Ad fraud and ad threats are heavily conflated issues, Maggie Louie, founder and chief executive officer of Devcon, told the audience at the Local Reader Revenue Symposium that INMA co-hosted with Mather Economics as part of Media Innovation Week. Ad fraud is a familiar topic for publishers, Louie said, but she clarified what is meant by ‘ad threats.’

“Hackers and criminals have weaponised the ad tech,” she said. “So the advertising pipe becomes a distribution channel, and they use that to infect ads and distribute malware through publishers’ sites.”

Users may experience this on a small scale when a pop-up redirects them to another Web site, but Louie said this includes more malicious acts as well, such as inserting data miners into the ads.

Maggie Louie shared four key revenue impacts security gaps present for publishers at INMA Media Innovation Week on Wednesday.

The underlying vulnerability is third-party JavaScript, she explained, adding that third-party JavaScript accounted for two of the five largest data breaches of 2018. E-mail fraud accounts for 0.01% of phishing attacks. Louie said most companies would never let their marketing teams handle this type of threat. But in current newsrooms, she added, marketing and ad ops teams are expected to handle these attacks in their ads.

“But the fact is that 1.5% of all ads are distributing malware,” she said. “So your consumers are 150x more likely to be attacked by one of your ads than by a phishing attack.”

Hackers know companies have their own code under control. They would not try to access servers directly but instead look for security gaps. That security gap lies in third-party partners’ JavaScript. Digging deeper, Louie said each partner has five or six third-party partners of their own.

Louie listed four key revenue impacts these security gaps present for publishers.

1. Direct revenue loss: “We measured for two years the financial impact of stopping the exploit ads ... What we found is that overall an average of 30% of revenue is recovered by stopping the bad ads.”

2. Operational overhead: “If anyone’s had to deal with this, it’s a nightmare.”

3. Brand reputation: “Getting someone back after they’ve been hit maybe even twice in one day is brutal for your brand.”

4. Regulatory and legal penalties: “But then the piece that we haven’t really talked about or hit on yet are the regulatories.”

Louie called attention to two major incidents in the last year that were caused by security gaps in third-party JavaScript: Ticketmaster and British Airways. British Airways was fined about US$1,000 per person affected by the data breach. The financial implications are serious, Louie said, and they require careful consideration of partners.

“No matter how much your developers review the code before it’s live, it can change as soon as it goes live,” she said.

Something publishers can do proactively is connect their marketing and cyber security teams and start a dialogue.

“You don’t want your marketing team managing a security gap,” Louie said. “You don’t want your security team blocking your revenue. You want these teams working closely.”

Furthermore, publishers must reframe security as an innovation opportunity and take precautions to remove risk for customers before code goes live: “You have to embrace the security side of this as an innovative, sexy thing that we’re doing that’s exciting.”