Anatomy of bots, a real life use case

We hear a lot about bot fraud and fake traffic. There are astounding numbers and when the money is being paid for a brand budget but being lost to these bad actors, you can sure there’s no significant business growth coming from it.

It is essential to take this beyond the headlines, from abstraction and dive into what is happening here. Following is a vivid example of a bot campaign in action, with one of our clients. All names have been changed for confidentiality.

Background

A recent content-centric campaign was anchored around a major tentpole cultural event, whereby brand partners with a publisher to create custom content. Our role at Nudge was to measure the material and provide insight into it. Insurance and learnings on the buy, if you will. We measure up to 48 data points when people read or watch content, to understand how it is consumed and provide insight from that. A happy accident from this is that we capture bot or non-human traffic because the behavior stands out from the rest.

The campaign started with some red flags. Despite our ego and the creative pride that comes with making things, the fact is: people do not often re-read or re-watch content. Some do, but most don’t. Over a population of users, we typically expect 1.2 to 1.4 impressions per person. In this campaign, we saw magnitudes times that people were coming in, over and over again.

So we got digging and saw that the traffic was coming from a third party source. The publisher had gone out and engaged another firm, to buy traffic from. This firm then has a subsidiary that provides ‘incentivized traffic’. That is end users sign up, to earn points, for clicking on content, which then they can redeem for cash or gift cards.

So, instead of Client -> Agency -> Publisher -> End user. i.e. our brand in a premium environment.

It was Client -> Agency -> Publisher -> Undisclosed third party -> Subsidiary -> End user

The brand wasn’t buying an engaged user in a premium environment. They were getting users who didn’t care about the content just some points.

The economics here are terrible, the end user is being incentivized at 1 or 2 cents, and passed to the brand at a primarily inflated price. With up to 98% of that value evaporating into the value chain

These facts would have been egregious enough. But it gets worse.

We dug into the data, and most of it was the same few people (UUIDS) or IPS. So 95% *appeared* to be bot-generated. We stopped analyzing at that point. We notified all involved.

Now typically at this point, the publisher would go, hold on, a junior pressed a button, our bad, we fess up. Let’s do a make good. They came out and said, yup, we bought the traffic (we shouldn’t have) but it’s not a bot, it’s human.

We investigated further.

What we found

We came back and found things like:

- For a population of users like this, we would expect tens of thousands of different browser versions, in this use case we saw less than 10. Very odd. Despite you/I both using the same browser, for many reasons it’s likely we’d have a slightly different version.

- A significant portion of users registered no attention or scroll. Which is very, very odd.

- Some users visited the content every minute or every few minutes, 24 hours a day, for up to 12 days.

- Some users were looking at the same piece of content, multiple times, in parallel at once. A human impossibility.

For Nudge to capture the impression, you had to be active in each of multiple browser windows, all at once. That’s like having four mice on screen, in four different windows, scrolling through content on each at once. Surely at this point, the publisher goes, you’re right, a human couldn’t create this. They go, it passes the ad verification companies (companies like DoubleVerify, IAS, Moat ) — Ben you don’t understand incentivized traffic. So it must be human.

So then, we do more digging, liaise with the traffic provider. Now they’re four steps removed from the brand. Their job isn’t to manage bots. They go, the verification didn’t detect it, it can’t be bots.

We then look on YouTube and Google and find forums and instructional videos for setting up bots to generate points on the sites. DIY bots that you load up and browse the content for you.

One of these DIY bots even has a premium subscription.

We share this and inquire about controls to limit these tools. Nothing. Looks like, if nobody complains they look the other way. So then, we share our findings with another third-party ad verification provider. Who digs through it. And the providers says it is illegitimate traffic — but it’s not a bot. Otherwise, they would have detected as such. So now, we’ve been liaising further, and there is a general agreement this behavior crosses the threshold for what is considered the human activity. So they’re going to dig in deeper.

This episode opens up many new cans of worms.

What brands need to know

How do you define human activity? For us, we have a data profile of real people consuming content. It is easy to spot. For others, not so much. Even then, it is a battle of definitions. What is a bot? What isn’t? Or at least that’s the defense used.

It’s also supply chain transparency. A more convoluted supply chain reduces accountability and improves deniability. Everyone pointed to each other in this use case.

Agency/Brand is mad. Publisher pointed to third-party traffic supplier. Third party traffic supplier pointed to ad verification.

Both are grumpy with us because we found evidence of fraud. The brand is grateful for the notification. We believe this impacts hundreds of brands based on our research, and we are building out a data model that can help others identify these new types of malicious activity.

1. Measure everything, even if it’s one piece of content. Without it, you have zero independence nor scorecard to point to.

2. In contracts, require explicit sign off on external traffic sources. And consider explicitly calling out no incentivized traffic.

This kind of outcome is like a robbery; when it happens, they take everything. And whatever the brand’s stated goals are to create content, the misallocation of capital and energy is disastrous.

When we extrapolate this idea out widely across markets and industries, the dent it puts on growth and progress is astounding.