An elaborate online ad scam that disguised junk traffic as views on reputable sites has been costing advertisers as much as $7m per month.
Fraudsters behind the "Traffic Alchemist" scam dressed junk traffic as quality views originating from Google and Twitter.
They began by buying traffic, typically on porn or torrent sites, which are known for long viewing times. The long sessions were then split into hundreds of short sessions on "legitimate, lucrative" sites operated by the fraudster.
The path to these pop-under sites was disguised so that viewers appeared to be arriving organically from Google or Twitter, that is, from legitimate search and social activity rather than from views on porn and torrent sites.
The target sites were cloaked to appear reputable when visited directly but were actually cluttered with pop-up ads that are not viewable. The ruse was used as a platform to rack up fraudulent page views, according to specialist anti-fraud outfit Protected Media.
Up to 35 ads were served per user and refreshed every 15 seconds, resulting in 140 ad impressions per minute. The fake websites were clustered together into groups of 7-10, and traffic was cycled through each site to keep measurements realistic so that anti-fraud software would not be alerted.
The laundered traffic was shared with Google Analytics and then reported by reputable third-party platforms, making advertisers confident the traffic was legitimate.
The scam has been running since April 2016 but evaded detection because it involved real users instead of bots, disguised the origin of its traffic, and cloaked the fraudulent sites to keep them off the radar. The whole racket burned through $7m a month at its peak and is still operating, albeit at a slower rate, according to Protected Media. Batches of sites were set up to run a leg of the scam before being abandoned for a fresh cluster, normally after a few weeks.
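The pattern described above (one real user cycled through a cluster of sites at a very high ad refresh rate while claiming a search or social referrer) can be looked for in page-view logs. The following is an added example, not code from Protected Media or from the article; the record layout, the 100-impressions-per-minute cut-off and the 15-minute window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

ORGANIC = {"google.com", "twitter.com"}  # referrers the article says were claimed
MIN_SITES = 7        # article: sites were clustered in groups of 7-10
RATE_CUTOFF = 100.0  # assumed cut-off; the article reports 140 impressions/minute
WINDOW = 900         # assumed look-back window, in seconds


def sample_views():
    """Constructed records: (user, start_s, site, referrer, impressions, dwell_s)."""
    # u1: cycled through 8 sites, one minute each, 140 impressions per minute
    views = [("u1", i * 60, f"site{i}.example", "google.com", 140, 60)
             for i in range(8)]
    # u2: ordinary search visit to a single site
    views.append(("u2", 0, "news.example", "google.com", 6, 180))
    # u3: browses many sites from social links, but with a normal ad load
    views += [("u3", i * 120, f"blog{i}.example", "twitter.com", 4, 120)
              for i in range(8)]
    return views


def flag_users(views):
    """Return {user: (distinct_sites, impressions_per_minute)} for suspect users."""
    by_user = defaultdict(list)
    for v in views:
        if v[3] in ORGANIC:          # only views claiming search/social origin
            by_user[v[0]].append(v)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[1])
        for i, first in enumerate(recs):
            # all of this user's views that start inside the window
            win = [r for r in recs[i:] if r[1] < first[1] + WINDOW]
            sites = {r[2] for r in win}
            dwell = sum(r[5] for r in win)
            rate = 60.0 * sum(r[4] for r in win) / dwell if dwell else 0.0
            # both signals must hold: site cycling AND an abnormal ad rate
            if len(sites) >= MIN_SITES and rate >= RATE_CUTOFF:
                flagged[user] = (len(sites), rate)
                break
    return flagged


if __name__ == "__main__":
    print(flag_users(sample_views()))
```

Requiring both signals keeps the heavy but ordinary browser (u3) out of the result, which matters because the scheme used real users rather than bots.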
"The 'Traffic Alchemist' scam is unusual not because of the sophistication of one single technique but because it combines several methods together to keep the fraudulent activity under the radar," said Asaf Greiner, chief exec of Protected Media. "By looking beyond the technology, and uncovering the mechanism that manipulates traffic attributes, it's possible to detect similar complicated ad schemes that are always in place but with slightly different variations."
An infographic explaining each stage of the Traffic Alchemist scam can be found here. ®