Some of the world’s biggest brands were ripped off by a digital fraud scheme that used a network of websites connected to US advertising industry insiders to steal what experts say could be millions of dollars, a BuzzFeed News investigation has found.
Approximately 40 websites used special code that triggered an avalanche of fraudulent views of video ads from companies such as P&G, Unilever, Hershey’s, Johnson & Johnson, Ford, and MGM, according to data gathered by ad fraud investigation firm Social Puncher in collaboration with BuzzFeed News. Over 100 brands saw their ads fraudulently displayed on the sites, and roughly 50 brands appeared multiple times.
Documents obtained by BuzzFeed News reveal that the CEO of an ad platform and digital marketing agency is an owner of 12 websites that earned revenue from the fraudulent views, and his company provided the ad platform used by sites in the scheme. Another key player is a former employee of a large ad network who runs a group of eight sites that were part of the fraud, and who consults for a company with another eight sites in it. That company is owned by a model and online entrepreneur who played Bob Saget’s girlfriend on the HBO show Entourage. A final site researchers identified in the scheme is owned by the cofounder of one of the 20 largest ad networks in the United States.
In statements provided to BuzzFeed News by email, all parties deny any knowledge of fraudulent ad activity taking place on their websites. 301network, the ad platform used in the scheme, is now in the process of being shut down and many of the websites that participated have also been deactivated.
This scheme illustrates that while governments and platforms such as Facebook are grappling with online misinformation, the advertising world is in the midst of its own crisis brought on by a multibillion-dollar form of digital deception: ad fraud. This investigation also reveals how seemingly credible players in the ad supply chain can play an active role in — and profit from — fraud.
It's yet another example of how the digital ad industry is being rocked by concerns about quality, fraud, and brand safety. YouTube lost millions of dollars in advertising after it was revealed that ads from major brands were showing up next to extremist videos. P&G, one of the world's biggest advertisers, recently withheld more than $100 million of digital ad spend and found it had little impact on its business. "What that tells me is that the spending we cut was largely ineffective," said CEO David Taylor.
Social Puncher, which publishes ad fraud investigations at SadBotTrue.com, estimates this scheme could have stolen as much as $20 million this year. Pixalate, a fraud prevention and detection company, recently exposed a group of seven sites involved in the scheme as a result of its own independent investigation. It estimated that “a sustained attack [from just one website] could net the fraudsters over $2 million per year.”
Another fraud detection company, Integral Ad Science, reviewed sites that participated in the scheme and found they engaged in fraudulent tactics to generate ad impressions. “Those sites present various degrees of fraud, and they have been flagged accordingly to our customers,” Maria Pousa, the chief marketing officer of IAS, told BuzzFeed News.
“We have stopped the dumb criminals. Now we need to be able to stop the smart criminals.”
Kristin Lemkau, the chief marketing officer of JPMorgan Chase, recently said advertisers are expected to lose $16.4 billion this year to ad fraud, more than double what was stolen in 2016.
Mike Zaneis, CEO of Trustworthy Accountability Group, an anti-fraud initiative set up by the ad industry's key trade groups, told BuzzFeed News some in the industry enable fraud because they look the other way and let it happen, while others actively participate. “There are errors of omission and then there are errors of commission,” he said.
In spite of rising losses and brand concerns, Zaneis believes recent initiatives in the industry have made it more difficult for criminals to make money from ad fraud, which has in turn required them to develop more-sophisticated attacks.
“It was so easy to just turn on the nonhuman traffic and there was no accountability, and that’s no longer the case,” he said. “We have stopped the dumb criminals. Now we need to be able to stop the smart criminals.”
Ads for major brands were fraudulently displayed on approximately 40 websites.
What caught the attention of researchers at Pixalate and Social Puncher, two companies that identified the fraud independently of each other, was that sites in the scheme deployed a sophisticated method to automatically redirect traffic between websites in order to rack up ad impressions and avoid detection. Once caught in this web of redirects, the sites show a constant stream of video ads that are often barely interrupted by actual editorial content. In some cases, the sites showed more than one video ad at the same time in order to increase revenue.
Jalal Nasir, the CEO of Pixalate, referred to the sites in the scheme as “self-driven” because once the redirect code is initiated it can bounce between websites without any action required on the part of a human user or bot. (This kind of attack is known as “session hijacking.”)
“The people profiting from this scheme could have initiated the first visit to the URL, simply to open as many windows or tabs as possible on browsers,” he told BuzzFeed News. “Once that first step had been taken, however, the browsers could have been left open to ‘browse’ all day, ‘mimicking a human.’”
The websites in the scheme focus on niche topics, such as beauty, celebrity news, food, and parenting, that are popular with major advertisers and that can attract high ad rates. They had names such as BeautyTips.online, RightParent.com, HealthyBackyard.com, MomTaxi.com, and GossipFamily.com. In many cases the sites are filled with images and content that has been plagiarized or loosely rewritten from other websites. Others are filled with posts that read like poor translations of actual English.
“Don’t assume rumored baby bump of Kylie Jenner anytime soon,” begins a recent article on StyleFashionista.com. The headline is similarly nonsensical: “Kylie Jenner’s Post Instagram Posts A Fascinating Selection Of Shirts.”
A screenshot of StyleFashionista.com
Many of the sites appear to have been hastily thrown together: Some, such as UpcomingBeauty.com, still contain the default settings of the design template, and have newsletter signup boxes that are not configured. Others, such as StyleFashionista.com, have been online for a year and a half and yet do not appear to have a single user comment. (The “Recent Comments” section on its homepage is empty.)
Pixalate referred to the group of properties it investigated as “zombie sites” because of how they generate ad views without human action, and because it’s unlikely they could attract interest from a real audience.
If any real visitors did happen upon these sites, the scheme was designed to avoid detection by ensuring that a normal user visiting the homepage or regular URL would not be exposed to the malicious behavior. The sites were configured with a “friend or foe” system that only triggered the redirects when a specific URL was accessed. Once triggered, the secret URL would engage what Social Puncher came to refer to as “ad hell” due to the constant display of video ads and very little actual editorial content.
Social Puncher identified the secret URLs and then accessed them in order to verify the fraudulent ad display. For example, this video shows ads from top brands being shown as a small group of sites redirect between each other with no action taken on the part of the user:
Pixalate’s researchers documented the same behavior, as did Protected Media, another fraud detection company that examined the sites at BuzzFeed News’ request.
Along with the secret URLs, the scheme attempted to avoid detection by using a network of different sites to ensure no single property generated enough revenue to risk catching the attention of fraud detection companies, or of the brands being defrauded. Many sites in the scheme would launch, instantly gain traffic and ads, and then see their audience disappear months later. It was the digital equivalent of skimming from a casino.
Using the list of sites that Social Puncher and Pixalate identified, BuzzFeed News began to investigate the companies and people behind them. That trail led to two major owners/operators of sites who turned out to be Americans with ties to the US digital ad industry.
A screenshot of 301network.com
All sites involved in the scheme used ad technology provided by 301network, which is a company connected to 301 Digital Media, a marketing agency based in Nashville. (Pixalate also saw 301’s ad code in the sites it examined.) A cached version of its company page on LinkedIn cited Scripps and Pfizer as clients, and the company is a gold-level sponsor of a digital marketing conference taking place in New York next month.
When first contacted by BuzzFeed News about the presence of its ad platform code across the sites identified in the scheme, 301 CEO Matt Arceneaux said the company was in the process of shutting down its ad platform, and that he was unaware of any fraud.
“We had a few publishers still using our [supply-side platform] and ad server products, but in light of recent clawbacks from advertisers and other SSPs related to Monkey Frog Media and a few other publishers in the network, we decided to accelerate the wind down process,” he said in an email.
“Clawbacks” are demands for refunds, which in this case were made after Pixalate publicly exposed the ad fraud executed by seven sites owned by a shell company called Monkey Frog Media LLC. (The sites were all taken offline shortly after Pixalate’s blog post was published.)
Arceneaux portrayed it as a case of his small ad platform being exploited by unscrupulous players like Monkey Frog. However, documents obtained by BuzzFeed News combine with corporate records and other information to show that Arceneaux is actually an owner of Monkey Frog Media. Tennessee corporate records show that Monkey Frog Media goes by another name, Happy Planet Media. That company had another five sites involved in the scheme, all of which have public domain-registration records that list 301 Digital Media, Arceneaux’s company, as their owner.
Tennessee corporate records also show that two other LLCs with websites in the scheme have connections to 301 and/or Arceneaux. Market 57 LLC, which had five sites, lists its corporate address as the headquarters of 301. One of Market 57’s properties, ViralNewsJunkie.com, also contains the same unique Amazon affiliate code in its source code as two websites owned by 301. (The use of the code means that any products sold via the website earn 301 a commission.)
Orange Box Media LLC, which owns another five sites, is also registered in Tennessee and lists Arceneaux’s home address in its corporate records. (That same address appeared in an early version of the registration for Monkey Frog Media/Happy Planet Media.)
A final sign that these companies share an owner is that on September 8 at roughly noon Eastern the websites belonging to all three companies were taken offline at the same time, according to data gathered by Social Puncher.
Arceneaux initially denied any connection between the shell companies and 301. “Neither 301 Digital Media, 301 Ads nor 301 Network have any ownership in any of the businesses you mention.” He did not reply when asked to clarify if he or his partner, COO Andrew Becks, have personal stakes in the companies. (Becks did not respond to the question.)
Documents show that Arceneaux has been operating the Monkey Frog Media sites since at least 2015. On December 11 of that year, an employee of an ad tech company sent an email to get Monkey Frog’s websites set up as a customer. Arceneaux was identified as the “manager” of Monkey Frog when he signed the contract, and was also listed as the company contact. BuzzFeed News obtained a copy of the email and contract with Arceneaux’s signature.
After being informed of the existence of a Monkey Frog contract with his signature, Arceneaux issued a statement to deny that any fraud took place.
“No one profited from an ad fraud scheme as there was no ad fraud scheme evidence shown in any data that we have collected or seen,” Arceneaux said. “We ran all publishers through 3rd party ad fraud detection companies and were not notified of any issues until shortly before they were removed from our platform. We always make sure any person or publisher running on our network is fully compliant with our 3rd party fraud detection partner.”
He argued that the behavior of the Monkey Frog sites was not suspicious:
“We take real ad fraud very seriously. After reviewing the behavior on the sites in question, we did not observe anything other than auto-advancing pages similar to what YouTube and Pandora do. We did not observe any attempts to mimic human behaviors or automatically click on ads. The 301network SSP has since notified all publishers that it is ceasing operations and can proudly say that none of the sites that showed this behavior are operational anymore.”
This is not the first time Arceneaux has run into problems with fraud on his sites. Shailin Dhar is today the founder of ad fraud research firm Method Media Intelligence, but back in 2015 he was working at an ad network when Arceneaux approached the company to get his Monkey Frog sites signed up. Dhar told BuzzFeed News that that same year he also looked into two 301 Digital Media properties, BridalTune.com and MensTrait.com. Dhar was told by AppNexus, a major ad platform, that its quality team removed the sites from the ad exchange “after they detected and confirmed significant amounts of nonhuman traffic coming through the sites.”
Dhar provided a copy of the email to BuzzFeed News and it can be viewed here.
“While managing supply quality for an ad network client, I regularly saw traffic quality flags with sites from 301 Digital and Monkey Frog,” Dhar told BuzzFeed News. “While these sites fit the mold for getting accepted into ad exchanges, they were repeatedly flagged by AppNexus and other SSPs we used. When I tried to get more insight as to why they were flagged, the platforms simply told us it was an open-and-shut case with nothing to debate over.”
“The content they put out was so light and it was such fluff and had so little value it was hard to believe they were getting so much traffic and revenue on it.”