What is Ad Fraud: An Easy Yet Comprehensive Guide


The only guide to ad fraud you’ll ever need. Understand what ad fraud is, the different ad fraud types and how to tackle it.

Ad fraud is any revenue or attempted revenue generated fraudulently from digital advertising. This revenue is usually illegally generated from fake clicks, phony installs, simulated in-app actions or falsely inflated impressions.

Ad fraud is the second-largest organized crime, second only to drugs. You might not be able to tackle drugs, but with a 1-2 hour setup you can start to significantly reduce your fraudulent traffic, including real-time fraudulent traffic. In H1 2019, The Drum estimated that $2.3 billion was siphoned from marketing budgets globally due to mobile ad fraud alone (not including desktop ad fraud). Thus, the problem is cumbersome, but the solution does not have to be.

What is Ad Fraud

Ad fraud can generally be categorized into two forms: desktop and mobile ad fraud. Desktop ad fraud is when illegal revenue is generated from desktop advertising campaigns, such as programmatic, native advertising, display, and CPC or impression campaigns. 

Mobile ad fraud is when illegal revenue is generated from mobile campaigns. These campaign types are usually app-based and are on a CPI (cost per install) or CPA (cost per action) model. 

Many different methods generate this fraudulent revenue, so there are different ad fraud types you should know. These almost always involve fooling or hacking MMPs (mobile measurement partners) or attribution networks into misattributing genuine paid or organic installs (attribution fraud), or simply faking advertising events that never happened.

Essentially, ad fraud attacks the advertising cycle as it is happening live, and tricks advertisers into paying for clicks, installs and impressions that either:

      1. Never happened
      2. Were organic
      3. Were paid, but should be attributed to another source

This is ad fraud in a nutshell. However, as mentioned previously, there is a wide array of techniques and ad fraud types. Understanding these is crucial to detection and prevention. We will discuss this below. 


The Different Types of Mobile Ad Fraud

SDK Spoofing

Imagine you’re trying to break into a secret night club that is only for orcs. To get in, you need to tell the bouncer the secret password (which is of course, in a secret orc language). You stalk the orcs entering into the night club, learn the language. You then put on your best orc mask, mimic the orc language, and if the bouncer is fooled, BOOM, you’re in! That is a rudimentary metaphor for SDK spoofing. 

SDK spoofing is when hackers listen to the essential signals and communication between MMPs, ad networks and app stores, and then mimic them. The signal is replicated (with any necessary or desired alterations) and sent to the MMP. It often simulates real installs, perhaps post-install actions, registrations, anything the hacker or spoofer desires. The only limitation to SDK spoofing is the spoofer’s coding and hacking ability. SDK spoofing is one of the most challenging forms of ad fraud to detect, as it mimics human behavior.

These codes can usually be created simply using Notepad, sent millions of times from perhaps a simple residential computer, and hacked into the MMP or attribution tool. This might seem like an advanced form of ad fraud that is perhaps a rarity; however, our 2019 Q2 report shows that SDK spoofing accounted for 20% of fraudulent mobile traffic.

An additional layer of threat is that once SDK spoofing is mastered, it can easily be replicated for all other app campaigns that use the same MMP. 

Click Spamming

Click spamming is as the name suggests: clicks, and many of them. The fraudster sends large volumes of fake clicks to the MMP or attribution tool and waits for an organic install to happen. That organic install is then mistakenly attributed to the fake click as a paid install. If this happens, the fraudster receives the advertiser’s money for that click or install. The chances of this happening are quite low, as it relies upon an organic install taking place. Thus, this method is only successful when the clicks are sent in large volumes. We’re talking millions.

This is one of the earliest and simplest forms of ad fraud, and thus, is one of the easiest to detect. Interceptd has our own click spamming alarm, which uses metrics such as click-to-install time distribution to detect click spamming. 

Click Injection

Click injection is yet another click-based ad fraud. The aim is to steal the attribution of organic or paid installs by being the last click associated with that install. The fraudster simply sends fake clicks to the attribution tool after an install has begun. Thus, the MMP may attribute the install to the fake click, as it was the last click it received associated with that install.

How are these click injection clicks sent? Through a few methods. A common method is when a genuine device is unknowingly hosting malware or another kind of malicious app or software. This usually happens when the genuine user downloads a genuine-looking app from the app store, which is actually adware, malware or other kinds of malicious software. Again, this might sound like it is a rarity, however, Google Play deleted over 700,000 malicious apps in 2018 alone. 
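The click-to-install time (CTIT) signal mentioned for click spamming also separates click injection, so the sketch below covers both. It is an added example, not Interceptd's code: the thresholds, function names and sub-publisher names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the article.
INJECTION_MAX_S = 10      # click-to-install time too short for a real download
SPAM_MIN_S = 24 * 3600    # install credited to a click that is over a day old
FLAG_SHARE = 0.30         # share of a source's installs that raises a flag
MIN_INSTALLS = 5          # too few installs to say anything about a source


def ctit_by_source(installs):
    """Turn (sub_publisher, click_ts, install_ts) rows into CTIT lists (seconds)."""
    per_source = defaultdict(list)
    for source, click_ts, install_ts in installs:
        per_source[source].append(install_ts - click_ts)
    return per_source


def classify(ctits):
    """Label one source from the shape of its CTIT distribution."""
    n = len(ctits)
    if n < MIN_INSTALLS:
        return "insufficient_data"
    very_short = sum(1 for c in ctits if c < INJECTION_MAX_S) / n
    very_long = sum(1 for c in ctits if c >= SPAM_MIN_S) / n
    if very_short >= FLAG_SHARE:
        return "suspected_click_injection"   # last click landed just before first open
    if very_long >= FLAG_SHARE:
        return "suspected_click_spamming"    # old clicks matched to unrelated installs
    return "no_ctit_anomaly"


def review(installs):
    """Return a verdict per sub-publisher."""
    return {src: classify(c) for src, c in ctit_by_source(installs).items()}


# Constructed sample data: CTIT values in seconds per hypothetical sub-publisher.
_T0 = 1_700_000_000
_CTITS = {
    "pub_clean": [45, 90, 120, 300, 600, 1800],
    "pub_inject": [2, 3, 4, 5, 7, 60],
    "pub_spam": [120, 30000, 90000, 150000, 200000, 400000],
    "pub_tiny": [50, 70],
}
SAMPLE = [(src, _T0, _T0 + c) for src, cs in _CTITS.items() for c in cs]

if __name__ == "__main__":
    for source, verdict in review(SAMPLE).items():
        print(f"{source:12} {verdict}")
```

A CTIT flag is a reason to look at a source, not proof on its own; it is one of several indicators the article lists for these two fraud types.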

Bots and Emulators

Remember the days, when you used your computer to emulate that it was a Nintendo Advance, so you could play your favorite Zelda or Pokemon games on the elegance of your big PC screen? You were using emulation software. There are a host of devices, such as bots, phones, and PCs that can be used as tools for ad fraud.

Emulators can be used to make any device look like a mobile phone, to simulate an install that looks real. Obviously, if an app install reports that it comes from a desktop, it will clearly be ad fraud. Thus, fraudsters use emulators.

This is not necessarily another category of mobile ad fraud, however, it can be a technique or tool used to perpetrate other mobile ad fraud types, such as click spamming, SDK spoofing and so forth. 

Device Farms

Device farms are a collection of devices (usually outdated androids and iPhones) that are all programmed to install, and then reset and repeat. The fraudulent device owners are farmers, and they plant the fraudulent devices and collect a handsome yield in the form of fraudulently generated ad revenue from their device crops.

With the number of phones overtaking the number of humans, there is certainly an easy source of these ad fraud tools for creating a significant device farm.

We have a device farm alarm. Some of the signals used to detect this type of ad fraud are a mismatched device IP, or an operating system that is outdated and not compatible with the app.


[Infographic: click spamming and click injection, two of the most common forms of ad fraud and mobile ad fraud]

The Different Types of Display Ad Fraud

Cookie Stuffing

Cookie stuffing is a form of impression and CPA (cost per action) attribution fraud. It uses a technique similar to click spamming; the difference is that click spamming targets install fraud rather than impression-based fraud. How does cookie stuffing occur? A genuine user’s browser is stuffed with cookies. This will likely not alarm the user or browser, as cookies are common. These cookies might even come from sites that are not related to advertising. Once an organic or paid purchase or impression happens, there is a chance that the attribution tool or MMP might mistakenly attribute the paid action or organic impression to the fraudulent cookie stuffer. This is because there is always a chance of technical error or missing information. If that happens, the fraudulent cookie can take advantage of that hole, steal the attribution and get paid.

Click Farms/Device Farms

Click farms are very similar to device farms; however, the main fraudulent activity they produce is clicks, and they generally target impression ad fraud. This ad fraud type is one of the oldest and least sophisticated. Click farms rely upon large volumes of clicks, performed repeatedly, sometimes by manual labor and sometimes by programmed devices. The manual labor might be a group of individuals working either in the same location or perhaps remotely. A click or device farm was recently taken down in Bangkok, Thailand in 2019.

Ad Stacking

This is also known as “invisible ads” and is a type of impression ad fraud. Ad stacking is a stack of ads, clever name, huh. Because the ads are stacked on top of each other, the audience only sees the top ad, which obscures the ads stacked underneath it. However, the ads stacked underneath still get counted as achieving a successful impression or view. It is the scammer’s version of killing two (or 2, 3, 5, 10, 100, etc.) birds with one stone. Sneaky.

Pixel Stuffing

Pixel stuffing follows a similar method to ad stacking: many ads all receive a payout for impressions, but only one is truly being seen by the audience. The difference is the method of concealment. Unlike ad stacking, which stacks ads on top of each other, pixel stuffing merely reduces an image to a size undetectable by the human eye and places it within an ad. Thus, the ad is truly there, you just can’t see it. This is yet again a form of impression ad fraud.

Domain Spoofing

Domain spoofing is another type of impression ad fraud. This is when fraudsters show their site as a premium site, although the opposite is true. This is achieved by modifying ad tags and malware ad injections. For example, a genuine user might unknowingly download a malware app, then the malware may start generating its own code in the user’s internet browser and begin injecting ads into their browser’s screen. 

Fraudsters obtain access to the code in the ad tag and then imitate any property. Advertisers will therefore think that their ads are published on premium sites, when they are in fact featured on low-quality properties.

Ad Injection

This is a type of impression ad fraud that injects ads on any website without the user’s or the website owner’s consent. These ads can be displayed in sections of the website not designed for ads, or perhaps cover another ad. Fraudsters often achieve this through malicious toolbars or adware plugins that genuine users unknowingly download onto their web browser. Read below how to detect malicious apps and plugins.


Tips to Prevent Ad Fraud In-House

      1. Hire a data scientist
      2. Analyze your business intelligence data. Does the revenue match the MMP’s data?
      3. Always cross-check data
      4. Ask for refunds from Ad networks (tricky process, but it is possible)


How Does Interceptd Prevent Ad Fraud

Without getting too technical and giving away our unique machine learning algorithms, here is our mobile ad fraud prevention and detection method in a nutshell. Below is a table of some, but not all, of the indicators we use to detect and prevent various ad fraud types. All of these indicators are used in either a probabilistic or deterministic way. This means that some indicators are taken as certain evidence of ad fraud, whereas others are seen as troubling and alert our machine learning algorithm to take notice of that potentially fraudulent sub-publisher or ad network.

Essentially, probabilistic tells our machine learning system “this is MAYBE ad fraud”, deterministic says “this is DEFINITELY ad fraud”. Having a blend of these two methods is vital to catching a wide array of ad fraud types, as methods, tools, and techniques vary and change over time. It is also important for not producing too many false positives (over-blocking).

Here are some of the indicators and data points our complex machine learning algorithms use to keep your marketing budgets safe:

Ad Fraud Type | Indicators (some but not all, we cannot give away all of our expert secrets)
Click Spamming | CTIT Distribution, Conversion Rate, IP Entropy, IP Quality
Click Injection | Install Referrer, CTIT
SDK Spoofing | Country mismatch, Duplicate IP, High conversion speed, IP Entropy, Missing Install Referral Time, SDK version mismatch
Bots and Emulators | Country mismatch, IP Quality, IP Entropy, IP Reputation, App Version Mismatch
Device Farms | Country mismatch, Conversion Rate, Duplicate IP, IP Entropy, IP Reputation, OS Version Distribution
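One way the deterministic/probabilistic blend described above could be applied to two of the device farm indicators, as an added example that is not Interceptd's algorithm. Treating an unsupported OS version as deterministic and low IP entropy as probabilistic is an assumption made here, as are the thresholds, the function names and the constructed sample data.

```python
import math
from collections import Counter

# Assumed values for illustration; the article publishes no thresholds.
MIN_OS_MAJOR = 10      # hypothetical lowest OS major version the app runs on
ENTROPY_FLOOR = 0.6    # normalised IP entropy below this sends a source to review


def normalised_ip_entropy(ips):
    """Shannon entropy of install IPs divided by log2(n).

    1.0 means every install came from a different IP; 0.0 means one IP only.
    """
    n = len(ips)
    if n < 2:
        return 1.0  # a single install carries no distribution to judge
    h = -sum((c / n) * math.log2(c / n) for c in Counter(ips).values())
    return h / math.log2(n)


def assess(installs):
    """installs: list of (ip, os_major) tuples for one sub-publisher."""
    # Deterministic: the app cannot run on this OS, so the install is rejected.
    rejected = [i for i in installs if i[1] < MIN_OS_MAJOR]
    accepted = [i for i in installs if i[1] >= MIN_OS_MAJOR]
    # Probabilistic: many installs from few IPs is suspicious, not proof.
    entropy = normalised_ip_entropy([ip for ip, _ in accepted])
    verdict = "review" if entropy < ENTROPY_FLOOR else "allow"
    return {"rejected": len(rejected), "ip_entropy": round(entropy, 3), "verdict": verdict}


# Constructed sample data (documentation IP ranges, hypothetical sources).
FARM = [("203.0.113.7", 12)] * 6 + [("203.0.113.8", 12)] * 2 + [("203.0.113.7", 7)] * 3
ORGANIC_LIKE = [(f"198.51.100.{i}", 13) for i in range(1, 9)]

if __name__ == "__main__":
    print("farm   ", assess(FARM))
    print("organic", assess(ORGANIC_LIKE))
```

Keeping the probabilistic result as "review" rather than "block" is what limits over-blocking: shared office or carrier NAT addresses also lower IP entropy.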


How do Fraudsters Make Money From Ad Fraud

Fraudsters do make money. A lot of money. To achieve this, they must be a sub-publisher in an ad network. Not a good one, but a sub-publisher nonetheless. Through a variety of the aforementioned methods (SDK spoofing, click injection, etc.) they trick MMPs or attribution tools into attributing paid events (installs, clicks, etc.) to the fraudulent sub-publisher. The advertiser then pays for it.


How to Detect a Malicious App or Plugin or Adware?

The reason why the genuine user might unknowingly download a malware or adware app or plugin is that they are often disguised as legitimate. Some examples might be a simple flashlight, photography or notepad app or perhaps a grammar, screenshot or time-zone plugin. Often these malicious apps perform their advertised function, thus, they do not alarm the genuine user. 

Additionally, these malicious apps often purchase fake reviews. Thus, one calling card of a malicious app is a large number of both 1-star and 5-star reviews. This does not follow a normal distribution pattern and is an indication of fake reviews, which malicious apps will often use. You can also check the reviews to see if they appear to be genuine. Fake reviews will often be shorter and not include many specific details. Also, check the 1-star reviews. If there are a lot of reviews that seem to contradict the 5-star reviews, this is also an indication of a potentially harmful plugin or app.

Try to only install and download plugins and apps from reputable sources. Check their other apps. Many malicious developers will make many unrelated simple apps or plugins. Another calling card is apps that do not work. If any reviews are claiming that the app merely does “nothing” and does not work, this is a strong sign it is a malicious app. Unfortunately, once installed, many malicious apps and plugins have in-built methods to evade deletion and un-installs. Additionally, these malicious apps often drain the user’s battery due to the additional hidden evergreen functions they run in the background. 


Final Thoughts

Kylie Minogue once sang “It’s better the devil you know”. This is not the case for ad fraud, as those affected are often reluctant to accept and act, and awareness is still dangerously low (see infographic below). The hegemonic view is that “it is somebody else’s problem”. Once you factor in the cost of ad fraud, which siphons about 30% of ad budget, there is very little budget left for sustainable growth.

One might assume the problem is insurmountable. Not so. 

The solution is simple, fast and affordable. At least with Interceptd, it is the case. Yes, I know this sounds super sales-y, however, these are facts.  


      • Intuitive dashboard – easy to use.
      • Works without your input.
      • A consultant will onboard every client.
      • No SDK required.
      • Can integrate with any MMP


      • Only adds an extra 5 milliseconds to the advertising speed
      • Only 1-2 hours to get started
      • Prevent fraud in real-time. Before you pay for the fraudulent traffic


      • The estimated savings tab shows money saved and ROI is easily calculated. Most customers achieve an ROI within the first month. 
      • Optimize your clean traffic with our AI-based algorithms
      • Block low-performing sub-publishers. 

There is truly no better test than a free trial. Click the button below to begin your 2-week free trial. We’ll contact you with one of our friendly consultants to give you a bespoke ad fraud prevention experience to fit your needs.


Did you like this article? Have a question you’d like answered? Leave your comments below! We are also working on extending this into an e-book, so any suggestions, comments, and questions will help shape that future content. 

