HUMAN discovered a pirate network with 2.5 billion daily ad requests
Publication date: 2024-08-29 | Source: AdExchanger

Determining which publishers are dubious enough to exclude from the programmatic sales chain is often an ambiguous task. However, when a publisher is clearly involved in illegal activities—such as piracy—and goes to great lengths to hide it from programmatic advertisers, the need to combat it becomes apparent.
HUMAN, a company specializing in detecting and combating ad fraud, recently encountered one such clear-cut case. They investigated the activities of a Brazilian pirate project called "Camu."
During the investigation, it was revealed that publishers distributing pirated movies, TV shows, and games were placing programmatic ads next to stolen content. They used domain spoofing mechanisms to hide the real pirate websites where the ads were actually displayed.
Domain spoofing relies not only on the use of cookies but also on analyzing traffic sources. The key mechanism is referral links that allow websites to track where the user is coming from. Additionally, complex server configurations—geo-targeting and HTTP header checks—are applied. This allows more precise filtering of access to different versions of the site depending on the country, device, and even the time of day.
HUMAN's investigation demonstrates how dishonest publishers monetize stolen content through complex programmatic supply chains, successfully bypassing standard methods of ad fraud detection.
Standard methods of detecting invalid traffic (IVT) include using technologies and algorithms to detect suspicious activity on websites. Systems analyze user behavior: clicks and views that are too fast or too frequent may indicate a bot. IP addresses are also monitored—an excessive number of requests from one address may indicate fake traffic. Additionally, referral source data is compared to determine whether the traffic is coming from unreliable or suspicious sources.
It turned out that fraudsters were using methods previously known from Made for Ads (MFA) sites to hide their actions.
A Domain by Any Other Name
In December, HUMAN discovered and reported the largest fraud network to date. At its peak, this network handled 2.5 billion ad requests per day, mostly from Brazil, using more than 130 specially created domains.
William Herbig, director of fraud detection and data operations at HUMAN, explained that access to domains with pirated content is only possible through special aggregator websites.

Some Made For Ads (MFA) sites use similar tactics, showing ad-laden pages only to paid traffic. However, unlike this new fraud scheme, MFA sites can also be accessed manually by simply entering the URL in the browser.
Made For Ads (MFA) sites are web resources that exist solely to display a large number of ads, rather than provide valuable content to users. Such sites often contain unoriginal or AI-generated content, and their main goal is to attract paid traffic to increase ad impressions. MFA sites aim to buy traffic cheaply and sell it at a higher price. They are specifically optimized for ad algorithms to get more impressions and clicks without offering real value to visitors. As a result, advertisers may spend money on ad impressions on these sites, often leading to low-quality traffic and ineffective ad campaigns.
In the case of the new fraud, an advertiser trying to practice due diligence and visit the URL from campaign reports will only see an innocuous page instead of the page with stolen content.
For example, a user visits filmize.tv, mentioned in HUMAN's investigation, to watch the new movie "Deadpool and Wolverine." After clicking "Watch Online Now," the site sets a cookie that allows a URL for illegal viewing of the movie to load. On the page with the pirated content, several programmatic ads are displayed.

However, if an advertiser tries to visit the same URL directly, the browser will load a dummy site. This happens because the advertiser did not come from a pirate site, and their browser does not have the necessary cookie to load the page with the pirated content.
HUMAN's report includes a screenshot from the domain guiacripto.online, where a media player for streaming pirated content is displayed. The screenshot also shows ads for the travel aggregator Vrbo and the car rental company Sixt. However, when visiting the URL directly or clicking on a link from search results, only an innocent blog about cryptocurrencies loads.
Such domain masking is a classic sign of sophisticated invalid traffic (IVT) as defined by the Media Rating Council.
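The check an advertiser's verification crawler can run against this behavior, as an added example that is not from HUMAN's report: capture the same URL once as a direct visit and once in the navigation context the ad was actually served in, then compare the visible text and embedded hosts. The two captures, the hosts `player.example` and `ads.example`, and the 0.3 threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class PageProfile(HTMLParser):
    """Collects visible words and the hosts of embedded frames, scripts and players."""
    def __init__(self):
        super().__init__()
        self.words, self.embed_hosts, self._skip = [], set(), 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # text inside these tags is not visible content
        src = dict(attrs).get("src")
        if src and tag in ("iframe", "script", "video"):
            m = re.match(r"(?:https?:)?//([^/]+)", src)
            if m:
                self.embed_hosts.add(m.group(1).lower())
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"\w+", data.lower())

def profile(html):
    """Return (set of 3-word shingles of visible text, set of embedded hosts)."""
    p = PageProfile()
    p.feed(html)
    shingles = {tuple(p.words[i:i + 3]) for i in range(len(p.words) - 2)}
    return shingles, p.embed_hosts

def cloaking_verdict(direct_html, referred_html, threshold=0.3):
    """Compare two captures of the SAME URL: direct visit vs. visit via the referring site."""
    d_sh, d_hosts = profile(direct_html)
    r_sh, r_hosts = profile(referred_html)
    union = d_sh | r_sh
    similarity = len(d_sh & r_sh) / len(union) if union else 1.0  # Jaccard index
    return {"similarity": round(similarity, 2),
            "new_embed_hosts": sorted(r_hosts - d_hosts),
            "cloaked": similarity < threshold}

# Constructed captures (not real pages): one URL, two navigation paths.
DIRECT_HTML = "<html><body><h1>Crypto basics</h1><p>How to read a candlestick chart in five minutes.</p></body></html>"
REFERRED_HTML = ("<html><body><h1>Now playing</h1>"
                 "<iframe src='https://player.example/embed/1'></iframe>"
                 "<script src='//ads.example/tag.js'></script>"
                 "<p>Episode list and related titles.</p></body></html>")

if __name__ == "__main__":
    print(cloaking_verdict(DIRECT_HTML, REFERRED_HTML))
```

A low similarity score on its own can also come from heavily personalized or rotating content, so the list of embed hosts that appear only in the referred capture is the more useful evidence for a manual review.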
The Media Rating Council (MRC) is an American nonprofit organization founded in 1963 that sets and maintains audience measurement standards, including for the internet. Its goal is to ensure accuracy and transparency in user data so that advertisers can trust this information. In the standard issued in 2024, the MRC updated the requirements for detecting and filtering invalid traffic (IVT) and domain and identifier spoofing in CTV, and took new privacy laws into account.
"We can confidently call this IVT," Herbig stated. "There is clear deception here."
He explained that in addition to domain masking and creating different versions of websites based on user paths, these publishers hide the true source of referral traffic. They aim to create the impression that users are arriving at these pages via reputable links or from search engines, rather than from websites entirely dedicated to piracy.
Detecting Fraud
Herbig emphasized that the situation is complicated by the fact that fraudsters like Camu cannot be detected using standard programmatic fraud detection methods.
"You have real users on real devices seeing visible ads," he explained. "The challenge lies in determining the actual location where the ad is being displayed, which is difficult to do relying solely on standard metrics."
Despite the apparent similarities between fraudsters like Camu and MFA sites, Herbig notes that combating them requires different approaches. MFA sites, for example, create a specific experience for paid traffic, so analyzing the sources of that traffic is effective for detecting them. Pirate sites, however, do not focus on paid traffic, making it harder to detect them through traditional methods.
However, the presence of stolen content on pirate sites makes identifying and verifying them much easier.

According to Herbig, HUMAN was able to uncover the Camu operation thanks to the work of a special team. This team investigated the programmatic sales chains associated with monetizing pirate sites. Herbig emphasized, "No advertiser wants to monetize a pirate site."
After the exit of Western companies like Google, the Russian advertising industry faced a shortage of quality video inventory. This has led many advertisers to "turn a blind eye" to placing ads on pirate sites—one of the few remaining sources of video content. Despite their illegal activities, pirate resources are actively monetized through programmatic systems. This practice has become widespread, although it could seriously damage the reputation of, and trust in, the advertising market as a whole.
HUMAN analyzed its entire data set—over 20 trillion buy-side requests per week on three billion unique devices—in search of "red flags" potentially related to piracy. Additionally, the company tracked a number of IP addresses previously associated with known pirate sites to identify other resources they visited and uncover possible anomalies.
"We immediately noticed a pattern between the monetization sites where our clients' traffic was directed and one of these [known] pirate domains," Herbig explained. "From there, we began identifying various patterns of invalid traffic."
In particular, HUMAN analyzed every domain using the distinctive cookie settings of a known pirate site, and searched for other domains employing similar traffic source spoofing techniques.
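A sketch of pivoting on cookie settings, as an added example: this is not HUMAN's method, which the company declined to describe. Each `Set-Cookie` header is reduced to a fingerprint of its name and attributes, and only fingerprints rare enough to be distinctive are used to link domains to a known one. The crawl records, the cookie name `wgate`, and the `max_spread` cutoff are constructed assumptions.

```python
from collections import defaultdict

def cookie_fingerprint(set_cookie):
    """Reduce a Set-Cookie header to (name, sorted attributes); the value is dropped."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = []
    for part in parts[1:]:
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key in ("expires", "domain"):  # differ per response or per site
            continue
        attrs.append((key, value.strip().lower()))
    return (name, tuple(sorted(attrs)))

def related_domains(known, crawl, max_spread=3):
    """Domains sharing a cookie fingerprint with `known`.

    Fingerprints seen on more than `max_spread` domains (analytics cookies
    and similar) are not distinctive and are ignored.
    """
    by_fp = defaultdict(set)
    for domain, header in crawl:
        by_fp[cookie_fingerprint(header)].add(domain)
    related = set()
    for domains in by_fp.values():
        if known in domains and len(domains) <= max_spread:
            related |= domains - {known}
    return sorted(related)

# Constructed crawl records: (domain, Set-Cookie header). All names are placeholders.
CRAWL = [
    ("known-pirate.example", "wgate=ok; Max-Age=900; Path=/; SameSite=None; Secure"),
    ("known-pirate.example", "_ga=GA1.2.1; Max-Age=63072000; Path=/"),
    ("blog-a.example", "wgate=zz9; Path=/; Secure; Max-Age=900; SameSite=None"),
    ("blog-a.example", "_ga=GA1.2.2; Max-Age=63072000; Path=/"),
    ("blog-b.example", "wgate=q1; Max-Age=900; Path=/; SameSite=None; Secure; Domain=blog-b.example"),
    ("news.example", "_ga=GA1.2.3; Max-Age=63072000; Path=/"),
    ("shop.example", "_ga=GA1.2.4; Max-Age=63072000; Path=/"),
    ("shop.example", "wgate=1; Max-Age=60; Path=/"),  # same name, different settings
]

if __name__ == "__main__":
    print(related_domains("known-pirate.example", CRAWL))
```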
HUMAN also traced the programmatic ad sales chains monetizing known pirate domains to discover similar resources. According to Herbig, the pirate network uses a high degree of programmatic inventory reselling and the overall opacity of programmatic advertising to maintain anonymity. Often, new domains created to replace demonetized ones relied on the same intermediary chain.
Based on these findings, over the past nine months, HUMAN has implemented seven different pre- and post-bid measures aimed at preventing ads from being shown on pirate domains. While this type of fraud is still active, HUMAN has managed to reduce the advertising activity associated with these domains from 2.5 billion daily requests to 100 million.
Herbig declined to describe in detail the measures taken by HUMAN, fearing that this could serve as a guide for fraudsters.
Made For Invalid Traffic (MFIVT)
According to Herbig, HUMAN believes the optimal solution to the problem is for the industry to reach a clear consensus: all traffic to pirate sites should be classified as invalid traffic (IVT).
However, combating pirate sites, unfortunately, does not solve another serious problem—sites specifically created for ad placements (MFA).
In the context of the article, it's worth looking at MFA sites from a different angle. Despite their negative reputation, such resources may attract a real audience that interacts with ads, even if unintentionally. With effective verification solutions in place to protect against bots and fake impressions, advertising on MFA sites can be a cost-effective and even beneficial option for advertisers. Given the limited advertising platforms and shrinking inventory, using MFA sites with proper verification and targeting may be a reasonable solution to reach the target audience with minimal costs. Perhaps it’s not worth completely abandoning these sites if your goal is cost-effective impressions for real users.

AdExchanger asked HUMAN to compare the new pirate network with the MFA subdomain scandal at Forbes, which shook the industry. Despite both cases involving sites that could change depending on the traffic source, a HUMAN representative stated, "There is no connection between this case and previous domain spoofing incidents."
In the case of Forbes, the issue involved the incorrect reporting of the "www3" MFA subdomain in ad requests. In the situation with pirate sites, according to the press service, "there were no discrepancies with the base root or subdomain." They added that in this new case, "the distortions are related to loading two completely different sites from the same URL depending on how the user navigated to the site," rather than using different URLs for different traffic sources.
Nevertheless, pirate sites engaged in clearly illegal activities are easier to demonetize than MFA sites. While MFA sites may manipulate programmatic advertising systems, they are not necessarily breaking the law.
"These domains are created for generating invalid traffic, not for advertising," Herbig claims. "They grossly violate all acceptable standards in our industry."