The anatomy of a click fraud gang

August 8, 2022 ∙ 8 minute read

Click fraud is a sophisticated internet crime that steals billions of dollars from advertisers every year. Its offenders include mom-and-pop websites, cybercrime gangs, and even Nasdaq-listed multinational corporations. In this article we'll focus on a prolific Asia-based cybercrime gang, responsible for a large percentage of the world's click fraud.

What is click fraud?

Most websites display adverts as a way of monetizing their content. Every time a visitor clicks on an ad, the website owner earns a small fee from an advertising network.

Let's imagine Rolex wants to advertise their latest luxury watch, and decides to use Microsoft Ads - an advertising network - to manage the process. Rolex agrees to pay $20 every time their ad is clicked, and they tell Microsoft Ads to display the ad across the internet. A visitor goes to bbc.com, and clicks on the Rolex advert at the top of the page. In this scenario, Rolex pays $20 to Microsoft Ads, and Microsoft Ads gives around $10 to the BBC.

In our example, Rolex is the advertiser, Microsoft Ads is the advertising network, and the BBC is a publisher website.

Criminals take advantage of this advertising model by running their own publisher websites and using bots - software pretending to be human - to click on the ads.

The scam typically works like this:

A criminal creates a website, and contacts an ad network to open a publisher advertising account. The publisher advertising account allows the criminal to display adverts on his scam website, and earn money every time an advert is clicked.

The criminal contacts a bot programmer - a software engineer who specializes in creating bots - and asks him to create a click fraud bot. The programmer uses bot software such as Puppeteer-Extra to create a bot which will visit the criminal's website and click on the ads. To help the bot appear more human-like, the programmer routes the bot's traffic through a residential IP address proxy service, ensuring the bot has a unique IP address every time it clicks on an ad.

The bot visits the criminal's website thousands of times each day, with roughly 10% of the visits resulting in an ad click. The advertising network is fooled into thinking the clicks are genuine, and the criminal earns hundreds of thousands of dollars every month.

The anatomy of a prolific click fraud gang

This Asia-based gang exclusively targets US advertisers, due to the lucrativeness of the US advertising industry, and the fact that stealing money from American advertisers is ignored by local police. The gang operates with impunity, knowing there is no risk of extradition should they ever be pursued by US law enforcement.

The gang uses a franchise model, with each franchise responsible for its own operations, except for the bot development and maintenance which is managed by a central team.

Each franchise hires Americans living in Asia - typically working locally as English teachers or small business owners - with the promise of high pay-outs for very little work. The job entails creating US companies and applying for publisher advertising accounts at a well-known advertising network. The gang uses this advertising network because it has less than ideal click fraud detection capabilities.

Typically, the Americans pose as AdTech companies (advertising technology companies) to increase their legitimacy and improve the chances of their publisher advertising accounts being approved.

Whether the Americans understand they're breaking the law is an open question. They probably don't know what click fraud is, but their massive earnings must raise suspicion.

Each franchise creates dozens of websites for their American employees, and uses the publisher advertising accounts to display adverts on some or all of these websites.

The central bot development team places a lot of effort into creating bots which closely imitate humans. They create multiple bots, using various technologies such as Puppeteer-Extra, and place the bots on servers in the US. The bots route their traffic through a residential IP address proxy service to hide the servers' IP addresses, and to make the bots look like regular internet users.

Their most common bot uses a plugin called Puppeteer-Extra-Plugin-Stealth. This plugin goes to great lengths to make the bot difficult to detect, and is able to bypass the ad network's click fraud detection software.

Polygraph is able to detect Puppeteer-Extra-Plugin-Stealth, and every other bot used by this click fraud gang.

The bots visit the gang's scam websites hundreds of thousands of times per day, and click on the ads on roughly one out of every 10 visits. The financial loss to advertisers is huge.

To maximize revenue, the bots perform a search on the criminals' websites before clicking on an ad. For example, searching for "law firm new york" will display ads relating to law firms in New York. These search terms are selected for their high value - by forcing expensive adverts to appear on the scam websites, every fake click generates a high return.

A challenge faced by the gang is the fact their bots never purchase anything at the advertisers' websites. That risks their publisher accounts being flagged by the advertising network as having low quality traffic. To avoid this problem, the bots occasionally submit bogus leads at the advertisers' websites - roughly 1 out of every 20 fake clicks results in a bogus lead. These fake leads, known as conversion fraud, trick the ad network into thinking the criminals' bots are real people interacting with the advertisers' websites.
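The traits described above (a new IP address for every click, searches on expensive keywords, bogus leads but never a purchase) can be checked from an advertiser's own click records. The following is an added example, not Polygraph's detection method or code from the original article; the row fields, the thresholds and the sample data are assumptions constructed for illustration, and each signal is weak on its own, so a placement is flagged only when at least two coincide.

```python
from collections import defaultdict

def placement_signals(clicks, min_clicks=20, high_cpc=15.0):
    """Aggregate advertiser-side click rows per publisher placement and
    count how many of the traits described in the article each one shows."""
    groups = defaultdict(list)
    for row in clicks:
        groups[row["placement"]].append(row)
    report = {}
    for placement, rows in groups.items():
        n = len(rows)
        if n < min_clicks:  # too little data to judge this placement
            continue
        purchases = sum(r["outcome"] == "purchase" for r in rows)
        leads = sum(r["outcome"] == "lead" for r in rows)
        unique_ip_ratio = len({r["ip"] for r in rows}) / n
        high_value_share = sum(r["cpc"] >= high_cpc for r in rows) / n
        signals = {
            "leads_but_no_purchases": leads > 0 and purchases == 0,
            "never_repeats_an_ip": unique_ip_ratio == 1.0,
            "only_expensive_keywords": high_value_share >= 0.9,
        }
        report[placement] = {
            "clicks": n, "leads": leads, "purchases": purchases,
            "signals": sorted(k for k, v in signals.items() if v),
            "review": sum(signals.values()) >= 2,  # assumed threshold
        }
    return report

def sample_clicks():
    """Constructed data: one placement shaped like the article's bot traffic,
    one shaped like ordinary visitors. Domains and IPs are placeholders."""
    rows = []
    for i in range(40):  # bot-like: new IP per click, 1 lead per 20 clicks
        rows.append({"placement": "scam-site.example", "ip": f"198.51.100.{i}",
                     "keyword": "law firm new york", "cpc": 20.0,
                     "outcome": "lead" if i % 20 == 0 else "none"})
    for i in range(40):  # ordinary: repeat visitors, mixed keywords, some sales
        rows.append({"placement": "news-site.example",
                     "ip": f"203.0.113.{i % 30}",
                     "keyword": "watch repair" if i % 2 else "law firm new york",
                     "cpc": 4.0 if i % 2 else 20.0,
                     "outcome": "purchase" if i % 13 == 0 else "none"})
    return rows

if __name__ == "__main__":
    for placement, result in placement_signals(sample_clicks()).items():
        print(placement, result)
```

Placements marked for review are candidates for exclusion from a campaign after a manual check, not proof of fraud.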

At the end of the month, the advertising network transfers the ad click revenue to the American employees' companies' bank accounts, with around 80% transferred onwards to the criminal gang, and the remaining 20% kept as wages.

Since Polygraph is aware of every website operated by this gang, and is able to detect their bots and fake clicks, Polygraph customers have complained to the advertising network used by the criminal gang about the large amount of click fraud on their ads. This almost never results in any action taken against the criminals or their websites.

How to protect adverts from click fraud?

If you restrict your ads so they appear in search engine results only, in other words, if you prevent your ads from being displayed on publisher websites, you'll reduce your exposure to click fraud, but will still experience retargeting click fraud.

Polygraph protects your ads from all forms of click fraud, including those discussed above. We do this by detecting the fake clicks on your ads, and giving you the data you need to adjust your ad campaigns to avoid click fraud bots. Typically we reduce our clients' click fraud rates by over 80%.