The Internet is a busy, busy place, full of cat videos and many other things. While many people may assume that the vast majority of traffic across the Internet consists of people, actual humans, watching those very cat videos (and, you know, other stuff too), they’d be mistaken.
In fact, Imperva’s last report on this very subject put human traffic at 51.5%. So, what’s the deal with the other 48.5%? Where does nearly half of all Internet traffic come from?
The answer is bots, and they can be broken down into two distinct groups: good bots and bad bots.
Good bots are usually run and operated by organisations looking to gather information both on and about the web. They are an important part of its natural evolution and progression.
Bad bots, conversely, are the rubbish that clogs up the Internet. They swarm the web, looking for sites to hack, people to scam and defraud, companies to spy on and much, much more. The people behind these bad bots are the cybercriminals of the online world, and the range and power of the weapons in their arsenal are great.
Bad bot traffic and the digital ad industry
Wherever there is money to be made, there will be people doing anything and everything they can to cheat and manipulate the system to their advantage, and digital advertising is no different.
If you’re reading this you’re probably already at least vaguely familiar with the main elements of digital advertising, but to summarise very quickly: for a digital ad network (like Adcash) the customer base is split into two main groups – Advertisers and Publishers. Advertisers are the people who have ads they want to run, and Publishers are the site owners on whose sites those ads will appear.
For Adcash and many other ad networks out there, the challenge when it comes to online bot traffic comes primarily from bots being used by fraudulent Publishers to artificially inflate clicks or impressions. If left unchecked, this kind of scam can have a serious impact on both the Advertiser running those ads and the ad network serving them.
At Adcash, we have a team dedicated to hunting and shutting down those responsible for these kinds of scams (and many others, too – but for the sake of this article, I’ll stick to just Bad Bots). The core team is split into two groups: analysts and developers.
The analysts look at the data, identifying any unusual patterns of behaviour that should be flagged or investigated. If they detect something, they ensure the relevant action is taken. The developers take these patterns and, along with the data science team, feed them into our anti-fraud tools, to help the analysts crush the bot traffic.
And it looks like they’re doing something right: currently, 91.8% of our traffic is “clean”. What’s more, the same holds when you compare Adcash traffic to the Internet as a whole.
It’s also interesting to look at how bot traffic impacts different verticals, as well as its country of origin.
As of last month, top of the bot traffic charts was Shopping, with 21%, and then Games, with 12%. So why are Shopping and Games towards the top of the list? Well, one possible explanation is that these are verticals that see a lot of ad spend and so, unfortunately, they’re likely to see more aggressive scamming attempts from cybercriminals.
In terms of the country of origin of this botnet traffic, perhaps unsurprisingly, we see South Korea topping the list, with 16.8%, closely followed by the USA with 15.8%. These countries generate a lot of bot traffic because, typically, they have a lot of people with computers connected to the Internet that have been targeted and compromised, so they are now running bot software which is used to generate these fake impressions.
This is one way bots can be used to generate fake ad impressions or clicks: you visit a site, you download and run something bad, your PC gets infected, “bad actors” then take control of your PC, to do anything from running DDoS attacks to producing fake ad impressions and clicks.
TOP TIP: If you’re a site owner looking to get more traffic, avoid sites claiming to “deliver real users to your site”. It’s likely that they’ll be using a botnet to send fake traffic your way. And if our systems (or the systems of any other network for that matter) detect this then you could fall foul of the terms and conditions, meaning you could have your account suspended!
If you have any questions about botnets, fake conversions, malware and what we’re doing about it, feel free to give us a shout in the comments down below and I’ll be happy to answer them.
What is malvertising?
The name “malvertising” comes from combining two words: “malicious” and “advertising”. So far, so obvious. But what does that really mean? Well, fundamentally, malvertising involves an unscrupulous individual (read: criminal) posing as a legitimate advertiser and inserting a malicious or malware-infected advert into a legitimate ad network and, ultimately, websites.
The first recorded instance of a malvertising ad campaign was detected back in 2007. It exploited a vulnerability in Adobe Flash and impacted several large platforms, including MySpace, Excite and Rhapsody. Since then, malvertising has really exploded, with attacks growing in complexity and scale. The first half of this year alone saw a spike of 260%, compared to the same period last year and in 2013 the Online Trust Alliance logged over 12 billion malvertisement impressions.
Malware found on ad networks (source: The Verge)
Malvertising isn’t something that is unique to smaller ad networks; it’s an industry-wide problem. In September of this year alone, AdWords was hit by a fake BSOD malvertising campaign and the Forbes website was found to be serving malware-infected ads.
There are two main types of malvertising campaign. Firstly, the simpler type: a malicious advertiser creates an ad campaign, with a creative that directs the user to a landing page. When clicked, that landing page then triggers the installation of some kind of unwanted software (virus, malware etc), either automatically or by prompting the user to click on something by deceiving them into thinking it’s legitimate.
The second, and more complex type, the type which has seen probably the most widespread impact in recent years, involves the ad creative itself containing some kind of malicious code. This code can exploit vulnerabilities in a user’s web browser, plugins and more to silently install almost anything, all without any interaction from the user. Last year, YouTube fell victim to a malvertising campaign where, essentially, you just needed to watch a video with an infected ad and the malware would be installed.
What is Adcash doing about malvertising?
Right now, we’re playing a cat-and-mouse game with the criminals that run these campaigns. But that’s not to say there’s nothing we can do. First and foremost, when campaigns are initially submitted to us for validation, we check them before allowing them to be displayed on our network. We have a rigorous validation process that ensures, at the submission stage, that all our campaigns are compliant.
All campaigns are validated by a person: someone will physically check that the campaign is compliant and that it is safe to run on our network. At the same time, the campaign is checked with a series of tools, both of our own creation and 3rd party systems.
The most challenging task that we’re facing at the moment is being able to dynamically and continuously monitor landing pages. Once an ad campaign has cleared the validation stage and is running on our network, the creative itself cannot be changed (unless the campaign itself is resubmitted). However, a malicious advertiser can make changes to the landing page that mean it is no longer compliant.
Keeping a constant eye on those pages can be difficult, not least because of the huge number of sites involved, but also because of the myriad ways a site could, potentially, be changed. Right now, we’re partnered with GeoEdge and use the Google Safe Browsing API to help with that task. The GeoEdge malvertising detection platform allows us to scan a vast number of ad campaigns in real time and automates the campaign deactivation process. If GeoEdge detects a malvertising campaign, it puts a stop to it and alerts us to the source, so that we can take the appropriate action.
Right now, we’re looking into yet more tools and options to help us keep malvertisements off our network.
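One way to approach the landing-page monitoring problem described above, as an added example (not Adcash's, GeoEdge's or Google's code): fingerprint the page when the campaign is validated, then flag anything new on later fetches so the campaign can be re-validated. The feature set, the `RISKY_EXT` list and the `.example` pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".msi", ".scr", ".apk", ".dmg", ".jar")  # assumed list

class _Features(HTMLParser):
    """Collect the page features a reviewer would want re-checked."""
    def __init__(self):
        super().__init__()
        self.hosts, self.downloads, self.redirect = set(), set(), None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "embed") and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host:  # relative URLs are first-party and have no netloc
                self.hosts.add(host)
        elif tag == "a" and urlparse(a.get("href", "")).path.lower().endswith(RISKY_EXT):
            self.downloads.add(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirect = a.get("content", "").lower().partition("url=")[2].strip() or None

def fingerprint(html):
    """Reduce a fetched landing page to the features compared between scans."""
    p = _Features()
    p.feed(html)
    return {"hosts": p.hosts, "downloads": p.downloads, "redirect": p.redirect}

def drift(baseline, current):
    """Return what appeared on the page since it was validated."""
    out = [f"new external host: {h}" for h in sorted(current["hosts"] - baseline["hosts"])]
    out += [f"new download link: {d}" for d in sorted(current["downloads"] - baseline["downloads"])]
    if current["redirect"] and current["redirect"] != baseline["redirect"]:
        out.append(f"new redirect: {current['redirect']}")
    return out

# Constructed sample pages (not real sites): as validated, and as later changed.
APPROVED = ('<html><head><script src="/js/app.js"></script>'
            '<script src="https://cdn.shop.example/lib.js"></script></head>'
            '<body><a href="/buy">Buy now</a></body></html>')
CHANGED = ('<html><head><script src="/js/app.js"></script>'
           '<script src="https://cdn.shop.example/lib.js"></script>'
           '<script src="//static.unreviewed.example/x.js"></script>'
           '<meta http-equiv="refresh" content="5; URL=https://other.example/offer"></head>'
           '<body><a href="/files/Player_Update.exe?v=2">Update</a></body></html>')

if __name__ == "__main__":
    for finding in drift(fingerprint(APPROVED), fingerprint(CHANGED)):
        print("re-validate:", finding)
```

This compares static HTML only; content injected by scripts after load needs a rendered fetch, which is where a scanning service or a headless browser comes in.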
How can you avoid malvertising?
There’s been a lot of chatter about ad blockers in the online ad industry lately, particularly in the context of using them as a means of protection from malvertising, malware, virus infections and potentially all manner of issues. This leads us to a difficult crossroads: obviously we want users to have the very best experience online, and people take their online experience very seriously (in fact, here in Estonia, where we’re based, Internet access is actually a human right and has been since the early 2000s), but at the same time online advertising is what we do.
And some people may claim that the only way to ensure complete protection from these attacks is through adblockers, but this misses the fundamental issue at the heart of most, if not all, malvertising campaigns: software security flaws. It’s these flaws that allow the attackers to carry out their criminal activities.
Using an ad blocker only pours fuel on the fire: they’ll block all the ads, regardless of their legitimacy, meaning the publishers, the people creating the content you enjoy reading and watching, lose revenue. But those vulnerabilities are still there. If there’s an unpatched security flaw that a criminal group can exploit, chances are that they will. Whether that’s by ads or other means.
Keeping your software patched and up-to-date, running some anti-malware software and regularly updating your antivirus library is the best way to avoid falling prey to these kinds of attacks.
What can you do if you think you’ve found a malvertisement on our network?
If you’re an Adcash publisher and you suspect that a malvertisement has been displayed on your site, tell us! You can get in touch with the team and they will immediately stop the campaign and launch an investigation to determine the source.
At Adcash, we promote a culture of full disclosure; we will actively investigate reports of malvertising appearing on our network, whether that comes from an internet user who suspects something, a white-hat or a security firm. If you have any information that could help us, you can send an email to [email protected] and we will work to resolve the issue as quickly as possible.
What do you think about malvertising? Is there something more we and other ad networks can do to help tackle it? If you have any thoughts or feelings on this subject, as always, let us know in the comments below.