Botnet Creators: These
are programmers or hackers who specialize in writing malware or
virus software they distribute via websites, email and online ad
campaigns. This malware infects users' computers and lets the
botnet creator control the browser -- usually without the user's
knowledge. Once enough computers have been infected, the botnet
creator has a "drone army" or "drone pool" that can be rented to
others who wish to direct a large group of web browsers to execute
attacks or create ad fraud
scams.

Traffic Exchanges: These
groups aggregate botnet traffic and sell it to a variety of
bidders. Also known as "botnet monetizers," they rent or buy drone
pools from botnet creators and are experts in selling this traffic
to shady publisher networks or traffic multipliers. They'll
typically operate under multiple names and represent tens or hundreds of
websites, often partnering with many other traffic exchanges to
resell each other's traffic. Search Google for "purchase web
traffic" and you'll see some of these traffic exchanges.

Traffic Multipliers:
Traffic multipliers specialize in buying traffic from traffic
exchanges and in recruiting quasi-legitimate publishers to work
with them by offering a seemingly harmless proposition: "Insert
some of our code on your site and we'll pay you per user." Once the
publisher has been recruited, every time a user (either a "botnet
user" or a real user) comes to its page, a series of pop-under
windows is launched, loading other publishers' sites or ads.
This "juices" the organic traffic to increase the
profit potential.

Traffic Distributors/Accomplice
Publishers: Traffic distributors and accomplice publishers
have agreed to run code or ad tags from traffic multipliers and
have become a source of traffic to other sites (known as ghost
publishers). They may or may not know that they are part of a
botnet scheme, but they're getting paid for each user who comes to
their site and are generating multiple page views or pop-under
window loads per page view on their own site. These publishers are
essentially being used to launder botnet traffic before it gets to
ghost publisher sites.

Ghost Publisher Networks:
These are networks of sites created to look like they are populated
with real content written by real editors, but instead use
copyrighted content scraped from other sites or junk content
generated by computer programs. They are designed to fool human
reviewers at agencies and ad networks who are trying to screen
publishers that don't have "brand-safe content." Ghost publisher
sites receive traffic from traffic distributors and run ads from
unwitting "real-world" buyers or from fraudulent ad networks that
have duped advertisers into working with them. Ghost publisher
networks can include hundreds, thousands or even hundreds of
thousands of sites, making it impossible to screen these sites
through manual efforts.

Low-Quality Ad Networks and
Exchanges: Some ad networks and exchanges lure agencies
and advertisers into working with them by promising incredible
campaign performance at low prices. Unfortunately, since marketers
place a constant demand on their agencies for better campaign
performance at lower costs, agencies are often all too willing to
experiment with questionable ad network partners. Once this
happens, the flow of revenue into the botnet ecosystem has begun,
as the low-quality ad networks funnel ads to ghost publisher sites
and claim the traffic is real.

The bottom line: Marketers, agencies, and publishers
should be aware of the various players involved in ad scams, employ
multiple lines of defense -- such as installing security software
-- and be on the lookout for any component of this complex
ecosystem.