Presumably, that’s why Willie Sutton robbed banks. So I ask you, somewhat rhetorically, why would anyone defraud advertisers on the Internet. Well, if you don’t know, please refer to the title—that’s what this note is about.
Remember click fraud? That’s the name for illicit activity in which someone or something (a computer executing macros, automated scripts, etc.) emulates the click-selection process on a web advertisement. Why is that fraud? Well for one thing, if you are counting the number of times visitors “select” your advertising, click fraud makes it seem like lots of browsers out there are attracted to your advertising. But it ain’t necessarily so. Even worse, if an advertiser is paying each time a visitor browses the ad—pay per click—that advertiser can pay a significant amount of money for eyeballs that simply aren’t there. While you might think some clever computer hackers or scammers were engaging in this activity for kick (something like a teenager joyriding with the family car), when you find out your competitors are retaining the services of others to engage in that activity, making your advertising seem exceedingly successful and driving up your cost of sales while they are merrily trimming their costs—well that’s why they call it fraud after all.
Solid investigative work, pattern detection, programs designed to sniff out repetitive or rapid clicks and Internet protocol and address tracking—1000 clicks per second from the same address—can’t completely prevent click fraud, but they can make it more difficult, make the insertion companies, publishers and networks more accountable for accurate metrics and payment mechanisms, and can sometimes even lead to prosecutions.
More recently, even more sophisticated schemes have arisen, including fake advertisements, appearing to be for a legitimate company, but that are actually a launching pad for malicious code—capable of phishing or denial of service attacks, or penetrating corporate firewalls to access company networks and systems.
Now this is not a particularly new problem. After Hyundai was victimized, earlier this year, Initiative, the Agency of Record for Hyundai, sent out letters to its business partners, presumably to its publishing and advertising network partners, stating “someone allegedly working for Hyundai, or working at other agencies, has contacted various sites requesting proposals, and have even run a short campaign,” and requesting that they be notified immediately if contact is made “from an e-mail domain address of ‘Hyundai-inc.com’.”
Publicis, one of the world’s largest advertising holding companies and the largest global network within the Publicis Groupe, headquartered in France, has also been warning publishing networks about these fake ads. This past Oct. 5, Digitas, Optimedia, MediaVest, Zenith, and Spark (each of them Publicis companies) sent letters to their media partners [PDF] alerting them to: “rogue software and malicious advertising that is being placed on websites by individuals pretending to represent legitimate insertion requests.”
A recent article in The Wall Street Journal noted yet another scam in web-based advertising: invisible ads. Agencies and media buyers are generally unable to audit banner campaigns when bought through ad networks and purchased on a CPM basis. Now imagine you are paying for ads based on web pages loaded, not clicks. Well, according to the article, Ben Edelman, an assistant professor at Harvard Business School who has been studying Internet advertising, has discovered that these “invisible” ads use computer programming code to make it appear as if the ads are where they are supposed to be. But when you point your browser to the web page where the ad is supposed to be, NOTHING IS VISIBLE. Notice I didn’t say that nothing was there. I said it wasn’t visible. BUT, if you are reading this, pay attention. Take your cursor and highlight the entire blank space above right after the words “ad is supposed to be,” all the way through to “Notice I didn’t say,” the previously hidden text becomes visible. You see, the letters are there, but they are in the same color as the background, so they appear invisible to the reader. A fairly old trick. Now imagine there’s a web-based advertisement on an invisible web page. The browser “sees” the page and acts as if that page is loaded and open—only you can’t see it.
The Wall Street Journal article notes that security experts at Symantec and McAfee, as well as at online verification and audit companies DoubleVerify and Anchor Intelligence, have confirmed the programming code used to create the invisible ads. Code that ultimately causes advertisers, including some major companies and brands, to pay for advertising that is “there,” but not to the user. Just like the text color coded to appear invisible against the background here, these programming codes—normally used to tell the computer how to display a web page when a browser loads the page—make the display (referred to as an “iframe”) invisible, so the user won’t actually see anything within that iframe. Because you can’t see any of the contents, scammers can create multiple invisible iframes, even on the same page. Mr. Edelman reported that he “opened a series of invisible pages on the visitor’s computer with as many as 46 ads”—none of which could be seen.
I suspect that when Congress and regulators refer to targeted advertising, they aren’t thinking about criminals who target legitimate advertisers and publishing networks and ultimately cost them (and you) money. But here at Legal Bytes, and among the lawyers at Rimon, we are! Need to know more about digital advertising, publishing networks, media and marketing online? Call Joe Rosenbaum, or any of the lawyers at Rimon you work with. We are happy to help.