In the click fraud list of infamy, HyphBot shows how clever the networks behind ad fraud operations can be. The latest entry in our click fraud hall of fame series looks at the biggest discovery since the Methbot & 3ve takedown.
|Summary||Ad fraud network targeting mostly video impressions.|
Discovered around September 2017 by Adform, HyphBot was first flagged up due to indiscrepancies in websites using ads.txt inventory. It quickly became apparent that the volume of fraud on these ads was huge, with Adform estimating that HyphBot could be around 3 or 4 times bigger than Methbot.
How did HyphBot work?
Using algorithms that detect ads displayed by non-legitimate sellers, Adform realised that there was a botnet displaying ads on unauthorized websites.
The botnet targeted a huge selection of premium inventory websites, including some of the most visited sites on the web.
To get around the ads.txt algorithms, HyphBot used a similar approach to Methbot. A genuine URL would be appended with a nonsensical tail, or a randomized set of letters and numbers.
For advertisers, at first glance, it would look like their ad had appeared on sites such as Forbes or the Economist. But, on closer inspection, the actual URL didn’t exist and the advertiser would have paid out for an impression on a fake website.
Most of the 1.5 billion impressions were of video ads, but 230 million impressions were non-video, most likely display ads.
How did this affect advertisers?
2017 was peak time for big click fraud botnets. Just a year before had seen the takedown of Methbot, the biggest PPC ad fraud network to date. 3ve, which was built by most of the same programmers as Methbot, began to be rolled out around mid 2017.
- HyphBot generated around 1.5 billion ad requests each day.
- It also used around 34,000 domain names and manipulated the ad networks from their SSP data centres.
- The botnet was built on infected desktop computers, the majority in the US but with some also in the UK, Canada, the Netherlands and India.
- For advertisers, it looked like their ads were being displayed on premium websites, with a CPM at around $7-12.
- In fact HyphBot was estimated to be making between $260,000 to $1.2 million each day in fake ad impressions.
Who makes botnets like HyphBot?
Most of these organised botnets are based on existing viral bots that have been busy infecting computers and devices for some time. This means there is already a network of infected devices ready to leverage for whoever wants to use them.
Organised criminals can then hire these botnets to drive traffic to their network of spoofed inventory.
In short, creating an ad fraud network is something that is usually a collaborative effort and one that can be very hard to track down.
Catching those who operate these criminal networks is actually a rare occurrence, with the take down of the team responsible for Methbot and 3ve a rare win in the fight against organised click fraud.
Because this form of fraud is relatively simple for skilled programmers to work around, the news of new ad fraud networks just keeps coming.
Protecting your ad campaigns against fraud
Running PPC ads is part and parcel of many businesses’ marketing strategy, and the issue of click fraud is one that often rears its ugly head. What can marketers do to protect their marketing budget from sneaky fraudsters?
Ads.txt is the main initiative that the industry is using to prevent the selling of ads on unauthorised sites. So, if you’re not using ads.txt yet, or you’re not using it properly, this is definitely something to look at.
Google and the PPC ad networks often have their own way of handling ‘invalid clicks’, as they call any fraudulent click. However, these often miss clicks from botnets or competitors, another key source of click fraud.
Click fraud prevention software like ClickCease works to proactively eliminate clicks from suspicious sources such as bots. With around 20% of all clicks on paid ads being fraudulent, avoid falling victim to the next HyphBot style click fraud campaign and sign up for your free trial today.
Sources used for this article: