Let’s talk about an insane, criminal problem in digital media that gets no real media scrutiny: ad fraud. $19 BILLION will be stolen this year. Not wasted on ads that didn't work — straight up stolen by crooks!
My latest investigation, and a thread: buzzfeednews.com/article/craigs…
My latest investigation, and a thread: buzzfeednews.com/article/craigs…
Background: tons of digital ads are bought using automatic or tech-faciliated placements, aka programmatically. The process includes a glut of middlemen & players who take their cut. This opacity breeds confusion, which is perfect for criminals. Example:
Let’s break down one part of the scheme I exposed with help from @PixalateInc, Protected Media, @Malwarebytes. It starts with an email to a developer who built the Emoji Switcher Android app. This person says they want to buy his app. They agree to pay up front in bitcoin. Done. 
This happened over and over again to developers. I spoke to 5 of them. Once acquired, the apps are listed as being owned by different shell companies in the Google Play store. Here’s a company called Atoses Digital. Most of the employees on its site use stock images for pics.
They also have fake customer testimonials, like this one for a company called TapTap Video that claimed to help monetize three of the apps in the scheme. they stole the pic from a real woman.
Shell companies help you distribute your risk. If you get caught using fake traffic to inflate your ad revenue then it's the shell company & its specific publisher account that get banned. Just wait a few months, set up a newco, get new ad network account, and boom you’re back.
In this case, once an app was acquired, the fraudsters secretly tracked the behavior of human users. Then they programmed an army of bots to mimic the same behaviors. Creepy, yes. Here’s the flow to explain it. The key is making fake traffic indistinguishable from actual humans.
My investigation led me to identify +125 Android apps and websites linked to the scheme. They were spread out among like a dozen shell companies in Malta, Bulgaria, British Virgin Islands, Cyprus. etc.
Google investigated after I contacted them, and found the scheme had accounts with *88 different ad exchanges*. One insider claimed they stole hundreds of millions of $$. But by spreading it all out via different apps, websites, and companies, nobody saw the big picture.
The fraudsters were smart. They created high quality fake traffic. They spread the money around to avoid attracting attention. But they were also sloppy.
Along identifying their fake employees and customers, I was able to connect all these apps, sites, and companies via corporate registrations, domain ownership and DNS data, Play store listings, and other publicly available info. (#OSINT FTW)
Let’s look at one app.
Let’s look at one app.
It’s called Surprise Eggs - Kids Game. In the Play store and on the app’s site it says it's owned by a company called Visont. But the whois for its site says Quaret Digital. So right away we have one app, two companies.
Both of their corporate sites were recently removed after I started making inquiries. Quaret also had an employee on LinkedIn with a photo stolen from actor Sarah Ellen @Sarah3llen.
Those two companies link it to other apps. But even more important is that the app’s website was registered with the email lorentsen@yandex.ru. It was used to register a whole bunch of other websites for apps and companies that turned out to be in the scheme:
The site for Surprise Eggs - Kids Game also used the same SSL certificate and IP address as a whole bunch of other companies and apps in the scheme. So with just one app, we now have so many leads and connections. (And then the traffic analysis found common fake traffic.)
I followed the trail all the way to identify the key beneficiaries of the scheme. Read the story to meet them. And let's think about how much better off media would be if $19 BILLION went to real companies with real audience — instead of criminals /end
buzzfeednews.com/article/craigs…
buzzfeednews.com/article/craigs…
