SPECIAL REPORT: Ad Fraud And The Anatomy Of A Botnet


The hallowed halls of online advertising are no longer safe. The topic of ad fraud has recently forced its way into the spotlight, even though the practice has been around for decades. Click fraud, pixel-jacking and the rise of botnet traffic, coupled with the industry’s lack of ad viewability, make ad fraud a topic fraught with controversy, and it has been this way ever since the rise of unsavory affiliate marketing programs when the online ad industry first exploded on the scene in the 1990s.

Last week, The Wall Street Journal reported on the unprecedented rise of botnets, the hacking and virtual linking of rogue computers to conduct wide-scale Internet attacks and ad fraud from remote locations. Over the last several months, Microsoft investigators have been monitoring online ad fraud activity and launched a plan to cut off communication to a European-based botnet called ZeroAccess, a zombie computer network that combines the power of over 2 million hijacked computers to fraudulently bill close to $2.7 million a month from online advertisers.

In the case of ZeroAccess, hackers build websites and direct hijacked computers to them, giving the appearance of real Internet traffic. Advertisers, lured by the high volumes of traffic, pay a premium to show their ads on the fraudulent site, where there is no real audience. ZeroAccess represents a huge breach for the ad industry, using each of its nearly 2 million bots to click on as many as 48 ads per hour.

Ad fraud has been around for a while — so why hasn’t the industry done much about it?

The answer could lie in the fact that agencies and publishers have been making tons of cash by not addressing the issue. It’s much like the use of performance-enhancing drugs in baseball: If everyone disavowed bad behavior, statistics — and paydays — would go down, but at least it would be a level playing field. It’s the fear that competitors are gaining an unfair advantage that drives others to follow suit.

“The lack of incentive [to stop fraudulent traffic] is quite strong across the entire ecosystem,” said John Battelle, founder and chairman, Federated Media and co-chair of the Internet Advertising Bureau (IAB) Traffic of Good Intent task force. “Buyers have privately said to me they know there’s a lot of fraud, but if they cut that traffic out, their campaign performance goes down.”

As a first step to combat fraud, last week the IAB finally issued a set of best practices for reducing traffic fraud intended to help ad buyers, publishers and the like to avoid non-human traffic.

“When only a handful of companies act to reduce fraud, the criminals win. We need to band together to effectively put a stop to the destruction of our industry at the hands of racketeers,” stated Battelle. “Even the most scrupulous publishers and networks can be hit with non-intentional traffic propagated by criminals. If we want to truly address the problem, it is incumbent upon all stakeholders to embrace uniform levels of vigilance.”

Earlier this year, advertising’s first botnet, Chameleon, hijacked more than 120,000 computers to flood websites with fake traffic, costing online advertisers an estimated $6 million per month by tricking brands into paying for bogus traffic. The Chameleon botnet, discovered by Spider.io, mimics human web activity, clicking on ads at an average rate of 0.02% and inflating the prices of online advertising and impressions. Armed with just a computer and a beef to settle, hackers now have the ability to take down multi-million dollar corporations with just a few keystrokes and the click of a mouse.

Botnet Origins: Same Playbook, Higher Stakes

For those of us who are old enough to remember the world’s first Denial of Service (DoS) attack (Mafiaboy), the idea of targeting e-commerce sites like Amazon.com and eBay.com may seem like nothing new. In 2000, these types of attacks crippled Internet commerce, with the U.S. Federal Bureau of Investigation (FBI) estimating $1.7 billion in damage to those affected sites.

Fast forward to 2013. As Adweek first reported, intelligent advertising software company RadiumOne verified over 1,000 distinct domains used for botnets or “pixel-jacking,” a term used to describe the act of rogues hacking browser pixels that marketers use, in order to drive fraudulent ad traffic and inflate ad impressions and prices. Pixel-jacking is the introduction of malicious code to a computer that hijacks consumer web browsers at scale, pushing fake Internet traffic through that identity from a botnet. At the time of the article, the firm estimated the existence of over 10,000 such sites across the web, relating to a potential fraud spend of $324 million each year, about 5.4% of all display ad spend. This type of fraudulent traffic raises ad prices, poses a threat to consumer privacy and wreaks havoc on advertisers and agencies that rely on accurate ad data to run their businesses.

In the past decade, the mechanisms and concepts behind hacker attacks haven’t varied wildly from their DoS brethren. However, the leveraging of industry-created technologies like tracking pixels and cookies to turn the damage back on the advertising industry is unique. The complexity, frequency and scope of hacking attacks have increased exponentially as business and technology collide in the digital age. With a virtually unlimited supply of online ads to choose from, hackers have the potential to inflict greater losses on specific brands as well as on the industry as a whole, driving up the cost of display advertising.

It has been just over a decade since the industry’s first “Denial of Service” attacks were recorded. While different, could it be that the concepts behind today’s ad fraud were inspired by the malicious code from DoS? A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services. Botnets seem like a natural evolution of preventing users’ access to a specific online source, often leading to the halting of everyday activities.

The good news is, there are ways of preventing these forms of attacks. Recently, the advertising industry has been addressing the issue, and with the new IAB ad fraud taskforce, is searching for new ways to address this drastic rise in ad fraud and associated privacy threats. With the alarming progression of computer hacking and virus creation, consumers and the advertising industry at large must understand the potential exposure, and arm themselves with actionable steps to combat impression fraud.

But if history is any indication, these recent news reports presage the evolution of highly specialized computer hacks yet to come.

Richard L. Tso  

Categories: Digital Advertising

