12-letter domains. The ad fraud scheme

Experts of the SadBotTrue team detected the largest global ad fraud scheme, using high-quality targeted artificial referral traffic. The ad fraud of this scale has never been fully investigated.

Unlike previous anonymous botnet stories, in this case, all organizers, participants and main beneficiaries were found. This week we begin to disclose information, in the series of publications “12-letter fraud”.

Key facts

The main element of the found scheme is the set of 1000 technical disposable sites that redirected bots visits as referral traffic to the sites with advertising. The name of this site is a 12-letter meaningless set, (without numbers and other signs), more like a wi-fi password. At an early stage, there are 8-digit in summer 2016 and 50-digit domains in September. All domains are registered in the dot-com zone.

Over the past 8 months, since August 5, 2016, with this scheme, more than a billion artificial visitors (bots) have been launched into the network, for mass viewing of all types of advertising, including video.

These sites were registered daily, with occasional breaks, from 1 to 19 sites a day, depending on the need. On the same day, a few hours after the creation, they received the main portion of traffic, it could be up to 4-5 million visits.

Bot behavior pattern

The average visit to such a site lasts 3 minutes, 2 pages views, according to Similar Web. Alexa shows slightly different stats, 28 seconds and 1.3 pageviews. Later we explain the reasons for this discrepancy in stats. In the end of the visit bot simulated referral to the site with ads, and then to the next one, and so on, from one to the other.

The way the site is displayed in the browser depends on IP you come from. If your IP falls within the allowable range, then you see a simulation of the search page. All links lead to the same technical domain. If your IP does not fall within the acceptable range, you will see an error message.

How would it look if these sites were visited by real people? A few hours after the creation of the unpronounceable domain, millions of people around the world somehow know its name and immediately without a mistake type it. Then they go to a blank/fake site, reload the page, find a non-existent link on it, wait for 3 minutes and click on it. Sometimes this happens with 19 sites per day, and the audience comes only from those countries and with the parameters that are needed by the final recipients of traffic.

The average lifetime of the site is 5-7 days. The average site received 1,000,000 visits, but in fact, the limits were very different, from several tens of thousands to several million.

There are constant recipients of this traffic, which appeared from the very beginning of the creation of this scheme, every month new ones appear, some sites disappear. On average, each bot imitated several dozens of ad views. On sites comes both desktop and mobile traffic, most often its ratio of 75% -25%. On small sites with traffic up to a million, there is mostly desktop traffic.

It should be noted the conversion of these sites. It can be up to 130%. That is, not just every visitor to the site was redirected to another site, but some of them were redirected even twice. Absolutely anomalous is the fact that each site sends 3-4% of advertising traffic.

What is the infrastructure for generating artificial traffic?

In order to simulate a web audience, you need 3 components.

1. Database of simulating devices, browsers, and users.

2. Software to manage the algorithms of botnet activity.

3. Rented proxy servers around the world, used to simulate users from more than one hundred countries.

The black market of proxy servers is the most important part of the ad fraud infrastructure. It has long been a global and accessible for everyone.

These parts are common to all ad fraud schemes. But for verification of artificial traffic, a credible source is needed. A huge audience can not appear suddenly from nowhere. We have already written how social traffic is used as an imitation of a fast recruitment of the audience. Also for this, search engines are often used, primarily Google.

As we see here, the newly created 12-letter domains are used as a reliable source of high-quality quality traffic. The uniqueness of this scheme is its primitiveness and impudence, which, it seemed to us, is already impossible to imagine in 2016-2017. Similar schemes were in use 10-15 years ago. Today, such schemes also exist, but they are better disguised and not so large-scale. It's a unique case that one-time sites with a weekly lifecycle generate multi-million-dollar traffic for more than 100 countries during 8 months.

The scheme is still active, new sites continue to send millions of bots to the web.

Where were these domains hosted?

The creators of the fraudulent scheme used the white infrastructure not only as a proxy but also as a hosting. Inactive domains changed their host to hide the server, that sends this traffic.

All used almost 1000 of these domains are now located on the Digital Ocean server in New York, but this should not lead to wrong conclusions. These domains appear on New York servers 25 days after registration. The previous server, where exactly all the fraudulent activity occurs, is located in Dallas. It belongs to the company Total Uptime.

Was it impossible to detect this activity by the hoster for 8 months? We are sure, that yes.

Where and by whom was this traffic used?

This traffic was used not only by the owners of this botnet for their own digital assets but also put up for sale inside the closed digital community, as well as on open marketplace.

This is one of the largest suppliers of bot traffic, not only for other black webmasters but for large white publishers and agencies. The organizers of the botnet sold targeted referral traffic, which allows publishers to receive the most expensive advertising.

Which were brands affected?

If we are talking about hundreds of billions of advertising views, then the victims were exactly all those who spent more than $ 1000 on digital advertising in the last 8 months. We will analyze the individual cases in the following articles.

On the sites that received this traffic, all major advertising systems were installed, including Adsense/DoubleClick, its partners, all members of the open RTB ad exchange.

Who is the creator of the scheme?

Finally, we moved on to the most important question. It is clear who its main beneficiary is, too many facts lead us to one digital advertising company.

1. The early 8-letters domains in the summer of 2016 are redirected to Popads.net.

2. Sources sending referral traffic to 12-letter domains are the main donors of the ad traffic for Pop Ads.

3. All domains receive display ad traffic from Popads.net. This traffic is very small, 0.2-0.3%, but it comes to all these sites.

4. 12-letter domains are sent to other sites is not only a referral but also advertising traffic. It is marked as Pop Ads ad traffic.

5. PopAds.net is hosted on a nearby IP on the same server in Dallas. - Active ad fraud domains - Pop Ads

The other PIs in the range are not used for web hosting.

PopAds.net is also a global converter of direct traffic to advertising traffic. Over the past 3 months, it was visited almost 2 billion times, of which 77% were direct visits. During the same period, it sent 743 million advertising traffic to the customers.

The trademark "Pop Ads" is used by TOMKSOFT S.A. The company was founded in 2011 in Costa Rica by the Polish programmer and digital entrepreneur Tomasz Klekot. Initially, it specialized in pop-up ads, but now it is actively engaged in the sale of traffic resellers, publishers, and agencies.

Read the new facts about the largest digital global fraud in the following parts of the investigation.

The appendix

All 950 12-letters domains. Data set.

Top 3 most active 12-letters domains for January, 2017. Data set.

Top 3 most active 12-letters domains for February, 2017. Data set.