The anatomy of a click fraud gang

August 8, 2022 ∙ 8 minute read

Click fraud is a sophisticated internet crime which steals billions of dollars from advertisers every year. Its offenders include mom and pop websites, cybercrime gangs, and even Nasdaq-listed multinational corporations. In this article we'll focus on a prolific Asia-based cybercrime gang, responsible for a large percentage of the world's click fraud.

What is click fraud?

Most websites display adverts as a way of monetizing their content. Every time a visitor clicks on an ad, the website owner earns a small fee from an advertising network.

Let's imagine Rolex wants to advertise their latest luxury watch, and decides to use Microsoft Ads - an advertising network - to manage the process. Rolex agrees to pay $20 every time their ad is clicked, and they tell Microsoft Ads to display the ad across the internet. A visitor goes to bbc.com, and clicks on the Rolex advert at the top of the page. In this scenario, Rolex pays $20 to Microsoft Ads, and Microsoft Ads gives around $10 to the BBC.

In our example, Rolex is the advertiser, Microsoft Ads is the advertising network, and the BBC is a publisher website.

Criminals take advantage of this advertising model by running their own publisher websites and using bots - software pretending to be human - to click on the ads.

The scam typically works like this:

A criminal creates a website, and contacts an ad network to open a publisher advertising account. The publisher advertising account allows the criminal to display adverts on his scam website, and earn money every time an advert is clicked.

The criminal contacts a bot programmer - a software engineer who specializes in creating bots - and asks him to create a click fraud bot. The programmer uses bot software such as Puppeteer-Extra to create a bot which will visit the criminal's website and click on the ads. To help the bot appear more human-like, the programmer routes the bot's traffic through a residential IP address proxy service, ensuring the bot has a unique IP address every time it clicks on an ad.

The bot visits the criminal's website thousands of times each day, with roughly 10% of the visits resulting in an ad click. The advertising network is fooled into thinking the clicks are genuine, and the criminal earns hundreds of thousands of dollars every month.

The anatomy of a prolific click fraud gang

This Asia-based gang exclusively targets US advertisers, due to the lucrativeness of the US advertising industry, and the fact that stealing money from American advertisers is ignored by local police. The gang operates with impunity, knowing there is no risk of extradition should they ever be pursued by US law enforcement.

The gang uses a franchise model, with each franchise responsible for its own operations, except for the bot development and maintenance which is managed by a central team.

Each franchise hires Americans living in Asia - typically working locally as English teachers or small business owners - with the promise of high pay-outs for very little work. The job entails creating US companies and applying for publisher advertising accounts at a well-known advertising network. They use this advertising network as it has less than ideal click fraud detection capabilities.

Typically, the Americans pose as AdTech companies (advertising technology companies) to increase their legitimacy and improve the chances of their publisher advertising accounts being approved.

Whether or not the Americans understand they're breaking the law is an open question. They probably don't know what click fraud is, but their massive earnings must raise suspicion.

Each franchise creates dozens of websites for their American employees, and uses the publisher advertising accounts to display adverts on some or all of these websites.

The central bot development team places a lot of effort into creating bots which closely imitate humans. They create multiple bots, using various technologies such as Puppeteer-Extra, and place the bots on servers in the US. The bots route their traffic through a residential IP address proxy service to hide the servers' IP addresses, and to make the bots look like regular internet users.

Their most common bot uses a plugin called Puppeteer-Extra-Plugin-Stealth. This plugin goes to great lengths to make the bot difficult to detect, and is able to bypass the ad network's click fraud detection software.

Polygraph is able to detect Puppeteer-Extra-Plugin-Stealth, and every other bot used by this click fraud gang.

The bots visit the gang's scam websites hundreds of thousands of times per day, and click on the ads on roughly one out of every 10 visits. The financial loss to advertisers is huge.

To maximize revenue, the bots perform a search on the criminals' websites before clicking on an ad. For example, searching for "law firm new york" will display ads relating to law firms in New York. These search terms are selected for their high value - by forcing expensive adverts to appear on the scam websites, every fake click generates a high return.

A challenge faced by the gang is the fact their bots never purchase anything at the advertisers' websites. That risks their publisher accounts being flagged by the advertising network as having low quality traffic. To avoid this problem, the criminals find advertisers whose ads promote something free of charge, such as a mailing list sign-up or a report download, force those ads to appear on their websites, and then manually click on the ads and complete a "sale" such as signing up to the mailing list. These sales, also known as conversions, trick the ad network into thinking the criminals' bots are real people interacting with the advertisers' websites.
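The traits described above (a click on roughly one visit in ten, expensive search keywords, and conversions only on free offers) can be checked per publisher site in an advertiser's own placement and click data. The following is an added example, not part of the original article and not Polygraph's detection method; the record layout, the sample rows, the `.example` domains and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: ad impressions served per publisher site.
IMPRESSIONS = {"news-site.example": 4000, "adtech-front.example": 60}

# Constructed click log: (publisher site, search keyword, cost in USD, conversion).
# conversion is "paid", "free" (mailing list, report download) or "" for none.
CLICKS = (
    [("news-site.example", "watch repair", 2.0, "")] * 10
    + [("news-site.example", "luxury watch", 4.0, "paid")] * 2
    + [("adtech-front.example", "law firm new york", 20.0, "")] * 5
    + [("adtech-front.example", "law firm new york", 20.0, "free")] * 1
)


def score_publishers(clicks, impressions, max_ctr=0.05, min_clicks=5):
    """Per-site stats plus a flag; max_ctr and min_clicks are assumed thresholds."""
    by_site = defaultdict(list)
    for site, keyword, cost, conversion in clicks:
        by_site[site].append((keyword, cost, conversion))

    report = {}
    for site, rows in by_site.items():
        # Clicks with no recorded impressions yield a CTR >= 1, which is flagged.
        ctr = len(rows) / max(impressions.get(site, 0), 1)
        conversions = Counter(conv for _, _, conv in rows if conv)
        keyword, hits = Counter(k for k, _, _ in rows).most_common(1)[0]
        reasons = []
        if ctr > max_ctr:
            reasons.append("high click-through rate")
        if conversions["paid"] == 0:
            reasons.append("no paid conversions")
        if conversions["free"] and not conversions["paid"]:
            reasons.append("only free-offer conversions")
        report[site] = {
            "clicks": len(rows),
            "ctr": round(ctr, 4),
            "spend": sum(cost for _, cost, _ in rows),
            "top_keyword": keyword,
            "top_keyword_share": round(hits / len(rows), 2),
            "reasons": reasons,
            # Flag only when volume is meaningful and both signals agree.
            "suspicious": len(rows) >= min_clicks and ctr > max_ctr
                          and conversions["paid"] == 0,
        }
    return report


def exclusion_list(report):
    """Sites to review for placement exclusion, highest spend first."""
    flagged = [s for s, r in report.items() if r["suspicious"]]
    return sorted(flagged, key=lambda s: report[s]["spend"], reverse=True)
```

A flagged site is a candidate for manual review and a refund claim, not proof of fraud: a small genuine site can also show a high click-through rate over a short window.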

At the end of the month, the advertising network transfers the ad click revenue to the American employees' companies' bank accounts, with around 80% transferred onwards to the criminal gang, and the remaining 20% kept as wages.

Since Polygraph are aware of every website operated by this gang, and are able to detect their bots and fake clicks, Polygraph customers have complained to the advertising network used by the criminal gang about the high amount of click fraud on their ads. This sometimes results in the criminals' websites being suspended or closed, but usually the criminals are able to continue operating, either after a short suspension or through new companies and scam websites.

As an example, three scam websites operated by the gang were recently reported to the advertising network. The websites were suspended for a few weeks, but are back in operation, using the same click fraud bots. Additionally, during the weeks the websites were offline, the Americans fronting the suspended websites launched additional click fraud websites using the same advertising network.

How to protect adverts from click fraud?

If you restrict your ads so they appear in search engine results only, in other words, if you prevent your ads from being displayed on publisher websites, you'll dramatically reduce your exposure to click fraud. The downside to this is you're limiting your ads' audience, which will result in fewer website visits and sales.

A better solution is to use Polygraph to monitor your ads for click fraud. We track the websites operated by this criminal gang (and every other click fraudster), and can also detect their bots, including Puppeteer-Extra-Plugin-Stealth. Therefore, we're able to help you block their websites from seeing or clicking on your ads, and if you experience click fraud, we give you the details of every fake click so you can get refunds from the ad networks you use.

Try Polygraph today, free of charge (no credit card required), and start protecting your ads from click fraud.