Multiple hacker networks are involved in auto-redirect attacks that cost advertisers and publishers $1.13 billion annually.
The finding is the basis for a report by GeoEdge, an ad verification company, which draws on an analysis of 650 million impressions. The attack mechanisms include mobile click fraud, tech support claims, and malicious app installations.
The umbrella term auto-redirect refers to any situation where the user's browser is sent to a location that was not the user's intended destination. In a common ploy, users encounter purposely confusing web pages designed to trick them into downloading an app or a piece of malware. In other attacks, the redirect spawns a hidden frame or image that, unbeknownst to the user, carries out nefarious tasks that result in click fraud, attribution fraud or cookie stuffing, according to the company, which defines seven distinct types of redirect attacks.
In the case of click fraud, GeoEdge came across instances of a single mobile browser calling a range of invisible iframes that included multiple URLs. For this case, GeoEdge has provided a whitelist of the domains that are commonly targeted in these attacks.
In terms of cost to advertisers, GeoEdge estimates that auto-redirects, which make up 48% of malvertising events, are costing $210 million annually, while click fraud is costing advertisers and publishers $920 million annually.
Mobile devices make up 72% of malvertising, with Apple iOS accounting for 57% of the incidents, while Android users are attacked just 15% of the time.
Mobile users are being duped by messages that look like official notifications from Apple or Google, with copy that alerts users to a device infection and prompts immediate action, either downloading malware or dialing a scam number.
Scams maintain their legitimate appearance by redirecting users to a new window instead of a banner ad, which reduces the instances in which they are flagged or reported. While hacking a bank is taxing, replicating the home page of a bank in order to obtain sensitive user data is relatively easy.
Advertisers can prevent these problems by investing in better incentives for their agencies and ad networks. One of the most common root causes cited by the GeoEdge report is cost per install (CPI), which peaked at $1.24 for iPhone and $0.53 for Android in 2017.
Without a clearly defined goal, ad networks tasked with driving app downloads often deploy the tactics cited in this paper in order to drive traffic to an app-download page, banking on achieving single-digit conversion rates.
The onus is on the advertisers to incentivize white-hat best practices from their agencies and ad networks, with penalties on app page bounce rates and an in-depth understanding of the methodology to be deployed for driving traffic.
Demand ultimately determines supply, and it's up to advertisers to partake in the quality conversations and contracts that ensure that their partners do not resort to redirects or phishing scams in a bid to generate app downloads or site visits.