Phony Web Traffic Tricks Digital Advertisers
The website Songsrpeople.com looks a lot like other amateur-video sites. It is wallpapered with clips featuring "the most insane amusement park ever" and "your girlfriend's six friends."
The site draws tens of thousands of visitors a month, according to audience measurement firms. It also has ads for national brands, including Target Corp., TGT -0.41% Amazon.com Inc. AMZN -0.14% and State Farm.
But Web-security investigators at a firm called White Ops contend that most of the site's visitors aren't people. Rather, they are computer-generated visitors, or "bots," designed to fool advertisers into paying for the traffic, says White Ops, which has blacklisted the site—and thousands more like it—so that ads from clients such as Zipcar don't land there.
An anonymous representative for Songsrpeople declined to discuss the site's traffic but in an email called the White Ops methodology into question.
State Farm said it was looking into the matter while Target declined to comment and Amazon didn't immediately respond to requests for comment.
Authorities and Internet-security experts say tens of thousands of dubious websites are popping up across the Internet. Their phony Web traffic is often fueled by "botnets," zombie armies of hijacked PCs that are controlled from unknown locations around the world, according to Internet security experts.
The sites take advantage of the simple truth that advertisers pay to be seen. This creates an incentive for fraudsters to erect sites with phony traffic, collecting payments—often through middlemen and sometimes directly from advertisers.
"When you walk into this world, you walk with eyes wide open," said Brian Harrington, chief marketing officer at Zipcar, which ran a recent ad campaign, assisted by White Ops to filter out bogus traffic. "You know stuff is not real."
At their most sophisticated, botnets can mimic the behavior of online consumers, clicking from one site to the next, pausing at ads, watching videos, and even putting items in shopping carts.
Earlier in the year, an FBI operation, "Ghost Click," resulted in two men from Estonia pleading guilty in U.S. federal court in New York for their roles in a botnet ad-fraud scheme. The fraud involved four million hijacked computers in 100 different countries and yielded at least $14 million for a group of seven, federal prosecutors said.
"It's drug-level money, but you don't have to kill anyone," says Tamer Hassan, a co-founder and chief technology officer of White Ops, a year-old startup in New York that has developed technology that it says can spot robotic traffic and uncover digital ad fraud.
Security experts say that botnets can be rented or purchased on private forums and message boards around the world. In a translation of one proposal written in Russian, a member called "Shantaram" offers to drive 1,000 visitors to any website for $1, noting that it can source the traffic to any country "desired."
Hackers build botnets by infecting computers with malware, which are regularly buried in email attachments or disguised as legitimate website downloads. Those infected computers are then connected by a command machine, which stealthily directs the network of zombies to do its work, whatever it may be. A computer user may not be aware of it.
Ad industry executives blame the murky and complicated online ad ecosystem for creating an environment for the fraud. Most publishers, big and small, sell inventory through multiple channels, using middlemen who aggregate space across a host of sites and resell it to brands.
The middlemen include ad networks, which often have sales teams, as well as ad exchanges, which employ automated systems that allow advertisers to bid on publishers' inventory. That inventory can be supplied either directly by the publisher, by ad networks, or through other companies that help websites sell their ad space.
It isn't unusual for marketers to now have ads running across hundreds of different websites, elevating the chances that ads could land on questionable sites, unbeknownst to the advertiser. Even when advertisers find out their ads ran on a botnet-fueled site, there's no formal process for them to get their money back, ad buyers say.
Automated systems have "enabled greater buying efficiencies and controls, but also made it easier for the bad guys," said Arthur Muldoon, co-founder and chief executive of the media buying firm Accordant Media, whose clients include Starwood Hotels, Seamless and Zipcar.
To sift out bad traffic, Accordant uses a growing cast of security and verification companies, including comScore Inc., SCOR -1.34% DoubleVerify and White Ops. Last year it doubled the money it spent on their services. Accordant also has a swelling blacklist of sites where it won't buy ads. That list has tripled from last year and now includes hundreds of thousands of sites.
White Ops was...