result in consumers seeing more ads. If anything they'll see fewer ads, since the existing ad space will become more valuable. The fact that ad space is primarily sold in the form of real-time auctions, and advertisers can track end-to-end results online (e.g. "we generated $10 in new sales per 1000 impressions last month") ensures that the price goes down when there's more fraud and up when there's less. Undetected impression fraud leads to publishers earning less for their legitimate impressions, not advertisers paying a premium.
If A$ = B impressions = C clicks = D sales then the amount of fraud is irrelevant it's just a question of A$ = D sales from the advertisers perspective.
Coke still "just" cares about sales, they simply can't directly measure it as well and thus use impressions as a proxy for sales. It’s clicks they don’t nessisarily care about.
Every single brand still cares about impressions at some level, even if everyone knows they're broken. C-level likes to see that spend was $100k, we had 12.5MM imps, and drove $600k in revenue.
It's a known fact that the digital advertising industry is rifled with lies and overpromised goals. Everyone knows it, or at least suspects it, but there doesn't seem to be a way out. One third of web traffic is fraudulent. Google tries to track it and remove it from the bottom line but what the rest of the industry does is uncertain.
As for your conclusion you can see it another way. If fraud disappears perhaps ads efficiency rates would also drop. Because ad fraud isn't only about ads that never show to their indented audience. A lot of times is about fraudulent clicks. So while you think your ad had a 2% CTR in reality it could be half that. You can never know who actually clicks on your ads. What you can know and measure is the conversion, aka how many actually bought your product. But if your product isn't sold online, like say packaged consumer products which are sold in super markets and all you aim with advertising is brand awareness you can't even track that. So you're siphoning millions to a black hole and you just pray that your analytics data are correct. Chances are, they aren't but no one will bother telling you. So eventually you might start seeing less ads because companies will realize there's no reason to keep their budgets at current levels.
And then there is the fact that there are a lot of actors involved in fraud, either directly or indirectly. Take video ads for example which have a higher CPM. It's in the platform's interest, aka the publisher, to produce as much views as possible to pocket the money. It's not like the fraud is performed from some shady character who lives in the underground. A lot of the times it's the networks themselves who will try to rob clients from their money.
Bottom line, there are a lot of angles to this issue.
It’s defintiely 2. But ads are priced on value to the advertiser. If someone reduced fraud to 0% they would just charge 20% more, and that money goes from fraudsters to advertisers, not more ads. This exists already, networks that filter out fraud better can charge higher rates.
>So, hypothetically, if these frauds would be completely eradicated and the companies would continue to invest the same amount of money in ads, we are doomed to see 20-25% more ads than we do now.
Nope. Advertisers would charge their clients 20-25% more to serve us ads. Digital ads are like real estate - every available piece gets rented out at some price, because otherwise it'll sit empty and make no money instead. The only question is what price is market-clearing: quantity of ads served is completely irrelevant.
> they perfectly know that more than 1/5 of their ads expense is having "null" results but overall they are ok to spend the 100% price for less than 80% "real" impressions
Don't ad companies charge fees as a function of spend? The chumps in this chain are (a) shareholders and (b) the managers hiring the agencies.
(Counterfactual: if this spend is that useless, it should be possible to start a competitor that focuses on high-ROI advertising.)
> Counterfactual: if this spend is that useless, it should be possible to start a competitor that focuses on high-ROI advertising.
Exactly! And that's where online ads, user tracking, online-to-offline came in. The whole reason why it gained so much traction in the past 20 years is that it began to offer better tracking and results than other forms of advertising.
If Google (or Facebook, or anyone else) stands still and lets fraudsters abuse their ad networks, the return on their ads will drop, opening space for their competitors.
So controlling ad-serving quality is a competitive advantage.
> If Google (or Facebook, or anyone else) stands still and lets fraudsters abuse their ad networks, the return on their ads will drop, opening space for their competitors.
I wish corporations would be so forward looking, but they are mostly short-sighted, worrying about the next quarters results.
2. seems likely. There are parallels in the real world. Put up a billboard and maybe 25% of the people seeing it will never need your service. Is that 25% wasted? Yes. But you just build that into the price.
Its not quite the same as fraud, since offline you can always argue about brand-building even among non-customers, but the end result is the same, money spent on ads that won't result in spend.
While the specifics are new, the issue of churn and waste in advertising very much isn't. John Wanamaker famous quote, “Half the money I spend on advertising is wasted; the trouble is I don't know which half" is from the 1900s.
If you want to check your own device if you have any apps that contain the code used by this botnet, the latest release of our AppBrain Ad Detector app will scan for it. It's available on Google Play here: https://play.google.com/store/apps/details?id=com.appspot.sw...
I’m kind of amazed how much money can be tied up in things that are not well understood by the vast majority of people who fund those things.
Ad networks. Various products from financial institutions. Cryptocurrencies. Heck, even app stores (as a developer, if your app was sold to somebody and Apple/Google’s system was simply broken and somehow they made their cut but you didn’t, how would you even know?).
At a certain point, it sure seems that people rely on popularity as proof of proper functionality (i.e. “lots of people seem to use this just fine” = “nothing can go wrong”). In reality, we should be expecting a lot more: asking harder questions, demanding more proof of activities, expecting extremely reliable support, etc. And frankly, a lot of these things should have open-source implementations to make it even easier to ensure that they work the way they claim to.
> This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.
So the fraudsters essentially did what Google is best at -- tracking and making 'use' of the information.
How silly of you to assume one can deliver 2kb of text without running thousands of lines of blackbox-javascript on your device and contacting dozens of servers. Besides, do you have anything to hide? Not running JS would suggest so, and possible help identify you online as the one guy that doen't run JS from your IP range. Welcome to the future.
While this point of view is a neat idea and part of me really likes it, I'm afraid those people just want to make as much cash as possible. Also, if they make 750M$, that's 750M$ they deprived other parts of society of (e.g. app developers who could have had about 5000 more employees).
Gosh I don't know who to feel worse for, the brands who will do anything to stick their bullshit into my eyeballs or the shitty ad networks that enable it.
That article is an example of outstanding journalism.
It probably required tremendous amounts of writing ability, knowing the subject matter, spending hours and hours of research, being familiar with the industry, etc. Doesn't see this much these days. Too bad a lot of journalism died in 2008/2009 when journalists lost their jobs and newspapers were either bought by big players or simply went out of business.
Well, it's Buzzfeed. They have the relative unique business model with their listicles and other clickbait crap financing their high-quality investigative journalism.
IMHO it makes sense for Buzzfeed - the quality stuff makes readers go to the website, and then the reader can be led to the stuff like "21 Unintentionally Hilarious Knock-Off Halloween Costumes That Are Just MAYBE Better Than The Real Thing" in the "Read On" section.
I have mixed feelings about the ad market. Automated ads is a very nice business model, compared to trying to get users to pay for your content. Running ads basically automates your whole sales organization, you do not even need a sales organization. On the other hand, I forget what's the term in game theory, but it's a lose-lose game, where the one with the most ads wins, not necessary the one with the best product. - Forcing competitors to also spend money on ads. And because it's fully automated - it's easy money for bad actors.
Wow, it's like the way I move my mouse isn't a legit Turing test.
What a shocker.
The real problem is using stupid methods to identify real users. This adversarial run is reaching it's end state, and you can't tell apart humans from machines there.
How do these "bots" work? Is there like a big room with lots of Android phones hooked up to some automated robotic finger for tapping and scrolling? Or are they using VMs to run some Android emulator and do everything in software?
A simple ad system shows an ad in an app or page, and when you click on it, sends a request off to the ad server which causes some ad credit (money) to change hands - the advertised company gets charged for a click, intermediaries get a cut, and the app or site owner gets their share.
Unsurprisingly, a site owner is heavily incentivized to click on their own ads, or have others click on them, in order to pay themselves. To avoid this the ad server will want to check that the click came from a real human. They can check by IP (e.g. clicks coming from AWS boxes are probably fraud, excessively fast clicks are rejected, etc.); by user activity (monitoring mouse clicks, keyboard entries, dwell time, and a host of other factors); and by statistical measures (is the ad statistically likely to be clicked on by the source, based on e.g. language, prior ad preferences, etc.)
The news article makes it sound like the bot owners are gathering usage data to simulate real human behavior, which they can then pass off as being real human inputs prior to clicking an ad. Of course, one wonders why they don’t just instruct these millions of phones to click on ads directly (e.g. in the background), which would give them access to a huge legitimate pool of IP addresses.
TL;DR: Some company acquires apps to track those apps' users' activities so that the company can simulate the activities in a farm of bot-controlled ad-enabled phones?
1. Why don't they just show the ads to real users?
2. If the real users don't really get to see the ads, isn't this a win for everyone (except advertisers)?
(I'm not saying I agree with their practices, but just trying to think how they rationalize their moral decisions).
I'm always curious how exactly the fraud detection happens. Is Pixalate doing network analysis? App Analysis? Could I do the same thing myself with wireshark on my home network?
Basically all "spyware" traffic is encrypted, you can however see which IP's users of your network connects to (and some meta-data such as domain name, protocol and hand-shakes) using for example Wireshark or tcpdump. My guess is that the fraud is detected by monitoring the traffic on the ad server, see that a "impression" is registered from their test phone's IP, and by looking at the phone they affirm that no ad was displayed.
It is functionally trivial to rotate IPs from the "test phones". There are shady brokers who will sell you Residential IP-based proxy servers (hacked home machines which will proxy your calls and make them appear to come from homes all around the world).
I mean in an audit, the test person can install the app on a device he/she has physical access to. And conclude that his/her phone was registered on the ad agency logs, yet no ad where shown. The fraudsters could however make it so the phone only sends fake impressions after a certain amount of engagement, so that audit/test person would have to play "my little pony" eg the child game - for one week ...
Quite alot of it is done be measuring the rate of clicks vs views and simple statistics. If people actually click on the ad, its a red flag and likely fraud.
> userIDs fields on the network requests you will replay with Math.random()
Isn't this _why_ you'd need domain expertise? Random User IDs would be detectable - a French user suddenly clicking on English ads and following East Coast time would be a red flag.
the beauty is that everyone want to do re-attribution, so they can buy cheap and sell expensive.
if I send a bid to google with a random browser id, it will assign a new user on the spot (we wont be lucky to match a valid user as in your example) and all goes on normally.
Some don't need as much of it (e.g., Google), but quite literally saying "there's fraud in my online traffic" is like saying "there's tomato sauce in my spaghetti". It's quite literally such a normal thing that I've become immune to even getting roused by it (and remember, again, I work to find ad-fraud daily).
Does this make it right? No, absolutely not. But is this ever going to change, absolutely not. Too many people are making too much money from this. Just you try to tell an L2 that they can't hit their Q4 Revenue OKR because "we're doing something really immoral by allowing fraud".
Don't make me laugh XD