• by Kevin Lyons , February 4, 2014

A “bot” is a piece of software designed to automatically and repeatedly perform tasks that are impossible or overly tedious for a human being. There are “good,” well-behaved bots such as Googlebot, that collects all of the information that makes Google searches possible. And there are “bad” bots that try to hide their identities, some in very sophisticated fashions, to advance activities such as click fraud, impression fraud, and false retargeting. In these cases, the bots are trying to appear and be counted as human for illicit gains.

While the digital advertising industry has been on an onward trajectory, and spending is at a high, upwards of 20% to 30% of all online ads are affected by suspicious activity by cybercriminals. 

According to Spider.io, a single botnet dubbed “Chameleon” generates up to $6.2 million per month of fraudulent revenue through bogus ad impression inventory, having infected over 120,000 computers. 

Last year, SophosLabs researchers published atechnical paper about ZeroAccess, a botnet that had managed to infect, over its lifespan, 9 million PCs around the world.  According to the report, it is now actively infecting 1 million computers mostly based in the United States. Sophos estimated at the time ZeroAccess was making almost $3 million USD per month.

At the core of the problem is the fact that fraud is prevalent in the industry and can be easy to commit. It is one of the biggest threats to our digital media ecosystem today, and it affects as many reputable sites as lower quality ones; and malicious bots can wreak havoc.  

What’s troubling is that there seems to be a lethargic search for solutions to the fraud issue. In many cases stakeholders choose to simply ignore fraudulent activity. Why? The reality is that fraud actually creates the appearance of a higher-performing campaign.

This lethargy is also troubling because, in general, bots are often relatively easy to find.  They are in ad exchanges, ad tech middlemen and real-time bidding (RTB) software. 

Botnets can create fake ad inventory. They can also take down a competitor’s website through a Distributed Denial of Service Attack (DDoS), create impression fraud, false retargeting and spam. This can be done for as little as hundreds of dollars per day. 

The harsh reality is, as many as 22% of all clicks are illegitimate.  As this piece notes, it seems likely that at least some publishers know exactly what’s going on and are prospering from the revenue. 

Agencies, brand marketers and publishers, the time to act is yesterday. Fortunately, there are many industry leaders that share my sentiments. 

The Interactive Advertising Bureau (IAB) has created the Traffic of Good Intent Task Force with the mission “to identify, understand and raise awareness of the issue of non-intentional traffic.” It also has the IAB/ABCe International Spiders & Bots List, though lists such as these can actually do more harm than good as blacklists can signal cybercriminals to change their approach.

Few companies can fix the problem all on their own, but if we all play our small parts, change can happen. How?  Learn as much as you can. Part ways with publishers who are perpetuating or ignoring the issue.  Be aware of traffic patterns and activity that looks “off,” and investigate them proactively. 

Unfortunately, cybercriminals are becoming ever more sophisticated themselves, programming their bots to behave more and more like human beings. Common techniques includes “jitter,” which introduces random inter-click time delays as well as taking into account the geographical location of the bot, ramping up click-fraud during peak Internet usage times. 

So, it’s a cat and mouse game that requires constant vigilance and investment. Fraud should not be considered business as usual. We need to band together to do something about it. The first step is raising awareness among our industry. Wouldn’t you agree?