Click here to view original web page at www.forbes.com

Over the years many have wondered “who makes the bots?” and “how do they make money?” There’s a small handful of expert bot makers that maintain vast botnets. These botnets can be used for various purposes — for example, DDoS (distributed denial of service) attacks which overwhelm websites or infrastructure with so much traffic that they fail. But DDoS attacks are usually associated with extortion attempts — i.e. “if you don’t pay up, we will take down your site.” These may be lucrative, but only if the victims pay up. And further, there are better DDoS prevention tools now that detect and stop such attacks.

[Figure: famous botnets timeline chart. Credit: Augustine Fou]

In this slide of famous botnets, note the color coding. As you read further to the right, more and more of the botnets are colored green — the color of money — because they are used for ad fraud, the highest margin, most profitable use of botnets [1]. Pointing the firehose of bot traffic at websites that use programmatic ad tech to carry digital ads means these bots could tap the nearly $400 billion in global digital budgets, every year. It’s a veritable oil well that is gushing green gold, instead of “black gold” that you still have to transport, store, and then sell. Digital ad fraud pays out directly in green money.

[Figure: ad fraud in 4 buckets of digital spend. Credit: Augustine Fou]

Bots go where the green money is

According to the IAB, there are four main buckets of digital ad spend: 1) CPM - cost per thousand impressions (like banner ads), 2) CPC - cost per click (like paid search ads), 3) CPL - cost per lead, and 4) CPA - cost per acquisition (like affiliate marketing). The first two buckets CPM and CPC account for 92% of digital ad spend. So the vast majority of bot activity is focused on stealing money from these two buckets. And these happen to be the easiest too — in CPM fraud, all the bots have to do is generate the ad impressions, by the trillions, to get paid. In CPC fraud, the bots generate the ads and they click on them, because they have to click, in order to get paid. The bots will do exactly the thing they need to get paid, nothing more.

Also, why do big mainstream publishers’ sites have far less bot activity? Right, bots can’t make money by causing ads to load on good publishers’ sites, that don’t pay for traffic. Bots go to sites that pay them for the traffic. Otherwise, it’s a waste of the bots’ time. Small sites in programmatic exchanges, which have low to no human visitors, buy traffic so they can make more ad revenue. When they “buy traffic” that traffic is not from a bunch of humans who have nothing to do. Besides, how would you get a bunch of humans to come to a specific set of sites in large quantities when you need them to? You can’t. But it’s trivial for bots. You just send one command to the botnet to visit a list of sites, a specific number of times. Bots are reliable this way too. Waiting on humans to visit your site is not a reliable way to make money.

[Figure: digital ad CPM benchmarks 2020. Credit: Augustine Fou]

Bots get more efficient at money making

Over the years, bots have become even more efficient at what they do - make money. For example, instead of loading the entire webpage with ads on it, they call just the ad units themselves, to save time and bandwidth. This is called “naked ad calls” [2] and it allows the bots to generate even more ad impressions per unit of time. Bots also flock to higher CPM forms of digital ads — like CTV — which have CPMs that are often 10X higher than display ads. As recent trends have shown, generating fake CTV ads is a favorite activity of these bots.
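One way to look for naked ad calls in your own logs, as an added example that is not from the original article: count, per client, the ad-unit requests that have no recent page load behind them. The log layout, the client names, the 30-second window and both thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample log rows: (epoch seconds, client id, kind, page URL).
# "page" = HTML page load; "ad" = ad-unit request declaring that page.
LOG = [
    (100, "human-1", "page", "https://site.example/news"),
    (101, "human-1", "ad", "https://site.example/news"),
    (102, "human-1", "ad", "https://site.example/news"),
    (160, "human-1", "page", "https://site.example/sports"),
    (161, "human-1", "ad", "https://site.example/sports"),
    (200, "human-2", "page", "https://site.example/news"),
    (201, "human-2", "ad", "https://site.example/news"),
    (290, "human-2", "ad", "https://site.example/news"),  # late ad refresh
] + [(300 + i, "client-7", "ad", "https://site.example/news") for i in range(8)]

WINDOW = 30        # assumed: an ad call should follow its page load within 30 s
MIN_CALLS = 5      # assumed: ignore clients with too few ad calls to judge
NAKED_RATIO = 0.8  # assumed: flag when this share of ad calls has no page load


def naked_ad_stats(log, window=WINDOW):
    """Return {client: (ad_calls, naked_calls)} for the given log rows."""
    last_page = {}                       # (client, url) -> time of last page load
    stats = defaultdict(lambda: [0, 0])
    for ts, client, kind, url in sorted(log, key=lambda row: row[0]):
        if kind == "page":
            last_page[(client, url)] = ts
        elif kind == "ad":
            stats[client][0] += 1
            seen = last_page.get((client, url))
            if seen is None or ts - seen > window:
                stats[client][1] += 1    # no recent page load behind this ad call
    return {client: tuple(counts) for client, counts in stats.items()}


def flag_clients(log, min_calls=MIN_CALLS, ratio=NAKED_RATIO):
    """Clients whose ad calls are mostly unaccompanied by a page load."""
    return sorted(
        client for client, (ads, naked) in naked_ad_stats(log).items()
        if ads >= min_calls and naked / ads >= ratio
    )


if __name__ == "__main__":
    print(naked_ad_stats(LOG))
    print(flag_clients(LOG))
```

The minimum-call threshold keeps a single late ad refresh from a real visitor (human-2 in the sample) from being flagged.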

January 2021 - ParrotTerra CTV Fraud

In all of these CTV fraud schemes, the activities were nearly identical: 1) bots “pretending to be legitimate apps and devices,” 2) bouncing the data center traffic through residential proxies to make it appear to come from nearly 30 million households, and 3) rotating among “3,600 apps and 3,400 internet-connected TV device models” to disguise the fraud [3].

Bots can be made from malware on devices (expensive), or they can be simple headless browsers or mobile emulators spun up in data centers as needed (cheap). Cheaper bots are almost always used for CPM and CPC fraud to maximize profitability; why use more expensive bots if you can already get away with it with cheaper, simpler ones? Only in certain cases does the cost-benefit analysis dictate that more advanced bots should be used. For example, in certain industry verticals where costs per click are very high — like banking, pharma, or legal — more advanced bots are needed because more advanced detection is being used. Bots made from malware on devices can record the real human’s usage (e.g. mouse movements, touches, clicks, scrolling speed) and play it back to fool detection. Or the malware can just commingle its activity with the human’s activity on the device, making it nearly impossible for fraud detection to distinguish the real human from the bot made from malware hidden on the device.

Even NOT bots are making money via ad fraud

Over the years, even fraud schemes that involved no bots at all could make money. For example, in 2017 “Sports Bot” [4] was reported as impacting major sports sites like NFL.com, NBA, MLB, NHL, DallasCowboys.com, and many others. But there were no bots at all. No botnets were causing fraudulent ad impressions on all these sites. The fraud detection company had mistaken the billions of faked bid requests to mean there were bots on these sports sites. There were none, for the simple reason stated above — bots don’t go to these publishers’ sites because these mainstream publishers were not paying for traffic. Another example happened in 2019, and was dubbed “404 Bot” [5]. Again there were no bots hitting the non-existent pages on mainstream sites. Those webpage URLs passed in the bid requests simply didn’t exist — a “404 error” if you tried to load the URL in a browser.

Instead, in both of these cases, there were no bots going to the mainstream sites. Fraudsters were pumping billions of faked bid requests into the exchanges and declaring the domain or webpage URL to be coming from major publishers’ domains, to trick buyers into bidding. They did, and this simple domain-spoofing con netted the fraudsters more money, without even having to send real bots to any website at all. Highly, highly efficient, wouldn’t you say? Fraudsters were making money while the two fraud detection companies didn’t even understand how the con worked.
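A buyer-side check for the spoofing described above, as an added example that is not from the original article: compare the page URL declared in each bid request with a list of pages the publisher says exist, and total the mismatches per seller. The seller ids, the domains, the publisher-supplied page list and the 50% threshold are assumptions, and all records are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed: pages the publisher confirms exist (e.g. taken from its sitemap).
KNOWN_PAGES = {
    "bigsports.example": {"/", "/scores", "/teams/lions", "/news/draft-recap"},
}

# Constructed bid-request fields: (seller id, declared domain, declared page URL).
BID_REQUESTS = [
    ("seller-A", "bigsports.example", "https://www.bigsports.example/scores"),
    ("seller-A", "bigsports.example", "https://bigsports.example/teams/lions/"),
    ("seller-A", "bigsports.example", "https://bigsports.example/news/draft-recap?utm=x"),
    ("seller-Z", "bigsports.example", "https://bigsports.example/a8f3/index9.html"),
    ("seller-Z", "bigsports.example", "https://bigsports.example/video/qq71"),
    ("seller-Z", "bigsports.example", "https://bigsports.example/scores"),
    ("seller-Z", "bigsports.example", "https://cdn.other.example/scores"),
]


def normalize(url):
    """Lower-case host without 'www.', path without query or trailing slash."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host, parts.path.rstrip("/") or "/"


def classify(domain, url, known=KNOWN_PAGES):
    host, path = normalize(url)
    if host != domain:
        return "host_mismatch"   # URL is not on the domain the request declares
    if path not in known.get(domain, set()):
        return "unknown_page"    # the page would return a 404 on the real site
    return "ok"


def seller_report(requests, domain):
    """Return {seller: Counter of classifications} for one declared domain."""
    report = {}
    for seller, declared, url in requests:
        if declared == domain:
            report.setdefault(seller, Counter())[classify(declared, url)] += 1
    return report


def suspicious_sellers(requests, domain, max_bad=0.5):
    """Sellers whose share of non-matching URLs exceeds max_bad (assumed cutoff)."""
    return sorted(
        seller for seller, counts in seller_report(requests, domain).items()
        if (sum(counts.values()) - counts["ok"]) / sum(counts.values()) > max_bad
    )
```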

So What?

Marketers reading this should simply understand that fraudsters and the bots they use are highly efficient and are experts at doing cost-benefit analysis. They will do just enough to make money, and nothing more. They will maximize profits while minimizing costs. These are the determined and clever enemies you are up against in your digital ad spending. So should you assume your campaigns are “fraud free” even if trade associations and your own agencies tell you “don’t worry about it; we’ve got fraud detection in place”? Have a closer look with analytics.