Massive bot network is draining $6 million a month from online ad industry, says report

A London analytics firm says it has identified a bot network that is tricking marketers into showing billions of ads every month to phantom visitors. The botnet reportedly relies on more than 120,000 infected Windows computers located in the U.S., and appears to represent a sophisticated scheme to defraud the advertising industry.

The findings were announced on Tuesday by, a firm that specializes in detecting abnormal internet traffic. Spider says it has identified at least 202 websites where the vast majority of visitors are bots rather than normal human visitors, and that that every major brand engaged in automated ad buying has been paying to shows ads to the bots; a visit to one of the affected sites Tuesday morning showed ads from brands like Crest and Bank of America.

Bot networks, which are a collection of virus-infected computers controlled from afar, are not new and have long been used by hackers for malicious activities like password theft or espionage. In this case, however, Spider says this is the first time a bot network has been deployed specifically to target display ads for which unwitting companies have paid.

Working with media technology companies, including Boston-based DataXu, Spider studied traffic patterns and ad activity at numerous websites. Spider, DataXu and ad industry executives from two other companies who did not want to be named explained the motives and tactics of the botnet.

High-tech ad tricks

The world of “ad tech,” where companies use automated platforms to buy and sell ads in real time, is highly complex. It involves massive online exchanges in which publishers invite marketers to bid on their web real estate; the publishers — and various middlemen — get paid whenever an ad is seen or, in some cases, clicked upon.

While the exchanges create a more efficient market, they also make it easier for dishonest participants to enter the ad stream. Since marketers buy millions or billions of ad impressions at a time, it can be hard to verify if the ads appear before real people or in front of bots. As described in a Tuesday AdWeek piece, the ad exchange economy has given rise to “ghost sites” that appear to be normal websites but that may actually be vectors for fraudulent traffic.

According to an ad executive familiar with the Spider investigation, the 202 “ghost sites” that it uncovered include ones that sound like everyday health or consumer sites, like and; many of the sites, which contain a smattering of bare bones news stories, are owned by an ad network (a service that federates ad sales) called AlphaBird. The executive added that, in some cases, the site owners may be unaware of the suspicious activities on the site but that they would at least be aware of the surge in traffic. We’ve reached out to AlphaBird for comment and will update when we hear back.

So how precisely do the bots make money? According to the executive, the scheme is likely based around “re-targeted” ads, which are display ads that show up based on sites a user has visited already. For instance, a department store’s website may place a cookie on a user’s browser in order to show her an ad for a sale while she is looking at an unrelated travel site later on. In the case of the botnet, a bot will first visit the store site in order to trick the store into paying for an ad when the bot later goes on to visit a ghost site.

A visit to, one on the sites associated with the bot network, on Tuesday morning showed ads from major brands like Crest, Bank of America and the City of New York. Here is a screenshot of the ads next to one of the site’s generic celebrity stories (I’ve added arrows pointing to some of the brands paying to be on the site):

Screenshot of ads

In this case, the brands paid to show the ads to a real target — me. But, according to Spider, the vast majority of the time, the ads are being shown to bots instead and the companies are paying for that.

Finding the bots

In its article describing the botnet, Spider says it has been observing anomalous traffic patterns since last December. It says the individual bots that make up the network act like real internet users but that together they look suspicious: Despite the sophistication of each individual bot at the micro level, the traffic generated by the botnet in aggregate is highly homogenous. All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation.

Spider, which compares the botnet it found to large-scale botnets that Microsoft took down in February, also has created infographics, comparing regular traffic and bot traffic side by side. The upper slide shows the botnet’s clicks (at left) and mouse movements (at right); their distribution is unnaturally uniform unlike the real human click and mouse activities in the slides below.

BotnetEngagement by spider

Botnet graphic

Spider said the “click-through” rates for ads on the 202 sites was 0.02%, which is a normal figure for ad industry; it said the low click-through rate appeared intended to avoid drawing attention to the scam.

Christian Carrillo, who is VP of Innovation at DataXu, said his company supplied ad data for Spider’s investigation because it wants to help “purify the value chain” of online advertising. “The industry will benefit from efforts by companies like Spider but this is a longtime process,” said Carillo by phone. He also equated problems in online ad exchanges with earlier efforts to clean-up desktop viruses, a process that took years.

Update: For further details about the sites involved and the advertisers who paid them: see More on the botnet scam.

(Image by Lukiyanova Natalia / frenta via Shutterstock)