Keypoints
- Automation and accessible tooling have lowered barriers for fraudsters, increasing the scale of ad fraud operations.
- Ad fraud artificially inflates performance metrics, resulting in an estimated $100 billion in losses by end of 2023.
- Sophisticated campaigns (e.g., Methbot and 3ve) relied on robust bot infrastructures that mimicked human activity to generate fake impressions and leads.
- Consequences include distorted analytics, inaccurate targeting, deceptive lead submissions, and reputational risk for ad-tech intermediaries.
- Stakeholders are urged to adopt automated solutions to detect and block invalid traffic (IVT) and to integrate threat intelligence into ad spend monitoring.
- AI is expected to play a growing role both in enabling more sophisticated fraud and in improving detection and prevention capabilities.
MITRE Techniques
- [T1071.001] Web Protocols – Fraud bots generate and manage HTTP(S) traffic to simulate user interactions and inflate ad impressions (‘establishment and maintenance of formidable bot infrastructure capable of imitating human activity’).
- [T1588] Acquire Infrastructure – Ad fraud actors leverage readily available automation solutions and services to build scalable fraud operations (‘increasing accessibility of automation solutions has lowered barriers to entry for fraudsters’).
- [T1036] Masquerading – Fraudulent entities and bot traffic are presented as legitimate users or publishers to deceive ad platforms and advertisers (‘inflation of performance metrics through automated bot software and tools’).
- [T1110] Brute Force (or credential misuse) – Automated tools may use credentialed or semi-credentialed access patterns to submit deceptive leads or interact with ad endpoints, skewing targeting and reporting (‘deceptive lead submissions’ and manipulated analytics).
Indicators of Compromise
- [Domain/URL] Report and source domains – https://go.recordedfuture.com/hubfs/reports/cta-2023-1113.pdf, https://www.recordedfuture.com/improving-automation-accessibility-drive-ad-fraud-losses
- [Domain] Related CDNs and resources used as references/images – cdn2.hubspot.net, services.google.com, cms.recordedfuture.com (image and whitepaper links)
- [Operation Names] Known fraud campaigns – Methbot, 3ve (referenced as examples of sophisticated bot-based ad fraud)
- [File] Report PDF – /hubfs/reports/cta-2023-1113.pdf (downloadable analysis referenced in the article)
Ad fraud operations scale by deploying automated bots and purchasable tooling to generate large volumes of synthetic ad impressions and form submissions that mimic human browsing patterns. Operators set up and maintain distributed bot infrastructure that issues HTTP(S) requests to ad endpoints and publisher inventory, allowing them to inflate metrics such as impressions and clicks and to submit deceptive leads; these behaviors distort analytics and ad spend attribution. High-profile examples like Methbot and 3ve illustrate how coordinated bot fleets and fake publisher ecosystems can be used to monetize falsified traffic at scale.
Mitigation requires automated IVT detection integrated into programmatic pipelines, continuous ingestion of threat intelligence about known campaigns and infrastructure, and behavioral analysis to distinguish genuine user interactions from scripted bot activity. Deploying AI and machine-learning models can improve detection of anomalous traffic patterns (rate, user-agent inconsistencies, navigation timing), while cross-referencing domains, resource signatures, and campaign telemetry helps attribute and block fraudulent sources. Proactive strategies include monitoring ad spend efficiency, validating publisher inventory, and applying realtime filtering rules to reduce exposure as fraud techniques evolve.
Read more: https://www.recordedfuture.com/improving-automation-accessibility-drive-ad-fraud-losses