By Kostiantyn Novofastovskyi

Year after year, a big part of internet traffic is generated by bots, not people. Bots intrude not only by means of active development of real-time personalization systems and the internet of things, but also by means of avalanche-like growth of possible fraud in networks.

Today, the majority of advertisers want to pay not for ad impressions, but for clicks, conversions and revenue share. That has led advertising fraudsters to complicate the mechanics in order not to reduce their revenue. Here are the most common methods of fraud affecting various advertising key performance indicators.

Fraudulent ad impressions

Fraudulent ad impressions are oldest method of fraud, but the game has received an upgrade with the development of video advertising and real-time bidding technologies. It is usually carried out by means of attracting casual users, who must install special software on their PCs. The software penetrates the tasks server and uploads a web page in the compromised browser with needed geo-targeting and ad- or video-blocking. After a predetermined time that is unique for each ad message, a banner is uploaded in the user’s software. The user gets a little cash back from the ad site for watching every ad. Sometimes botnet malware is installed with the original download, and all the actions are performed behind the back of the user without paying him.

It is also worth pointing out that fraudsters sometimes employ one-pixel banner impressions and other tricks visitors can’t see.

To commit RTB-impression fraud, ad views are generated by virtual private server systems with an installed browser emulator. The scheme relies on interaction between the emulator and fake websites loaded with codes from popular RTB marketplaces to convince networks ad views actually occurred.

Such fraud is traced by systematic analysis of click-through ratios for each ad, comparing claimed views to what might be expected as “normal.” A variety of factors should be part of the analysis, including where the ad impression was made, whether the page is uploaded in iFrame, how many mouse clicks occurred and whether the alleged user scrolled through the page, plus a few more complicated mechanics.

Click fraud

Click fraud must be divided into two big blocks: programmed botnets and “misclicks.” As with impression fraud, the goal of botnets is not to earn while not running too high a click-through rate. Many botnets perfectly emulate the behavior of legitimate visitors and are identified only by abnormal activity compared to what might be expected from the geographical region or at a particular time of day.

Botnet click fraud is aimed primarily at ad sites, sometimes by a competitor or other buyers trying to reduce the target’s return on investment to the level of unprofitability by driving the offer out of the market. Currently, the largest percentage of click fraud is facilitated by so-called “comparative intelligence services” like AdPlexity that spy on the analytics of new creatives.

Misclicks work by surreptitiously forcing a user to click a link he didn’t intend to click. Sites may place misclick targets above the elements of website navigation, or, for example, above a video player. The idea is to place the click target in such a way that users click it accidentally while attempting to click something else. Fraudsters sometimes only show the misclick target to portions of the audience, like users who have been on the website for a certain period of time or users who perform certain “trigger” actions.

Click fraud is detected by comparing the total number of visitors with the number of visitors who have been waiting for website elements like JavaScript or images to download. Evercookies and e-fingerprints also help to identify multiple visits by a single user for comparative analysis.

Programmed botnets often make mistakes when unforeseen details arise. That’s why tracking all possible JavaScript events for comparison with traffic from trusted source is a good idea.

Conversion fraud

Most conversion fraud is accomplished manually and calculated by detailed analysis of conversions sent by a webmaster affiliate. Often, fraudulent conversions come from different IP addresses, browsers and cookies, but all actually reside on the same device. Evercookies help in identifying the trick.

Revenue share fraud

Revenue share fraud usually involves “cookie stuffing,” particularly iFrame cookie stuffing and toolbar cookie stuffing. In the iFrame method, affiliates “steal” a page’s audience by automatically overwriting cookies with their own referral link. Affiliate revenue for subsequent purchases or rebills by those end-users goes to the cookie stuffer.

In the case of toolbar cookie stuffing, an unwanted toolbar is installed in an end-user’s browser, often as malware attached to an app download (although “drive-by” installations also are possible in unpatched browsers). The toolbar automatically substitutes the cookie stuffer’s affiliate links for legitimate affiliate links on sites with which the fraudster has an affiliate relationship.

To prevent cookie stuffing, monitor iFrame sources and sizes. Also, track referral click-throughs inside sessions to determine whether they are organic or from a paid source.

Advertising fraud may be analyzed and stopped using trackers, web analytics systems, log analyzers and custom JavaScript codes. Specialized services als can help users identify and prevent potential fraud.

The analysis and stopping the fraud may be carried out individually, using the trackers, web analytics systems, log analyzers and additionally written javascript-codes. There are also the specialized services, that help the users by identification and prevention of possible fraud. One of these services I work in is ScroogeFrog.com.

Kostiantyn Nofofastovskyi is the chief technology officer for ScroogeFrog.com, a traffic auditing system designed to detect ineffective traffic sources and ineffective keywords, in addition to preventing malicious adware and click fraud.

Image © Redbaron.