Bots Run the Internet
When Aleksandr Zhukov went on trial last year, he stood accused of defrauding US companies, including The New York Times and pet care brand Purina, out of millions of dollars. According to the court, the then 41-year-old set up a company that promised to show online adverts to humans, but he instead placed those adverts on an elaborate network of fake websites where they were seen only by bots. Yet Zhukov’s defense did not center around his innocence or his remorse. Rather, he said he was giving the online economy exactly what it wanted: cheap traffic, whatever the source.
“There was nothing to conceal,” he said on the stand in May 2021. “We were making business. We are not making scam or fraud.”
The federal courthouse in Brooklyn disagreed and, in November 2021, Zhukov was sentenced to 10 years in prison. By extraditing the Russian cybercriminal from Bulgaria, the US justice system sent a message that this type of crime has consequences. Yet Zhukov’s testimony hints at an uncomfortable truth: The online economy is willing to look the other way while bots distort it and line the pockets of cybercriminals.
The Elon Musk v. Twitter trial is set to resurrect such concerns. Musk, who claims that Twitter has undercounted millions of fake accounts on its platform, was handed extra ammunition when Twitter’s former head of security Peiter Zatko, known as Mudge, turned whistleblower in August. Mudge claimed that executives’ bonuses were tied to increases in daily users, meaning they had no incentive to crack down on bots—an allegation Twitter’s CEO, Parag Agrawal, has denied.
Bots are polluting the internet. Fake online users make up as much as 40 percent of all web traffic, according to some estimates. Researchers specializing in advertising fraud describe a Kafkaesque system where businesses pay millions to advertise to bots and research their “opinions.” Yet the digital advertising industry has grown so accustomed to working with inflated numbers that few are willing to unmask the fake clicks powering large swathes of the online economy.
In June, the Association of National Advertisers (ANA), a US industry group, published a blog post that estimated that ad fraud is costing US advertisers $120 billion each year. Hours after it was published, those statements were removed. John Wolfe, the ANA’s director of communications, tells WIRED that the figures were removed because they were out of date, but declines to provide any new figures.
Zhukov’s trial established how the trade in fake clicks works. Between 2014 and 2016, the so-called King of Fraud—a name he gave himself in a text message, revealed in court—ran an advertising network called Media Methane, which received payments from other advertising networks in return for placing brand’s adverts on websites. But the company did not place those adverts on real websites. Instead it created fake ones, spoofing more than 6,000 domains. It then rented 2,000 computer servers in Texas and Amsterdam and programmed them to simulate the way a human would act on a website—using a fake mouse to scroll the fake website and falsely appearing to be signed in to Facebook.
“As a result of this elaborate scheme, the defendant falsified billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users,” the Department of Justice said. Although TheNew York Times was named as a “victim” by the Justice Department, the publication declined to clarify whether it paid for fake ad views or whether its website was spoofed by one of Zhukov’s fake sites. Nestlé, the parent company of Purina, did not respond to a request for comment.
Some companies have taken matters into their own hands. In 2017 Uber sued one of its advertising agencies for charging it for ads that were not seen by real people or placed on real websites. The case started when Uber pulled all online advertising and discovered barely any drop in app installs or sales. Why? Some claim online ads target people who already plan on buying that product or service. Others argue that ads often target bots. But it's hard to get a straight answer. Companies paying for advertising have an incentive to play down the number of bots to conceal how much cash they're wasting. And cybersecurity companies have an incentive to exaggerate numbers to sell anti-bot products.
The technology to detect and block bots already exists, says Sandy Carielli, a principal analyst specializing in cybersecurity at the consultancy firm Forrester. But companies can be unwilling to investigate traffic that, on-the-surface, makes their website look popular, she says. “Keep in mind if you cut off the bots and it turns out that a large amount of traffic on your site is generated by bots, that’s going to influence your performance numbers.”
Advertising didn’t always used to be like this. Augustine Fou, who has been a digital marketer for 25 years, says that in the past decade there’s been an explosion in fake traffic. Fou believes the industry was corrupted around a decade ago, when a series of opaque middlemen entered the scene. “Prior to that, advertisers would buy ads from publishers like TheNew York Times,” he says. But now it’s typical for brands to approach a digital ad exchange—which facilitates the buying and selling of advertising from different ad networks—to place their adverts on huge numbers of websites and apps. And it is this part of the system that has become vulnerable to bots, claims Fou.
“The exchanges have deliberately looked the other way when there are fraudulent sites and mobile apps that become part of that exchange,” he claims. Google and Facebook are among the companies that run these exchanges alongside other listed US companies such as Pubmatic and Magnite. “The ad exchanges don't want to solve fraud because fraud generates so much volume,” Fou claims. “And the exchanges essentially make more money when more volume passes through their platforms.” None of the exchanges responded to requests for comment.
And it’s not just the exchanges seemingly dodging the fraud issue. Advertisers are also reluctant, says Fou. “It's too embarrassing for them to admit that they purchased fraudulent inventory.” He cites one rare attempt to sue by Uber, after it discovered Austin-based advertising company Phunware was selling fake app installs using bots. “Most of the Uber app installations that Phunware claimed to have delivered were generated by a fraudulent process known as ‘click flooding,’ which reports a higher number of clicks than those occurring,” Uber’s law firm Reed Smith said after winning the fraud suit.
“Many still think ad fraud is a victimless crime,” says Fou. “After all, who cares if big brands waste their money showing ads to bots?” But the industry is letting ad dollars flow into the pockets of cybercriminals, he adds, who can then use it to fund other illicit activities. It’s a major problem, he argues. “One that no one talks about, no one writes about, everyone thinks it’s someone else’s problem.”
More Great WIRED Stories
Credit belongs to : www.wired.com