A larger picture is emerging about an online advertising scam that is reportedly soaking major brands like McDonald’s and Disney for $6 million a month. The scam, which has rattled publishers and the ad industry, came to light on Tuesday after a London analytics firm revealed that a network of zombie computers tricked the brands into paying to show their ads to robots.
It has also resulted in “toothbrushing.net,” a little-known site with oral hygiene news, likely racking up more visitors than famous publishers like The Economist.
Here are some more details, based on sources close to the investigation and other reports, about who is affected and the scale of the botnet.
Millions of “readers” for a toothbrush news site
The “about” section of Toothbrushing.net says the site is dedicated to “toothbrush enthusiasts” and promises the “latest on dental news.” According to a source, the site is displaying 20 million to 25 million ad impressions a month. Since the site shows four ad slots on every webpage, this loosely translates to at least 5 million visitors. Nearly all of these visitors were bots not people but, for marketers, the effect is the same — they pay either way. (The ad slots were empty when I checked today — see the screenshot at right).
To put the traffic of the toothbrush news site in perspective, consider that a site like the Economist had 1.7 million unique visitors in December and the New Yorker had 3.1 million. These figures refer to unique visitors so it’s not an apples-to-apples comparison but, using this crude calculation, there’s a good chance Toothbrushing.net did better than both of them.
And it’s not just the toothbrush site. Other obscure sites touched by bot networks, including Sodabottle.com and Techrockstar.com, likewise served up 20 million to 25 million ads in a month. According to Spider, the analytics firm that discovered the scam, there are at least 202 such sites tied to one bot network called Chameleon. Nearly all consist of little more than a smattering of cheap content you could pay a high-school student to write.
There is also the egregious example of Directorslive.com, an obscure movie site that AdWeek reports enjoys 326 million monthly pageviews. According to a source, the only site on the web to sell more ad impressions is Facebook(s fb).
Who is affected and who is responsible
The list of advertisers that paid to appear on botnet sites include dozens of major brands, and cover a wide range of sectors such as: retail (Snickers, Ziploc, Petco); finance (Citi, Chase, Amex); telecom (AT&T, Time Warner, Sprint); automotive: (Dodge, Ford, Jaguar); services (Zipcar, Seamless).
While advertisers are the direct victims of the botnet, major web publishers are also harmed because marketers lose confidence in the integrity of display advertising and prices drop accordingly.
So who is to blame? An advertising source provided six ad networks it regarded as among those it believed to be “problematic” because their sites receive suspicious traffic. Here are their names along with an example of a suspect websites they control: Alphabird (Driverswhoknow.com); Digimogul (USBuildingDigest.com); Forward Health (Womenshealthbase.com); Precision Media (Toothbrushing.net); HiFi network (Dailyfreshies.com); Relevad Corporation (FFog.net).
(Clarification: the CEO of Spider.io says not all of these networks received visits from the Chameleon botnet but that they may be receiving traffic from other botnets or other “nefarious” sources).
The CEO of Digimogul told AdWeek that allegations of a connection to the bot network were “silly” and that “everything is by the book.” Meanwhile, executives from Alphabird told me that they were surprised by the discovery of the botnet and that they’re working with the London analytics firm to get to the bottom of it. Spider.io’s CEO says that AlphaBird has reached out “via LinkedIn” but that the companies are not working together.
I asked the COO of Alphabird, Justin Manes, how a company staffed by a sophisticated technology and marketing team could possibly remain unaware of the suspicious traffic — especially when the traffic delivered a direct financial benefit to them. Manes responded that Alpahbird works with numerous aggregators to buy website visitors and that the corrupted traffic must have slipped in this way; he also declined to say where the company bought the traffic. As for the company’s prospects in light of the botnet scandal, Manes said he hopes that people will come to see Alphaird was duped too; he also hopes the experience will strengthen the company’s ability to sell tagging and tracking tools in the future.
Fixing the problem: better tools or law enforcement?
The existence of a bot network that hijacks thousands of American computers to perpetrate millions of dollars in fraud appears to be a serious matter. But is it serious enough for a criminal investigation?
I called the Cyber-Crimes division of the FBI to ask if it is investigated this type of activity. A spokesperson provided this response:
“While I cannot comment about the botnet you’re writing about, the FBI’s Cyber Division does investigate botnets. We have had operational successes disrupting botnets used by individuals as well as groups that use malicious advertising as part of their schemes.” The spokesperson also referred to a 2011 investigation known as “Operation Ghostclick” in which the FBI arrested six people for using computers to manipulate the online ad industry.
It’s unclear at this point if the discovery of the new botnet will lead to any criminal investigations. In the meantime, brands and publishers will likely look to self-help solutions to weed out the fraud. There is some encouraging news on this front, as metrics companies like comScore are developing measurement tools to identify and screen-out what the company calls “non-human traffic.”
This story was updated on March 20 at 10pm and March 21 at 11am to provide clarifications from Spider.io’s CEO Douglas de Jager.
(Image by qvist via Shutterstock)