
Summary:

An analytics firm has uncovered a network of more than 200 sites that appears aimed at defrauding the online ad industry. The network tricks marketers into serving billions of “targeted” ads to bots every month.

A London analytics firm says it has identified a bot network that is tricking marketers into showing billions of ads every month to phantom visitors. The botnet reportedly relies on more than 120,000 infected Windows computers located in the U.S., and appears to represent a sophisticated scheme to defraud the advertising industry.

The findings were announced on Tuesday by Spider.io, a firm that specializes in detecting abnormal internet traffic. Spider says it has identified at least 202 websites where the vast majority of visitors are bots rather than normal human visitors, and that every major brand engaged in automated ad buying has been paying to show ads to the bots; a visit to one of the affected sites Tuesday morning showed ads from brands like Crest and Bank of America.

Bot networks, which are a collection of virus-infected computers controlled from afar, are not new and have long been used by hackers for malicious activities like password theft or espionage. In this case, however, Spider says this is the first time a bot network has been deployed specifically to target display ads for which unwitting companies have paid.

Working with media technology companies, including Boston-based DataXu, Spider studied traffic patterns and ad activity at numerous websites. Spider, DataXu and ad industry executives from two other companies who did not want to be named explained the motives and tactics of the botnet.

High-tech ad tricks

The world of “ad tech,” where companies use automated platforms to buy and sell ads in real time, is highly complex. It involves massive online exchanges in which publishers invite marketers to bid on their web real estate; the publishers — and various middlemen — get paid whenever an ad is seen or, in some cases, clicked upon.

While the exchanges create a more efficient market, they also make it easier for dishonest participants to enter the ad stream. Since marketers buy millions or billions of ad impressions at a time, it can be hard to verify if the ads appear before real people or in front of bots. As described in a Tuesday AdWeek piece, the ad exchange economy has given rise to “ghost sites” that appear to be normal websites but that may actually be vectors for fraudulent traffic.

According to an ad executive familiar with the Spider investigation, the 202 “ghost sites” that it uncovered include ones that sound like everyday health or consumer sites, like onlinesportskit.com and superstar-gossip.com; many of the sites, which contain a smattering of bare bones news stories, are owned by an ad network (a service that federates ad sales) called AlphaBird. The executive added that, in some cases, the site owners may be unaware of the suspicious activities on the site but that they would at least be aware of the surge in traffic. We’ve reached out to AlphaBird for comment and will update when we hear back.

So how precisely do the bots make money? According to the executive, the scheme is likely based around “re-targeted” ads, which are display ads that show up based on sites a user has visited already. For instance, a department store’s website may place a cookie on a user’s browser in order to show her an ad for a sale while she is looking at an unrelated travel site later on. In the case of the botnet, a bot will first visit the store site in order to trick the store into paying for an ad when the bot later goes on to visit a ghost site.

A visit to superstar-gossip.com, one of the sites associated with the bot network, on Tuesday morning showed ads from major brands like Crest, Bank of America and the City of New York. Here is a screenshot of the ads next to one of the site’s generic celebrity stories (I’ve added arrows pointing to some of the brands paying to be on the site):

Screenshot of ads

In this case, the brands paid to show the ads to a real target — me. But, according to Spider, the vast majority of the time, the ads are being shown to bots instead and the companies are paying for that.

Finding the bots

In its article describing the botnet, Spider says it has been observing anomalous traffic patterns since last December. It says the individual bots that make up the network act like real internet users but that together they look suspicious:

“Despite the sophistication of each individual bot at the micro level, the traffic generated by the botnet in aggregate is highly homogenous. All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation.”
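The two aggregate signals Spider describes (one browser identity across all visitors, and visitors who all browse the same set of sites) can be scored per site from page-view logs. The sketch below is an added example, not code from Spider.io or from this article; the sample log, site names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
OTHER_UAS = ["Chrome/25 Win", "Firefox/19 Linux", "Safari/6 Mac", "MSIE 8.0 XP"]  # constructed labels

def sample_log():
    """Constructed (client, user_agent, site) page views; every name is made up."""
    ghost = ["ghost-a.example", "ghost-b.example", "ghost-c.example"]
    log = [(f"bot{i}", IE9_WIN7, s) for i in range(30) for s in ghost]
    for i in range(30):  # humans: mixed browsers, news.example plus one blog each
        ua = OTHER_UAS[i % 4]
        log.append((f"hum{i}", ua, "news.example"))
        log.append((f"hum{i}", ua, f"blog{i % 7}.example"))
    return log

def ua_entropy(log):
    """Shannon entropy (bits) of the user-agent mix each site receives."""
    per_site = defaultdict(Counter)
    for _, ua, site in log:
        per_site[site][ua] += 1
    out = {}
    for site, counts in per_site.items():
        total = sum(counts.values())
        out[site] = -sum(c / total * math.log2(c / total) for c in counts.values())
    return out

def audience_overlap(log):
    """Mean pairwise Jaccard similarity between the site sets of a site's visitors."""
    visited, audience = defaultdict(set), defaultdict(set)
    for client, _, site in log:
        visited[client].add(site)
        audience[site].add(client)
    out = {}
    for site, clients in audience.items():
        pairs = combinations(sorted(clients), 2)  # quadratic; sample in production
        sims = [len(visited[a] & visited[b]) / len(visited[a] | visited[b]) for a, b in pairs]
        out[site] = sum(sims) / len(sims) if sims else 0.0
    return out

def flag_sites(log, max_entropy=0.5, min_overlap=0.9, min_clients=10):
    """Sites with a large audience that is homogeneous on both signals (assumed thresholds)."""
    ent, ov = ua_entropy(log), audience_overlap(log)
    sizes = Counter(site for _, site in {(c, s) for c, _, s in log})
    return sorted(s for s in ent if sizes[s] >= min_clients
                  and ent[s] <= max_entropy and ov[s] >= min_overlap)
```

Neither signal is conclusive alone: a site with a niche audience can show low browser diversity, which is why the sketch requires both signals plus a minimum audience size before flagging.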

Spider, which compares the botnet it found to large-scale botnets that Microsoft took down in February, also has created infographics, comparing regular traffic and bot traffic side by side. The upper slide shows the botnet’s clicks (at left) and mouse movements (at right); their distribution is unnaturally uniform unlike the real human click and mouse activities in the slides below.


Botnet graphic

Spider said the “click-through” rate for ads on the 202 sites was 0.02%, which is a normal figure for the ad industry; it said the low click-through rate appeared intended to avoid drawing attention to the scam.

Christian Carrillo, who is VP of Innovation at DataXu, said his company supplied ad data for Spider’s investigation because it wants to help “purify the value chain” of online advertising. “The industry will benefit from efforts by companies like Spider but this is a longtime process,” said Carrillo by phone. He also equated problems in online ad exchanges with earlier efforts to clean up desktop viruses, a process that took years.

Update: For further details about the sites involved and the advertisers who paid them, see More on the botnet scam.

(Image by Lukiyanova Natalia / frenta via Shutterstock)

  1. I love it..Thanks for sharing it. I always say and will that I don’t trust DATA, and this is an example of that! …. Good Job!!!

  2. It seems the bots are maliciously wasting ad money, rather than redirecting funds to a syndicate. Did I get that right?

    1. David Turnbull Tuesday, March 19, 2013

      Wasting is a relative term! What’s being described is that the bots are associated with web sites that are set up to generate revenue from ads, i.e. the funds are going to the syndicate.
      All that’s missing is a syndicate run ad brokering site to auction the ad spaces so that they get a cut there too.

    2. Thomasz Abbott Tuesday, March 19, 2013

      I was of the same mind. It’s not entirely clear, but I felt more towards the end that there was profit being taken.

    3. There’s definitely a profit being taken. The owners of the bogus sites make money on the ads and they are almost certainly the ones behind the botnet to some extent. It’s not accurate to describe this as draining money from the ad industry though. The exchanges that sell these impressions make money too so it’s really just the advertisers who are being drained. The ad industry is being funded.

  3. Botnets are an organized attempt to create havoc on the Internet. While usually reserved for DOS attacks and other nefarious deeds, it would not surprise me to see these organizations begin to attempt to derive “value” from these mechanisms. That being said, it’s one more avenue in the digital war…

  4. Rick Raubenheimer Wednesday, March 20, 2013

    A bit more proofreading of the article would have been a good idea.

  5. Companies like Alphabird, DigiMogul, BlueLink Marketing, and others that generate significant amounts of volume have been doing this for some time. For them to say they didn’t know is ridiculous. That’s like creating a blog and overnight you generate 20MM impressions… obviously I would be curious as to how and why that would happen. Someone should prosecute these companies for fraud.

  6. Equally, merchants are engaged to defraud innocent people. I know a number of dating sites who ask $1 for a trial and then charge $300 for automatic renewal, which you cannot even cancel … an example is edates.de

    Also, payday loans are equally worse, charging 30% for 21 days.

    These merchants are criminal too.

    The internet is a total scam these days, and deserves to be shut down.

  7. This is a possible explanation for a set of similar phenomena that a number of legitimate site owners have observed over the past year + … phantom windows-only traffic with low engagement, no mouse or keyboard events and other suspicious characteristics. I wrote about this a while back here: http://stkywll.com/2012/03/02/annoying-cyborgs-attach-distort-analytics/

    In some of these cases, I wonder if the botnets are using legitimate sites as “cover” to mix in with their drone sites. There would be some reason to do so — it would make the traffic look more legitimate to advertisers.

    It should be noted that any legitimate business experiencing this traffic needs to adjust its analytics — bots like this load a real client, capable of instantiating Google Analytics etc. At my former job we saw measurable changes in things like bounce rate and time on site when a botnet attached to us, and we had to come up with techniques to not count this traffic.

  8. Has anyone found that in Google Adwords Network display ad campaigns, the clicking is abnormally high and the words that the users click on are irrelevant? I’d be interested in a class action lawsuit. Please contact me if you are interested. info@lawcase.biz
