There's more than one way to fleece people using Web advertising. Botnets have been harnessed to generate fake clicks by injecting fake links into search results and to click randomly on webpages the infected computer's user never sees. But fraudsters are starting to get more sophisticated in their efforts to get rich off Web advertising.

As Dr. Douglas de Jager, CEO of Spider.io, reported in a blog post today, fraudulent advertising networks are now acting as middlemen between advertising networks placing Web display ads and those stuffing whole hidden webpages of ads into ad slots on legitimate sites. Instead of using bots, this sort of ad fraud uses real humans to generate the traffic—but it never actually shows them the ads that are served up to them.

Display advertising fraud targets ads that are paid for by pageview rather than by click. The use of real-time bidding to auction ad space on websites through exchanges such as Google's DoubleClick Ad Exchange and Microsoft's AdECN has made it possible for fraudulent ad traders to purchase an ad slot through one exchange and then sell it multiple times across others. They "fulfill" all those ads by putting them onto a webpage that gets served up within an ad slot on a legitimate site—with most of its ads hidden from view.

Because the page is "displayed" within the ad frame (again, even though the ads are invisible to the person viewing the page), the ads are often reported back as viewable to the advertiser, so the fraudulent ad trader gets paid for the impression. This works because some ad networks measure impressions based on whether an ad would be visible within the geometry of the Web browser rendering the page—not based on whether it was in fact visible. The fraud can be scaled up dramatically by stacking multiple nested iframe elements within the page of ads, with ads of different dimensions piled on top of each other. As de Jager demonstrated, one entity currently selling hidden ad slots—YieldZone.com—manages to stack 72 display ads into a hidden page, with 60 of them in position to be reported as "viewable" in a full-screen browser display.
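The gap between the two measurements can be shown with a small audit script. This is an added example, not code from Spider.io or any ad network: it compares a geometry-only viewability check with an occlusion-aware one over a constructed stack of ad layers. The layer fields, the 50 percent threshold and the grid sampling are assumptions made for the illustration.

```javascript
// Constructed sample: four ads stacked in one slot plus one standalone ad.
// Coordinates, z-order and opacity values are made up for this example.
const viewport = { x: 0, y: 0, w: 1280, h: 800 };
const layers = [
  { id: "ad-a", x: 100, y: 100, w: 300, h: 250, z: 1, opacity: 1 },
  { id: "ad-b", x: 100, y: 100, w: 300, h: 250, z: 2, opacity: 1 },
  { id: "ad-c", x: 100, y: 100, w: 160, h: 600, z: 3, opacity: 0 },
  { id: "ad-top", x: 100, y: 100, w: 300, h: 250, z: 4, opacity: 1 },
  { id: "ad-d", x: 600, y: 100, w: 300, h: 250, z: 1, opacity: 1 },
];

const inside = (r, px, py) =>
  px >= r.x && px < r.x + r.w && py >= r.y && py < r.y + r.h;

// Fraction of an n x n grid of sample points on `ad` that satisfy `pred`.
function sampleFraction(ad, pred, n = 20) {
  let hits = 0;
  for (let i = 0; i < n; i++) {
    for (let j = 0; j < n; j++) {
      const px = ad.x + ((i + 0.5) * ad.w) / n;
      const py = ad.y + ((j + 0.5) * ad.h) / n;
      if (pred(px, py)) hits++;
    }
  }
  return hits / (n * n);
}

// Geometry-only check: does the ad's rectangle fall inside the viewport?
const geometricFraction = (ad, vp) =>
  sampleFraction(ad, (px, py) => inside(vp, px, py));

// Occlusion-aware check: the ad must not be transparent, and the point
// must not be covered by a fully opaque layer with a higher z-order.
function visibleFraction(ad, vp, all) {
  if (ad.opacity === 0) return 0;
  return sampleFraction(ad, (px, py) =>
    inside(vp, px, py) &&
    !all.some(o => o !== ad && o.z > ad.z && o.opacity === 1 && inside(o, px, py)));
}

// Ads a geometry-only measurement would bill but that nobody can see.
function hiddenButReported(all, vp, threshold = 0.5) {
  return all
    .filter(ad => geometricFraction(ad, vp) >= threshold &&
                  visibleFraction(ad, vp, all) < threshold)
    .map(ad => ad.id);
}
```

On this sample, all five ads pass the geometry-only check, while `hiddenButReported(layers, viewport)` flags the three that are covered or transparent.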

While this is currently less of a problem than the botnet-based click and display fraud that Spider.io attributed to the Chameleon botnet, de Jager said that ad hiding affects at least two percent of the Web advertising in the US.

Hidden ads can also potentially pose a security risk to visitors of the sites that end up serving them: malicious code can be delivered in a frame that is concealed within an ad or overlaid on a legitimate ad that users might click on. Another approach to hiding ads that de Jager pointed to is an invisible iframe that follows the user's mouse and captures mouse clicks to redirect the user to another site. This could be used to launch malicious websites as well as for ad fraud.