Ad stacking is a type of ad fraud where mobile apps or websites stack multiple ads beneath one another in a single ad placement. All advertisers are then charged by the publisher, even though most ads were never seen by a customer.
Marketers pay for "performance" like a share of revenue on successful transactions, but fraudsters falsely claim credit for sales they didn't cause.
Fraudsters automatically reload pages or refresh ad slots to continuously load ads.
Fraudsters deploy tools like Puppeteer or Selenium, which were originally created to help programmers test their work, but they make it simple to write bots that visit pages and click on ads.
Sophisticated bots are able to closely mimic human behaviour. By looking at how users interact with a site, anomalous behaviour that does not fit the site’s behavioural profile can be flagged.
For fraudsters, bots are the weapon of choice as bots are very good at repetitive tasks. They can run tirelessly and perform tasks much more efficiently than any human ever could, like clicking a thousandfold on an ad or scraping all the data of a site. And the internet is full of bots. In fact, close to 40% of global internet traffic is generated by bots and fake users – only 60% by actual humans. Pretty much any device with a chip and connectivity can be used as a bot: webcams, thermostats, connected cars, connected fridges, mobile phones etc. As bots are getting more sophisticated, it is becoming increasingly difficult to detect them. Bots used to live only in data centers; now they live on user devices with real user and device IDs. They used to have a robotic click behaviour. Now they replay normal distributions that mimic human behavior. Fraudsters, for example, record real mouse movements on illegal movie streaming platforms (where real humans go) and replay them on sites the bot visits to avoid detection.
So where can you purchase fake bot traffic? Easy. Just do a Google search and you’ll find hundreds of sites like Sparktraffic, Hitleap or Zeropark.
Bot Traffic Detection using Analytics
A bot can be indistinguishable from any other web user, but there are ways you can use analytics data to help detect bot traffic. Indications of automated traffic include unusually high page views, unfamiliar referral traffic, unusually high bounce rates, spikes in traffic from an unusual region, abnormally low time on page, very high or very low average session duration, constant refilling or refreshing of content, anomalous timing of events, and a high frequency of visits from any single IP address (more than 100 visits from a single IP on a given day).
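As an added example (not part of the original glossary), three of the indicators above can be checked per IP address and day over exported session records. Only the 100-visits-per-day threshold comes from the text; the record fields, the other cut-offs and the sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean

MAX_VISITS_PER_IP_PER_DAY = 100  # threshold stated in the entry above
MIN_AVG_SECONDS_ON_PAGE = 2.0    # assumed cut-off, tune per site
MAX_BOUNCE_RATE = 0.95           # assumed cut-off, tune per site
MIN_SESSIONS_FOR_RATES = 20      # assumed: skip rate signals on tiny samples


def flag_suspicious_ips(sessions):
    """sessions: dicts with ip, day, pages (viewed) and seconds (duration).
    Returns {(ip, day): [reasons]} for groups that trip an indicator."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s["ip"], s["day"])].append(s)

    flagged = {}
    for key, rows in groups.items():
        reasons = []
        visits = len(rows)
        if visits > MAX_VISITS_PER_IP_PER_DAY:
            reasons.append("visit_frequency")
        if visits >= MIN_SESSIONS_FOR_RATES:
            # A bounce is a session that viewed exactly one page.
            bounce_rate = sum(r["pages"] == 1 for r in rows) / visits
            avg_time = mean(r["seconds"] / max(r["pages"], 1) for r in rows)
            if bounce_rate > MAX_BOUNCE_RATE:
                reasons.append("bounce_rate")
            if avg_time < MIN_AVG_SECONDS_ON_PAGE:
                reasons.append("time_on_page")
        if reasons:
            flagged[key] = reasons
    return flagged


def sample_sessions():
    """Constructed sample data; addresses are from documentation ranges."""
    day = "2024-05-01"
    spec = [("203.0.113.7", 150, 1, 0.4),   # flood of sub-second bounces
            ("198.51.100.20", 40, 1, 45),   # every session bounces
            ("192.0.2.80", 60, 5, 200),     # busy shared address, normal depth
            ("192.0.2.55", 3, 4, 180)]      # ordinary visitor
    return [{"ip": ip, "day": day, "pages": pages, "seconds": secs}
            for ip, count, pages, secs in spec for _ in range(count)]


if __name__ == "__main__":
    for key, reasons in flag_suspicious_ips(sample_sessions()).items():
        print(key, reasons)
```

A single tripped indicator is a reason to look closer, not proof: a shared office or carrier address can exceed 100 visits a day with entirely human traffic.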
Broken Lookalike Audiences
Lookalike audiences are built on fake traffic, causing advertisers to target more bad traffic that has no intention of converting.
Cheap laborers or machines are used to engage with ads and install advertisers' apps.
Click fraud is popular because it’s relatively easy to do. In the past, real human traffic was often used to generate fraudulent clicks by employing hundreds of people in “click farms”. More recently, due to the lower costs and advances in automation, using bots to click on ads has become the preferred method for many fraudsters. By using software that is designed to mimic real user behavior, fraudsters can rapidly generate thousands of fake clicks on any given ad.
Fraudsters trick marketers into paying them a commission even though the sale would have happened anyway, by tricking the analytics/attribution platforms and sending fake data into Google Analytics. Fraudsters make it appear as if a user clicked an ad to come to the site, even though no ads were ever run. By doing so, the fraudster claims credit for sales that would have happened anyway, and no ad was ever seen or clicked on.
Apps load ads in the background when the app is not in use or even the device itself is not in use. Like an alarm clock app that loads ads in the background when the owner is asleep. Maybe the battery dies a little faster or the device is a little slower than usual but that’s it. Some apps also pre-load hundreds of ads, for performance reasons, that never end up getting displayed.
Fake traffic appears alongside your legitimate traffic in your analytics e.g. bots interacting with your CMP consent banner and polluting important stats such as opt-in/opt-out rate.
Fake Form Fills
Bots fill out lead forms with entirely accurate information that was leaked in one of the many data breaches that occurred in the past years. Whilst this fake lead infiltrates the advertiser's CRM system, the bot/fraudster is getting paid on a CPL basis.
Fake Sites/Cash-Out Sites
Fraudsters set up fake sites that are made only to serve ads to bots. It is usually a three-step process. As a first step, a fake website is created. As a second step, cheap bot traffic is purchased and routed to the new website. The ad networks see that this site is getting a lot of traffic and include it in their inventory. As the third and final step, advertisers buy ad space on the site and the fraudster gets paid. Ad fraud is that easy.
Fake Bid Requests
Advertisers often pay on impression bids won, not on ads served. So fraudsters flood DSPs with fake bid requests. Some of these requests are caught but many go through. Interestingly, no bots are required for the fraudster to cash out as the ad doesn't even have to be loaded.
Marketeers buy ad impressions on a cost-per-thousand (CPM) basis like in mobile display or video ads. However, these ads are shown to a fake audience like bot traffic.
Invalid Traffic (IVT)
Visitors who have no intention of converting into paying customers like bots, click farms etc.
A network of computers, smartphones or IoT devices whose security has been breached and control ceded to a third party, who is using the network to execute malicious attacks.
Naked Ad Calls
Instead of loading entire webpages from sites that pay bots for traffic, only the ad is loaded to save on bandwidth.
Pixel stuffing is a way of putting many ads on a single page without the customers realizing it. Ads are loaded into small frames of one or just a few pixels in size. The visitor cannot see the ads, but the advertiser is charged for the view.
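As an added example (not part of the original glossary), an ad-verification check can audit the rendered geometry of ad frames for both pixel stuffing and the ad stacking described in the first entry. The `AdFrame` fields, both thresholds, the assumption that frames are opaque and the sample frames are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_STUFFED_SIDE_PX = 5     # assumed: "one or just a few pixels"
MIN_COVERED_FRACTION = 0.9  # assumed: share of a frame hidden under another ad


@dataclass(frozen=True)
class AdFrame:
    ad_id: str
    x: int
    y: int
    width: int
    height: int
    z_index: int


def overlap_area(a, b):
    """Area in square pixels shared by two axis-aligned frames."""
    w = min(a.x + a.width, b.x + b.width) - max(a.x, b.x)
    h = min(a.y + a.height, b.y + b.height) - max(a.y, b.y)
    return max(w, 0) * max(h, 0)


def audit_frames(frames):
    """Return {ad_id: reason} for frames a visitor could not have seen."""
    findings = {}
    for f in frames:
        if f.width <= MAX_STUFFED_SIDE_PX or f.height <= MAX_STUFFED_SIDE_PX:
            findings[f.ad_id] = "pixel_stuffing"
            continue
        area = f.width * f.height
        for other in frames:
            # Only a frame drawn above this one can hide it.
            if other is f or other.z_index <= f.z_index:
                continue
            if overlap_area(f, other) / area >= MIN_COVERED_FRACTION:
                findings[f.ad_id] = "stacked_under:" + other.ad_id
                break
    return findings


def sample_frames():
    """Constructed sample: three ads in one slot, one 1x1 frame, one banner."""
    return [AdFrame("ad-a", 100, 400, 300, 250, 1),
            AdFrame("ad-b", 100, 400, 300, 250, 2),
            AdFrame("ad-c", 100, 400, 300, 250, 3),
            AdFrame("ad-px", 0, 0, 1, 1, 1),
            AdFrame("ad-banner", 100, 50, 728, 90, 1)]


if __name__ == "__main__":
    print(audit_frames(sample_frames()))
```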
Ads and further webpages are loaded in pop-unders, without the user triggering them and without being visible to any user. Most of this kind of traffic occurs on porn and piracy sites.
Residential proxies allow bot makers to “bounce the traffic” through residential IP addresses and disguise it. If the traffic were obviously from Amazon data centers, it could easily be blocked by fraud detection.
Ultimately a simple scam. Bots are sent to a business’s website in order to get tagged for retargeting ads. Bots are then sent to the fraudster’s website to “look” at the ads that the business is paying to display.