Post by lizaseo11 on Nov 8, 2024 19:46:31 GMT -8
Advertising fraud is a subtype of cybercrime that affects advertisers, services, affiliate platforms and potential clients. The increase in click fraud cases shows that fraudsters are ready to do anything for a tasty morsel – the advertiser’s budget. Every year new methods appear: hacking websites or HTML code for ads, bots, pseudo-installations – new tools and loopholes are found.
In this article, we will tell you about 10 techniques that cybercriminals use most often to click on ads. Read how to recognize the actions of fraudsters and whether it is possible to resist them.
Contents
1. Brief characteristics of techniques
2. #1 - Invisible Ads in CPM and CPI
3. #2 - Impression Laundering
4. #3 - Hacking a website and "stealing" an ad block
5. #4 - Traffic "Stealing"
6. #5 - Pop-unders (advertisement in the background)
7. #6 - Pseudo and Motivated Traffic
8. #7 - Bots and Fake Users
8.1. How to protect yourself from bots
9. #8 - Pseudo-installations
10. #9 - Ad replacement via extensions
11. #10 - Attribution Manipulation
Brief characteristics of techniques
| Type of fraud | Technique | Options |
|---|---|---|
| With impressions | Invisible ads | Pixelation. Off-page placement. Layering. Autostart of mobile applications. |
| With impressions | Impression laundering | Substitution of donor site for impressions. |
| With impressions | Pop-unders | Hidden ads in pop-ups and background tabs. |
| With clicks | Traffic hijacking | Redirecting the user to a third-party resource, not the advertiser's site. Hacking DNS, proxy. |
| With clicks | Pseudo and motivated traffic | Botnets and purchased traffic. |
| With clicks | Bots and fake users | Bots, click farms. |
| With conversions | Pseudo-installations | Farms for installations using mobile device emulators. |
| With conversions | Attribution manipulation | Click spam. Attribution hijacking. |
| With data | Hacking a website and stealing an ad block | Hacking a PC and changing the DNS resolver. Hacking a partner's website. Hacking a proxy server. |
| With data | Ad replacement via extensions | Installing malicious browser extensions. |
Technique #1 - Invisible Ads in CPM and CPI
Dishonest partners are the scourge of the advertising community. They will resort to any trick to increase their illegitimate income. The most common method is to make the ad invisible. This fraudulent technique is typical for CPM (cost per 1000 impressions) and CPI (cost per impression) advertising.
► «1 x 1 pixel»
The most cunning partners have found a way to place ads on their sites without "spoiling" the look of the pages with advertising. Cybercriminals reduce the block size to a minimum, for example, 1x1 pixel, so the average user cannot see it. The ads are shown but do not convert; the fraudster receives income from impressions, and the advertiser loses the budget.
► Placing ads outside the page boundaries
Such techniques have been known for a long time. They come from the times of poor-quality placement of links and other content. The ad is placed outside the page. Users view the page with the ad, but do not actually see it. The impressions go, and with them the budget is "drained".
► Layering - "one on all and all under one"
This is a technique where ads from different advertisers are placed one on top of the other. The winner is the one who is on top. Everyone is shown, but only the "lucky one" gets the traffic.
► Autostart of mobile applications
Mobile advertising is at risk. Fraudsters (app owners) launch their apps in the background and play ads endlessly, even if the user does not actually use the app. Impressions are coming, conversions are zero.
How to identify. Check your partners periodically, even if you trust the platform. Platforms cannot always track fraudulent actions, especially if the ads are considered posted and impressions are running. If you do not see your content visually on the page, try switching to the code view mode (CTRL+U) and search by text. Found in a hidden block? Down with such a partner!
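The "view source and search by text" check described above can be automated. The following is an added example, not part of the original post: it parses page source and reports where an ad marker sits inside a block that is 1x1, pushed off the page, or hidden by CSS. It reads inline styles and width/height attributes only (styles applied by a stylesheet or script, and layering, need a rendered-page check); the sample page, the "Acme Boots" marker and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "input", "meta", "link", "source", "embed"}  # tags with no closing tag
def hidden_reason(attrs):
    """Return why an element is effectively invisible, or None (inline styles only)."""
    a = dict(attrs)
    style = (a.get("style") or "").lower().replace(" ", "")
    props = dict(p.split(":", 1) for p in style.split(";") if ":" in p)
    def px(name):  # integer pixel value from CSS or from a width=/height= attribute
        m = re.fullmatch(r"(-?\d+)(px)?", props.get(name) or a.get(name) or "")
        return int(m.group(1)) if m else None
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return "css-hidden"
    w, h = px("width"), px("height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        return "1x1-pixel"
    if any((px(s) or 0) <= -1000 for s in ("left", "top", "margin-left", "text-indent")):
        return "off-page"

class HiddenAdFinder(HTMLParser):
    def __init__(self, needle):
        super().__init__()
        self.needle = needle.lower()
        self.stack = []     # (tag, reason) for each open element; reason is inherited
        self.findings = []  # (reason, tag) wherever the ad marker sits in a hidden block

    def _check(self, text, tag, reason):
        if reason and self.needle in text.lower():
            self.findings.append((reason, tag))

    def handle_starttag(self, tag, attrs):
        reason = hidden_reason(attrs) or (self.stack[-1][1] if self.stack else None)
        # The marker may sit in an attribute (src, href, alt) rather than in visible text.
        self._check(" ".join(v or "" for _, v in attrs), tag, reason)
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # pop to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack:
            self._check(data, *self.stack[-1])

def find_hidden_ads(page_source, ad_text):
    finder = HiddenAdFinder(ad_text)
    finder.feed(page_source)
    return finder.findings

# Constructed sample page: one visible placement and two hidden ones.
SAMPLE_PAGE = (
    '<div><p>Article. <a href="https://shop.example/promo">Acme Boots sale</a></p></div>'
    '<div style="width:1px; height:1px; overflow:hidden">'
    '<a href="https://shop.example/promo"><img src="banner.png" alt="Acme Boots sale"></a></div>'
    '<div style="position:absolute; left:-9999px"><span>Acme Boots sale</span></div>'
)
findings = find_hidden_ads(SAMPLE_PAGE, "Acme Boots")  # [("1x1-pixel", "img"), ("off-page", "span")]
```

The visible link in the first block is not reported; only placements whose enclosing element is invisible count as findings.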
#2 - Impression Laundering
With this advertising fraud technique, the advertiser does not know on which platforms his ads were ultimately placed. It is also typical for CPM and CPI advertising. Here is how this fraud technique is used:
1. The advertiser carefully selects donor sites with thematic content and the desired audience. That is, he selects a relevant site.
2. He pays for impressions, and on such platforms they can cost a lot of money.
3. Some of the impressions are directed not to the paid thematic placements, but to fraudulent sites with irrelevant content and a non-target audience. As a rule, these are resources "for adults" (18+) with high traffic. Why them? Such topics are more difficult to monetize by legal means.
4. The advertiser sees only that impressions are being displayed, and on those sites that he paid for. This effect is achieved through a complex structure of redirects and nested frames. That is why the technique is called "impression laundering."
#3 - Hacking a website and "stealing" an ad block
Ad block hijacking, or substitution, is a technique in which malware "hijacks" a block for affiliate ads on someone else's site and places its content there. The resource owner may not even suspect that his site has been hacked. How does this happen:
► Hacking a user's PC and changing the DNS resolver
Content is delivered not through the user's original DNS resolver, but through a fraudulent one.
► Hacking an advertising partner's website
The partner's site is hacked, and the HTML code is changed dynamically when the site's pages are displayed. As a result, the advertising that benefits the cybercriminal is shown.
► Proxy server hacking
A proxy server or router (or even a provider's router) is hacked. The DNS server is replaced or the HTML code on the site is changed.
How to determine. The first and third types are difficult to detect, but the second is determined, again, by checking your partners. If you see that what is displayed is not what you need, block the placement and file a complaint with the site.
#4 - Traffic "Stealing"
The technique is very similar to the previous one, only in this case the cybercriminal steals not the advertising block, but the user’s click: the target client is redirected to a third-party site.
How scammers steal clicks:
► Hacking a PC and changing the DNS resolver
► The tag <=»» li=»»> is used
► Hacking a proxy server and replacing HTML code.
#5 - Pop-unders (advertisement in the background)
This is almost the same as classic pop-ups, only pop-unders appear under some content block, not on top of it. Fraudsters can combine this technique with impression laundering to increase revenue. Tabs with a large number of banners and context are loaded automatically in the background when you click on a link, open an infected site, etc.
Despite the fact that advertising networks have recently blocked this method of placement, some sites still continue to consider it legal.
#6 - Pseudo and Motivated Traffic
To click on advertisements, criminals use both real users and bots.
► Pseudotraffic on bots
Some customers buy mass and cheap traffic to their sites for pennies on various RTB platforms. And there is no guarantee that they will not fall for click-bots. Even that small budget spent on advertising can slip away like sand through your fingers.
We have previously written about botnets, which are used by cybercriminals. For them, this is a powerful, albeit illegal, tool in which users' devices are infected with malware and controlled by a bot operator. This is currently a common advertising fraud technique.
According to a 2019 study by analytics agencies Traffic Guard and Juniper Research, advertisers spent $407 on each Internet user, of which $61 was spent on fake traffic.
Due to their mass character, bot networks guarantee their master an increase in clicks, effective impressions and income growth.
The most famous botnet for clicking ads is Methbot. What methods does it use:
Pseudo-clicks and automated behavior on the site.
Pseudo-registration and fake accounts in social networks.
False transmission of geographic location through control of an infected device located at the desired IP address, and others.
► Motivated traffic
In this case, low-paid labor of real people is used. The audience is students, women on maternity leave, schoolchildren. They are not interested in the advertiser's product. More than 150 exchanges throughout Russia offer services for such cheap traffic.
#7 - Bots and Fake Users
Cybercriminals use not only PCs but also mobile devices to imitate actions. They use bots, malware, and click farms to create an army of fake users. Fraudsters fill the entire advertising environment with them, wreaking havoc on advertisers' conversions.
► Click farms
Click farms use low-paid labor of real people who personally go through advertising sites and click all the ads.
► Bots
Clicker bots are created to fake actions on websites and mobile apps. Advertisers are deceived by high click-through rates, but in the end they do not receive target customers.
How to identify. Pay attention to Webvisor. If there are mass similar transitions with viewing 1-2 pages, similar behavior (robotic behavior is immediately visible) and no conversion, then these are probably bots. They cannot completely recreate the behavior of real visitors; their goal is to click on the ad and do "something similar to viewing the page."
You can also judge by country and device. If you advertise in Russia, and all such transitions come from Congo, then this is a sure sign of click fraud. Look at which partner the transitions come from. If they have become widespread, then refuse to place ads on that partner's site. Motivated traffic is identified in almost the same way: it is characterized by a mass flow and a single template of actions with no conversion.
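The signs listed above (mass 1-2 page visits with no conversion, one repeated behaviour template, traffic from outside the advertised country) can be screened per partner from exported session data. This is an added example, not part of the original post; the session fields, thresholds, partner names and sample rows are all constructed assumptions, not a Webvisor export format.

```python
from collections import Counter, defaultdict

def screen_partners(sessions, target_countries, min_sessions=5, share=0.8):
    """Return {partner: [reasons]} for partners whose traffic matches the fraud signs."""
    by_partner = defaultdict(list)
    for s in sessions:
        by_partner[s["partner"]].append(s)
    report = {}
    for partner, rows in by_partner.items():
        n = len(rows)
        if n < min_sessions:
            continue  # too little data to judge this partner
        conversions = sum(r["converted"] for r in rows)
        shallow = sum(r["pages"] <= 2 for r in rows) / n
        off_geo = sum(r["country"] not in target_countries for r in rows) / n
        # Behaviour template: device, page count and dwell time bucketed to 5 s.
        templates = Counter((r["device"], r["pages"], r["seconds"] // 5) for r in rows)
        top_share = templates.most_common(1)[0][1] / n
        reasons = []
        if conversions == 0 and shallow >= share:
            reasons.append("mass 1-2 page visits, no conversions")
        if top_share >= share:
            reasons.append("single behaviour template")
        if off_geo >= share:
            reasons.append("traffic from outside target countries")
        if reasons:
            report[partner] = reasons
    return report

# Constructed sample sessions for three hypothetical partners.
SAMPLE = (
    # Organic-looking traffic: varied devices, depth and dwell time, some conversions.
    [dict(partner="site-a.example", country="RU", device=d, pages=p, seconds=t, converted=c)
     for d, p, t, c in [("desktop", 5, 140, True), ("mobile", 1, 8, False),
                        ("desktop", 3, 65, False), ("mobile", 7, 300, True),
                        ("tablet", 2, 31, False), ("desktop", 4, 90, False)]]
    # Bot-like traffic: identical one-page visits from an untargeted country.
    + [dict(partner="site-b.example", country="CG", device="mobile", pages=1,
            seconds=3, converted=False) for _ in range(8)]
    # Motivated-traffic pattern: targeted country, but one template and no conversions.
    + [dict(partner="site-c.example", country="RU", device="desktop", pages=2,
            seconds=11 + i % 3, converted=False) for i in range(6)]
)

if __name__ == "__main__":
    for partner, reasons in screen_partners(SAMPLE, {"RU"}).items():
        print(partner, "->", "; ".join(reasons))
```

A flagged partner is a candidate for manual review of its recorded sessions, not proof of fraud; the thresholds need tuning against your own baseline traffic.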