Attack of the Zombie Web Sites, owned by 301 Network, Monkey Frog, Market 57, Orange Box, Arceneaux, Becks, AdSupply, Focus Marketing, Lepton Labs, Willis, Corson, VivaGlam, RecipeGreen, Van Derham | BuzzFeed

Attack of the Zombie Websites; Craig Silverman; In BuzzFeed; 2017-10-17.
Teaser: <snip>actual reporting, by an actual reporter</snip> how seemingly-credible players in the ad supply chain can play an active role in — and profit from — fraud.


Whereas the article buries the lede way way down under the fold…
  • 301network Media, allied “dbas”; Matt Arceneaux, Andrew Becks.
    Monkey Frog Media, Market 57, Orange Box Media
  • AdSupply, allied “dbas”; Eric Willis, Chris Corson.
    Focus Marketing, Lepton Labs
  • KVD Brand Inc.; Katarina Van Derham.

Original Sources

  • Social Puncher, an research boutique, operated as
  • Pixelate, opined; claims independent discovery.
  • Protected Media, opined, as commissioned, from BuzzFeed.
  • Integral Ad Sciences (IAS), opined, as commissioned, from BuzzFeed..


  • “self-driven”
  • “session hijacking”
  • “friend or foe” system
  • “ad hell”
  • <quote>It was the digital equivalent of skimming from a casino.</quote>
  • “Clawbacks”
  • “In-human traffic,” “non-human traffic”
    because nobody in the trade wants to say “robot.”


The Offenses
  • “Approximately” 40 websites.
  • “Over” 100 brands [what's a brand?]
  • “roughly” 50 brands “appeared multiple times.” [what does that mean?]
The Tease
  • <quote>the CEO of an ad platform and digital marketing agency is an owner of 12 websites that earned revenue from the fraudulent views, and his company provided the ad platform used by sites in the scheme.</quote>
  • <quote>That company is owned by a model and online entrepreneur who played Bob Saget’s girlfriend on the HBO show Entourage.</quote>
  • <quote><snip/>a former employee of a large ad network who runs a group of eight sites that were part of the fraud, and who consults for a company with another eight sites in it.</quote>
  • <quote>A site in the scheme is owned by the cofounder of one of the 20 largest ad networks in the United States</quote>.


  • 301network, a marketplace (“an ad platform”) and allied “dbas”;
    Matt Arceneaux, Andrew Becks.
  • AdSupply, various “dbas”;
    Eric Willis, Chris Corson.
  • KVD Brand Inc.;
    Katarina Van Derham.
  • Matt Arceneaux, CEO, partner, 301 Digital Media.
  • Andrew Becks, COO, partner, 301 Digital Media
  • Eric Willis, vice president, OMG LLC
    is a man,
    ex-staff AdSupply,
  • Chris Corson, founder of AdSupply,
    is part owner of an [unnamed] LLC that operates
  • Katarina Van Derham,
    • is a publisher,
      is an online publisher,
    • lives in Los Angeles,
    • has performed as a model
    • has fame,
      has fame from playing Bob Saget’s girlfriend on the HBO show Entourage.
    • owns KVD Brand Inc.
301 Digital Media
  • a marketing agency
  • Nashville, TN
  • LinkedIn page [existed]

    • Scripps
    • Pfizer
  • gold-level sponsor, Digital Marketing Conference, New York, 2017-11.


  • Integral Ad Sciences (IAS) → $20 million in 2017.
  • Pixelate → $2 million per year.”
    Which is it?

The Validation

Re-checking the work of the Social Puncher staff
  • Integral Ad Science (IaS)


  • Ford
  • Hershey’s
  • Johnson & Johnson
  • MGM Resorts International
  • Proctor & Gamble (P&G)
  • Unilever
  • Charmin
  • Olay
  • Oral-B
  • Orgullosa
    [is that really a brand? yes. Spanish, translation proud
    <quote>Orgullosa is for women who don't settle for walking the same path, but instead make a new one every day.</quote> <quote ref="presser">P&G’s Orgullosa Launches the Nueva Latina Campaign to Celebrate and Showcase the Unique Experience of the Bicultural, Modern Latina </quote>]
  • Secret


  • Matt Arceneaux, CEO, 301 Digital Media
    listed as a perpetrator.


For color, background & verisimilitude…
  • Amin Bandeali, the CTO of Pixalate
  • Shailin Dhar, (now) founder, Method Media Intelligence.
    Method Media Intelligence is a research boutique
  • Mary Hynes, director of corporate communication, MGM International
  • Kristin Lemkau, chief marketing officer, JPMorgan Chase.
  • Jalal Nasir, CEO, Pixalate.
  • Maria Pousa, chief marketing officer, Integral Ad Sciences (IAS).
  • Marc Pritchard, chief brand officer, Proctor & Gamble (P&G)
    honorific: the consumer products giant
  • Vlad Shevtsov, director of investigations, Social Puncher
  • David Taylor, CEO, Proctor & Gamble (P&G).
  • Mike Zaneis, CEO, Trustworthy Accountability Group


The location of the fraud
    well, there’s your problem… the TLD online just feels sketchy, doesn’t it?
    • uses automated [robot] content generation scheme
      “100% Fully Automated Videos – You won’t have to worry about new content. Comes with a custom plugin with your own license,” via blurb at Flippa,
    • 2016-12, purchased by Katarina Van Derham, for $59 in an auction
    • 2017-01 → 2017-08, was “showered” with traffic, then none.
    • branded Viva Glam,
    • operated by Katarina Van Derham since 2012,
    • not purchased from Pakistan or elsewhere.


  • Monkey Frog Media LLC.
    • is a shell company [a holding company]
    • exposed for fraud “at seven sites”, by Pixelate [WHEN?]
    • Owned by Matt Arceneaux
    • d.b.a. Happy Planet Media
    • Has five more web sites
      whose domains are registered as being owned by 301 Digital Media, which is [owned?] by Matt Arceneaux
    • earlier [WHEN?] Matt Arcenaux’s home address for registration.
    • since 2015; as evidenced by 2015-12-11, Matt Arceneaux signs a contract as the “manager” of Monkey Frog Media.
  • Market 57 LLC
    • which had five sites
    • Same asddress as 301 Media
    • failing
    •, uses 301 Media’s Amazon affiliate code
    • earlier [WHEN?] Matt Arcenaux’s home address for registration.
  • Orange Box Media LLC
    • owns five sites
    • filing
    • uses Matt Arcenaux’s home address.
    • Observed by the Social Puncher staff: at circa 2017-09-08T12:00 EDT, all sites were unavailable simultaneously
  • Something about Facebook.
    Facebook is bad.
  • AppNexus was trading 301 Network Media’s media.
  • Online Media Group LLC (OMG LLC)
    • A shell company [a holding company]
    • owns seven sites
    • ran session hijacking code
    • Eric Willis, vice president, OMG LLC
      is a man.
  • AdSupply, seemed clean, maybe;

    • Chris Corson, cofounder, executive vice president, AdSupply.
    • Chris Corson, is part owner of an LLC that operates, a site that contained [the] session hijacking code.
      • is longstanding
      • produces some original content
      • has a YouTube channel, “close to” 2 million subscribers.
    • Focus Marketing. LLC,
      Chris Corson is the part owner.
    • Lepton Labs LLC,
      • purveyors of AllDaySlim, a weight-loss elixr.
    • Chris Corson is the part owner.
  • KVD Brand Inc.
    • eight sites
    • performed in the session hijacking scheme.
    • owned by Katarina Van Derham
    • bought the sites & their business from “someone in Pakistan.”
      • uses automated [robot] content generation scheme
        “100% Fully Automated Videos – You won’t have to worry about new content. Comes with a custom plugin with your own license,” via blurb at Flippa,
      • 2016-12, purchased by Katarina Van Derham, for $59 in an auction
      • 2017-01 → 2017-08, was “showered” with traffic, then none.


Hosted at

  • Something, of
  • Something, maybe an article, from
  • Something, maybe a “website,” of Focus Marketing. LLC
  • Something, maybe a “website,” of OMG LLC (Online Media Group, LLC)
  • Something, maybe a “product page,” for AllDaySlim, a weight-loss elixr.

Hosted at

  • Media Kit of, as archived circa 2015-02-17T06:33:42.

Hosted at

Hosted on

Hosted on

Previously filled.

How Much of Your Audience is Fake? | Bloomberg

How Much of Your Audience is Fake?; Ben Elgin, Michael Riley, David Kocieniewski, and Joshua Brustein; In Bloomberg Business; 2015-09-23.
Teaser: Marketers thought the Web would allow perfectly targeted ads. Hasn’t worked out that way.

tl;dr →traffic fraud is everywhere and nobody cares; chum bucketers: Taboola, Outbrain; exemplar MyTopFace, Boris Media Group buys from Viant, MySpace who sourcemake it.


  • Google
  • Yahoo!
  • programmatic
  • audience buying
  • Ford Motor
  • Metrics
    attributed to Ron Amram, Heineken on $150M yearly spend

    • Return on Ad Spend (ROAS)
      • Digital → 2:1
      • TV → 6:1 ($6 increase in sales for $1 advertising spend)
    • Viewability
      • 20%
    • Non-Human Traffic (NHT)
      • 11% of view are bots,attributed to WhiteOps.
      • $6.3B/year
  • Association of National Advertisers (ANA)
  • <quote>Consumers, meanwhile, to the extent they pay attention to targeted ads at all, hate them: The top paid iPhone app on Apple’s App Store is an ad blocker.</quote>
  • Bonnier
    • Swedish
    • media conglomerate.
    • 21-years old
    • Who
      • Sean Holzman, chief digital revenue officer.
      • Paul Maya, global head of digital
    • operates
      • video sites
        • Outdoor Life,
        • Popular Science.
        • Saveur
        • Working Mother
    • <quote>About half of’s home page is taken up by a player that automatically plays videos with simple kitchen tips. In early September, the spots (How to Stir a Cocktail, Step One: “Hold the spoon between pointer and middle finger …”), were preceded by ads from Snapple and Mrs. Meyer’s household cleaning products.</quote>
  • Chum Bucketers
    • purchased traffic
      generated traffic
    • Exemplars
      • Taboola
      • Outbrain
    • 2% CTR
  • DoubleVerify
  • Buying & Selling TRAFFIC; a forum on LinkedIn
  • SiteScout
    • traffic protection estimation
    • <quote>locks several of these new Bonnier sites for “excessive nonhuman traffic.</quote>
  • SimilarWeb
    • traffic protection estimation
  • Techniques of Low-Quality Traffic
    • popups
    • tab-unders
    • video autoplay
    • a traffic supplier
    • Sherman Oaks, CA.
    • Daniel Yomtobian, chief executive officer
  • Benjamin Edelman
    • activist
    • advice
    • professor, School of Business, Harvard
  • Boris Media Group
    • Owner
      • Boris Boris
      • age 28
      • wife
      • son, age 1month
      • Ukraine
    • makeup advice
    • Pricing
      • $0.73 →$10 CPM
    • Inventory
      • stale content
      • milled content
      • video (autoplay)
    • Advertisers
      • American Express
      • Hebrew National Hot Dogs
    • Traffic Sources
      • MySpace
      • Facebook (at 100x cost, so … not much)
    • Quality
      • 94% bots
      • <quote>Bloomberg BusinessWeek asked two traffic-fraud-detection firms to assess recent traffic to MyTopFace; they agreed on the condition that their names not be used.</quote»
  • MySpace
    • Viant, owner
    • relaunched in 2013
    • video
      • exclusives
      • commissioned work
      • milled content
      • user-generated content
    • Chris Vanderhook, chief operating officer
    • Affiliate Program
      • video player syndication
    • Claim
      • syndicated video player shows blocked content preceded by ads
      • blocked content of MySpace plays
        • Hitboy
        • Surfing
    • Advertisers
      • Chevrolet
      • Kozy Shack pudding
      • Procter & Gamble
        • Always
        • Tampax
      • Unilever
  • Telemetry
    • fraud detection
  • Sovrn Holdings
    • an ad exchange
    • Walter Knapp, CEO



For color, background & verisimilitude.

  • Ron Amram
    • Heineken, USA
    • ex-media director, prepaid cellular, Sprint
  • Fernando Arriola, vice president for media and integration at ConAgra Foods.
  • Perri Dorset,press relations, Bonnier.
  • Jim Kiszka, senior manager for digital strategy, Kellogg’s.
  • Walter Knapp, CEO, Sovrn Holdings,
  • Sean Holzman, chief digital revenue officer,, Bonnier.
  • Paul Maya, global head of digita, Bonnier.
  • Chris Vanderhook, chief operating officer, Viant
  • Eileen Wunderlich,press relations, Chrysler.
  • Daniel Yomtobian, chief executive officer,

Why Do Nigerian Scammers Say They Are From Nigeria? | Herley

Cormac Herley (Microsoft); Why do Nigerian Scammers Say They are from Nigeria?; In Workshop on the Economics of Information Security (WEIS); 2012; 14 pages; landing.


False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing.

This allows us to view the attacker’s problem as a binary classification. The most profitable strategy requires accurately distinguishing viable from non-viable users, and balancing the relative costs of true and false positives. We show that as victim density decreases the fraction of viable users than can be profitably attacked drops dramatically. For example, a 10× reduction in density can produce a 1000× reduction in the number of victims found. At very low victim densities the attacker faces a seemingly intractable Catch-22: unless he can distinguish viable from non-viable users with great accuracy the attacker cannot find enough victims to be profitable. However, only by finding large numbers of victims can he learn how to accurately distinguish the two.

Finally, this approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select.


  • a theoretical treatment
  • Receiver Operator Characteristic (ROC)
  • Optimal Operating Point (OOP)
  • Attacker Model
    • Targeted Attacker with per-user effort.
    • Scalable Attacker with per-population effort.
  • 419 Fraud
    • advance funds fraud
  • Advanced Persistent Threat (APT)


  • Fraud at [some blog?].
  • 419 Eater.
  • A. Odlyzko. Providing Security With Insecure Systems. In Proceedings of WiSec, 2010.
  • L. Ahn, M. Blum, N. Hopper, J. Langford. Captcha: Using Hard AI Problems For Security. In Proceedings of the 22nd International Conference on Theory and Applications Of cryptographic Techniques, pages 294–311. Springer-Verlag, 2003.
  • S. Axelsson. The base-rate fallacy and the difficulty of intrusion detection. In ACM Transactions on Information and System Security (TISSEC), 3(3):186–205, 2000.
  • C. Dwork, M. Naor. Pricing via Processing or Combatting Junk Mail. In Proceedings of Crypto, 1992.
  • D. Florêncio, C. Herley. Is Everything We Know About Password-stealing Wrong? In IEEE Security & Privacy Magazine. To appear.
  • D. Florêncio, C. Herley. Sex, Lies and Cyber-crime Surveys. In Proceedings of WEIS, 2011, Fairfax.
  • D. Florêncio, C. Herley. Where Do All the Attacks Go? In Proceedings of WEIS, 2011, Fairfax.
  • Ford R., Gordon S. Cent, Five Cent, Ten Cent, Dollar: Hitting Spyware where it Really Hurt$. In Proceedings of NSPW, 2006.
  • D. Geer, R. Bace, P. Gutmann, P. Metzger, C. Pfleeger, J. Quarterman, B. Schneier. Cyber insecurity: The cost of monopoly. Computer and Communications Industry Association (CCIA), Sep, 24, 2003.
  • J. Grossklags, N. Christin, J. Chuang. Secure or insure?: a game-theoretic analysis of information security games. In Proceedings of WWW, 2008.
  • H. R. Varian. System Reliability and Free Riding. In Economics of Information Security, 2004.
  • C. Herley. The Plight of the Targeted Attacker in a World of Scale. In Proceedings of WEIS 2010, Boston.
  • J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, L. F. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of Usenix Security, 2009.
  • L.A. Gordon, M.P. Loeb. The Economics of Information Security Investment. In ACM Transactions on Information and System Security, 2002.
  • N. Fultz, J. Grossklags. Blue versus Red: Toward a Model of Distributed Security Attacks. In Proceedings of Financial Crypto, 2009.
  • R. Anderson. Why Information Security is Hard. In In Proceedings of ACSAC, 2001.
  • R. Anderson. Security Engineering. second edition, 2008.
  • R. Boehme, T. Moore. The Iterated Weakest-Link: A Model of Adaptive Security Investment. In Proceedings of WEIS, 2009.
  • S. Schechter, M. Smith. How Much Security is Enough to Stop a Thief? In Proceedings of Financial Cryptography, pages 122–137. Springer, 2003.
  • H. L. van Trees. Detection, Estimation and Modulation Theory: Part I. Wiley, 1968.

Via: backfill.

DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps | Liu, Nath, Govindan, Liu

Bin Liu, Suman Nath, Ramesh Govindan, Jie Liu; DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps; In Proceedings of NSDI (NSDI); 2014; 15 pages.


Ad networks for mobile apps require inspection of the visual layout of their ads to detect certain types of placement frauds. Doing this manually is error prone, and does not scale to the sizes of today’s app stores. In this paper, we design a system called DECAF to automatically discover various placement frauds scalably and effectively. DECAF uses automated app navigation, together with optimizations to scan through a large number of visual elements within a limited time. It also includes a framework for efficiently detecting whether ads within an app violate an extensible set of rules that govern ad placement and display. We have implemented DECAF for Windows-based mobile platforms, and applied it to 1,150 tablet apps and 50,000 phone apps in order to characterize the prevalence of ad frauds. DECAF has been used by the ad fraud team in Microsoft and has helped find many instances of ad frauds.


Bin Liu, Suman Nath, Ramesh Govindan, Jie Liu; DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps; Technical Report 13-938; Viterbi School of Engineering; University of Southern California; 2013; 15 pages.

AdRob: Examining the Landscape and Impact of Android Application Plagiarism | Gibler, Stevens, Crussell, Chen, Zang, Choi

Clint Gibler, Ryan Stevens, Jonathan Crussell, Hao Chen, Hui Zang, Heesook Choi; AdRob: Examining the Landscape and Impact of Android Application Plagiarism; In Proceedings of MobiSys; 2013-06-23; 14 pages.


Malicious activities involving Android applications are rising rapidly. As prior work on cyber-crimes suggests, we need to understand the economic incentives of the criminals to design the most effective defenses. In this paper, we investigate application plagiarism on Android markets at a large scale. We take the first step to characterize plagiarized applications and estimate their impact on the original application developers. We first crawled 265,359 free applications from 17 Android markets around the world and ran a tool to identify similar applications (“clones”). Based on the data, we examined properties of the cloned applica tions, including their distribution across different markets, application categories, and ad libraries. Next, we examined how cloned applications affect the original developers. We captured HTTP advertising traffic generated by mobile ap plications at a tier-1 US cellular carrier for 12 days. To associate each Android application with its advertising traffic, we extracted a unique advertising identifier (called the client ID) from both the applications and the network traces. We estimate a lower bound on the advertising revenue that cloned applications siphon from the original developers, and the user base that cloned applications divert from the original applications. To the best of our knowledge, this is the first large scale study on the characteristics of cloned mobile applications and their impact on the original developers.


Clint Gibler; AdRob: Examining the Landscape and Impact of Android Application Plagiarism; On YouTube; 2013-04-11; 4:17.

ViceROI: Catching Click-Spam in Search Ad Networks | Dave, Guha, Zhang

Vacha Dave, Saikat Guha, Yin Zhang; ViceROI: Catching Click-Spam in Search Ad Networks; In Proceedings of the Conference on Computer and Communication Security (CCS); 2013-11-04; 12 pages.


Click-spam in online advertising, where unethical publishers use malware or trick users into clicking ads, siphons off hundreds of millions of advertiser dollars meant to support free websites and apps. Ad networks today, sadly, rely primarily on security through obscurity to defend against click-spam. In this paper, we present Viceroi, a principled approach to catching click-spam in search ad networks. It is designed based on the intuition that click-spam is a profit-making business that needs to deliver higher return on investment (ROI) for click-spammers than other (ethical) business models to offset the risk of getting caught. Viceroi operates at the ad network where it has visibility into all ad clicks. Working with a large real-world ad network, we find that the simple-yet-general Viceroi approach catches over six very different classes of click-spam attacks (e.g., malware-driven, search-hijacking, arbitrage) without any tuning knobs.


  • <quote>Viceroi could look for higher than expected revenue per user for a given publisher.</quote>



  1. For each publisher-user pair, Viceroi computes the log of the sum of ad click revenues generated by the given user on the publisher’s site.
  2. For each publisher, Viceroi sorts the per-user log-revenue sums and retains a vector of N quantile values. Recall that quantile values are sampled at regular intervals from the probability distribution function (PDF) of a random variable. In our evaluation we found N = 100 to offer good performance before diminishing returns kicks in.
  3. For the baseline, Viceroi computes the point-wise average of the quantile vectors for the given set of ethical publishers.
  4. Finally, for each publisher Viceroi computes the point-wise difference between the publisher’s quantile vector and the baseline quantile vector. The publishers click-spam score is simply the L1 norm of the difference vector (i.e., sum of the N point-wise differences). Given a threshold τ (which characterizes the width of the band around the baseline), if the click-spam score is higher than N τ the publisher is flagged, and all quantile points where the point-wise difference exceeds τ is recorded for use in the online component.
  5. In the online component, whenever an ad is clicked, Viceroi checks if the publisher is flagged and the user clicking the ad falls in the flagged quantile region. If so, the click is discounted.



Via: backfill