Tools and Techniques That Bad Guys Use For Ad Fraud


There is so much easy money in digital advertising waiting to be ripped off, and bad guys have made so much money for so long, that they can afford better tools. They've upgraded from the commonly known basic bots -- web automation tools like PhantomJS, WebDriver, Selenium, Puppeteer, etc. These tools repeatedly loaded webpages to generate more ad impressions out of thin air. Bad guys also use mobile emulators to download and run mobile apps. For example, by running a mobile casual game 24/7 they can generate far more ad impressions than if they let a human play the game for 3-4 hours a day.

These days, fraudsters don't even need to make their own bots. There are folks that already maintain vast botnets. The bad guys only need to do what is necessary to get away with it -- i.e. get paid. They won't work harder than necessary. So if an ad exchange is not doing basic checks for bots that say they are bots, bad guys can just use the most rudimentary, and cheapest, forms of bot traffic based on the web automation tools mentioned above. Sometimes it's also as easy as passing a faked mobile app name, and the CPM bids they get are higher, because there's more demand for mobile apps from ad buyers. If ad exchanges don't check or don't enforce ads.txt, there are further loopholes bad guys can exploit, like domain spoofing (i.e. pretending to be a well-known site so they can get higher bids).
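The ads.txt check mentioned above, as an added example that is not part of the original article: a buyer or exchange parses the publisher's ads.txt and rejects bid requests whose exchange and seller account are not listed for the claimed domain. The domains, seller IDs and bid field names are constructed assumptions, and the bid structure is simplified rather than real OpenRTB.

```python
# Constructed sample: ads.txt content keyed by the publisher domain that hosts it.
ADS_TXT = {
    "example-news.test": """\
# ads.txt (constructed sample)
exchange-a.test, 1001, DIRECT, tagid0001
exchange-b.test, pub-77, RESELLER ; note=extension field
contact=adops@example-news.test
""",
}

def parse_ads_txt(text):
    """Return {(ad_system_domain, seller_account_id)} authorized by one ads.txt file."""
    sellers = set()
    for raw in text.splitlines():
        # Drop comments (#...) and extension fields (;...) before splitting.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:      # blank line, variable (contact=...), or malformed record
            continue
        if fields[2].upper() in ("DIRECT", "RESELLER"):
            sellers.add((fields[0].lower(), fields[1]))
    return sellers

def check_bid(bid, ads_txt_by_domain):
    """Classify one bid request: 'authorized', 'unauthorized', or 'no-ads-txt'."""
    text = ads_txt_by_domain.get(bid["domain"].lower())
    if text is None:
        return "no-ads-txt"
    seller = (bid["exchange"].lower(), bid["seller_id"])
    return "authorized" if seller in parse_ads_txt(text) else "unauthorized"

# Constructed bid requests; the second claims the same domain through an unlisted seller.
BIDS = [
    {"domain": "example-news.test", "exchange": "exchange-a.test", "seller_id": "1001"},
    {"domain": "example-news.test", "exchange": "exchange-c.test", "seller_id": "9999"},
    {"domain": "unknown-site.test", "exchange": "exchange-a.test", "seller_id": "1001"},
]

if __name__ == "__main__":
    for bid in BIDS:
        print(bid["domain"], bid["exchange"], check_bid(bid, ADS_TXT))
```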

Bad guys are also very good at optimizing -- i.e. maximizing profit while minimizing work or costs. In the early days they built fake websites to run ads. They bought traffic to generate pageviews and ad impressions to sell. Then they realized they could get more ad impressions per unit of bot activity by calling just the ad, without the webpage. By doing "naked ad calls" they could save time and bandwidth and therefore make even more money. More recently they have been observed just faking the bid requests. They don't even need to wait for the ad to serve and load; they can generate trillions of bid requests and flood the exchanges. Even if the good guys' algos catch most of it, even a percent of trillions of bid requests getting through yields large sums of money for the fraudster.



Sample Traffic Seller -- Low Prices, Lots of Features

To make this more concrete for you, here's an example of a traffic seller -- the features and pricing of the packages they sell. Fraudsters are engaged in simple arbitrage - “buy low, sell high.” They buy traffic from these services; as long as the traffic costs are at a lower CPM than the ad impressions they sell, they pocket the difference. They will use the more expensive traffic (more advanced bots) when they need to -- e.g. when targeting high value advertisers like pharmaceutical companies and financial institutions paying tens or hundreds of dollars on CPMs. Carefully read the features below to see what they can fake.



Residential proxies used to disguise bot traffic

In addition to generating traffic, the bots are also good at avoiding detection. They can either block the detection tags or disguise themselves. When bots block the detection tags of the large fraud verification companies, those companies can't measure them. So when a verification company reports less than 1% IVT (invalid traffic) to you, you should interpret that to mean it failed to detect anything wrong with the other 99%, not that there's only 1% fraud. A large portion of the other 99% could simply be "no detection" because the script was stripped out or blocked by the bots.

The other way bots hide is by disguising themselves. An example of this is the use of “residential proxies.” These allow the bot makers to “bounce data center traffic” through residential IP addresses to disguise it. If the traffic were obviously from Amazon data centers, it could easily be detected and blocked. By making the traffic appear to come from millions of different residential IP addresses, the fraudsters avoid getting blocked, so they can continue making money from selling fake traffic and ad impressions. In other words, this is enough to reliably defeat the detection of the most widely used fraud verification services.



So What?

Does this mean you need super advanced tech to detect the advanced bots? The answer may surprise you. No. You don't need super advanced tools to detect the bots. If we get into a technology arms race against the bad guys, they will always win. They will always have the advantage of speed (finding a workaround the moment their bots stop making money) and the advantage of not playing by the rules, any rules.

How can you defeat advanced bots without any specialized tools? Common sense, detailed data, and a bit of effort. Years ago I showed clients how to detect bots using just Google Analytics -- by getting detailed charts (hourly, not daily) -- they could see sources that sent them traffic in the overnight hours, or the exact same quantity of traffic hour after hour. That was enough for common sense to tell you it was not traffic from real human visitors. After all, most humans sleep at night, and humans cannot coordinate their behavior so that they visit your site with the exact same number of pageviews every hour.
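The hourly check described above, as an added example that is not from the original article: for each traffic source it computes the share of pageviews in the overnight hours and how much the hourly volume varies, then flags sources that are flat or night-heavy. The source names, hourly counts, the 01:00-05:59 window and both thresholds are constructed assumptions to tune against your own data.

```python
from statistics import mean, pstdev

NIGHT_HOURS = range(1, 6)   # 01:00-05:59 local time (assumed overnight window)

# Constructed sample: 24 hourly pageview counts per source, index = local hour of day.
TRAFFIC = {
    "organic-search": [40, 25, 15, 10, 10, 15, 40, 90, 150, 200, 230, 250,
                       260, 250, 240, 230, 220, 210, 200, 180, 150, 120, 90, 60],
    "referral-a.test": [500] * 24,
    "referral-b.test": [300, 400, 450, 450, 400, 300, 50, 10] + [5] * 12
                       + [10, 20, 100, 200],
}

def profile_source(hourly):
    """Return (overnight share of pageviews, coefficient of variation across hours)."""
    total = sum(hourly)
    if total == 0:
        return 0.0, 0.0
    night_share = sum(hourly[h] for h in NIGHT_HOURS) / total
    cv = pstdev(hourly) / mean(hourly)   # 0.0 means identical volume every hour
    return night_share, cv

def flag_sources(traffic, max_night_share=0.15, min_cv=0.10):
    """Return {source: [reasons]} for sources whose hourly shape does not look human."""
    flags = {}
    for source, hourly in traffic.items():
        night_share, cv = profile_source(hourly)
        reasons = []
        if cv < min_cv:
            reasons.append("flat hourly volume")
        if night_share > max_night_share:
            reasons.append("heavy overnight traffic")
        if reasons:
            flags[source] = reasons
    return flags

if __name__ == "__main__":
    for source, reasons in flag_sources(TRAFFIC).items():
        print(source, "->", ", ".join(reasons))
```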


In the slide above you see another example where common sense can tell you what's bad. If you get detailed reports from your DSP (bids that you won) and your ad server (ads that served), by domain, you can see discrepancies. Typically, for every bid you win, there's supposed to be an ad served -- a one-to-one relationship. As the slide shows, for legitimate sites, the discrepancy is small. But in some cases the discrepancy between bids won and ads served is up to 100% (no ads were even served). Remember the point above about bad guys optimizing for efficiency?
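The bids-won versus ads-served comparison described above, as an added example that is not from the original article: it joins a DSP report and an ad server report by domain and ranks domains by discrepancy. The CSV column names, domains, counts and the 20% flag threshold are constructed assumptions, not a real DSP or ad server schema.

```python
import csv
import io
from collections import Counter

# Constructed sample exports, one row per domain (a domain may appear more than once).
DSP_WINS_CSV = """domain,bids_won
news-site.test,10000
www.news-site.test,2000
recipes.test,5000
cheapclicks.test,8000
ghost-inventory.test,12000
"""
AD_SERVER_CSV = """domain,ads_served
news-site.test,11640
recipes.test,4800
cheapclicks.test,2400
"""

def load_counts(csv_text, column):
    """Sum a numeric column per domain, folding 'www.' and case variants together."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = row["domain"].strip().lower()
        if domain.startswith("www."):
            domain = domain[4:]
        totals[domain] += int(row[column])
    return totals

def discrepancy_report(wins_csv, served_csv, threshold=0.20):
    """Return (domain, bids_won, ads_served, discrepancy, flagged) rows, worst first."""
    wins = load_counts(wins_csv, "bids_won")
    served = load_counts(served_csv, "ads_served")
    rows = []
    for domain, won in wins.items():
        if won == 0:
            continue
        ads = served.get(domain, 0)   # absent from the ad server report: nothing served
        gap = round((won - ads) / won, 3)
        rows.append((domain, won, ads, gap, gap > threshold))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in discrepancy_report(DSP_WINS_CSV, AD_SERVER_CSV):
        print(row)
```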

Hopefully the above gave you a glimpse of what I've seen bad guys do to commit ad fraud and get away with it for the last 10 years. Hopefully you are also inspired to go look more closely at your own campaign reports to spot the fraud and reduce it yourself, without needing any advanced and expensive fraud detection tech (which actually doesn't catch the above). Your common sense and a little bit of effort will go a long way. If you need help, just ask me. If you want to use the tools that I use (and that I built), ask me. The article below shows you a bit more about FouAnalytics and Why It’s Hard for Bots To Avoid FouAnalytics Detection.



Tom Rathbone

VP, Product at PartnerCentric

2 years

Love your content - thank you for this. We're an agency that employs a filter in our redirect to run all traffic through and shut down the traffic that is ad fraud (we're not a programmatic shop, though). I'd love to get your feedback on what may not be working in that setup in the way we feel it is.

Catherine Héroux

Communications experience strategist // Seasoned communicator and strategist. EN-to-FR and FR-to-EN creative adaptation. Word nerd. Francophone in Toronto.

2 years

FYI Ryan Tyler Thomas Anne Cayer

Thanks for this Dr. Augustine Fou - Ad Fraud Researcher looking forward to regrouping next week from all at AdWatch UK
