Fraud has always been one of the biggest pain points of the $81 billion advertising industry, with up to 20% of all ad traffic attributed to malicious parties and fraudulent bots. With this in mind, when we released the AdEx platform to everyone in February, we knew there would be some attempts to “outplay” the system, and we managed to mitigate many fraudulent attempts on the network. We decided to describe some of the most common types based on our experience in the past two months — this might be useful for everyone working on their own project or just curious about ad fraud.
Bot traffic is the non-human traffic to websites or apps. While the idea of bot traffic generally sounds like something bad, not all bots are created equal. Some bots are essential for the web, like the crawlers of search engines and apps like Siri and Alexa, and traffic from such bots is significant.
However, bad bots are also common — they either scrape websites of competitors or generate fake traffic to increase profits on ad networks. The concept is simple: implement an automated bot that browses your website, with the intent of increasing impression numbers on ads on that website. This is most often done through the so-called “headless browsers”, which are web browsers without a graphical user interface, designed specifically with automation in mind. Fundamentally, bot traffic may look very similar to human traffic, but there are some common heuristics used for detection of bot traffic:
- Abnormalities. Generally all spikes on an ad network should be viewed with suspicion. If the pageviews on a webpage or ads significantly jump all of a sudden, or traffic from a particular location explodes, this is a good indication of possible bot activity. It’s not always that simple, but the important thing is to watch for abnormal patterns.
- Quality. Bots can generate impressions, but their traffic is of low quality. A huge bounce rate or abnormally short session durations (everything below 10–15 seconds) mean bad traffic in any case, and most probably bots. Note that unusually long session durations are also a possible indicator of fraudulent traffic.
- Fake conversions. If the conversion goal of an ad campaign is e.g. registrations on an app and all of a sudden all registered users use gibberish names or disposable email addresses, this is perhaps ad fraud targeting CPA models.
At AdEx we have developed internal mechanisms to detect possible indicators of bot traffic early on and this should be a mandatory precaution for every new ad network.
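The three heuristics above combined into one per-publisher check, as an added example; it is not AdEx's internal detection code. The thresholds, field names, disposable-domain list and sample data are assumptions made for illustration.

```python
from statistics import median

# All thresholds are illustrative assumptions; only the 10-second floor comes
# from the "below 10-15 seconds" rule of thumb in the text.
MIN_SESSION_S = 10
MAX_SESSION_S = 4 * 3600      # unusually long sessions are suspicious too
SPIKE_FACTOR = 5              # an hour is a spike at 5x the median hour
BAD_SHARE = 0.5               # flag when over half of the sample is bad
DISPOSABLE = {"mailinator.com", "guerrillamail.com"}  # sample list only

def spike_hours(hourly):
    """Indexes of hours whose impression count exceeds SPIKE_FACTOR x median."""
    base = median(hourly) if hourly else 0
    return [h for h, n in enumerate(hourly) if base and n > SPIKE_FACTOR * base]

def odd_duration_share(durations):
    """Fraction of sessions that are implausibly short or implausibly long."""
    odd = [d for d in durations if d < MIN_SESSION_S or d > MAX_SESSION_S]
    return len(odd) / len(durations) if durations else 0.0

def disposable_share(emails):
    """Fraction of sign-ups whose address uses a known disposable domain."""
    hits = [e for e in emails if e.rsplit("@", 1)[-1].lower() in DISPOSABLE]
    return len(hits) / len(emails) if emails else 0.0

def assess(site):
    """Return the list of heuristics that a publisher's traffic sample trips."""
    flags = []
    if spike_hours(site["hourly_impressions"]):
        flags.append("abnormal_spike")
    if odd_duration_share(site["session_seconds"]) > BAD_SHARE:
        flags.append("low_quality_sessions")
    if disposable_share(site["signup_emails"]) > BAD_SHARE:
        flags.append("fake_conversions")
    return flags

# Constructed sample data, not real traffic.
CLEAN = {"hourly_impressions": [40, 52, 47, 61, 55, 49],
         "session_seconds": [35, 120, 8, 64, 300, 95],
         "signup_emails": ["ana@example.org", "li@example.net"]}
SUSPECT = {"hourly_impressions": [40, 52, 47, 900, 55, 49],
           "session_seconds": [2, 3, 1, 4, 90, 2],
           "signup_emails": ["xkqj@mailinator.com", "zzpw@guerrillamail.com",
                             "bo@example.org"]}

if __name__ == "__main__":
    for name, site in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, assess(site))
```

Each flag is a reason to review a publisher, not proof of fraud; a single short session in the clean sample does not trip the check because the rule looks at the share of the whole sample.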
There are well over 1 billion sites on the World Wide Web and thousands of website domains expire every day. Some of these domains, however, belong to websites that generate some traffic (some of them — significant traffic). They have built good external links or appear on search engines or something else. The so-called “traffic miners” automatically buy/release servers from hosting providers until they end up in possession of a server with an IP that used to belong to a website that’s no longer live but still receives traffic. They then redirect this traffic to their websites and boost their ad profits. To prevent this, we analyse user engagement and don’t count impressions from users who close the website right after arriving on it.
Autosurfing is a concept that dates back to 2001 and, surprisingly, it is still alive. Back then, marketers came up with traffic surfing as a way to promote websites. Autosurfing operates via traffic exchanges that automatically rotate advertised websites in one’s web browser. Users who own the browsers either receive small payments for “viewing” the ads or free credits to promote their own websites on the exchanges (the original 2001 concept). Nowadays these schemes are also known as paid-to-surf or paid-to-click (PTC). Unfortunately, this traffic is very tough to distinguish from normal traffic, since it’s essentially real human traffic. What makes it fraudulent is that those users are not on your website because they’re interested, but because they’re paid to be, meaning that it’s very unlikely that your ads will convert/engage this audience. We strictly forbid this in our ToS, and suspend any publishers who are doing it. Traffic exchanges occasionally fall into the same category, by providing extremely low quality (unengaged) traffic.
Of course, ad injections also appear on new ad networks. Some families of malware would inject ads at random websites that the user visits. Ad injections were a huge source of ad fraud in the past, but ads.txt and domain verification solved it for most of the cases. For example, we only show ads if the publisher has verified ownership of the given website.
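How an ads.txt check rejects inventory from a seller the site owner never listed, as an added example; it is not AdEx code, and AdEx's own control is the domain verification mentioned above. The publisher, ad systems and account IDs are constructed placeholders.

```python
def parse_ads_txt(text):
    """Return the set of (ad_system, account_id, relationship) records."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "=" in fields[0]:
            continue                             # blank, variable or malformed
        system, account, relation = fields[0].lower(), fields[1], fields[2].upper()
        if system and account and relation in ("DIRECT", "RESELLER"):
            records.add((system, account, relation))
    return records


def seller_authorized(records, ad_system, account_id):
    """True if the publisher's file lists this seller account on this system."""
    return any(s == ad_system.lower() and a == account_id
               for s, a, _ in records)


# Constructed ads.txt for a hypothetical publisher; all names are placeholders.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example
contact=adops@publisher.example
adnetwork.example, pub-1001, DIRECT, abc123   # own account
exchange.example, 77812, reseller
broken line without enough fields
"""

RECORDS = parse_ads_txt(SAMPLE_ADS_TXT)

if __name__ == "__main__":
    # Inventory offered through an account the site never listed fails the check.
    for system, account in (("adnetwork.example", "pub-1001"),
                            ("Exchange.example", "77812"),
                            ("adnetwork.example", "pub-6666")):
        ok = seller_authorized(RECORDS, system, account)
        print(f"{system} / {account}: {'authorized' if ok else 'NOT listed'}")
```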
The cat-and-mouse game in advertising is inevitable and never ending. Fraudsters will fraud, and the industry has to unite its efforts against them. We will be sharing our experience with ad fraud and encourage you to share your findings on the topic with us.
Fundamentally, AdEx is in a unique position to protect against fraud: because there are no intermediaries, the validator operators (currently mainly us) have a fully transparent view of the traffic of their campaigns and can quickly identify and prevent ad fraud.