Updated: 'RedEye' fraud op suspected to exploit digital ad industry in China

Adbug, a third-party verification company tracking ad fraud in China since the end of 2016, believes it has collected enough data to claim discovery of what it calls China’s largest ad fraud operation to date. In a report detailing its findings, Adbug outlines the steps that the operation, which it dubbed 'RedEye', uses to threaten advertising effectiveness for brands.

The name stems from some text embedded in fraudulent sites, as seen above.

According to Adbug, over 100 brand advertisers have incurred losses from fraudulent RedEye ad impressions, with their ads displayed beside inappropriate soft-porn content or on unwanted websites (see examples of video evidence here).

Among the brands victimised, according to Adbug: Proctor & Gamble brands Olay, Safeguard, Whisper and Tide; luxury goods makers such as Dior, Chanel and Bulgari; food and beverage brands such as Oreo, Master Kong and C'estbon; skincare brands L'Oreal Paris, Lancome and Maybelline; infant formula brands Abbott, Wyeth and Friso; car manufacturers Buick, Ford and Lincoln; and even high-tech brands such as Apple.

None of the ad placements shown by Adbug are authorised ads placed by the brands themselves. Rather, the materials used are from past campaigns—all publicly available.

The RedEye operation works by using iframes to embed this material in its network and generate fake views, according to Adbug. The operation also connects a number of 'traffic exchanges' that generate non-human traffic for thousands of digital publishers (mostly small websites like kx1d.com, guntian.com or uyooo.com).

Most of the URLs indicated in the Adbug report are not registered websites under the Ministry of Industry and Information Technology (MIIT) of the Chinese government. “It is easy to cheat and build an illegitimate website by various means to attract traffic and earn advertising revenue,” said Martin Zhang, Adbug CEO.

More than 300,000 URLs and mobile apps are involved in complex layers of up to 99 different nodes. Visiting a node loads an iframe that automatically generates botnet traffic (and therefore fraudulent ad impressions) for other nodes in the RedEye network.

Even when a publisher in the RedEye network is blacklisted by an advertiser and its corresponding iframe is blocked, other nodes in the network are not affected, stated Adbug, as the operators of RedEye can easily recruit more nodes to strengthen the network.

Because iframe embed codes are implemented at the publisher side, AdBug recommends brands to trace the trails of ad fraud on their own according to relevant media plans from the past three years.

The Adbug investigation also claims that many ads in the RedEye network were accompanied by fraud-detection code from leading ad-verification firms in the Chinese industry. However, these codes usually failed to discern any unusual activity, Zhang said.

"The pixel-tracking technology used by most Chinese measurement firms is unable to detect whether an ad is embedded in RedEye's code," Zhang said in a statement. “Meanwhile, the Chinese ad industry is often guilty of negligence. Agencies, DSPs, SSPs and ad exchanges tend to turn a blind eye to fraudulent practices, as there are no incentives to monitor true traffic.”

Pixel tracking is meant to help expose abnormalities in advertising results. However, even if it highlights questionable results, most brands are unable to pinpoint tangible proof of fraud, according to Zhang. Pixel tracking has limitations, and cybercriminals are able to come up with counterstrategies over time, he added.

An iframe is essentially a container that can embed or nest webpage elements from one site into another. The nested target, that is, the object referenced directly from within the iframe, can be a webpage containing an advertisement, or ad-tracking pixels, or a picture, or a video player, for instance.

The ad tracking pixel, a 1x1-pixel imvisible image, once loaded, may count as one ad exposure.

This diagram from Adbug shows how the alleged fraud network embeds pixel-tracked material into fraudulent sites.

In this video example, a well-designed iframe container has embedded an iQiyi video player showing ads by Pandora, Abbott, and Tide, onto a vulgar website.

The nested target can also contain fake parameters (such as device ID, MAC address, referrer, user agent, etc.) designed to “blindside” and “deceive” the tracking pixels, Zhang said, so that the view seems to come from a legitmate user.

Thus, Adbug maintains that a pixel-tracking solution can only record ad delivery data, which can be falsified or spoofed, without the ability to verify its authenticity.

"In addition, financial-rebate partnerships between publishers and agencies create a lack of transparency, which is exacerbated by a general reluctance to involve fraud-detection firms," Zhang posited. "There have even been instances of media agencies colluding with measurement companies and fabricating data in order to solicit new business."

The questionable ad environments shown in Adbug's report cannot be reproduced today for verification, to some media agencies’ dismay. Fraud technology has evolved so much that domain spoofing and the distribution of fraudulent traffic can be automated—which are already basic skills of fraudsters, Adbug pointed out.

Based on Adbug’s “conservative” estimations (see below), RedEye is costing brand advertisers at least US$3 million (RMB20 million) per day spent on counterfeit inventory. The sum is said to be calculated by extrapolating from the proportion of defrauded, pixel-tracking advertisers that are also Adbug’s clients.

Much of the evidence shown is screenshots of ads appearing on unsafe sites, so some industry watchers feel that the captured examples are unrelated to iframe-embedded fraudulent traffic.

To this, Adbug’s explanation is: the only aim for RedEye’s iframe-nesting tactics is to redirect adverts (along with their tracking pixels) to where there is traffic, like unsafe sites or apps. Web traffic is concentrated in these places, making them the most convenient tools for ad fraud.

The risks of brand safety and fake traffic go hand in hand and cannot be separately discussed, stated Adbug, in defence of criticisms that its report exaggerates the situation.

“In our humble opinion, the scale of the RedEye fraud operation could be much larger,” added Zhang. “If there are collective efforts from different parties to fight against it, we believe there will be fewer losses for advertisers, which is also our intention behind releasing this report. All the visual evidence is a real but painful reminder that we shall have to all face the problem, in order to drive a healthier advertising market.”

Editor’s note: We removed this article from the website temporarily in response to questions raised by multiple industry parties. We have now replaced the article after doing additional reporting and adding clarifications that address the issues raised.