Tag evasion is one of the advanced techniques employed by 3ve operators to avoid detection.
3ve was one of the most sophisticated ad fraud operations the adtech industry has seen, siphoning over $29 million from the ecosystem.
Here, we're going to explore what tag evasion is and how you can avoid becoming a victim of such schemes in the future.
If you're wondering whether you should care about this rare, lesser-known technique: 3ve counterfeited 10k+ websites, and a similar operation could arise again replicating exactly the same techniques (given the success of the first one).
Before going any further, you need to know about 3ve. 3ve was one of the complex ad fraud operations dismantled by White Ops and Google in 2018. Eight people connected to the operations were indicted by the DOJ, and it had three sub-operations working in parallel to spoof domains, fake impressions, and sell bot traffic.
Of the three, 3ve.2 is a botnet operation designed to sell fake inventory and dodge ad fraud detection through 'tag evasion'.
So, what is tag evasion?
Tag evasion, as the name suggests, is a technique used by ad fraudsters to block ad fraud detection scripts, or any other unwanted scripts, from executing or rendering. If the scripts aren't executed, you can't detect the presence of ad fraud with those resources.
Your ad fraud detection tags would not even receive a request (HTTP GET), let alone execute.
How does tag evasion work?
Let us take the 3ve example and see how the whole thing happened. 3ve used two methods to evade tags.
Regular expression matching to block unwanted assets.
String blacklist matching to prevent unwanted scripts from executing.
1. Regular expression matching technique:
3ve.2 used a regular expression (regex) matching technique to find the unwanted assets on the page and replace them with "none" so that the script would not be executed at all.
If the regex found a match, the function would return 1 and the resource would be blocked. If there's no match, the function would return , thereby allowing the resource to render normally.
2. String blacklist:
This sub-operation used another method to evade the tags. Blocking was based on a list of blacklisted strings (in 3ve, it is called the bbb_j_m c2 parameter).
If any of these strings were identified within the resource of any page visited by the 3ve.2 botnet, the respective resources (HTML or JS) wouldn’t be executed or rendered.
*The operation also blocked crypto-jacking because it might lead to the detection of the malware. If the user noticed that the computer was running slower, hotter or noisier, it would draw unwanted attention.
How can you protect your websites?
Sounds simple? The latest research states that more than 80% of the ad requests made by the 3ve operation were unauthorized. In other words, the publishers did not list the vendor as approved in their ads.txt file. If the ad exchanges had stopped buying from unauthorized sellers, 80% of the fraud operation would have been stopped.
If you don't have an ads.txt file, create one right away.
Update the ads.txt file regularly and watch out for errors using an ads.txt validator.
Push the ad exchanges and buyers to purchase only from authorized sellers.
— Traffic acquisition
It's common to spend on getting traffic from legitimate social networking sites and search platforms. But don't fall for unrealistic promises. High viewability and engagement, but lower acquisition costs? It's likely a botnet or fraudulent traffic.
Scrutinize your acquisition channels and make informed decisions.
— Dynamic and adaptive IVT technology
The 3ve scheme churned through 40,000 IPs daily and evaded detection tags. This pushes us to go beyond ordinary fraud detection methods. SSPs and DSPs with dynamic and flexible IVT filters, along with anomaly-based detection, will ensure you're protected.
It is time for us to employ a layered approach where in-house technology acts as the final line of defense.
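Because a blocked detection tag never sends its HTTP GET, the missing measurement is itself a signal. The following is an added example, not code from 3ve research or any vendor: it reconciles served impressions against received tag beacons per supply source. The impression ids, seller names and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed data: source -> (impressions served, detection beacons received)."""
    plan = {"seller-a": (10, 9), "seller-b": (8, 7),
            "seller-c": (12, 0), "seller-d": (2, 0)}
    impressions, beacons = [], set()
    for source, (served, fired) in plan.items():
        for i in range(served):
            imp_id = f"{source}-{i}"          # hypothetical impression id
            impressions.append((imp_id, source))
            if i < fired:                      # tag's HTTP GET reached the collector
                beacons.add(imp_id)
    return impressions, beacons

def tag_fire_rates(impressions, beacons):
    """Return {source: (served, fired, fire_rate)} from the two logs."""
    served, fired = defaultdict(int), defaultdict(int)
    for imp_id, source in impressions:
        served[source] += 1
        if imp_id in beacons:
            fired[source] += 1
    return {s: (n, fired[s], fired[s] / n) for s, n in served.items()}

def flag_silent_sources(impressions, beacons, min_served=5, min_rate=0.5):
    """Sources with enough volume whose detection tag rarely or never fires.

    A low rate is a reason to review the source, not proof of fraud:
    ad blockers and network failures also suppress beacons.
    """
    rates = tag_fire_rates(impressions, beacons)
    return sorted(s for s, (n, _, rate) in rates.items()
                  if n >= min_served and rate < min_rate)

SAMPLE_IMPRESSIONS, SAMPLE_BEACONS = build_sample()

if __name__ == "__main__":
    for source, stats in sorted(tag_fire_rates(SAMPLE_IMPRESSIONS, SAMPLE_BEACONS).items()):
        print(source, stats)
    print("review:", flag_silent_sources(SAMPLE_IMPRESSIONS, SAMPLE_BEACONS))
```

The `min_served` floor keeps low-volume sources such as the constructed seller-d from being flagged on too little data.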
— Proactive ad fraud detection partners
Last but not least, ensure your SSP has a committed team and technologies, either 3rd party or proprietary, to detect and stop IVT or unauthorized selling. For instance, we've partnered with 3rd parties to make certain the publishers we work with are shielded from ad fraudsters and spoofers.