Ad fraud cases of the past years

Oliver Kampmeier

Cybersecurity Content Specialist

The question we are most often asked is, “How big is ad fraud, really?”

While it’s hard to give exact numbers, estimates suggest that advertisers will lose over $100 billion to fraudsters in 2023.

In this article, we’ve compiled over 60 cases of ad and click fraud. This will give you an idea of the scale of what is arguably the biggest fraud of the modern era.

Finally, we would like to point out: All the cases listed here have been uncovered. In reality, there are many, many more cases and scams that continue to operate in secrecy, or where the fraudsters have gotten away with it.

2021

December 2021

LeoTerra - 20.5 million unique CTV devices spoofed per day

The LeoTerra scam was first uncovered in July 2020, but made news again with the start of the 2021 holiday season. Similar to RapidFire and ParrotTerra, LeoTerra is a server-side ad insertion (SSAI) fraud scheme in which the fraudsters set up fake SSAI servers and then create non-existent CTV inventory across an unlimited number of applications, IP addresses and devices. At its peak, LeoTerra was faking up to 20.5 million connected TVs (CTVs) per day – more than twenty times the volume detected at the end of the fourth quarter of 2020.
Type of fraud:
Fake ad impressions via spoofed apps, IP addresses and devices
Affected devices:
Connected TVs (CTVs)
Damage:
Faking more than 20.5 million unique CTVs per day
20.5 million
fake devices per day
December 2021

CelloTerra - 2.4 million unique CTV devices spoofed per day

CelloTerra was first uncovered in March 2020 but, much like the LeoTerra ad scam, experienced a revival during the 2021 holiday season. The fraudsters used mobile apps to run ads in the background, pretending to be a connected TV. At its peak, CelloTerra spoofed nearly 2.4 million CTV devices per day.
Type of fraud:
Mobile apps running background ads and pretending to be CTVs
Affected devices:
Mobile apps and Connected TVs (CTVs)
Damage:
Faking more than 2.4 million CTVs per day
2.4 million
fake devices per day
September 2021

RapidFire - $20 million per month with spoofed CTVs

The RapidFire ad fraud was run by a five-person team of former advertising tech professionals who operated an ad network called “HyperCast” and registered a company in Nevada that posed as a seemingly legitimate business. The fraud itself is very similar to the ParrotTerra ad fraud scheme: RapidFire used server-side ad insertion (SSAI) to spoof connected TV inventory across numerous apps, IP addresses, and devices. The fraudsters used automation tools – a simple Python script – to generate bid requests in JSON format across multiple SSPs and create “phantom ad requests.” The system was named RapidFire because the term reflects the speed at which these requests can be sent to the server.
Type of fraud:
Fake ad impressions via spoofed apps, IP addresses and devices
Affected devices:
Connected TVs (CTVs)
Damage:
It’s estimated that the scheme is costing advertisers $20 million per month
$20 million
per month
September 2021

GriftHorse - Android malware steals millions after infecting 10 million phones via Google’s Play Store

The GriftHorse malware was delivered to over 10 million Android devices through Google’s official Play Store using over 200 trojanized Android apps. Once installed on a victim’s phone, the malicious apps gained access to the victim’s mobile phone number, which they used for prize alerts that tricked unsuspecting victims into subscribing to premium SMS services at high rates of €30 per month.
Type of fraud:
Subscribing victims to premium SMS services
Affected devices:
Over 10 million Android devices from over 70 countries
Damage:
It’s estimated that the total amount stolen could be well into the hundreds of millions of Euros.
10 million
Android devices
August 2021

SmokeScreen - $6 million per month with fake ad impressions with a turned-off screen

SmokeScreen hides its malicious intent behind an innocent-looking screensaver application that can be easily downloaded to every connected TV. It then generates a constant stream of fake ad impressions in the background that are never visible to any human – even when the screen is turned off.
Type of fraud:
Fake ad impressions
Affected devices:
Connected TVs (CTVs)
Damage:
$6 million per month with more than 300 million ad requests
$6 million
per month
April 2021

OctoBot - Over $5 million a month with spoofed apps

Between November 2019 and April 2021, the seven variants that make up the OctoBot scheme generated billions of ad calls and spoofed apps on millions of devices. The criminals got users to install fraudulent apps on their devices, then began selling non-existent connected TV inventory to buyers. But instead of running the ads, the apps would only fire the ads’ tracking pixels, so that fraudulent ad impressions were counted.
Type of fraud:
Fake ad impressions
Affected devices:
Connected TVs (CTVs)
Damage:
Billions of ad requests with over $5 million a month in damages
$5 million
per month
April 2021

Pareto - 650 million ad requests per day with Android devices pretending to be connected TVs

The Pareto botnet accounted for an average of 650 million daily bid requests and infected several devices – including over 1 million Android smartphones, Apple TVs, Amazon Fire TVs, LG Smart TVs and Google Chromecast players – through several malicious apps that were present in the official app stores. The apps were able to spoof the phones to look like a connected TV and requested an ad every 30 seconds. Instead of showing the ads, the apps would simply call the specified APIs and indicate that the video ad had been shown.
Type of fraud:
Fake ad impressions
Affected devices:
Connected TVs (CTVs), Android
Damage:
An average of 650 million ad requests per day
650 million
ad requests per day
February 2021

eGobbler & Nephos7 - Up to 6% of all display advertising on the internet was fake

Starting in 2017, eGobbler and Nephos7 leveraged JavaScript fingerprinting to target different types of operating systems including iOS, Android, Windows and Mac OS X. The malware was embedded in online advertising and delivered through commercial ad servers and CDNs (e.g. CloudFront and Fastly), where the malicious code waited to be activated on victims’ devices. After activation, the victims were first presented with fake messages from Amazon, their ISP or mobile phone carrier, inviting them to enter their credit card information to confirm their non-existent prize. Beginning in 2019, the victims were also presented with the “Holcus Installer” adware through the old “Flash Player is outdated – Please update” scam. Via the adware, eGobbler and Nephos7 accounted for up to 6% of all display advertising on the internet on certain days.
Type of fraud:
Gift card scams, carrier-branded scams and adware downloads
Affected devices:
Windows, Mac OS X, Android
Damage:
Up to 6% of all display advertising on the internet
6%
of all ads on the internet
February 2021

ScamClub - Gift card scams by exploiting Safari browser security bugs

Exploiting browser security bugs with malicious ad code, ScamClub was able to redirect victims to websites where they were presented with various gift card scams.
Type of fraud:
Gift card scams
Affected devices:
Safari browsers (macOS, iOS & iPadOS)
Damage:
16 million malicious ads served per day
16 million
ads per day
January 2021

ParrotTerra - $30 to $50 million damages in ad spend

ParrotTerra used server-side ad insertion (SSAI) to generate fake CTV inventory across numerous apps, IPs and devices, spoofing 3.7 million devices and 2.7 million IP addresses per day. With ParrotTerra, the perpetrators set up a network of servers that impersonated SSAI by creating spoofs that made automated ad buying systems think they were transacting on real video ad inventory, with spoofs of internet addresses, household data, devices and apps. A buyer would think they were receiving commercial space in a popular media app, but they weren’t. It bilked advertisers and publishers out of $30 to $50 million in ad spend.
Type of fraud:
Fake ad impressions through spoofed apps and devices
Affected devices:
3.7 million connected TVs (CTVs)
Damage:
$30 – $50 million in ad spend
$50 million
in ad spend
January 2021

Grinch - 25 million ad impressions for malicious gift card and lottery scam pages

Behind several layers of fingerprinting, back-and-forth client-server communication, and several client-side traps and obfuscation, Grinch was able to forcibly redirect victims to gift card and lottery scam pages. This was done by inserting malicious code into the ads that were served by publishers.
Type of fraud:
Gift card and lottery scams
Affected devices:
Mobile devices (iOS & Android)
Damage:
25 million ad impressions
25 million
fake ad views

2020

December 2020

StreamScam - $14.5 million damages due to spoofed apps and devices

StreamScam took advantage of the server-side ad insertion (SSAI) technology, which smoothly injects commercials into apps that are viewed on Roku, Amazon Fire TV, Apple TV and other connected TV devices. StreamScam generated spoofed traffic based on 28.8 million U.S. households, spoofing 3,600 apps and impersonating 3,400 different device types. It’s estimated that the fraud led to $14.5 million in misspent ad budget.
Type of fraud:
Generating ad impressions through spoofed apps and devices
Affected devices:
Connected TVs (CTVs)
Damage:
$14.5 million
$14.5 million
in ad spend
December 2020

Adrozek - Malware infecting browsers on Windows

Adrozek was malware that targeted all major browsers on Windows and controlled over 30,000 devices a day, with hundreds of thousands of infected devices overall worldwide. Users would unintentionally install the malware through drive-by downloads, by visiting a tampered website or by opening an email attachment. The malware added browser extensions, changed browser settings to insert unauthorized ads into web pages and even stole credentials.
Type of fraud:
Malware inserting fake ads into web pages
Affected devices:
Browsers on Windows
Damage:
Over 200,000 infected devices
200,000
infected devices
October 2020

Weasel - Fake privacy-focused messenger in Microsoft’s Windows store

The Weasel fraud exposed the fraudulent actions of a company called Wease.IM, which was running secondary auctions within display ad units via Prebid.js. They devised custom code to alter Prebid.js requests and obfuscate the location of the iframe, hiding the true identity of the app. Wease was a Windows desktop application and was available only via the official Microsoft Windows store, disguised as a privacy-focused messenger.
Type of fraud:
Altering Prebid.js requests
Affected devices:
Windows 10
Damage:
Unknown
September 2020

MultiTerra - $1 million per month with spoofed connected TVs

MultiTerra was one of the many components that made up the OctoBot fraud, which was detected at the beginning of 2021. It targeted mostly connected TVs (CTVs) due to the high ad rates. MultiTerra spoofed various IP addresses and devices without ever displaying a single ad to any human. The botnet generated up to 3 million fake ad requests per day.
Type of fraud:
Fake ad impressions
Affected devices:
Connected TVs (CTVs)
Damage:
$1 million per month
$1 million
per month
August 2020

Terracotta - 2 billion fake ad impressions from malicious Google Play Store apps

Terracotta operated by uploading apps on the Google Play Store that promised users free perks like sneakers and coupons if they installed the applications on their devices. The apps downloaded and ran a modified version of WebView – a slimmed-down version of Google Chrome – in the background. It then launched the modified WebView browser, hidden from the user’s view, and performed ad fraud by loading ads and gaining revenue from fake ad impressions. Terracotta led to up to 2 billion fake ad impressions from over 65,000 infected smartphones per week.
Type of fraud:
Fake ad impressions
Affected devices:
Android smartphones
Damage:
2 billion ad impressions per week
2 billion
fake ad views per week
July 2020

Chartreuseblur - Over 3.5 million fraudulent photo app installs via Google Play Store

The Chartreuseblur malware was found in 29 apps, which were downloaded over 3.5 million times in total from the Google Play Store. The apps in the fraud network, most of which were photo tools, would load malicious code in the background, designed to serve ads and call up fake browser pages. The ads would display when phones were unlocked or while the phone was charging, and victims could not remove the apps or close them in the background, as the applications removed their icons from the home screen and launcher.
Type of fraud:
Fake ad impressions
Affected devices:
Android smartphones
Damage:
Over 3.5 million fraudulent app installs
3.5 million
app downloads
June 2020

AndroidOS_HiddenAd.HRXJA - Fake ad views in barcode scanner apps from Google Play Store

The fraud AndroidOS_HiddenAd.HRXJA was found in over 50 barcode scanner apps from the official Google Play Store. In total, the infected apps were downloaded more than 1 million times and generated ad views in the background, even when the screen was turned off.
Type of fraud:
Fake ad impressions
Affected devices:
Android smartphones
Damage:
Over 1 million app installs
1 million
app downloads
June 2020

Beauty and the Beast - Over 20 million fraudulent app installs via Google Play Store

The “Beauty and the Beast” fraud is named after the focus of its malicious apps on beauty. Most of them pretend to be selfie apps that add beauty filters to pictures, while showing ads out of context and making it nearly impossible to remove the apps themselves by hiding the app icon on the home screen and app launcher. A total of 38 apps were associated with the scheme, which rendered ads out of context, in the background and also redirected users to various URLs.
Type of fraud:
Fake ad impressions
Affected devices:
Android smartphones
Damage:
Over 20 million fraudulent app installs
20 million
app downloads
April 2020

Facebook sues LeadCloak for helping scammers run deceptive ads on its platform

Facebook sued the company LeadCloak, alleging that it was helping scammers run deceptive ads on its platform and Instagram by selling “cloaking” software to them. The software fooled the ad-review system by showing it a harmless website, while real users would see an entirely different website that could violate Facebook’s guidelines. The software had been used by scammers pushing coronavirus, cryptocurrency, pharmaceutical and fake news pages to flood users’ news feeds.
Type of fraud:
Cloaking
Affected devices:
Facebook users
Damage:
Unknown
April 2020

IceBucket - Connected TV fraud generates 1.9 billion ad requests per day

The IceBucket fraud was the largest case of server-side ad insertion (SSAI) spoofing uncovered as of the beginning of 2020. At its peak, the botnet impersonated more than 2 million people in over 30 countries and was responsible for around 1.9 billion ad requests – or 28% of total CTV ad impressions – per day. It spoofed mostly connected TV devices, but also some Android smartphones, and called the reporting APIs to indicate that the ads had been shown.
Type of fraud:
Fake ad impressions
Affected devices:
Connected TVs (CTVs / Roku, Samsung Tizen Smart TV, Google TV) and Android
Damage:
28% of total CTV ad impressions per day
28%
of total CTV ad impressions
March 2020

Tekya - Malware in game apps for children with over 1 million downloads from Google Play Store

The Tekya malware obfuscated native code to avoid detection by Google Play Protect and utilized the “MotionEvent” mechanism in Android to imitate the user’s actions in order to click ads and banners. The malware was found in 24 children’s games and 32 utility apps. The applications were soon removed from the Google Play Store, but had already been downloaded over 1 million times in total.
Type of fraud:
Fake ad clicks
Affected devices:
Android smartphones
Damage:
Over 1 million fraudulent app installs
1 million
app downloads
March 2020

Monarch - Exploited passive Roku apps display ads

Monarch led advertisers to believe they were buying video ads on Roku connected TV (CTV) devices, but instead the ads actually showed up on passive viewing apps, such as screensavers, virtual aquariums and fireplaces. The fraud infiltrated some of the most popular apps on the Roku Channel Store and bypassed Roku’s prohibition on ads appearing on apps like screensavers because the apps were instead classified as “special interest”. The exploited apps all used Monarch Ads, a subsidiary of Barons Media, as the inventory monetization platform.
Type of fraud:
Exploited passive viewing apps
Affected devices:
Roku connected TVs
Damage:
Applications among the 4% most popular apps on the Roku Channel Store
February 2020

404bot - $15 million with spoofed domains

The 404bot scheme was active from 2018 and throughout 2020, generating more than $15 million in ad spend from 1.5 billion video ads. The fraud was done by “domain spoofing” – impersonating a publisher’s web page – and leveraged the fact that buyers don’t always check the ads.txt file: bots generated fake browser data and fabricated URLs in order to pilfer media spend.
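
The buyer-side ads.txt check that this scheme counted on being skipped, as an added example (not code from the original article). It assumes the ads.txt bodies were fetched beforehand and that the bid request uses the OpenRTB fields site.domain and site.publisher.id; all domains, IDs and offers below are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Seller:
    ad_system: str     # domain of the SSP/exchange, lower-cased
    account_id: str    # publisher's account ID at that ad system
    relationship: str  # DIRECT or RESELLER


def parse_ads_txt(text):
    """Return the set of authorized Seller records found in an ads.txt body."""
    sellers = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]            # strip comments
        line = line.split(";", 1)[0].strip()   # strip extension fields
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        # Skip variable lines (contact=..., subdomain=...) and malformed records.
        if len(fields) < 3 or "=" in fields[0]:
            continue
        ad_system, account_id, rel = fields[0].lower(), fields[1], fields[2].upper()
        if ad_system and account_id and rel in ("DIRECT", "RESELLER"):
            sellers.add(Seller(ad_system, account_id, rel))
    return sellers


def check_bid(bid, exchange_domain, ads_txt_by_domain):
    """Classify one bid request offered through exchange_domain.

    Returns 'authorized', 'unauthorized' or 'no_ads_txt'.
    """
    domain = bid["site"]["domain"].lower()
    if domain.startswith("www."):
        domain = domain[4:]
    body = ads_txt_by_domain.get(domain)
    if body is None:
        return "no_ads_txt"
    seller_id = bid["site"]["publisher"]["id"]
    exchange = exchange_domain.lower()
    for seller in parse_ads_txt(body):
        if seller.ad_system == exchange and seller.account_id == seller_id:
            return "authorized"
    # The declared domain never listed this seller: likely domain spoofing.
    return "unauthorized"


def summarize(offers, ads_txt_by_domain):
    """Count verdicts over (exchange_domain, bid_request) pairs."""
    return Counter(check_bid(bid, exch, ads_txt_by_domain) for exch, bid in offers)


# Constructed sample: the ads.txt a publisher would serve at news.example/ads.txt.
SAMPLE_ADS_TXT = """\
# ads.txt for news.example (constructed sample)
contact=adops@news.example
ssp-a.example, 1001, DIRECT
SSP-B.example, pub-77, reseller, tagid0000000000  # certification ID is optional
not a valid record
"""
ADS_TXT_BY_DOMAIN = {"news.example": SAMPLE_ADS_TXT}


def make_bid(domain, publisher_id):
    """Build a minimal constructed bid request with only the fields checked here."""
    return {"site": {"domain": domain, "publisher": {"id": publisher_id}}}


# Constructed offers: (exchange the request arrived through, bid request).
SAMPLE_OFFERS = [
    ("ssp-a.example", make_bid("www.news.example", "1001")),   # listed, DIRECT
    ("SSP-B.example", make_bid("news.example", "pub-77")),     # listed, RESELLER
    ("ssp-a.example", make_bid("news.example", "9999")),       # unknown seller ID
    ("ssp-c.example", make_bid("news.example", "1001")),       # exchange not listed
    ("ssp-a.example", make_bid("unknown.example", "1001")),    # no ads.txt on file
]

if __name__ == "__main__":
    for exch, bid in SAMPLE_OFFERS:
        verdict = check_bid(bid, exch, ADS_TXT_BY_DOMAIN)
        print(f"{exch:15} {bid['site']['domain']:18} {verdict}")
    print(dict(summarize(SAMPLE_OFFERS, ADS_TXT_BY_DOMAIN)))
```

A buyer would refuse to bid on the "unauthorized" offers and treat "no_ads_txt" according to its own policy.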

Type of fraud:
Domain spoofing
Affected devices:
All devices
Damage:
$15 million from 1.5 billion video ads
1.5 billion
fake video ad views
February 2020

Cheetah Mobile & Kika Tech - Google removes 600 Android apps for click injection and disruptive mobile advertising

The apps from Chinese companies Cheetah Mobile and Kika Tech were removed from the Google Play Store after an investigation revealed that they practiced “click flooding” and “click injection”. With click injection, the apps listened for when a user downloaded a new app via the Google Play Store. As soon as a new download was detected, the apps looked for active install bounties available for the app in question and sent off clicks that contained the relevant app attribution information to ensure Cheetah and Kika won the bounty – even though they had nothing to do with the app being downloaded. The removed apps were quite popular and had over 2 billion downloads in total in Google’s Play Store.
Type of fraud:
Click Flooding and Click Injection
Affected devices:
Android
Damage:
Fraudulent apps with over 2 billion downloads
2 billion
app downloads
February 2020

Haken & Joker - Malicious apps mimic user clicks and sign victims up for expensive premium services

The Haken malware mimicked user clicks on ads and utilized native code and injection into Facebook and AdMob libraries while communicating with a remote server to get the configuration. Some apps also included the Joker malware, which subscribed victims to premium services in a hidden WebView by having access to the notification listener and the permission to send SMS.
Type of fraud:
Fake clicks on ads and hidden subscriptions
Affected devices:
Android
Damage:
Fraudulent apps had over 50,000 downloads
January 2020

DiCaprio - Spoofing banner ads on Grindr for Roku video ads

With the DiCaprio fraud, fraudsters bought regular banner ads on Grindr’s Android app and then attached malicious code that disguised the Grindr banner ad to look like a Roku video ad slot. The cheap banner ad space was used on programmatic advertising exchanges to resell more expensive video ads.
Type of fraud:
Spoofing banner ads for video ads
Affected devices:
Grindr Android app
Damage:
More than 10 million downloads for Grindr app

2019

November 2019

$100,000 a month with fake news websites

The BBC revealed how fake news websites make over $100,000 a month using bot traffic to click on ads. Web designers create websites, use scraped content from real news publications and send bot traffic to them in order to click on ads. Each year, the advertising industry loses several million dollars due to these fake news websites.
Type of fraud:
Fake websites with bot traffic
Affected devices:
All devices
Damage:
Over $100,000 a month per fake website
$100k
per month
September 2019

iHandy - 49 apps removed from Google Play Store due to their violation of its policies for deceptive or disruptive ads

Google removed 49 apps from Chinese developer iHandy from its Play Store for violating Google’s policies for deceptive or disruptive ads. It’s unclear what kind of malicious ad activity was detected in the apps, but the removal happened around the same time as the removal of the first Cheetah Mobile and Kika Tech apps that leveraged click injection and click flooding.
Type of fraud:
Deceptive or disruptive ads
Affected devices:
Android
Damage:
More than 100 million downloads in total for all iHandy apps
100 million
app downloads
September 2019

AdBlock and uBlock - Cookie stuffing from malicious adblockers

Two fake adblocker apps – namely AdBlock by AdBlock Inc. and uBlock by Charlie Lee – had been removed from Google’s Chrome Web Store for using “cookie stuffing”. In this fraud scheme both apps dropped affiliate cookies for various online services, without the user being aware of it.
Type of fraud:
Cookie stuffing
Affected devices:
Google Chrome browser
Damage:
More than 1.6 million weekly active users for both apps
1.6 million
weekly active users
August 2019

LionMobi and Jedimobi - Facebook sues app developers for click fraud

Facebook sued two app developers (LionMobi and Jedimobi), alleging that they engaged in a fraud to hijack victims’ phones with malware that fraudulently clicked on ads from Facebook’s advertising system in their apps. The apps were distributed via Google Play Store with a total of over 100 million downloads and targeted Android smartphone devices.
Type of fraud:
Fake clicks on ads
Affected devices:
Android
Damage:
Over 100 million downloads of malicious apps
100 million
app downloads
July 2019

CooTek - 440 million downloads from Google Play Store with malicious adware plugin

More than 60 apps from Chinese app developer CooTek were removed from Google’s Play Store for violating its policies for malicious and deceptive behavior, as well as disruptive ads. The apps contained an adware plugin – BeiTaAd – that triggered disruptive ads whenever the smartphone was asleep, locked or the CooTek apps were not in use. On top of that, users were not able to answer calls or interact with other apps, rendering the smartphones nearly unusable.
Type of fraud:
Malicious and deceptive ad behavior and disruptive ads
Affected devices:
Android
Damage:
Over 440 million downloads of malicious apps
440 million
app downloads
May 2019

VidMate - 500 million installations with hidden ads, fake clicks and purchases

VidMate, an Android app that enables users to download videos from YouTube, Vimeo and other video platforms, displayed hidden ads, generated fake clicks and purchases, and installed other suspicious apps without the user’s consent. The app itself had more than 500 million downloads and was hugely popular in countries such as India and Brazil. The blocked transactions alone could have cost users more than $150 million in unwanted and unauthorized mobile subscriptions.
Type of fraud:
Displaying hidden ads, generating fake ads and installing other suspicious apps
Affected devices:
Android
Damage:
More than 500 million downloads for VidMate app
500 million
app downloads
April 2019

DO Global - Google Play Store apps with over 90 million downloads committing various types of ad fraud

Six apps from Chinese app developer DO Global with more than 90 million installations from Google’s Play Store were committing various types of ad fraud, including fake clicks and attribution fraud.

Type of fraud:
Fake clicks and attribution fraud
Affected devices:
Android
Damage:
More than 90 million downloads for DO Global apps
90 million
app downloads
March 2019

Hidden video ads in banner ad slots

Twitter’s MoPub ad platform had been hijacked in an ad fraud scheme where fraudsters bought cheap banner ad slots in various apps and resold the ad spaces for more expensive autoplaying video ads. The video ads were of course never shown to the users and one banner ad slot was stuffed with multiple video ads, draining the user’s battery and mobile data.

Type of fraud:
Spoofing banner ad slots for video ads
Affected devices:
Apps with ads from Twitter’s MoPub ad platform
Damage:
At least 60 million ad calls per month
60 million
fake ad views per month

2018

November 2018

3ve - Generating $30 million from fake clicks on fake websites

The 3ve operation was one of the largest ad fraud schemes ever seen. The botnet infected at least 1.7 million computers, counterfeited over 10,000 websites and generated between 3 and 12 billion ad requests per day. The sophisticated system exploited various techniques such as infecting victims’ computers, remotely controlling hidden browsers and stealing corporate IP addresses. With the hidden browsers, 3ve was able to generate fake clicks on ads on its fake websites, taking in ad revenue from about 60,000 digital advertising accounts. The scale of the operation was enormous and even led to an FBI investigation.

Type of fraud:
Fake clicks on ads
Affected devices:
Both desktop and mobile devices
Damage:
Over $30 million in fake ads
$30 million
in fake ads
October 2018

We Purchase Apps - 127 apps, millions of downloads

The company “We Purchase Apps” specialized in acquiring semi-popular Android apps used by actual human users. After the purchase, the fraudsters studied the behavior of the apps’ users and created bots to mimic their action patterns. These bots were then used to generate fake traffic within the specific apps, which in turn earned additional ad revenue. The company was quite successful with its acquisitions – including the popular EverythingMe app – totaling over 115 million app downloads.

Type of fraud:
Fake traffic and clicks on ads
Affected devices:
Semi-popular Android apps
Damage:
Over 115 million app downloads
115 million
app downloads
June 2018

Zacinlo - Fake VPN turns out to be rootkit-based malware

The Zacinlo adware had been running covertly since early 2012 and infected mostly Windows 10 devices. As rootkit-based spyware, it protected itself and its other components very well, including from antivirus software. Among other things, the malware performed fraudulent browser redirects, created fake clicks on online ads in hidden windows and replaced ads loaded naturally inside the victim’s browser with the attacker’s ads, so that the attackers could collect the ad revenue. Zacinlo was downloaded disguised as a fake VPN named “s5mark”.

Type of fraud:
Fake clicks on ads in hidden browser windows
Affected devices:
Windows 10
Damage:
Unknown
May 2018

Facebook purges 1.3 billion fake accounts

Facebook’s efforts to clean its fake accounts led to the purge of more than 1.3 billion fake accounts that were created with the intent of spreading spam or conducting illicit activities such as scams. Of the remaining accounts, between 3 and 4 percent (66 – 88 million) are likely fakes.

Type of fraud:
Fake accounts for spreading spam or conducting illicit activities
Affected devices:
Facebook users
Damage:
Over 1.3 billion fake Facebook accounts
1.3 billion
fake accounts
April 2018

Fake ad blockers with over 20 million downloads in Chrome’s Web Store

Five fake adblocker browser extensions were downloaded over 20 million times via Google’s Chrome Web Store. The extensions sent information about the victim’s browser behavior back to the attacker’s server. The extensions themselves contained only code that was harmless on its own, but through the connection to the attacker’s remote command & control server this could have changed at any time, and the extensions could have been used for fraudulent techniques such as cookie stuffing.

Type of fraud:
Possible cookie stuffing
Affected devices:
Chrome browser
Damage:
Over 20 million extension downloads
20 million
extension downloads
March 2018

Twitter purges fake accounts with over 3 million followers

In an effort to clean its user base and reduce automated tweets and retweets, Twitter purged several accounts with a total of over 3 million followers from its platform for violating Twitter’s spam policy. The accounts were notorious for mass-retweeting each other’s posts and artificially creating viral tweets.

Type of fraud:
Artificially creating viral tweets by mass-retweeting
Affected devices:
Twitter users
Damage:
Purged accounts with more than 3 million followers
March 2018

RottenSys - Infecting 5 million Android devices and generating fake ad traffic

With its 316 variants, RottenSys had infected over 5 million Android devices since 2016. The adware was disguised as a Wi-Fi security app and downloaded other components after installation. It was able to display ads on the device’s home screen, and through its abuse of MarsDaemon, RottenSys was able to ensure that its operations resumed even if its process was force-stopped.

Type of fraud:
Fake traffic and clicks on ads
Affected devices:
Android
Damage:
$350,000 per month
$350k
per month
March 2018

Newsweek Media Group - Revenue for ads that were not in the user’s viewport

Malicious code designed to interfere with third-party measurement systems, which determine how much of a digital ad was viewable during a browsing session, was detected on several websites from publisher Newsweek Media Group. This fraud did not include any bots or fake clicks on ads; instead, the publisher wanted to get revenue from ads that were placed on the web pages but not in the user’s visible area.

Type of fraud:
Malicious code to track ad views that were not in the user’s viewport
Affected devices:
All devices
Damage:
Unknown
February 2018

Lotame purges 400 million bot profiles

Lotame, an exchange platform for third-party data, purged 400 million profiles after identifying them as bots or otherwise fraudulent accounts. Lotame CEO Andy Monfried estimated that 40% of all web traffic is fictional.

Type of fraud:
Bots disguised as real humans
Affected devices:
All devices
Damage:
Over 400 million bot accounts
400 million
fake accounts
January 2018

Zirconium - 1 billion ad impressions and various scams from fake ad agencies

Between 2017 and 2018, the Zirconium group created and operated around 30 fake ad agencies to distribute malvertising campaigns, delivering an estimated 1 billion ad impressions and building relationships with 16 ad platforms. The techniques Zirconium used included auto-redirects and fingerprinting, leading victims to various scams including fake antivirus software and Flash Player updates. They bought traffic from legitimate ad platforms and resold it to affiliate marketing platforms.

Type of fraud:
Auto-redirects and various scams
Affected devices:
All devices
Damage:
1 billion ad impressions
1 billion
fake ad views
January 2018

$1.13 billion damage annually via auto-redirects and fake ad impressions

At the beginning of 2018, the scheme of hidden auto-redirects blew up to account for 48% of all malvertising activities, leading advertisers to lose over $1 billion. The redirects opened invisible iframes and went on to click on ads automatically. 72% of auto-redirect attacks targeted mobile devices.

Type of fraud:
Hidden auto-redirects and fake ad impressions
Affected devices:
All devices
Damage:
$1.13 billion per year
>$1 billion
damage per year
January 2018

Malicious Chrome extensions with over 500,000 downloads

Four Chrome extensions with over 500,000 downloads were discovered to be part of a click-fraud scheme. The extensions contained malicious code that allowed the attackers to proxy browsing through the victim’s browser.

Type of fraud:
Fake clicks on ads
Affected devices:
Google Chrome
Damage:
$350,000 per month
$350k
per month

2017

December 2017

Ozy.com - Fake bot traffic increased ad impressions and sponsored content views

The news site Ozy.com bought cheap traffic to sponsored posts from several of its partners, including JPMorgan Chase, Amazon, VISA and KFC, only to find out that the traffic was not coming from real humans but from bots. The system automatically loaded specific web pages and redirected traffic between participating websites to quickly rack up ad impressions and sponsored content views.

Type of fraud:
Fake ad impressions and sponsored content views
Affected devices:
All devices
Damage:
Around 2 million fake visits
2 million
fake visits
December 2017

1 billion fake ad impressions per month with pop-unders on porn sites

Like many other frauds, this one started on porn sites. As soon as the user clicked anywhere on the site, it opened hidden pop-under windows behind the victim’s main browser tab and started a redirect chain to numerous other websites at timed intervals, racking up views and ad impressions. The scheme created an astounding amount of fake traffic, well beyond one billion per month.

Type of fraud:
Redirect chains in order to rack up ad impressions
Affected devices:
All devices visiting porn websites
Damage:
Over 1 billion ad impressions per month
1 billion
fake ad views
November 2017

HyphBot - $1.3 million per day with bot traffic on fake websites

HyphBot was one of the largest bot networks to be discovered in digital advertising. It was generating up to 1.5 billion requests per day with fake traffic from more than 34,000 domains. The operation started in November 2016, but gained most of its traction in August 2017. HyphBot created fake versions of established websites and then sent bot traffic to these domains in order to rack up ad impressions.

Type of fraud:
Fake ad impressions
Affected devices:
All devices
Damage:
Between $300,000 and $1.3 million per day
$1.3 million
per day
October 2017

MySpace - Ad fraud scheme involving page refreshes and redirect chains

Fraudsters used the social network MySpace to steal money from advertisers by autoplaying multiple video ads, refreshing the page several times and redirecting the users to other domains in order to rack up ad impressions. During the five months the MySpace site was live, it generated 9.7 million visits through bots that generated over 450 million page views.

Type of fraud:
Bot traffic, page refreshing and redirect chains
Affected devices:
MySpace users
Damage:
450 million page views
450 million
fake ad views
June 2017

Fireball - 250 million infected devices generating fake ad impressions

Fireball was Chinese malware that infected over 250 million computers worldwide. It came bundled with many freeware tools such as “FVP Imageviewer”, took over victims’ computers, could download any file or malware, and hijacked and manipulated web traffic in order to generate ad revenue.

Type of fraud:
Fake ad impressions
Affected devices:
Windows OS and macOS
Damage:
Over 250 million infected devices
250 million
infected devices
June 2017

Chinese click-fraud gang used hundreds of real smartphones as botnet

Three Chinese nationals conducted click-fraud with hundreds of real smartphones in order to increase clicks on ads over a period of several months.

Type of fraud:
Fake clicks on ads
Affected devices:
Real smartphones with bot software
Damage:
Unknown
May 2017

Judy - Adware in Google Play Store apps was downloaded over 36 million times

Judy was auto-clicking adware found in 41 apps developed by a Korean company. It was one of the biggest Android ad frauds ever, with the apps totalling over 36 million downloads from Google’s Play Store. Once installed, the apps would secretly open fake websites in the background and automatically click the ads on them. It’s estimated that the attackers generated about $300,000 every month via this fraud.

Type of fraud:
Fake clicks on ads
Affected devices:
Android
Damage:
Over 36 million downloads of infected apps
36 million
app downloads
May 2017

WannaCry - Demanding ransom payments for encrypted data

The WannaCry ransomware attack lasted only seven hours, but had a devastating impact: in this short amount of time the ransomware was able to infect over 230,000 computers in over 150 countries, encrypting their data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA), and targeted older Windows systems.

Type of fraud:
Ransomware
Affected devices:
Windows
Damage:
Over 230,000 infected devices
230k
infected devices
March 2017

Skype - Users hit by malware through malicious in-app ads

Skype users were presented with a fake ad asking them to update their Flash Player. Once downloaded, the malicious software triggered obfuscated JavaScript that started a new command line, deleted the application that the user had just opened, and ran a PowerShell command in order to download a JavaScript Encoded Script (JSE). Because the malware was actively communicating with the attacker’s command and control server, it could have done various things with the infected devices, including carrying out click-fraud and malvertising campaigns.

Type of fraud:
Malware carrying out click-fraud and malvertising campaigns
Affected devices:
Windows OS
Damage:
Unknown
February 2017

Pop-unders on porn sites responsible for 1.3 million ad impressions

Various small porn sites were found guilty of displaying pop-unders with advertisements to their users. The pop-unders continually refreshed and reloaded ads so that thousands of ad impressions could be tracked, even though the ads were beneath the users’ main browser tab and therefore were never actually seen by any human.

Type of fraud:
Pop-unders with constant reload to increase ad impressions
Affected devices:
Small porn sites
Damage:
1.3 million ad impressions
1.3 million
fake ad views

2016

June 2016

Criteo vs. SteelHouse - Click-fraud leading to wrong click attribution

Criteo filed a lawsuit alleging that rival firm SteelHouse ran a counterfeit click-fraud scheme over a period of several weeks. Criteo’s analysis revealed that during a head-to-head comparison, numerous clicks attributed to SteelHouse landed within seconds after clicks attributed to Criteo. In essence, SteelHouse loaded an invisible, short-lived web page underneath its clients’ web pages that falsely recognized clicks for SteelHouse.

Type of fraud:
Click-fraud with wrong click attribution
Affected devices:
Desktop and mobile devices
Damage:
Millions of US Dollars
1.3 million
fake ad views
June 2016

Methbot - $5 million per day with fake ad impressions

Methbot was one of the largest and most profitable fraud operations to strike digital advertising. Over the course of several months, the fraudsters used a botnet consisting of over 500,000 real IP addresses to fake views of as many as 300 million video ads per day, generating between $3 and $5 million in revenue for the attackers.

We’ve written an in-depth article on Methbot and how it worked. You can read it here: Methbot – How the king of fraud made $3 million per day

Type of fraud:
Fake video ad impressions
Affected devices:
Desktop and mobile devices
Damage:
300 million video ads per day
300 million
fake ad views per day