
OWASP Automated Threat (OAT-003) Ad Fraud

Ad Fraud – False clicks and fraudulent display of web-placed advertisements.

What is Ad Fraud?


Ad fraud is an automated security threat that involves false clicks and fraudulent display of web-placed advertisements. It is the falsification of the number of times an item such as an advert is clicked on, or the number of times an advertisement is displayed. It is performed by owners of websites displaying ads, competitors, and vandals.

Ad Fraud is also known by terms such as advert fraud, adware traffic, click bot, click fraud, hit fraud, impression fraud and pay per click advertising abuse.

The Symptoms of Ad Fraud


OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of ad fraud. These include:

  1. Common patterns – such as the same referrer or user agent – in click or impression spikes (peaks)

  2. Low conversion rates during the spikes

  3. Unusual peaks in the number of clicks or impressions

  4. No increase in the number of conversions during peaks in impressions or clicks

  5. Drop in the number of page views during peaks in impressions or clicks

  6. Higher bounce rate during peaks in impressions or clicks
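The symptoms above can be checked together against click logs. The following is an added example, not OWASP's or the original page's code: it flags hours where clicks spike, conversions do not follow, and one referrer/user-agent pair dominates. The log fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample_events():
    """Constructed sample log: (hour, referrer, user_agent, converted)."""
    events = []
    for hour in range(6):
        for i in range(20):  # normal traffic: varied sources, 10% conversion
            events.append((hour, f"https://site{i % 4}.example/",
                           f"Browser/{i % 5}", i % 10 == 0))
    # Hour 3: 200 extra clicks sharing one referrer and user agent, none converting
    events += [(3, "https://pub.example/", "Bot/1.0", False)] * 200
    return events

def flag_suspicious_hours(events, spike_factor=3.0, dominant_share=0.5):
    """Return hours showing a click spike, a conversion rate below half the
    typical rate, and a single (referrer, user agent) pair behind most clicks."""
    by_hour = defaultdict(list)
    for hour, ref, ua, converted in events:
        by_hour[hour].append((ref, ua, converted))
    # Medians keep the baseline from being skewed by the spike itself
    base_clicks = median(len(rows) for rows in by_hour.values())
    base_rate = median(sum(c for _, _, c in rows) / len(rows)
                       for rows in by_hour.values())
    findings = []
    for hour, rows in sorted(by_hour.items()):
        clicks = len(rows)
        if clicks < spike_factor * base_clicks:
            continue  # symptom 3: no unusual peak in this hour
        rate = sum(c for _, _, c in rows) / clicks
        (ref, ua), count = Counter((r, u) for r, u, _ in rows).most_common(1)[0]
        share = count / clicks
        # symptoms 2 and 4: low conversion; symptom 1: common referrer/user agent
        if rate < 0.5 * base_rate and share >= dominant_share:
            findings.append({"hour": hour, "clicks": clicks,
                             "conversion_rate": round(rate, 4),
                             "referrer": ref, "user_agent": ua,
                             "share": round(share, 2)})
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious_hours(build_sample_events()):
        print(finding)
```

Page-view and bounce-rate symptoms need analytics data that click logs alone do not carry, so they are not covered here.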

Sectors Targeted by Ad Fraud


Ad fraud attacks are aimed at a variety of sectors including entertainment, financial, health, retail, technology, and social networking industries.

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, says ad fraud includes the falsification of the number of times an item such as an advertisement is clicked on or the number of times an ad is displayed. It's performed by owners of websites displaying ads, competitors, and vandals.

Ways to Prevent Ad Fraud Security Threat


OWASP suggests several possible countermeasures to address the threat of ad fraud. These include:

  1. Limiting the maximum benefit offered in defined time periods, using multi-touch attribution instead of the last click, not hosting advertisements in some parts of applications, documenting all types, locations, revenue methods and any providers of advertising and refining logging requirements that capture sufficient information for thorough analysis of conversion and familiar patterns.

  2. Identifying and restricting automated usage by fingerprinting, using the fingerprint as a factor in determining click or impression quality, and requiring identity authentication, re-authentication or some other increased authentication assurance in areas where advertisements are displayed so that clicks and impressions can be more easily attributed.

  3. Enterprises can build limitations in liability on fraudulent clicks and impressions into contractual and commercial terms and define actions to be taken in the event an ad fraud attack is detected.

All of the above proactive measures fight back against malicious users without causing harm to legitimate users. But some dedicated fraudsters will go to greater lengths to strengthen their ad fraud efforts.

Online businesses can also opt for a bot mitigation solution that prevents ad fraud and other OWASP automated threats in real time without affecting any legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.

These security measures help you build a stronger defense against ad fraud and other automated threats.