How to identify and kill an ad fraud operation

An ad fraud operation is not a single player or system. To protect systems against malicious traffic from an ad fraud operation, one needs an Industry collaboration, as demonstrated in the takedown of the “3ve”.

While ad fraud traditionally has been seen as a faceless crime in which bad actors don’t face many risks of being identified or consequences for their actions, the actual takedown of the 3ve operation shows that there´s is a way to identify and kill an ad fraud operation.

Overview of an operation

overview eve ad fraud operation
Operating on a significant scale

This 3ve operation controlled over 1 million IPs from both residential malware infections and corporate IP spaces primarily in North America and Europe.

The takedown involved disrupting related infrastructure to make it hard to rebuild any of operations

stopping eve ad fraud operation
Successful takedown of infrastructure related

As the graph demonstrates, declining volumes in invalid traffic indicate that the disruption thus far has been successful, bringing the bid request traffic close to zero within 18 hours of starting the coordinated takedown

Source: Google Security Blog – Takedown “3ve“