Study finds botnets account for 23 percent of video ad views

Computers being remotely operated by hackers account for 23 percent of digital video ads worldwide, according to a study that estimates such fraud will cost advertisers $6.3 billion dollars next year.

The fake views, which also account for 11 percent of other display ads, often take place in the middle of the night when the owners of the hijacked computers are asleep.

The result is retailers, automakers and other companies paying for Web advertisements that are never seen by humans, or are seen by fewer people than they are paying for, according to the report released Tuesday by the Association of National Advertisers, whose members include Wal-Mart Stores, Ford and Wendy’s.

“We’re being robbed,” said Bob Liodice, president and chief executive officer of the New York-based association, which has 640 members that spend more than $250 billion a year in advertising. “This isn’t about system inefficiencies or process sloppiness. This is about criminal activity.”

Left unchecked, advertisers will lose $6.3 billion globally due to the fraud in 2015, said Michael Tiffany, chief executive officer of White Ops Inc., a cybersecurity company based in New York that conducted the study.

The fraud could undermine confidence in a fast-growing industry. Online display advertising accounted for an estimated 10 percent of ad spending in the U.S. last year, a figure that is projected to nearly double, to 19 percent, in 2018, according to EMarketer Inc.

The hackers use malicious software to string together computers, many of them privately owned, into “botnets.” They then command the computers to surf the Internet, watch videos and click on ads.

“Bots can make it look easy to reach high volumes of specific audiences,” according to the report. “A bot can look like a sports fan, someone with a six-figure income, someone interested in buying a car, or a grandparent looking for holiday gifts for grandchildren.”

For the study, researchers put software into the actual ads of 36 members of the advertising association between Aug. 1 and Oct. 1. The software allowed them to tell if viewers of the ads were people or bots. They found 23 percent of video ad views, and 11 percent of text-based display ads, were from botnets.

Hackers make money by selling their botnet services to companies that specialize in driving traffic to websites, Tiffany said.

Website owners “inflate their apparent audience size and pocket the difference between their traffic acquisition cost and the revenue received from advertisers,” according to the report.

“It really is in the advertising industry’s interest to take care of this problem because their purchases will work better,” Tiffany said. “Bots don’t buy anything.”

Some marketers may slow their shift of advertising dollars to online services from more traditional formats over concerns about fraud, said Richard Joyce, an analyst with Forrester Research Inc.

“It’s a very hot topic right now and it should definitely be a concern,” Joyce said. “It seems like the ad tech folks out there can’t keep up with the different ways that the fraudulent activity is actually coming into the marketplace.”

Some advertisers have started taking steps to ensure they’re reaching real people by purchasing ads that only are viewable by computers with residential Internet addresses in the U.S. Hackers, in turn, have targeted those computers to become part of their botnets.

Most of the observed botnet activity – 67 percent – came from residential homes, according to the report.

“How do you make money from breaking into Grandma’s computer? You have Grandma click a lot of ads,” Tiffany said.

U.S. law enforcement agencies have conducted criminal investigations into botnet operators. In one of the most recent examples, an FBI sting in June called Gameover Zeus dismantled a botnet that was allegedly used to steal more than $100 million from consumers and businesses over three years. That case was not linked to advertising.

Botnets can give themselves away. About half operated during early morning hours when most people are sleeping. That means companies can try to avoid them by advertising during daytime hours, according to the report.

The report includes other recommendations to help counter online fraud. Advertisers, for example, should demand transparency from website operators about where their traffic comes from.

Websites also should monitor where traffic comes from, consider reducing the number of ads they buy that can be viewed by older versions of browsers and boost spending on security measures, according to the report.