Ad-clicking bots predicted to rip US$7.2 billion from Mad Men

Could it be bots that fall for for those 'One Weird Trick' ads? Here's hoping!


Botnets will inflict a massive US$7.2 billion in damages against online advertisers this year according to research by ad security company White Ops.

Last year the industry was said to have lost US$5 billion, close to the $6.3 billion White Ops predicted in December 2014, thanks to the scourge of botnets that hugely inflate the number of online ad clicks.

The average loss was US$10 million per advertiser with the hardest-hit haemorrhaging a staggering US$42 million.

That earns scammers loads of cash and even more this year, according to the 2015 Bot Baseline: fraud in digital advertising [PDF]

The work is a joint effort with the Association of National Advertisers in which 49 ad companies tagged their online content in August through to September to allow researchers to tell how many bots were clicking ads.

Brands include Playstation, Ford, Unilever, Dell, IBM, and McDonalds among other giants. The amounts lost are not attributed to individual companies.

About nine percent were fake, the researchers say, equating to $10 million in lost revenue per advertiser.

One publisher’s impression volume rose by six percent thanks to bots.

Some advertisers stand to lose tens of millions of dollars this year if they do not move to lock out bots, the report says.

The New York company co-founded by respected security man Dan Kaminsky notes in its report that most bots fleeced programmatic advertising, with a majority hitting more lucrative programmatic video ads.

Publishers buying expensive pay-per-click traffic are the best earners for fraudsters with fresh, undetected bots, while mass clicking low-end ad-men who do next-to-nothing to purge bots are the criminal's last resort.

Advertising fraud botnets remain lucrative for longer than many criminal enterprises, provided new machines can be infected.

Chief executive officer Michael Tiffany says scammers that keep their bots fresh earn the highest revenue.

"Bot operations, then, have a profit window, a period of time from when a computer has been freshly infected until the bot is so widely detected that no one will pay for its impressions anymore," Tiffany says.

"Infections at the leading edge of the profit window, those that are fresh, affect high-CPM (cost per mile) advertising buys.

"Because most systems will not determine that the just-infected machines are now sending non-human traffic, high-CPM direct buys, programmatic private marketplace deals, and buys on top-tier platforms are all affected."

The fraud traffic while resulting from compromised computers can look almost legitimate, Kaminsky says.

"Advertising fraud has the curious status of almost seeming legitimate — you couldn’t expect to get away with raiding a bank account or accessing someone else’s Gmail account, but defrauding advertisers, even by using the host user’s identifying cookies, doesn’t seem nearly as criminal," Kaminsky says.

"While the ecosystem suffers, the end user sees very little impact from the fraud."

The impact to fraud operators is huge, however, and stands only to rise. ®


Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022