SPECIAL REPORT: Ad Fraud and the Anatomy of a Botnet


ADOTAS – The hallowed halls of online advertising are no longer safe. The topic of ad fraud has recently forced its way into the spotlight, even though its nefarious practice has been around for decades. Click fraud, pixel-jacking and the rise of botnet traffic, coupled with the industry’s lack of ad viewability, make ad fraud a topic fraught with controversy, and it’s been this way ever since the rise of unsavory affiliate marketing programs when the online ad industry first exploded on the scene in the 1990s.

Last week, The Wall Street Journal reported on the unprecedented rise of botnets, the hacking and virtual linking of rogue computers to conduct wide-scale Internet attacks and ad fraud from remote locations. Over the last several months, Microsoft investigators have been monitoring online ad fraud activity and launched a plan to cut off communication to a European-based botnet called ZeroAccess, a zombie computer network that combines the power of over 2 million hijacked computers to fraudulently bill close to $2.7 million a month from online advertisers.

In the case of ZeroAccess, hackers build websites and direct hijacked computers to them, giving the appearance of real Internet traffic. Advertisers are lured by the high volumes of traffic and pay a premium to show their ads on the fraudulent site, where there really is no real audience. ZeroAccess represents a huge breach for the ad industry, using each of its nearly 2 million bots to click on as many as 48 ads per hour.

Ad fraud has been around for a while — so why hasn’t the industry done much about it?

The answer could lie in the fact that agencies and publishers have been making tons of cash by not addressing the issue. It’s much like the use of performance-enhancing drugs in baseball: If everyone disavowed bad behavior, statistics — and paydays — would go down, but at least it would be a level playing field. It’s the fear that competitors are gaining an unfair advantage that drives others to follow suit.

“The lack of incentive [to stop fraudulent traffic] is quite strong across the entire ecosystem,” said John Battelle, founder and chairman, Federated Media and co-chair of the Internet Advertising Bureau (IAB) Traffic of Good Intent task force. “Buyers have privately said to me they know there’s a lot of fraud, but if they cut that traffic out, their campaign performance goes down.”

As a first step to combat fraud, last week the IAB finally issued a set of best practices for reducing traffic fraud intended to help ad buyers, publishers and the like to avoid non-human traffic.

“When only a handful of companies act to reduce fraud, the criminals win. We need to band together to effectively put a stop to the destruction of our industry at the hands of racketeers,” stated Battelle. “Even the most scrupulous publishers and networks can be hit with non-intentional traffic propagated by criminals. If we want to truly address the problem, it is incumbent upon all stakeholders to embrace uniform levels of vigilance.”

Earlier this year, advertising’s first botnet, Chameleon, hijacked more than 120,000 computers to flood websites with fake traffic, costing online advertisers an estimated $6 million per month by tricking brands into paying for bogus traffic. The Chameleon botnet was discovered by Spider.io and mimics human web activity, clicking on ads at an average rate of 0.02%, inflating the prices of online advertising and impressions. Armed with just a computer and a beef to settle, hackers now have the ability to take down multi-million dollar corporations with just a few keystrokes and the click of a mouse.

Botnet Origins: Same Playbook, Higher Stakes

For those of us who are old enough to remember the world’s first Denial of Service (DoS) attack (Mafiaboy), the idea of targeting e-commerce sites like Amazon.com and eBay.com may seem like nothing new. In 2000, these types of attacks crippled Internet commerce, with the U.S. Federal Bureau of Investigation (FBI) estimating $1.7 billion in damage to those affected sites.

Fast forward to 2013. As Adweek first reported, intelligent advertising software company RadiumOne verified over 1,000 distinct domains used for botnets or “pixel-jacking,” a term used to describe the act of rogues hacking browser pixels that marketers use to drive fraudulent ad traffic to inflate ad impressions and prices. Pixel-jacking is the introduction of malicious code to a computer that hijacks consumer web browsers at scale, pushing fake Internet traffic through that identity from a botnet. At the time of the articles, the firm estimated the existence of over 10,000 such sites across the web, relating to a potential fraud spend of $324 million each year, about 5.4% of all display ad spend. This type of fraudulent traffic raises ad prices, poses a threat to consumer privacy and wreaks havoc on advertisers and agencies that rely on accurate ad data to run their businesses.

In the past decade, the mechanisms and concepts behind hacker attacks haven’t varied wildly from their DoS brethren. However, the leveraging of industry-created technologies like tracking pixels and cookies to inflict damage back on the advertising industry itself is unique. The complexity, frequency and scope of hacking attacks have increased exponentially as both business and technology collide in the digital age. With a virtually unlimited supply of online ads to choose from, hackers have the potential to inflict greater losses for specific brands as well as the industry as a whole, driving up the cost of display advertising.

It has been just over a decade since the industry’s first “Denial of Service” attacks were recorded. While different, could it be that the same concepts for today’s ad fraud were inspired by the malicious code from DoS? There are two general forms of DoS attacks: those that crash services and those that flood services. Botnets seem like a natural evolution of preventing users’ access to a specific online source, often leading to halting everyday activities. A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

The good news is, there are ways of preventing these forms of attacks. Recently, the advertising industry has been addressing the issue, and with the new IAB ad fraud taskforce, is searching for new ways to address this drastic rise in ad fraud and associated privacy threats. With the alarming progression of computer hacking and virus creation, consumers and the advertising industry at large must understand the potential exposure, and arm themselves with actionable steps to combat impression fraud.

But if history is any indication, these recent news reports presage the evolution of highly specialized computer hacks yet to come.


  1. Richard, I (and my company) have been on this scene for years. We performed the initial click-fraud head-hunting for Yahoo 8 years ago. I should point out that it is the continued development and use of technology, and the growing dependency on technology, that continue to provide opportunities to sleaze and fraudsters. I’m not sure you realize, your article does not point out, that much of this “fraud” is MUCH more complicated than you articulate. Also, keep in mind that much of the problem is more “non-performing” traffic than “illegal”, as many of the bad guys are simply “pushing the envelope”. I’m happy to elaborate. Dick

  2. Hi Richard, I have been researching ad fraud from a technical perspective as well. The recent dramatic rise in various forms of ad fraud is due to the increased use of ad networks and exchanges. As we move from dozens of sites carrying ads to hundreds of thousands of sites carrying ads, it is easy to understand how brands and their media agencies are probably not looking through ALL the data — to see where the fraud is coming from. So it has made it easier and easier for bad guys to sell “ad inventory” into the system, to the point that large unsuspecting buyers are now also subject to the fraud.

