Ad Revenue Is Under Attack: Beware the Bots

Aug 05, 2013

Article ImageAnyone who has a blog with an open comment option has encountered malicious online bots. Log in to your Wordpress dashboard, and you'll find hundreds of new comments. Deceptively, they're not often people excited about your eloquently penned prose, but rather systematic bot programs plugging their own products to your regular human readers.

But the world of malicious bots is taking a turn beyond drowning your blog in sales comment threads. According to the "Bot Traffic Market Advisory" from Solve Media-a website security firm with more than 6,000 clients such as AOL-bot traffic increased significantly for the first quarter of 2013, costing brand advertisers an estimated $3 billion online and $1 billion through mobile devices. 

But bots don't create themselves. That's what Ari Jacoby, co-founder and CEO of Solve Media, thinks about bots: Someone is behind it, and it's usually someone looking to gain an unfair advantage.

See, not all bots are bad. In fact, similar to most tech, the use of bots was initially purposed for extending the reach of brands across the internet, such as software-as-a-service (SaaS) companies that automatically feed a series of posts, comments, and links to all of the major social media sites and groups. "These services can be understood to be bots in the sense that they, too, are automated ways to push things out," explains Scott Frangos, president of WebDirexion, LLC, a content marketing firm that provides website security as one of its services. He recommends using social media for authentic, human-to-human connections, citing that robo-posting to an extreme is never a good tactic. "That said, we do automatically schedule some postings via tools such as Hootsuite, since it's tough to be everywhere at once," Frangos adds.

Bots are malicious when robo-posting becomes more about, well, being malicious. "In the case of advertising, a bot might go to a site and be programmed to click the play button on a video so that the click-per-play spikes," Jacoby explains. "This suggests to the advertiser that there was great performance, although there was almost none. Bots make fake registrations on sites, fake likes for pages, fake votes, post spam links in comment sections: they falsify the effectiveness of ad campaigns."

Earlier this year, Microsoft and Symantec Corp. discovered the Bamital Botnet, and they joined forces to take it down. The botnet attacked more than 8 million computers in a span of 2 years. On Feb. 28, U.K.-based discovered what is known as the "Chameleon Botnet." Initial results showed at least 202 targeted websites (with at least 65% of the traffic attributed to the botnet) and more than 120,000 host machines in the network.

Jacoby explains in more detail how these and other botnets work, even going beyond the creation of fake ad clicks and selling fake website real estate to advertisers. "Media ad agency personnel have access to research tools that help them to find good publishers for a certain demographic," he says. "Through those tools, advertisers are very likely to find things that look very attractive." For example, Jacoby explains, you could be looking to advertise a product or service directed toward individuals living in the St. Louis area. You can certainly go to sources you know and trust to purchase banner ad space, such as the local St. Louis Post-Dispatch website. "All of a sudden, a site pops up that's called and it's showing great results and lots of traffic, so they buy an ad on it because it's cheap and has good results, but it never had traffic to begin with," he says. The web traffic was the result of malicious bot activity, because the website was set up by bot programmers to hack into a share of the ad revenue going around.

"Malicious bots will actually commandeer a server and might even take down your site, or perhaps be more sneaky about it and use your existing site to promote their own products," Frangos says. "Usually their goal is to reroute your traffic to something that will make them money. This directly impacts your ad revenue by pulling eyes off your content and your brand."

Frangos sees a multitude of bot attacks on WordPress-based websites, extending beyond blog comment spam. He cites an example through one of his clients: a high-traffic HVAC company based out of Florida. An interior page of the company's website that received high page views was hacked and replaced with an ad redirecting to another website. "We had to hunt for the code insertion, and then reinstall and overwrite the entire CMS code to root out the attacker," he explains.

Mark Stevens, CEO of the marketing firm MSCO, believes that if you're the least bit suspicious of a site's authenticity, steer clear. "It's like me saying to you, ‘Give me $1,000 right now and wait here-I'll be back in five minutes with $2,000.' I'd be a walking bot." Instead, Stevens recommends using your company's mission and your personal intelligence to avoid engaging bots that comment on blog posts, spam your Twitter account, or try to propagate your marketing budget. "The issue is not the bot, but the people that allow them to manipulate," he says. "Any aspect of the internet is filled with sand traps. You could just stay away, but that's ridiculous because life is sand traps. Instead, go in and be skeptical of everything you do."

Frangos provides suggested steps for additional security. "Learn about the best security technologies for your server and content management system," he says. "Work closely with the technicians at your hosting location, since they will help with firewall and server level controls." He recommends implementing proactive controls, setting up an alert system, and drilling the team for best practice responses to attacks. Jacoby adds that site owners should demand third-party website traffic research from vendors in order to hold them accountable.

All in all, stick with advertising on websites you know you can trust and don't respond to comments or Twitter messages that are clearly meant to hook you rather than create a business relationship. As Stevens points out, the old adage rings true here as it does in many circumstances: If it sounds too good to be true, it probably is.  

(Image courtesy of Shutterstock.)