GeoEdge has identified a rising trend of brand infringement across the Japanese advertising ecosystem. Brand infringement is classified as ads for fraudulent, low-quality products, or non-existent products and services. This includes counterfeit products and campaigns that impersonate brands or businesses by referencing or modifying the brand content in an ad, URL, or destination, or campaigns that misrepresent themselves as brands or businesses. These clickbait ads and landing pages typically promise premium products at unusually low prices.
Throughout October 2020, local news channels across Japan reported that a deceptive online attack had been uncovered across the web. The attackers used various methods to lead online users to think that their website is an official distributor of Dyson in Japan. With a design similar to Dyson’s official webpage and a domain that is almost identical to the official domain, many web users believed that they were visiting Dyson’s official website. The webpage displayed generous discounts to Dyson’s most desired products, which led to hundreds of online orders placed through credit card payment. Not surprisingly, none of these users received the products and no record of the purchase could be found in Dyson’s website.
When trying to retrace their actions, consumers discovered that a standard web search could not find the fake domain. Those who managed to locate the domain found that its content had been completely erased and was no longer available. One thing is common to all of these users – they were exposed to the fake Dyson domain through programmatic ads served on reputable websites.
Figure 1: Fake Dyson ad flagged by GeoEdge’s security engine
The Evolution of Deceptive Ads
“Deceptive online ads have been going through big conceptual changes over the last couple of years” says Liran Lavi, Head of Security Research at GeoEdge. “Traditionally, when bad actors wanted to get users to engage with their content, they would use aggressive methods to push them to a landing page, usually through forced redirection. This type of behavior is effective in creating traction and yields high conversion rates, however, it’s invasive and attracts much attention from publishers. These days bad actors realize that this type of attention is not sustainable in the long term and are constantly looking for more subtle ways to engage end-users with their malicious content.”
Less intrusive attacks require a different approach which, instead of pushing users to the malicious content, uses psychological methods to encourage them to engage with it willingly. Fake brand ads are one of the most common examples of such a method. All it takes to pull such a scam off is for the attacker to design attractive banners promising generous discounts on famous brands and create programmatic distribution channels on self-serve ad platforms. Once users engage with a banner by clicking on it, they are willingly redirected to the landing page, which is the same result caused by auto redirects without attracting the publisher’s attention.
Figure 2: Three examples of Fake brands detection by GeoEdge’s security engine
Identifying and Classifying Brand Infringement
According to Liran Lavi, GeoEdge’s Head of Security Research, “These fake brand ads are what we refer to as deceptive ads. Although less intrusive and harmful to the user experience than forced redirects, these ads can be more harmful to the end-user. By clicking on these deceptive banners, the user is showing interest in the content and, therefore in many cases, has high interest and intent to further engage with the content in the landing page. Moreover, it’s tricky for ad platforms and publishers to detect these ads as there’s nothing in the creative to suggest that the content is deceptive. Behind each attack, there’s usually a team of web designers, digital advertising experts and engineers. Such a team has the capacity to distribute their content on various channels, create and optimize campaigns, and operate a large number of landing pages. Many of the practices they use are similar to the ones which legitimate media buying teams use.”
In 2019, GeoEdge’s security team began optimizing its security engine to accommodate threats unique to the Japanese digital ecosystem. In 2020, following an increase in deceptive ad attacks in Japan, a dedicated engine was designed to detect and block such ads. The new engine relies on data points collected from over 100 billion monitored impressions to execute a complex set of reviews for each creative. This ensures robust real-time detection despite the attacker’s tendency to switch creative designs and domains.
2021 Fake Brands Trend
– 50,000,000+ million blocked impressions
– 1,000,000+ blocked creatives
– 1,000+ malicious landing page domains
– Most blocks in a single day: 1,534,577 (nov 18)
Blocking Fake Brands Across the Japanese Ecosystem
These figures suggest that no blocklist or manual review can prevent these deceptive ads from displaying on a publisher’s website. In many cases registered in 2021 the attacks were active for just a few hours, which means that only a real-time detection and blocking mechanism will be able to mitigate these threats in time.
Liran claims “it’s a challenge adopting our detection to new types of deceptive ads. We are constantly reviewing impressions monitored in Japan and looking for the next generation of attacks. GeoEdge has already established a wide coverage in the market so when a new attack is detected on one of our clients, we are immediately prepared to block it across our ecosystem. We are now working on expanding the success of dealing with deceptive ads to other categories such as low quality and misleading content that publishers often do not approve.”