In the click fraud list of infamy, HyphBot shows how clever the networks behind ad fraud operations can be. The latest entry in our click fraud hall of fame series looks at the biggest discovery since the Methbot & 3ve takedown.

NameHyphBot
StatusDeactivated
SummaryAd fraud network targeting mostly video impressions.

Discovered around September 2017 by Adform, HyphBot was first flagged up due to indiscrepancies in websites using ads.txt inventory.

It quickly became apparent that the volume of fraudulent traffic on these ads was huge, with Adform estimating that HyphBot could be around 3 or 4 times bigger than Methbot.

How did HyphBot work?

Using algorithms that detect ads displayed by non-legitimate sellers, Adform realised that there was a botnet displaying ads on unauthorized or fake websites. 

These fake sites were being spoofed by the HyphBot network specifically to host ads and collect the payout, in bulk. The HyphBot botnet targeted a huge selection of premium inventory websites, including some of the most visited sites on the web.

To get around the ads.txt algorithms, HyphBot used a similar approach to Methbot: A genuine URL would be appended with a nonsensical tail, or a randomized set of letters and numbers. 

For advertisers, at first glance, it would look like their ad had appeared on sites such as Forbes or the Economist. But, on closer inspection, the actual URL didn’t exist and the advertiser would have paid out for an impression on a fake website.

Most of the 1.5 billion impressions were of video ads, but 230 million impressions were non-video, most likely display ads.

How did this affect advertisers?

2017 saw a number of high profile click fraud botnets hit the headlines. Just a year before had seen the takedown of Methbot, the biggest PPC ad fraud network to date. 3ve, which was built by most of the same programmers as Methbot, began to be rolled out around mid 2017.

  • HyphBot generated around 1.5 billion ad requests each day. 
  • It also used around 34,000 domain names and manipulated the ad networks from their SSP data centres. 
  • The botnet was built on infected desktop computers, the majority in the US but with some also in the UK, Canada, the Netherlands and India. 
  • For advertisers, it looked like their ads were being displayed on premium websites, with a CPM at around $7-12.
  • In fact HyphBot was estimated to be making between $260,000 to $1.2 million each day in fake ad impressions for the network operators. 

Who makes botnets like HyphBot?

Most of these organised botnets are built on existing viral networks that have been busy infecting computers and devices for some time. An example of this is the Mirai botnet, which is primarily used to target IoT devices and carry out DDoS attacks. However Mirai has been used to carry out click fraud campaigns, most notably by the creators of the botnet.

Devices hosting botnets can often be based in data centers or click farms. However, they are often able to mask their location by changing their IP addresses, usually using VPNs or virtual private networks.

As these viruses tend to be constantly spreading, there is always a ready-made network of botnets available for whatever fraudulent purposes a developer might want them for. This can include anything where generating fake traffic would be a benefit.

For example, organised criminals can then hire these botnets to drive traffic to their network of spoofed inventory. 

In short, creating an ad fraud network is something that is usually a collaborative effort and one that can be very hard to track down.

Catching those who operate these criminal botnets is actually a rare occurrence, with the take down of the team responsible for Methbot and 3ve a rare win in the fight against organised click fraud.

Because this form of fraud is relatively simple for skilled programmers to work around, the news of new ad fraud networks just keeps coming.

Protecting your ad campaigns against fraud

Running PPC ads is part and parcel of many businesses’ marketing strategy, and the issue of click fraud is one that often rears its ugly head. What can marketers do to protect their marketing budget from fraudulent traffic and criminal networks?

It’s become increasingly important to protect paid campaigns from fake traffic with fraud prevention software.

Using machine learning algorithms and a constantly growing blacklist of bad traffic sources, click fraud prevention tools like ClickCease protect PPC ads in real time.

This means that even if a new botnet should rear it’s head, your campaigns have a level of protection that the ad platforms just don’t provide.

Talking of which, don’t Google and co do something to protect you from ad fraud and click fraud?

Google and the PPC ad networks do have their own way of handling ‘invalid traffic’, as they call any fraudulent click. However, here at ClickCease, we do see fraudulent traffic making it’s way through in bulk.

In fact, our data shows that around 20% of all clicks on paid ads are from fraudulent sources. This includes botnets like Hyphbot and Methbot, click farms, malware clicks and even repetitive clicks from malicious actors online (such as competitors or brand haters).

Avoid falling victim to the next HyphBot style click fraud campaign and sign up for your free trial today.


Sources used for this article:

https://site.adform.com/knowledgecenter/whitepapers/how-adform-discovered-hyphbot