When it comes to cheating advertisers out of their ad spend and stealing revenue from publishers, fraudsters are upping the ante. By monitoring of invalid traffic (IVT) associated with digital advertising, our team tracked an unrelenting, sophisticated operation first publicly reported as 404bot.

By using a broad range of tools, our researchers were able to pinpoint the actual proxy software that had been installed on consumer PCs. This key discovery allowed us to closely track the fraud as it morphed. We found this scheme to be particularly devious for two reasons:

1. The offending program was typically installed unknowingly through various seemingly safe entry points. (This is (often referred to as a PUP, or potentially unwanted program.) It would then turn the downloader’s computer into a botnet carrying out ad fraud in the background.
2. Much like software companies roll out bug fixes and updates to their code, the scheme similarly evolved its mechanisms for fraud. Each adjustment was made with the intent to elude detection.

The following is a debrief on the uncovering of the scheme. We outline what tipped us off to foul play. We also discuss the steps we are taking to mitigate the activity and why it’s so important to monitor invalid traffic to protect all sides of the programmatic supply chain.

The deep dive into botnet activity

In mid-2019, our team observed suspicious botnet activity. We spent weeks investigating and tracking various suspicious identifiers surrounding this activity. Finally, we were able to pinpoint a unique signature. We then matched it to a binary of a desktop application called NotToTrack. This free VPN, readily available for any consumer to download, masked itself as software meant to secure the installer’s computer.

Our team was able to obtain the VPN’s actual malware binary. We ran it in our clean room, where we can safely download malware ridden software and de-obfuscate code. This allowed us to:

• Record its web activity and thus reconstruct the behavior seen in impressions from the relevant time period
• Validate that it is based on Chrome Embedded Framework (CEF), a popular framework for web based applications that can be used both legitimately and by bots
• Develop new detection methods based on these observations

The discovery of this VPN and its executable file allowed us to see the full breadth of the operation. What we found was very persistent, targeted ad fraud.

Summary of the bot’s evolution

The VPN front was just one point of entry for the operation’s fraud. It was probably not even the most common distribution vector.

Following the newly discovered evidence, we have found forum complaints that indicate this operation has been underway since as early as November 2016. Based on evidence we’ve gathered, we also believe the origins of this bot are the same as 404bot, a recent fraud scheme made public by another verification provider.

However, our findings reveal that this bot has not ceased its fraudulent activity. And as it attempts to elude detection, it has moved from its initial domain spoofing practice onto other mechanisms.

In the graph, we see the subset of spoofed domains tracked by Integral Ad Science (blue) alongside the rest of the malware-originated activity that Moat has been tracking (orange). Where the domain spoofing ceases (blue activity falls flat), we see the fraudulent impression activity actually has continued as the perpetrators evolved their tactics.

What is the impact that we are seeing?

The question of impact always comes up when discussing the discovery of an ad fraud scheme. This is usually in relation to stolen impressions and ultimately, lost ad spend. But even as we bring the pieces of the puzzle together, the true size of any botnet is hard to measure. So, we caution against assigning too much value to a market impact analysis.

Even more important is how this bot illustrates the ability for these schemes to quickly mutate. So when the conversation turns to impact, we firmly believe it should not be about size, especially as it relates to protecting our clients and doing what is right for the industry. A botnet that is “small” by our measurement today could easily evolve into a much larger threat tomorrow.

What we do know, from the portion of traffic we are able to measure, is that at its peak, this bot was clocking in at around 11 million impressions per day. And, as recently as March, it was still showing activity at just under 2 million impressions.

Further, the nature of how this bot is operating—by targeting the computers of unknowing consumers through shifty mechanisms—is particularly invasive. The distribution of malware can have severe consequences on hardware. The complaints of users who unknowingly downloaded the offending proxy software mention various, flag-raising behavior. For example, at the Bleeping Computer forum a user describes, “I have a bunch of programs running that I did not allow to start… My computer in-turn slows down due to all these programs running their bleep [sic]. Earlier today, I had 3 virus programs scanning my computer. I never downloaded, let alone installed them.”

How to protect your investments from IVT and ad fraud

Unfortunately, ad fraud is a pervasive and pesky byproduct of programmatic advertising. This is thanks to an environment that affords ample anonymity as well as produces a significant amount of profit. Having meaningful data is the first step in enabling us all to ask the right questions about these schemes that will continue to occur.

Moat has numerous methods for detecting various forms of IVT. As we identify and track fraudulent botnets, we use our findings to understand how they evolve. We continuously develop detection mechanisms that can identify and separate bot activity from human. We believe everyone in the ecosystem has a role to play in eliminating ad fraud and addressing IVT. It is through continued collaboration, information sharing, and advancing our technology that will help us build trust and ultimately, stop the cheaters from lining their pockets.