Malware is Malware… except when it isn’t

So block anomalous activity first and ask questions later (please).

malwareoptions-700x148

As IT professionals (and logical human beings) we have been taught to analyze a situation first and then act based on knowledge gained from the analysis. Acting without an understanding of the full picture is considered impulsive and oftentimes, even foolish.

This is not always the best strategy in today’s fast-paced environment of ever-evolving and growing security threats. When working with malware, security professionals need to unlearn the “think twice” philosophy – they need to act first on qualified intelligence and then, if needed, analyze the data in more detail. This is especially true in the temporal world of the internet where web-based malware needs to be treated like harmful parasites that must be terminated immediately upon detection to stop propagation. Frequently, web-based threats initially present as benign code or operations; however, they easily morph into overt threats without your knowledge.

Going against the grain is a good thing

Today, Google reports more than 495,000 monthly searches for the term malware, producing around 76.4 million results. This should come as no surprise considering that there are nearly 1 million new malware threats detected every day.  

This high level of interest in the topic of malware combined with the aggressive growth of the security software market (valued at $75 billion in 2015) indicate that enterprises struggle to analyze and come to terms with the increasingly complex digital threat landscape. As studies consistently report on this lack of understanding about cybercrime and threats, it is high time that enterprises do something about it.

(Re)Defining Malware

First, let’s get back to basics and clarify the definition of malware:

“Any code, program or application that displays abnormal behavior or that has an unwarranted presence on a device, network or digital asset.”

This means any code or behavior not germane to the intended execution of a web-based asset is considered malware. Malware does not need to be complex, overt or malicious right from the time it is detected.

This definition means annoying or seemingly innocuous behavior, such as out-of-browser redirect, excessive cookie use, non-human clicks/actions or toolbar drops qualify. Most of these behaviors may seem benign now, but a close look at both Indicators of Threat (IOC) and Patterns of Attack (POA) typically suggest another story altogether.    

Don’t question the malware, question yourself  

IT professionals who’ve spent thousands of dollars and hours of learning to develop a knowledge base find it difficult to simply act without questioning and possibly over-analyzing ready to utilize data sources.

Working with qualified intelligence sources will make it much easier to change the “endless analysis” paradigm. If you must ask questions, question yourself and not the malware (at least not before blocking it first).

IT professionals need to reflect on the rapidly evolving web-based threat landscape. On a frequent basis, ask yourself:  

  1. Where are the vulnerabilities in my enterprise network?
  2. Are the tools used to secure my organization effective enough to handle increasingly sophisticated web-based attacks?
  3. What kind of threat intel resources are available? What is our experience with each source?
  4. What does my incident response look like? Is it swift and cost-effective?
  5. Where and how can I increase my operational efficiencies around my threat intelligence strategy?

Block first, ask questions later

The idea is simple, shield yourself against web-based breaches by being more proactive about the enterprise security posture. If and when breaches do occur, you should have at least limited the level of damage caused by loss of data, reputation and business continuity.

Before you spend all your time, money and effort on a full payload analysis of every malware alert, oftentimes, trying to verify the impossible, remember to block it first. What’s the worst that can happen? You block something that an employee needs? Trust me, they’ll let you know.

 

Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

hand is coming out of Computer screen front

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:

  1. Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
  2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
  3. Estimate costs to collect and store data.
  4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
  5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
  6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.


 

Chasing the Revenue Dragon

While chasing the smoky revenue dragon, publishers miss a different monster: Data Leakage.dragon-fotolia_34730412_s

In October The Guardian’s Chief Revenue Officer revealed[1] that numerous ad tech providers in the ad supply chain were extracting up to 70% of advertisers’ money without quantifying the value to the brand. Yes, this revenue loss situation is eye opening, but it’s not the only activity affecting your bottom line. Protecting your data assets is critical for maintaining and maximizing revenue. Inability to control digital audience data within the supply chain is a catalyst for revenue loss. The looming General Data Protection Regulation (GDPR) regulations, that take effect in May 2018, makes the case for data protection that much stronger.

Data: a Publisher’s lifeblood

Every digital publisher intrinsically knows that one of their most valuable assets is their audience data – it drives a publisher’s stickiness with lucrative advertisers, their inventory value, and ultimately their brand image.

Data leakage is the unauthorised transfer of information from one entity to another. In the digital ad ecosystem, data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorisation. Today, this scenario is much more convoluted due to the volume of players in the digital advertising landscape, causing data loss to steadily permeate the entire digital ad industry.

Publishers lose when they can’t control their valuable consumer data:

1. Depleted market share: With your audience data in their hands, advertisers and ad tech providers can always go to other publications and target the exact audiences, thereby devaluing your brand.

2. Reduced ad pricing:  When advertisers or ad tech providers can purchase your audience at a fraction of the cost it decreases the demand for your ads, thus devaluing your ad prices.

3. Exposure to regulatory penalties & risk mitigation: Collection and use of consumer data is a publisher’s prerogative, but protection of this data is a weighty responsibility. Inability to safeguard data gathered from your website leaves a publisher vulnerable to running afoul of government regulations. Saying the penalties under GDPR are severe is an understatement. The repercussion of noncompliance is losing up to 4% of your total global turnover or €20 million, whichever is greater.

4. Reputation loss: Ultimately, data loss and any news of noncompliance could negatively affect consumer trust and brand reputation.

The hands behind data loss

On average, The Media Trust detects at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and at times more than 100, depending on the size of the campaign, type of ad, and so forth. The contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, DMPs, CDNs and other middlemen who actively participate in the delivery of the ad as it traverses from advertiser to publisher. Any upstream player, including the advertiser or original buyer, has access to a publisher’s proprietary audience data if not monitored for compliance.

The advertising ecosystem isn’t the only offender. The bulk of third-party vendor code that executes on the publisher’s website goes unmonitored, exposing the publisher to excessive and unauthorised data collection. In these cases, a publisher’s own website acts as a sieve leaking audience data into the digital ecosystem.

Ending the chase

Resolving revenue lost from data leakage isn’t an unsolvable conundrum, but one that can be addressed by applying the following:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider for ad quality should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With GDPR, EU-US Privacy Shield, and many more such timely regulations and programs, the onus is on the publisher to understand what data activity their upstream partners engage in via advertising. Instead of today’s rampant mistrust, the supply chain must move to accountability for non-compliant behavior.
  1. Governance: Publishers absolutely need to start adopting and enforcing stricter terms and conditions around data collection and data use.

Ultimately, every publisher needs to monitor and govern third-party partners on their website to close loopholes that facilitate data leakage before pointing fingers at others.

The Great Data Leakage Whodunit

Safeguarding valuable, first-party data isn’t as easy as you think

If your job is even remotely connected to the digital advertising ecosystem, you are probably aware that data leakage has plagued publishers for many years. But you are most likely still in the dark about the scope and gravity of this issue. Simply put, data leakage is the unauthorized transfer of information from one entity to another. In the digital ad ecosystem, this data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorization. Today, this scenario is much more complicated due to the sheer number of players across the digital advertising landscape, which causes data loss to steadily permeate the entire digital ad industry, and leading to a “whodunit” pandemonium.

Surveying the Scene

On average, at The Media Trust we detect at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and in some cases more than 100, depending on the size of the campaign, type of ad, and so forth. The other contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, CDNs and other middlemen that actively participate in the delivery of the ad as it moves from advertiser to publisher. Just imagine the cacophony of “not me!” that breaks out when unauthorized data collection is detected. To make matters worse: few understand how data leakage impacts their business and ultimately, the consumer. As a result, an unwieldy game of whodunit is afoot.

Sniffing out the culprit(s)

To unravel this data leakage mystery, let’s get down to brass tacks and build a basic story around just four actors: Bill the Luxury Traveler (Consumer), Brooke the Brand Marketer (Brand), Blair the Audience Researcher (Agency), and Ben the Ad Operations Director (Publisher).

data-leakage-who-dunnit

Bill the Luxury Traveler

Case File: As a typical consumer, Bill researched vacation package for his favorite Aspen resort on a popular travel website. He found a great bargain but wasn’t ready to make the final booking. As he spent the next few days thinking about his decision, he noticed ads for completely different resorts on almost every website he visited. How did “they” know he wants to travel?

Prime Suspects: Bill blames his favorite resort and the leading travel website for not protecting or, even worse, selling his personal data.

Brooke the Brand Marketer

Case File: Brooke is the marketer for a popular Aspen luxury resort. She invested a sizeable percentage of her marketing budget on an agency that specialized in audience research and paid a premium to advertise on a website frequented by consumers like Bill. To her dismay, she realized that this exact target audience is being served ads for competitive resorts on several other websites. How did her competitors know to target the same audience?

Prime Suspects: Brooke questions her ad agency leaking her valuable audience information to the ad ecosystem and also fears the leading travel website does not adequately safeguard audience data. What Brooke does not suspect is her own brand website, which could by itself be a sieve that filters audience data into the hands of competitors and bad actors alike.

Blair the Audience Researcher

Case File: With a decade of experience serving hospitality clients, Blair’s agency specializes in market research to understand the target audience and recommend digital placements for advertising campaigns. However, one of Blair’s prestigious clients questioned her about the potential use of the brand’s proprietary audience data by competitors. How does she prove the client-specific value of her research and justify the premium spend?

Prime Suspects: Blair is concerned about the backlash from her clients and the impact on the agency’s reputation. She now has to discuss the issue with her trading desk partner to understand what happened, but she is unaware that she is about to go down a rabbit hole that could lead right back to her client or the client’s brand website as the main culprit.

Ben the Director of Ad Operations:

Case File: Ben is the Director of Ad Operations for a premium travel website. As a digital publisher, the sanctity of his visitor/audience data directly translates to revenue. In this scenario, he suffered when his valuable audience data floated around the digital ecosystem without proper compensation Almost every upstream partner had access to his audience data and could collect it without permission. When his data leaked it devalued ad pricing, reduced market share and customer trust, and also raised data privacy concerns. How does he detect data leakage and catch the offending party?

Prime Suspects: Everyone. Publishers like Ben are tired of this whodunit scenario and the resulting finger-pointing. While ad exchanges and networks receive a bulk of the blame for data collection, he is aware that many agencies, brand marketers and their brand websites play a role in this caper, too.

And at the end of the day, consumers, people like Bill whose personal data is stolen, are ultimate the victims of this mysterious game.

Guilty until proven innocent

While the whole data leakage mystery is complex, it can be cracked. The first step is accepting that the entire display industry is riddled with mistrust and every participant is guilty until proven innocent. Several publishers, responsible DSPs, trading desks, exchanges, marketing agencies and brands have already taken it upon themselves to solve this endless whodunit. To bolster their innocence, these participants need to carefully review:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With the General Data Protection Regulation (GDPR), EU-US Privacy Shield, and many more such timely regulations, the onus is on every player in the digital ad ecosystem to understand what data their upstream and downstream partners can access and collect via ads. Instead of today’s blame game, the industry should slowly see accountability for non-compliant behavior.
  1. Governance: Every entity across the ad ecosystem should adopt and enforce stricter terms and conditions around data collection and data use. This is especially crucial for publishers and brands – the two endpoints of the digital ad landscape.

Ultimately, every participant in the digital advertising ecosystem first needs to monitor and govern their own website in an attempt to close loopholes that facilitate data leakage before pointing fingers at others.

Malvertising: Is this the beginning of the end?

TAG Malware Scanning Guidelines

Decoding TAG malware scanning guidelines for tactical use 

Note: View webinar at https://www.themediatrust.com/videos.php 

The advertising industry’s crackdown on malvertising has begun. TAG’s recently-released malware scanning guidelines clearly state that every player in the digital advertising ecosystem has a role in deterring, detecting and removing malware.

TAG Webinar Registration Malware Scanning

However, these guidelines need to be translated into action plans. As with many cross-industry initiatives, the TAG guidelines serve several different groups across the digital ecosystem while also introducing security concepts to advertising/marketing professionals. The use of words such as: interdict, cloaking, checksum, and eval(), may baffle many ad ops professionals just like defining “creative” as a payload may baffle security teams.

The good news is that The Media Trust’s existing malware clients are already 100% compliant with the guidelines. Other ad ops teams at agencies, ad tech providers, and publishers, will need to translate the best practices into tactical actions in order to bring their operations into compliance.

What is clear: Scanning is in your future

Every entity that touches or contributes code to the serving of an ad plays a role in malware deterrence – this much is clear. Agencies, ad tech providers and publishers alike are, therefore, expected to proactively and repeatedly review their ads for malware.

Specifically, the guidelines state that:

  1.    Ads and their associated landing pages must be scanned for malware
  2.    Scanning should be performed before an ad is viewed by the end consumer
  3.    If initial scanning detects malware, then the ad must be rescanned until malware-free

Read between the lines: Reap what you sow

The complexities of the digital ecosystem make it almost impossible to explicitly state what each player in the advertising ecosystem should do. Typically, the amount of scanning required is directly proportional to the risk of serving a malware-infected ad or directing to a malware-infected landing page. While there are some directional tips, the guidelines also present a few abstract recommendations:

  • Scanning frequency

Ad formats, demand types, consumer reach and access to an ad as it traverses from advertiser to publisher, affect the frequency of recommended scanning.

For instance, a publisher with a campaign using hosted, static ads, targeting a small number of impressions does not have as robust a scanning requirement as a publisher running campaigns with rich media served programmatically. And, an ad contaminated by malware needs to be scanned more frequently than one that doesn’t set off alarm bells during the initial scan. And, an ad that changes mid-flight—modifying targeting, increasing number of impressions, introducing rich media—requires additional scanning.

  • Proof of scanning

Claiming an ad is scanned is not sufficient. As a best practice, all parties should document proof of scanning and this proof should contain creative id, tag specifications, date of initial and subsequent scans and scanning results. In addition, each party in the advertising value chain should establish a point of contact for reporting malware and communicate it to their upstream and downstream partners. 

  • Know your partner

A critical factor that informs rescanning cadence is the provider’s confidence in their upstream partner(s). Long-standing relationships with reputable, responsive partner(s) infers a reduced likelihood of malicious activity, as opposed to a newly-formed partnership with a one-man shop based in a foreign country. And, the provider should also track and document if their partner adheres to the scanning guidelines, too.

Look ahead: This is just the beginning

The guidelines clearly set the stage for optimizing ad quality and its resulting effect on the user experience, with an emphasis on security. A 100% malware-free advertising experience can’t be guaranteed, but everyone agrees it can be greatly improved. Future steps will undoubtedly address data privacy, ad behavior and more.

While these guidelines provide the impetus to tackle malvertising, it’s a safe bet that industry leaders will push to make them standard a la TAG Certified Against Fraud and Certified Against Piracy programs. And, in order to standardize, a certification and evaluation or audit process will be needed.  

Stay tuned.

Learn more
The Media Trust hosted three informative webinars presenting specific direction to publishers, ad tech providers and agency/buyers. To view, visit https://www.themediatrust.com/videos.php

You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

To mock or not to mock?

Avoiding fraudulent advertising campaign verification is critical for publishers

ad-mockup

That is the question frequently asked by media publishers trying to meet advertiser demands related to digital campaign success. The industry’s intense focus on viewability and transparency issues associated with ad fraud hijacks the limelight from another vital area of interest for advertisers: Are campaigns actually running as contracted?

What the advertiser wants, the advertiser gets

To justify the millions (and millions!) of dollars spent promoting products, advertisers rightfully demand proof that their campaigns execute as promised.

From expected ad rendering on the page to accurate targeting by geography and behavior profiles, advertisers want to know that the right ad has been served in the right way in the right location on the right page to the right demographic. In fact, when considering the average spend of a large-scale national campaign flight, many advertisers will assert they deserve to know their campaign is performing as promised.

Authenticated ad inventory yields benefits

The advertising ecosystem is a dynamic environment processing millions of ads covering billions in spend at any one time. Considering that 5% of display and mobile ads are served incorrectly at launch and countless more break during flight, publishers need to actively monitor and protect their ad-generated revenue channels.[i]

Authenticated ad inventory helps publishers secure ad revenue by avoiding pre-planned delivery overages to compensate for anticipated discrepancies. In addition, it also reduces the frequency of misfiring campaigns, thus minimizing instances of “make good” campaigns.

Ad verification is more than good looks

Reputable publishers recognize the value of their high-quality inventory and demonstrate it by providing proof of ad delivery according to established terms. This is a complicated prospect in an age of large-scale campaigns incorporating ads of varying formats (i.e., HTML5, pre/mid/post-roll video, native, etc.) through multiple platforms (i.e., display, tablet, smartphone, gaming consoles, etc.) across increasingly granular targeting segments.

A Photoshopped “mock-up” or full-page capture of the ad on a screen is a start, but it isn’t enough. Presenting a “mock-up” of how an ad should look could be considered fraudulent as it’s not a true representation of how an ad performs across all formats, devices and geographies. In fact, several industries (Tier 2 automotive, pharmaceutical, etc.) and countries (especially those in Latin America) regulate advertising-based billing processes and require third-party verified screenshots upon invoice presentation.

Beyond the visual of “how” an ad looks on a device, publishers must prove that each ad is delivered as contracted with the advertiser. Continuous monitoring of campaigns at launch and throughout flight will quickly detect errors associated with targeting, creative and device-specific issues that impede optimal campaign execution.

Authentication of possibly hundreds of ad combinations—by size, format, device and geography—is used by publishers to substantiate inventory value and by advertisers to audit and measure campaign ROI.

Consider this

To verify accurate ad placement, execution and targeting, a publisher must consider these five factors:

1.    Legitimacy: Screenshots of ads in a live environment truthfully demonstrate that an ad is delivered to the right target. A “mock-up” or “test page” may display how an ad appears on a site, but in reality it provides a false sense of security for how the ad is actually executing. It also infers that the ad will render the same across all devices, OS, formats and geographies.

2.    Accuracy: Mock-ups can’t prove ad placement as many ad units only occur behind paywalls or require an IP address in order to serve the correct messaging to the individual user.

3.    Automation: Imagine scaling the manual process of verifying ads across the overwhelming number of devices, browsers, user profiles, formats, sizes and geo-locations. Without automation, the task is almost impossible. Leverage technology to streamline the process.

4.    Costs: Carefully consider the total cost of ownership when deciding between an in-house or outsourced process. While in-house resources are easier to control, it is difficult to secure funding and keep the staff engaged. On the flip side, outsourcing requires integration, training, probable coordination with targeting vendors, and continuous oversight which could ultimately be more costly than anticipated—not to mention the complications of managing a remote team, in a case of choosing a non-local entity if a non-native entity is selected.

5.    Quality Assurance: Reliance on mock-up designs to certify campaign execution will not catch errors that occur at launch or throughout the campaign flight.

Ad verification is a complex, yet critical endeavor for publishers looking to highlight inventory value. Don’t mock it.

 

[i] The Media Trust analysis of millions of ad campaigns verified over the course of 10 years.