Cybersecurity Content Specialist
The digital advertising market is growing rapidly: it was worth over $378 billion in 2020 and is expected to grow by more than 15% per year. It is not surprising that scammers also want a piece of this pie.
In the following blog article, we will introduce you to seven tools and techniques that fraudsters use to commit advertising fraud.
One thing first: we do not recommend imitating anything presented here, under any circumstances.
The first and most common way for fraudsters to make money from ad fraud is to buy fake traffic coming from bots in order to increase ad impressions and clicks.
The fake traffic can come from a variety of sources: cloud services like AWS and Google Cloud, physical devices owned by the fraudsters, or physical devices all over the world that have been infected with malware. The last of these is known as a “botnet”: the victim’s computer is controlled without their knowledge and performs actions unnoticed in the background.
What fake bot traffic is used for ranges from simply visiting websites to inflate ad impressions to more sophisticated tasks, including click fraud.
This mostly depends on the quality of the fake traffic the fraudsters acquire. Higher “quality” means the bots are harder for fraud detection systems to spot, simply because they imitate more of what a real visitor looks like: rotating IP addresses, residential IP addresses from real devices all over the world, varying time spent on the website, scroll behavior, mouse movements and so on.
If you do a Google search for “buy traffic” you will be presented with tens of thousands of websites willing to sell you traffic. Prices range from $0.0002 to $0.012 per click and more. Fraudsters are mostly engaged in simple arbitrage: they buy traffic at a lower CPM than the price at which they can sell the resulting ad impressions on “cash-out sites”, and pocket the difference.
The amount of fake traffic you can buy online is just about unlimited. One vendor – which even has a 4.6 rating on Trustpilot – lets you buy 10 million page views for just under $840.
But even legitimate publishers sometimes rely on bot traffic. Some websites guarantee their buyers a specific amount of traffic and therefore ad impressions. If they are running behind on their numbers at the end of the month, they turn to bot traffic to fulfill their obligations.
This is called “end of month traffic fulfillment” and shows up as a traffic spike during the last days of a month.
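The spike described above is easy to test for once you have a daily pageview series. The following is an added example, not code from the original article: it compares the last three days of a month against a robust baseline built from the earlier days, so the padded days cannot raise the bar they are measured against. The series `DAILY_PAGEVIEWS` is constructed for the example, and the function names are this example's own.

```python
"""Detect "end of month traffic fulfillment" in a daily pageview series.

Added example, not code from the original article. DAILY_PAGEVIEWS is a
constructed series for one 30-day month: 27 ordinary days followed by
three days padded with bought traffic.
"""
from statistics import median

# Constructed sample: ~10,000 pageviews a day, then a padded final three days.
ORDINARY_DAYS = [
    10120, 9880, 10310, 9950, 10040, 9760, 10210,
    10090, 9940, 10270, 9830, 10150, 9700, 10330,
    10010, 9890, 10240, 9970, 10180, 9810, 10060,
    10290, 9920, 10130, 9860, 10220, 10000,
]
DAILY_PAGEVIEWS = ORDINARY_DAYS + [31000, 34000, 29500]


def robust_baseline(counts):
    """Median and median absolute deviation (MAD) of a series.

    Median/MAD rather than mean/stdev, so a few extreme days do not
    drag the baseline toward themselves."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def end_of_month_spike(daily_counts, tail_days=3, threshold=3.5):
    """Return (day, pageviews, robust_z) for each of the last `tail_days`
    whose count sits more than `threshold` robust z-scores above the
    baseline of the preceding days.

    The baseline is computed without the tail, so fulfillment traffic
    cannot raise the bar it is measured against. MAD is scaled by
    1.4826 to be comparable with a standard deviation."""
    if len(daily_counts) <= tail_days:
        raise ValueError("need more days than the tail being tested")
    body = daily_counts[:-tail_days]
    med, mad = robust_baseline(body)
    sigma = 1.4826 * mad if mad else 1.0  # guard against a flat series
    flagged = []
    for day, count in enumerate(daily_counts[-tail_days:], start=len(body) + 1):
        z = (count - med) / sigma
        if z > threshold:
            flagged.append((day, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for day, count, z in end_of_month_spike(DAILY_PAGEVIEWS):
        print(f"day {day}: {count} pageviews, {z} robust sigmas above baseline")
```

On real data, run this per publisher and per month and compare the flagged days with the publisher's delivery guarantees; a spike that lands exactly on the last days before an invoice is due is the pattern to look for. The 3.5 threshold is a conventional cut-off for MAD-based outlier tests, not a value from the article.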
An alternative to fake bot traffic are so-called “traffic exchange platforms” like Hitleap. Webmasters can add their own website and surf other websites to get more traffic in return.
“Each participant visits other members’ pages and receives their own hits in the exact same way. To make it easier, HitLeap even provides a convenient browser displaying the sites you should view to reach your goals.” (Hitleap)
You basically trade visits to other websites for visits to your own. The quality of the traffic is still poor because no other member of the traffic exchange platform is really interested in your website. This is purely to whitewash the Analytics numbers.
The damage done to the ad industry by bot traffic and botnets is tremendous. A single botnet participating in click fraud can generate well over $20 million a month of profit. For more information, we have compiled an article with the biggest cases of ad fraud in the last 5 years, which also includes several cases of ad fraud through botnets and their astronomical damages.
The “residential proxy” technique is often used in combination with botnets. Proxy services like Bright Data, Oxylabs and Smartproxy offer their clients rotating residential IP addresses, so the bot traffic does not obviously originate from data centers like Amazon’s or Google’s, where it could easily be blocked.
Fraudsters can run a headless browser in their AWS or Google cloud, use a proxy service to mask their IP address and send massive amounts of bot traffic designed to click ads.
Advertisers are also unable to optimize campaigns by location and language, since the proxy hides the visitor’s real location and presents the proxy’s location instead.
Prices for residential proxies depend on the amount of traffic and range from $8 to $15 per gigabyte.
Fake traffic does not always have to come from data centers or botnets. Tools like “Simple Traffic Bot”, “TrafficBotPro” or “Diabolic Traffic Bot” offer free bot traffic and fake ad clicks from any computer at home.
Once installed, most tools route their traffic through different proxies or VPNs and promise the user that it will not be detected as bot traffic, thanks to several built-in evasion techniques such as changing the User-Agent, varying the time spent on site and browser emulation. Many of them even let the user rotate among different referrers, so the traffic does not show up as direct page views in analytics reports.
As the name suggests, these tools are mostly used to click on ads on websites operated by the fraudsters. But inflating a client’s traffic figures or pushing the view count of an article on a third-party website are possible use cases as well.
In the following video, you can get an insight of how the “Simple Traffic Bot” works, together with the proof that the fake traffic shows up as real visitors in Google Analytics:
Depending on the device running such a program, it can issue up to several hundred requests per second.
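The evasion tricks listed above (rotating User-Agents and referrers, scripted timing) and the cloud-hosted headless browsers from the residential proxy section leave traces in ordinary access logs. The following is an added example, not code from the original article or from any traffic-bot vendor: it parses combined-format log lines, groups them by client IP and scores each client on those signals. `SAMPLE_LOG` is constructed (it uses the documentation IP ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), and `DATACENTER_NETS` is a placeholder standing in for the cloud providers' published address ranges; the thresholds are this example's own choices.

```python
"""Score access-log traffic per client IP for common bot signals.

Added example, not from the original article. SAMPLE_LOG is constructed
(combined log format, documentation IP ranges). DATACENTER_NETS is a
placeholder: 192.0.2.0/24 stands in for a cloud provider's real ranges.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Placeholder list; load the providers' published ranges in practice.
DATACENTER_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample: an autoclicker rotating UA and referrer every 2 s,
# a headless browser in the "cloud" range, and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:14:00:00 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.bing.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"',
    '203.0.113.7 - - [10/Mar/2021:14:00:02 +0000] "GET /article HTTP/1.1" 200 5120 "https://t.co/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"',
    '203.0.113.7 - - [10/Mar/2021:14:00:04 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.facebook.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"',
    '203.0.113.7 - - [10/Mar/2021:14:00:06 +0000] "GET /article HTTP/1.1" 200 5120 "https://duckduckgo.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4) Mobile/15E148"',
    '203.0.113.7 - - [10/Mar/2021:14:00:08 +0000] "GET /article HTTP/1.1" 200 5120 "https://news.ycombinator.com/" "Mozilla/5.0 (Android 11; Mobile) Firefox/86.0"',
    '192.0.2.55 - - [10/Mar/2021:14:01:00 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/89.0"',
    '192.0.2.55 - - [10/Mar/2021:14:01:01 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/89.0"',
    '192.0.2.55 - - [10/Mar/2021:14:01:02 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/89.0"',
    '192.0.2.55 - - [10/Mar/2021:14:01:03 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/89.0"',
    '198.51.100.23 - - [10/Mar/2021:14:00:05 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"',
    '198.51.100.23 - - [10/Mar/2021:14:00:52 +0000] "GET /article-2 HTTP/1.1" 200 4870 "https://example.com/article" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"',
    '198.51.100.23 - - [10/Mar/2021:14:03:03 +0000] "GET /about HTTP/1.1" 200 2210 "https://example.com/article-2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"',
]


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_datacenter(ip):
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def score_client(records):
    """Return (score, reasons) for one client's requests."""
    records = sorted(records, key=lambda r: r["ts"])
    score, reasons = 0, []
    uas = {r["ua"] for r in records}
    if len(records) >= 3 and len(uas) >= 3:       # UA rotation per IP
        score += 2
        reasons.append(f"{len(uas)} user agents in {len(records)} requests")
    ref_hosts = {urlsplit(r["ref"]).netloc for r in records if r["ref"] not in ("", "-")}
    if len(ref_hosts) >= 3:                        # referrer rotation
        score += 1
        reasons.append(f"{len(ref_hosts)} distinct referrer hosts")
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(records, records[1:])]
    if len(gaps) >= 3:                             # scripted, near-constant pacing
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv < 0.1:
            score += 2
            reasons.append(f"metronomic timing (gap CV {cv:.2f})")
    if is_datacenter(records[0]["ip"]):            # cloud-hosted browser
        score += 1
        reasons.append("data-center origin")
    return score, reasons


def flag_bots(lines, threshold=2):
    """Map each client IP scoring at or above `threshold` to (score, reasons)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return {ip: score_client(recs) for ip, recs in by_ip.items()
            if score_client(recs)[0] >= threshold}


if __name__ == "__main__":
    for ip, (score, reasons) in flag_bots(SAMPLE_LOG).items():
        print(ip, score, "; ".join(reasons))
```

The point of the combined score is that no single signal is decisive: a residential proxy defeats the data-center check, and a good bot randomizes its timing, but an autoclicker that rotates its User-Agent on every request from one IP is doing something no real browser does. Swap the referrer-host test for a check against the referrers your site actually receives, and feed real provider range lists into `DATACENTER_NETS`.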
If you do a Google search for “autoclicker software” you will find hundreds of different tools offering almost the same functionality. However, keep in mind that many of these tools are distributed by shady websites that may contain malicious code.
Paid-to-click (PTC) websites are booming, especially since COVID-19. These sites pay hundreds of thousands of people all over the world to view and click on ads. Workers can earn between $0.0015 and $0.05 per click, though most providers are a bit shady and the pay is on the low end.
To differentiate themselves from traditional click farms and encourage competition, a lot of PTC websites have leaderboards with daily, weekly and monthly top earners. Based on their own claims, the top sites have paid out several million dollars to their users for viewing and clicking on ads.
| PTC Service | Dollars paid out to members |
|---|---|
Source: official numbers on PTC websites
It is also worth noting that these ad views do not come from desired customers, and you will get no leads out of them. Also, because of the low pay, most users come from Asia or Latin America and are often outside the regions the ads are targeted at; instead, they use VPNs to hide their true location.
Click farms are the even more shady predecessors of PTC websites. Click farms consist of a large group of low-paid workers hired to click on advertisements, like, share, comment, subscribe or follow any social media account and are usually located in developing countries, such as China, India, Indonesia, and Bangladesh. Workers are paid, on average, one US dollar for a thousand clicks.
Unlike botnets, click farms involve real people sitting at physical devices and clicking on ads, often using a VPN to access ads outside their geographical location. Because click farms want to be active 24 hours a day, most click farmers work a three-shift system in miserable working conditions, operate hundreds of pieces of equipment at once, and are not allowed to listen to music.
Although click farms are not made illegal by government regulation in many countries, they violate the Terms of Service (ToS) of many advertising and social media networks. Occasionally they also violate other local laws, as a click farm discovered in Thailand in June 2017 shows. Three Chinese men used about 500 smartphones and 350,000 SIM cards to sell views and likes for the Chinese messaging app WeChat. The scam is punishable in China, since only one phone may be connected to a WeChat account.
You can get an impression of a click farm in the following video:
While the methods mentioned so far are aimed at generating money for the fraudsters, bots can also be used to harm competitors. Several marketplaces promise their customers the ability to keep competitor ads from appearing by exhausting the competitor’s daily budget, or by burning so much money that the company has to stop advertising altogether.
Providers of such marketplaces are often hackers and botnet operators, and they get paid in advance in cryptocurrency. Prices range from $10 for 10 advertising spaces in a 24-hour period to $1,000 to make a competitor disappear from the scene once and for all.
The aforementioned autoclicker software can also be used for this fraud. Instead of clicking ads on their own websites, the software is simply unleashed on competitors’ PPC campaigns.
Captchas: the internet’s invention for keeping bots out and settling once and for all whether “you are human”. But as with all security measures, there are also captcha-solving providers who promise to bypass them automatically.
Some of the so-called “captcha-solving farms” rely on real people, while others use only optical character recognition (OCR) to read the images the captcha presents. Prices range from $0.40 to $7 per 1,000 captchas solved, with each captcha taking between 1 and 10 seconds to solve.
Similar to click-farms, people working for captcha-solving farms live mostly in developing countries such as Venezuela, Indonesia, Vietnam, and India.
By using the API of these services, it is possible to code bots that automatically create fake accounts on various platforms. The following video shows the fully automated creation of an account on Reddit using a headless Chrome browser (via Puppeteer) and the captcha-solving service 2Captcha:
In the context of advertising fraud, such services could be used to let autoclicker software keep running on websites that have classified its traffic as suspicious and displayed a captcha to block it.
In conclusion, fraudsters use several methods to commit advertising fraud. It is worth mentioning that all tools and techniques presented in this article violate the Terms of Service of most advertising networks. Google, for example, explicitly warns against using click bots or giving users incentives to click on ads in its Help Center:
“There are many services out there that can increase traffic to your site, including pay-per-click solutions to connect advertisers and publishers, as well as search engines and directory sites. However, we’ve found that some of these services actually send artificial traffic to websites, despite their appearance. To deliver the traffic levels that their customers expect, these services often generate clicks and impressions using click bots, or by providing users incentives to visit sites or click on ads. For this reason, we strongly urge you to use caution when partnering with third-party traffic services.”
If you are serious about your advertising, do not use any of these tools and techniques under any circumstances.