On 18th of November Mediapost, an advertising industry mouthpiece wrote a story on Pixalate’s findings and the alleged Xindi botnet costing companies $3 billion by end of 2016. This led to what seems like parroting of the original story widely in media, including leading security press. The paper anyhow is not research, but marketing and Pixalate is not a security company, but a sales company. Under closer inspection, Pixalate’s war on Xindi turns out so secret, that even after it became public, nobody knows anything about it.
“Full. Spectrum. Goddam. Cyber.”
That is the phrase used by respected information security researcher @da_667 in his blogpost covering the infosec point-of-view on Pixalate’s Xindi Botnet.
You can read DA’s post here: https://blindseeker.com/blahg/?p=647
I can’t find much better words to describe the situation the adtech industry, and specifically, the anti-fraud segment of it finds itself with the alleged Xindi Botnet and the events that relate to reporting it widely in the media without any basis of substantial facts.
What is especially hard to understand in this case, is what was Pixalate thinking, being so ill-prepared, yet aggressively pursuing the attention of Chief Information Security Officers. This is what prompted some of the most respected security researchers to pay closer attention to Pixalate’s claims, and what has turned out an almost complete absence of any evidence.
What unfolds here, is a series that covers my involvement in botlab.io’s investigation into Pixalate’s alleged Xindi Botnet. As you will later find out, while we had made several attempts to get sample data from Pixalate on the alleged Xindi botnet, it is very likely that without the contribution of @da_667 and other researchers on this matter, Xindi would have become part of the programmatic storyline. This does not mean researchers or key technical decision makers bought into the report’s claims, I have spoken with a few who all said something along the lines of:
“the findings of the report do not make sense to us” or “the alleged vulnerability is not relevant in our system”.
It is very important to understand the difference between the two. Where as “the findings of the report do not make sense to us” clearly demonstrate an understanding of the lack of substance the report exhibits. Where as “we’ve already fixed it long ago” implies that the vendor in question was not able to call the bs in the report, or are not committed to transparency and disclosure of important information about the issues in the industry.
Why should you take what I say very seriously about this topic?
I work as the lead researcher for botlab.io, the only research foundation focused on ad fraud research. I authored the WFA’s Guide to Programmatic Media, and am the co-chair of I-COM Data Science Board. WFA’s Guide to Programmatic Media is considered by many to be the most important, and the most critical analysis of the programmatic media market.
I’ve spent over 20 years researching the internet and advocating better practices based on my research. Having first-hand experience as an innovator in the programmatic industry, I’m one of the only researchers who is widely recognized to intimately understand even the most technical aspects of advertising technology and its use.
As a point of recent reference, here is what Trustworthy Accountability Group’s CEO Mike Zaneis said about my and ARF’s Dr. Fou’s individual contributions on the topic of ad fraud:
Not only as a testament to my contributions in this subject matter, it is this kind of co-operative spirit Mike exhibits, that is needed in the industry in order for us to see a reduction in ad fraud. Even when we don’t agree on all things, it is important that we agree to the extent where we can see each other’s good qualities and the contributions that are being made in the fight against ad fraud.
Now let’s let the story speak for itself.
And really what we have is a story, which tells about the publishing of sensational findings and having a lot of people panic, without providing substantial evidence that has the effect of backing up the made claims. The people who panicked were the CISOs and CMOs of large advertising companies. They were wrongly told that not only they will lose tremendous amounts of money, but it is their exposed systems that is causing it. It appears that the report was heavily marketed.
Why security researchers matter to ad fraud research?
In botlab.io, as it is an organization of researchers and is setup to support research initiatives, one of our goals is to make ad fraud research more attractive to security researchers. It might not be like selling ice to eskimos, but it’s not easy.
The main issue we see with the current state of ad fraud research can be explained in three points:
- Ad fraud is a cybersecurity problem
- Cybersecurity researchers have poor understanding of ad fraud
- Ad fraud researchers have poor understanding of cybersecurity
The conclusion in our analysis has been that unless there is some convergence between the fields of cybersecurity research and ad fraud research, things will become much worse. By this, I mean that the society we all live in will become worse. Ad fraud is already by far the largest cybercrime, with annual revenues somewhere between $10–$50 billion.
The other way of looking at this, is to ask what are the causes of safe society? It seems fair to argue that four axioms can be established:
- security of adtech security vendors is a cause for security of adtech vendors
- security of adtech vendors is a cause for security of adtech
- security of adtech is a cause for security of the internet
- security of the internet is a cause for security of society
If we can agree that these four are true, then it is clear that the behavior of those companies that present themselves as “adtech security vendors”, is intimately connected with security of society. We don’t have to like this point, but it does seem like a strong argument with the information we have.
Why security researchers matter to ad fraud research?
Let’s be honest with ourselves. It’s not like security researchers were fighting for being part of solving advertising technology’s most pressing problems. Our starting point before Pixalate was complicated.
What has happened since the report was published, adtech’s own anti-fraud vendor Pixalate made it to the 2015 FULL SPECTRUM CYBER DOUCHERY KRAMPUS LIST. Listed together with ~200 others, including Hacking Team and Anonymous, only one of the listed have more entries than Pixalate’s five. This is a list by an influential researcher, with other influential researchers as contributors.
Before we move on to covering everything botlab.io’s research led to in this matter, there is something I want to say to the guys at Pixalate:
At the moment there is a resentment within the information security research community towards advertising technology and topics associated with it. This is not helping to slow down the process where by our estimates, in 2025 there will be more annual ad fraud profit than there will be annual cybersecurity profit. More information can be made available to support this scenario as not only realistic but with the current trends, likely.
What we have with Pixalate’s Xindi report, is the opposite of convergence of the two fields of research. Not only the integrity of the research have been seriously questioned by very influential security researchers, but also the vendor has entirely failed in satisfying any of the concerns researchers have voiced out.
As far as I’m considered, the mistakes related to the report covering Xindi Botnet, on behalf of the vendor and media, mark the greatest single set back in this early stage of the fight against ad fraud.
Don’t take my word for it, not even after the reading everything that this series will cover. Go and do your own research, find your own facts. See if you can get to a different result. If you can do that, I will be very happy 🙂
This story is the first part 0f a 10-part dossier that provides unprecedented insight into the workings of a vaporware adtech verification company.