We’ve already explored Google’s influence on what you see on the Web, but its YouTube site was itself the victim of more malign attention, as the ads it displayed were hijacked by a plugin.
Online ad fraud has been an unfortunate feature of the Web ever since advertisers first started paying for clicks. From botnets that use thousands of compromised computers to falsely view billions of pages and adverts (one single botnet dubbed “Chameleon” was estimated to cost display advertisers $6m a month), to cookie stuffing, ad “stacking” and 1×1 pixels, fraudsters continue to develop innovative new ways of cheating advertisers out of their advertising dollars.
Earlier this month, London-based security firm spider.io revealed a new browser plugin which changed the ads displayed on YouTube. Users who downloaded the innocent-sounding “Easy YouTube Video Downloader” or “Best Video Downloader” had an additional layer of advertising superimposed on the genuine YouTube inventory.
This new superimposed inventory was then sold, through mainstream ad networks, to premium advertisers such as Amazon, BlackBerry, Kellogg’s, Marriot and Toyota, and even to ‘malvertisers’ – malicious online advertisers that use ads to spread malware to new users.
This is a major issue for the industry, as these injected ads:
- deprive publishers of revenue, which is diverted by the plugin;
- reduce or eliminate the targeting of brands’ advertising and hence distort ROI;
- undermine trust and credibility in legitimate advertisers, and in the ad networks; and
- distort ad prices.
While it’s likely to be impossible to stamp out the problem of ad fraud altogether, there are ways in which advertisers and publishers can minimise its effect:
- avoid using simple KPIs like CPM to measure performance as these are far too easy to exploit;
- instead, rank your paid advertising channels by return on investment and prioritise your spending based on that list; and
- use reputable ad networks with well maintained blacklists that can avoid displaying your ads to dubious and potentially hijacked IPs.
- analyse and monitor your site traffic for patterns to assess whether it is genuine human traffic, or something else. For example, the click co-ordinates and mouse traces from human visitors are likely to be fairly similar to each other, whereas a botnet will be significantly more random.
- if you receive a sudden spike in traffic, don’t rest on the comforting assumption that your content has become unexpectedly but compellingly more interesting – it may just be that a botnet has you in its sights…