We’ve devoted several inches of this space in recent weeks to the marketing-killing phenomenon of ad blockers being installed by the millions on people’s PCs and mobile devices. For now, their effect is primarily confined to small publishers dependent on programmatic ad revenue for sustenance. Meanwhile, a new botnet has been uncovered that’s affecting leading publishers and Fortune 500 companies, one that could swallow up $3 billion in fraudulent ad impressions in the coming year.
Fraud protection company Pixalate claims to have discovered Xindi, a botnet that takes advantage of the Amnesia Bug in the OpenRTB protocol, the standard for programmatic buying. Unlike most ad fraud bots that arrive at their ill-gotten gains via clickjacking—getting ads served to bogus websites—the Xindi leeches practice impression fraud. They imitate legitimate users by repeatedly loading a page to chalk up multiple, seemingly high-value, impressions.
Pixalate contends that Xindi has infiltrated six to eight million machines at 10% of the Fortune 500 companies, 1,500 universities, and 200 financial institutions. Organizations rated by Pixalate to have infiltration risk scores of 90% or higher include Citigroup, General Motors, Marriott International, and Wells Fargo. Their networks generally enjoy good reputations and generate high CPMs in ad buys.
Exploiting the Amnesia Bug enables Xindi to conceal the true status of an ad transaction, causing bidding engines to bid on more impressions per compromised host than originally intended. Xindi lets the bad guys hoard multiple ad markups, hold them back, and then replay them in a burst. Because so many impressions are released at the same time, fraud safeguards such as frequency caps aren’t able to block the bogus ones.
Pixalate found that, in ad campaigns infiltrated by Xindi, fraud was up by a factor of three. It projects that the botnet will siphon off a minimum of $2.4 billion from programmatic ad spending in 2016 and potentially as much as $3.6 billion.
Xindi can be held at bay, Pixalate asserts, by implementing a reasonable time-out for an ad after the creative is served on a user’s machine. Any creative rendered after the time limit is most likely the handiwork of Xindi and should be considered non-billable. Pixalate will be releasing a list of IP addresses that have been shown to be the most vulnerable to this latest—and perhaps most diabolical—botnet.
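The time-out check described above, sketched as an added example (not Pixalate's code): impressions rendered too long after the creative was served are marked non-billable, and hosts whose late renders arrive in a burst are flagged as likely replaying hoarded markup. The event fields, the 60-second time-out and the burst thresholds are assumptions, since the article gives no values.

```python
from collections import defaultdict
from dataclasses import dataclass

RENDER_TIMEOUT_S = 60  # assumed value; the article only says "reasonable"
BURST_WINDOW_S = 5     # assumed: late renders this close together form a burst
BURST_MIN = 3          # assumed: late renders per window that flag a host

@dataclass(frozen=True)
class Impression:       # hypothetical event record, not an OpenRTB object
    imp_id: str
    host: str           # client IP that fired the render beacon
    served_at: float    # epoch seconds when the ad markup was returned
    rendered_at: float  # epoch seconds when the impression beacon arrived

def split_billable(imps, timeout=RENDER_TIMEOUT_S):
    """Return (billable, non_billable) by serve-to-render delay."""
    billable, late = [], []
    for imp in imps:
        delay = imp.rendered_at - imp.served_at
        # A beacon that predates serving (negative delay) is also rejected.
        (billable if 0 <= delay <= timeout else late).append(imp)
    return billable, late

def replaying_hosts(late, window=BURST_WINDOW_S, min_count=BURST_MIN):
    """Hosts whose late renders cluster in time (hoard, then replay)."""
    by_host = defaultdict(list)
    for imp in late:
        by_host[imp.host].append(imp.rendered_at)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= min_count:
                flagged.add(host)
                break
    return flagged

# Constructed sample events (documentation-range IPs, not real data).
SAMPLE = [
    Impression("a1", "192.0.2.10", 1000.0, 1001.2),    # normal render
    Impression("a2", "192.0.2.10", 1300.0, 1302.0),    # normal render
    Impression("b1", "198.51.100.7", 1000.0, 4600.0),  # held about an hour
    Impression("b2", "198.51.100.7", 1600.0, 4600.4),  # held, same burst
    Impression("b3", "198.51.100.7", 2200.0, 4601.1),  # held, same burst
    Impression("b4", "198.51.100.7", 4599.0, 4601.5),  # fresh, within time-out
    Impression("c1", "203.0.113.5", 1000.0, 1400.0),   # one slow render, no burst
]
```

The per-impression delay check is what removes the replayed renders from billing; the burst check only ranks hosts for follow-up, so a single slow render such as `c1` is non-billable without flagging its host.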