Bot Network's $6 Million Monthly Take From Online Advertisers
Photograph by Daniel Schoenen
A London analytics firm says it has identified a bot network that is tricking marketers into showing billions of ads every month to phantom visitors. The botnet reportedly relies on more than 120,000 infected Windows computers located in the U.S.
The findings were announced on Tuesday by Spider.io, a firm that specializes in detecting abnormal internet traffic. Spider says it has identified at least 202 websites at which the vast majority of visitors are bots, rather than normal human visitors, and that every major brand engaged in automated ad buying has been paying to show ads to the bots. A visit to one of the affected sites on Tuesday morning showed ads from brands such as Crest (PG) and Bank of America (BAC).
Bot networks, which are collections of virus-infected computers controlled from afar, are not new and have long been used by hackers for malicious activities such as password theft or espionage. Spider says this is the first time a bot network has been deployed specifically to target display ads for which unwitting companies have paid.
Working with media technology companies, including Boston-based DataXu, Spider studied traffic patterns and ad activity at numerous websites. Spider, DataXu, and ad industry executives from two companies who did not want to be named explained the motives and tactics of the botnet.
The world of “ad tech,” in which companies use automated platforms to buy and sell ads in real time, is highly complex. It involves massive online exchanges in which publishers invite marketers to bid on their Web real estate. The publishers—and various middlemen—get paid whenever an ad is seen or, in some cases, clicked upon.
While the exchanges create a more efficient market, they also make it easier for dishonest participants to enter the ad stream. Since marketers buy millions or billions of ad impressions at a time, it can be hard to verify if the ads appear before real people or in front of bots. As described in a Tuesday AdWeek piece, the ad exchange economy has given rise to “ghost sites” that appear to be normal websites but that may actually be vectors for fraudulent traffic.
According to an ad executive familiar with the Spider investigation, the 202 “ghost sites” it uncovered include ones that sound like everyday health or consumer sites, like onlinesportskit.com and superstar-gossip.com; many of the sites, which contain a smattering of bare bones news stories, are owned by an ad network (a service that federates ad sales) called AlphaBird. The executive added that, in some cases, site owners may be unaware of the suspicious activities on the site but that they would at least be aware of the surge in traffic. (We’ve asked AlphaBird for comment and will update when the company responds.)
So how, precisely, do the bots make money? According to the executive, the scheme is likely based around “re-targeted” ads, which are display ads that show up based on sites a user has visited already. For instance, a department store’s website may place a cookie on a user’s browser in order to show an ad for a sale when the user later visits an unrelated travel site. In the case of the botnet, a bot will first visit the store site in order to trick the store into paying for an ad when the bot proceeds to visit a ghost site.
A Tuesday morning visit to superstar-gossip.com, one of the sites associated with this bot network, showed ads from major brands such as Crest, Bank of America, and the City of New York. Here is a screenshot of the ads next to one of the site’s generic celebrity stories (I’ve added arrows pointing to some of the brands paying to be on the site):
[image 1 attached]
In this case, the brands paid to show the ads to a real target—me. According to Spider, the ads are being shown to bots most of the time. Advertisers are paying for that.
In its article describing the botnet, Spider says it has been observing anomalous traffic patterns since December. It says the individual bots that make up the network act like real Internet users—but that together, they look suspicious: Despite the sophistication of each individual bot at the micro level, the traffic generated by the botnet in aggregate is highly homogenous. All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation.
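The aggregate homogeneity described above can be measured directly from visit logs. The following is an added example, not Spider.io's method or code: it scores each site by the entropy of its visitors' user-agent strings and by how similar those visitors' browsing sets are. The visit records, the `.example` domains and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

# Constructed sample visits: (client_id, site, user_agent). Not real traffic.
VISITS = (
    [(f"bot{i}", site, IE9_WIN7) for i in range(6)
     for site in ("ghost-a.example", "ghost-b.example", "store.example")]
    + [("h1", "news.example", "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0"),
       ("h2", "news.example", "Mozilla/5.0 (Macintosh) Safari/536.26"),
       ("h3", "news.example", IE9_WIN7),
       ("h4", "news.example", "Mozilla/5.0 (X11; Linux) Firefox/19.0"),
       ("h1", "store.example", "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0"),
       ("h3", "ghost-a.example", IE9_WIN7)]
)

def ua_entropy(agents):
    """Shannon entropy in bits of a site's user-agent distribution."""
    total = len(agents)
    return -sum(c / total * math.log2(c / total) for c in Counter(agents).values())

def mean_jaccard(site_sets):
    """Average pairwise Jaccard similarity of visitors' browsing sets."""
    pairs = list(combinations(site_sets, 2))
    if not pairs:
        return 0.0
    return sum(len(a & b) / len(a | b) for a, b in pairs) / len(pairs)

def score_sites(visits, max_entropy=0.5, min_overlap=0.7, min_visitors=5):
    """Return {site: (ua_entropy, browsing_overlap, suspicious)}.
    Thresholds are illustrative assumptions, not values from the article."""
    agents_by_site = defaultdict(list)
    clients_by_site = defaultdict(set)
    sites_by_client = defaultdict(set)
    for client, site, agent in visits:
        agents_by_site[site].append(agent)
        clients_by_site[site].add(client)
        sites_by_client[client].add(site)
    report = {}
    for site, agents in agents_by_site.items():
        clients = clients_by_site[site]
        entropy = ua_entropy(agents)
        overlap = mean_jaccard([sites_by_client[c] for c in clients])
        suspicious = (len(clients) >= min_visitors
                      and entropy <= max_entropy and overlap >= min_overlap)
        report[site] = (round(entropy, 3), round(overlap, 3), suspicious)
    return report
```

On the constructed data, the two ghost sites are flagged because nearly every visitor reports the same browser and visits the same sites, while the store that the bots pass through stays below the threshold because a single differing visitor raises its entropy.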
Spider, which compared the botnet it found to large-scale botnets that Microsoft (MSFT) took down in February, also has created infographics that compare regular traffic and bot traffic side-by-side. The upper slide shows the botnet’s clicks (at left) and mouse movements (at right); their distribution is unnaturally uniform, unlike the real human click-and-mouse activities in the slides below.
[image 2 and 3 attached]
Spider said the “click-through” rate for ads on the 202 sites was 0.02 percent, which is a normal figure for the ad industry; it said the low click-through rate appears intended to avoid drawing attention to the scam.
Christian Carrillo, vice president of innovation at DataXu, says his company supplied ad data for Spider’s investigation because it wants to help “purify the value chain” of online advertising. “The industry will benefit from efforts by companies like Spider, but this is a longtime process,” he says. He also equates problems in online ad exchanges with earlier efforts to clean up desktop viruses, a process that took years.