Click fraud: Auto-redirects are costing advertisers and publishers $1.3 billion a year

Anne Freier

In Mobile Advertising. January 16, 2018

According to a new report, auto-redirects are costing advertisers and publishers $210 million each year and another $920 million by enabling click fraud. The study, run by GeoEdge, found that hidden redirects are directly linked to click fraud.
Auto-redirects now make up almost half (48%) of all malvertising. The US accounts for the largest number of auto-redirects (48%), with the majority of them occurring on mobile devices (72%), followed by desktops (27%).

Part of the problem on mobile devices is that users are accustomed to clicking warnings that pop up on their screens. Malvertisers can take advantage of this by redirecting to pages that resemble popular sites such as Google. More sophisticated schemes are making use of this lookalike effect to make users believe they’ve been redirected to an official site.
The findings by GeoEdge uncovered various types of redirect attacks.
Some attacks involve taking users straight to the app store. However, others are hidden. The mobile browser then opens multiple URLs to complete fraudulent clicks.
One of the redirect attacks was whitelisting premium publishers such as Forbes and The Wall Street Journal.

“The click-fraud scam is highly attractive to hackers, as they can slip into the convoluted labyrinth of the ad tech ecosystem without detection and get a payday,” the report notes.

Click fraud is a growing problem. Back in 2016, a botnet called “Redirector.Paco Trojan” infected 900,000 IPs across the globe.
However, the real challenge is detection. Even if one attack source is identified, there’s a good chance it will simply be replaced. This makes it much harder for ad verification tools to discover these attacks. Hackers are also becoming more sophisticated.
One way networks can protect themselves is by consistently scanning the performance of their campaign sources.
In addition, GeoEdge provides its own auto-redirect protection, which can pinpoint ads that include a redirect script.