The Frontlines in the War Against Bad Ads: An Ad Lightning Interview

It’s one thing to talk about the war against fraudsters and their malicious ads from a distance. But it’s entirely different to gain the perspective of what it’s like being on those frontlines every day. That’s exactly why I recently sat down with Ad Lightning’s own Drake Callahan – to better understand what it takes to be so effective against a clever, driven, and shape-shifting enemy.

Building Ad Lightning’s ad quality suite from the ground up, Drake knows better than anyone what it’s like to go toe-to-toe with bad actors and their destructive trade. As co-founder and CTO of Ad Lightning, he’s responsible for ensuring our technology continues to be a best-in-class solution for publishers, platforms, and the ecosystem as a whole. To that point, I spoke with Drake about the ongoing battle against ad fraud, what that battle entails for his team, and what to expect down the road.

Is it possible the ad industry still underestimates what the fraudsters are capable of?

In certain corners of the industry. Since fraudsters are a faceless enemy, I think it’s easy for people to forget just how intelligent they are. These aren’t wannabe middle school hackers that we’re going up against. They’re extremely educated people, many with advanced degrees, that just happen to be in an area where there aren’t a lot of jobs in their field. Under different circumstances, these are the same folks that would be leading R&D for tech firms across Silicon Valley. And, of course, the fact that it’s a multi-billion dollar criminal industry provides plenty of motivation for fraudsters to stay on the cutting-edge.

How does that intelligence play into what you and your team see every day?

Well, if we look back at what we were seeing just a couple of years ago, those techniques seem like child’s play compared to the bad ads and techniques we see today. There’s a constant barrage of new tricks from fraudsters, so their tactics tend to evolve extremely fast. They’re never in the same place for long. And when they decide to move on, the next threat is always more sophisticated. Bad actors never go backwards. They’re always moving forward and changing their strategy. And multiplying, of course. The money involved is so staggering, it’s attracted a lot more fraudulent players into the fold over the last few years.

Read Next: What Are Bad Ads? Why Do They Matter? & How Can You Block Them?

I assume that means your team is highly-trained to identify different signals quickly since the bad ads you’re fighting are always morphing.

Yeah, being able to identify investigation paths in the data is really important. We don't always know where an investigation is going to take us. It's often easy to see bad behavior, but much more complicated to unwind the multiple tactics that fraudsters are using to hide and execute something. We never really know where our investigations are going to take us, so we have to be ready for anything. This means having multiple inputs into our system so that we are prepared, no matter what the fraudsters come up with to evade detection.

It’s kind of like seeing just a small loose thread and incrementally unraveling it until we get to the source. Sometimes that starts with something simple like a recently registered domain. If we find a new domain with redacted registration data that is serving obfuscated script, it immediately kicks off a more thorough investigation. But other times, it's much more complicated than that, and is based on a variety of machine learning techniques or an unusual error report we see from our wrapper data.

Okay, in that case, what would you do from there?

Well, it depends. We look for atypical patterns or behavior, decode hidden script, or look for the use of unusual techniques to load and execute additional script. Ultimately, our goal is to reproduce the malicious behavior and understand the techniques that are employed.

So, to answer your question, different potential threats require different actions. Behaviors replicated with scanning require different investigations than data mined from our wrapper. And both of those paths are different than other automated processes that identify things like new domains or the use of CDNs. We use various techniques to dig deeper and unwind the methods that these bad actors are leveraging to get around detection. And that’s really what I mean when I say that we unravel this thread. Fraudsters are always trying to obfuscate their payload so we can’t be exactly sure what they’re up to, at least early in the process. A lot of times, they’ll call multiple scripts from various other domains to pull in other parts of a code. So it’s like putting a puzzle together where they’re pulling in pieces from all over the environment in real-time.

We then have to extrapolate what they’re doing and think through ways that fraudsters can modify something to identify similar existing patterns. Or get ahead of ways they can modify technique to use in the future. A good example is when we identified that fraudsters were actually looking for live code for our wrapper, trying to find a way to disable it or not-execute when it's present. We had to build systems to ensure that they aren't able to do that going forward.

I’ve seen the whack-a-mole analogy used a lot to describe what it’s like to combat these bad actors. Where you knock a bad ad or a technique down and another one pops up somewhere else.

Exactly. But it’s just a matter of new patterns triggering our systems, following the clues, and continuing to dig deeper. At some point, we find commonalities and related code. They could be using multiple new domains to hide their various payloads. Or they're using multiple domains and providers to run multiple campaigns at the same time. They always segregate things so that if one campaign gets taken down, another one can stay active.

What are some of the more common techniques you’re seeing right now? And what do you see happening in the future?

The most common factor is that fraudsters have gotten good at hiding their code, which gives them a few different directions to head toward. I mean, there are always going to be niche holes for them to exploit, so fraudsters will take what the environment gives them. For example, all browsers have some degree of security issues, so that will definitely continue to be a point of concern in the future.

And the same goes with malicious browser extensions. Since a few solutions are getting so good at blocking even their newest techniques – and Ad Lightning’s the perfect example of that – I imagine it will be easier for fraudsters to convince a user to download and install a malicious program rather than always trying to find and exploit new weaknesses. Once the user installs that program, then the bad actors can serve ads in hidden iframes or serve sketchy, low quality ads on top of legitimate ones. And they can do that because they have access to the browser itself after the user download.

So is that your prediction for the future of bad ads? That browser extensions will be the new big thing for fraudsters?

Not necessarily. I’m sure that browser extensions and other downloadable programs will be a part of their arsenal, at least until browsers lock down extension permissions. But it's really challenging to project what might or might not be happening in the future. And that goes back to the flexibility and agility that Ad Lightning focuses so much on. This way, it doesn’t really matter what the fraudsters try to pull because we can quickly and seamlessly pivot in that direction. So instead of guessing what we think they’ll do, we’re hyper-focused on making sure we have the tools to get faster and smarter about the ecosystem as a whole.

That’s also why we place so much value in tracking key metrics like blocked volumes, signatures, and protected impressions. We know that fraudsters aren’t retiring or going on vacation. So seeing a drop in the number of unique signatures we block against in a month is a key signal that fraudsters are probably switching things up. That’s when the flexibility in our technology really shines. We see that tactics are changing through the metrics and then act accordingly.

I know that we’ve seen some pretty extraordinary results, at least from our own customers, in terms of blocking ads and keeping their sites safe and secure. But in the bigger picture, what is it going to take to make the ecosystem feel like things are really turning the corner?

Well, you're absolutely right. The publishers that have implemented Ad Lightning’s solutions really place themselves at a big advantage. But it’s a massive, complicated ecosystem out there with too many publishers, advertisers, and networks to count. So while we can provide them with the tools they need to make a real difference, it’s not like we can force everyone to use Ad Lightning. Or any ad quality solution for that matter.

But that doesn’t mean I’m pessimistic about the health of the industry down the road. We know what we bring to the table and what we provide to the publishers and platforms that are tired of dealing with these malicious ads. And just like most things, it’s ultimately going to come down to money. Publishers obviously need ad blocking solutions because they’re the ones that are directly affected by bad actors. But as soon as upstream partners start to feel the squeeze on their revenue, I think that’s when we’ll really start seeing a difference. Publishers don’t want to work with partners that just make their lives harder, and I don’t blame them.

What would you say differentiates Ad Lightning from other blocking solutions? Or, put another way, why should a publisher choose us over some of the other tools out there?

Well, from a technical perspective, I’ll take our technology and team over anyone and anything else. I’m not saying that everything we do is completely different or light years more advanced than other solutions. But we really place an emphasis on that flexibility I spoke of. Wherever the fraudsters go, we'll be right there. And that incredible agility is probably the biggest differentiator between us and everyone else.

Ad Lightning also seems to focus on transparency as well. Much more than the other ad blocking solutions out there.

That’s a good point. We understand that our solution doesn’t operate in a vacuum. Because it’s easy to block something and then just simply say, “take our word for it – that was a malicious ad.” But there are repercussions to blocking an ad. That means the publisher must now fill that ad slot or risk losing revenue. And blocking an ad doesn’t reflect well on the platform that it came from. So we don’t want to indiscriminately block something and then just move on. We’ve always been transparent with our methodology and justification for our actions. We want our partners to understand why we’re blocking an ad, and that’s something that just isn’t a norm in the industry.

Some of our competitors will just block higher risk platforms altogether, I guess because it’s easier that way and sort of foolproof. But just because it’s a higher risk platform doesn’t mean that every ad coming from it is malicious. Now we give our partners the option to block those higher risk platforms, too, but that’s definitely not the norm for us. Usually, when we block something, it’s because it contains a certain domain or signature and not just the fact that it comes from a particular platform.

If you were to give the industry a word of advice or even encouragement, what would you say?

I’d say that this is absolutely a winnable battle against ad fraud. There are tools out there, really effective ones, that make a huge difference. But you have to choose the right ones. A solution that only concentrates on one area isn’t really a solution at all. You have to use comprehensive tools because we’re going up against very skilled, very smart people. And that’s why we take a more holistic approach here at Ad Lightning. Scanning alone isn’t enough. Neither is blocking. We use both, along with some other really advanced and formidable features, because that’s by far the most effective way to combat ad fraud. And that’s not even an opinion. It’s just a fact.

Download: The 2020 State of Ad Quality Report

In terms of encouragement, I point to how much things have changed in the last couple of years. Everything has really accelerated and grown in complexity from the fraudsters because what we’re doing is working. If we weren’t making a significant, tangible difference, then bad actors would never have to change their techniques. They wouldn’t have to. But we’ve seen the exact opposite recently, where fraudsters are having to really step up their game. So as long as the entire ecosystem starts to take ad quality seriously and uses the right tools, there’s no reason to think that the future won’t be safer for everyone. The solutions are already out there. Companies just need to embrace them.