To Catch A Botnet

botnetThe growth of Real-Time Bidding (RTB) has created a paradox for those trying to root out ad quality issues of all kinds. On the one hand, the rise of viewability measurement and the relatively small number of scaled RTB marketplaces has made it easier to identify and police worthless impressions. But it’s also easier for unscrupulous media sellers to make fraudulent inventory look legitimate, and then sell through exchanges — creating something of a new dawn for bad actors.

The rising opportunity for shady media sellers is apparent in a botnet described this morning by London-based ad measurement and viewability firm has observed 120,000 host machines on what it has dubbed the “Chameleon” botnet. It says these machines are driving traffic to a cluster of at least 202 websites, resulting in a minimum of 9 billion monthly ad impressions served.

This traffic often appears human, suggesting a high level of sophistication. Chameleon machines click on ads at a rate consistent with the general population – about 0.02% – and they even generate rollovers on 11% of impressions.

The sites receiving this non-human traffic are spread across several networks, but one U.S.-based firm in particular is strongly represented, according to sources.

AdExchanger spoke with several senior executives at this company, which owns 75-80 websites that sell billions of monthly impressions but lack recognizable brands. The company says it buys significant traffic from numerous sources, but denies owning or knowingly working with a botnet.

However these executives said they wouldn’t be surprised to learn of ad quality problems on their sites – partly because they’ve observed strange things themselves.

Among those characteristics is a lack of variation in browser versions, the company’s COO tells AdExchanger.

As it turns out, the browser version issue is consistent with what has observed with Chameleon. From’s disclosure:

“The bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions.”

But even as it has seen problems with its own traffic, the company has resisted overtures by companies representing advertisers. Its chief operating officer said the firm was approached by two viewability vendors who asked to run their tags, but declined to participate because “they wouldn’t tell us how they do it.”

Even viewability proponents are quick to point out that publishers receiving traffic windfalls from Chameleon and similar botnets may be unwitting pawns in another party’s fraud scheme. Even so, they are large beneficiaries of that scheme, and there are large short-term incentives to look the other way. founder Douglas de Jager says, “Any publisher experiencing a huge growth in traffic should take responsibility for knowing where that traffic originates.

Media6Degrees is among the companies very active in trying to reduce botnet traffic and other sources of fraudulent inventory.

Chief Operating Officer Andrew Pancer said, “We have seen botnet traffic grow significantly over the past 18 months. It’s a big concern for us, especially as we all see the huge potential in programmatic buying.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Andrew Casale

    A site that “buys” traffic has no place on an exchange when it can’t confidently substantiate the true origin of said traffic. What you’re effectively doing is selling someone else’s traffic under the guise of the property you’ve created. And worse in almost every case the “traffic” isn’t even real it’s just fraudulent tonnage. What troubles me is bid requests from sites like this land in the exact same pipe as the NBC’s and the WSJ’s of the world and they aren’t remotely comparable. It’s critically important the barrier to enter an exchange rise.

  2. I am afraid that this problem is even bigger on mobile app traffic where the origin of said traffic is hard to verify .

  3. Jeff Moore

    Spot on, Andrew. Certain exchanges are content to put their heads in the sand as long as the light is not shining on them. Without industry-wide pressure to hold media trading players accountable with regard to the inventory they peddle, bad actors will always find ways to poison the inventory well and display will never recognize its promise and become the formidable marketing pillar it can be. The secondary and tertiary effects of this bad behavior are incalculable. Is it the IAB that can provide this pressure? Lately they seem driven to preserve the ad tech status quo where low-value intermediaries are concerned (see Firefox 22). But I remain (cautiously) hopeful.

  4. Alejandro Correa

    I agree with the comments above but also wanted to highlight that there is a low-tech solution to this problem: having good buyers and incentivizing them to care about their clients. Good buyers should be setting up whitelists for sites with great content, and should be actively cutting any site that has a suspiciously high amount of impressions, or that has performance that is too good to be true. The fraud described here would be admittedly difficult to detect, but again, given enough time a smart buyer should be able to tell that something is wrong with this type of inventory.

  5. Back in January Triggit (where I work) released data proving roundly how much better Facebook’s RTB exchange inventory converts than other exchanges.

    The fact that 100% of Facebook’s exchange inventory is from one publisher & above the fold should not be lost on large direct response advertisers who are looking for ways to expand display as an acquisition channel. Extend your performance display to FBX first, and for non-FB RTB, find a good partner will to share risk.

  6. Penry Price

    Andrew is dead on and I fully agree. There needs to be an industry verification process in terms of inventory allowed in exchanges. The IAB is the right place to drive this and have begun to have these discussions. A good sign.

    Alejandro you are living in a bubble. There is almost no such thing as a good buyer when clients and agencies don’t know how to measure campaigns(click measurement, last-touch, etc). All buyers are forced to drive a campaigns “success” by how they are being measured. If not, they are kicked off the plan due to “weak performance”. There are many bad buyers absolutely taking advantage of this situation by putting their heads in the sand about the things you address(or they are buying this stuff on purpose). That won’t stop until clients and agencies begin to ask questions and force the issue. Additionally, this fraud is not hard to detect if you are looking to get rid of it and want to do the right thing for your clients.

    To me, the solution has to start with the supply side and be driven by a collective industry team and the IAB.

  7. We are currently working in tandem w/ @BoyGeorge to develop the “Karma Chameleon” Botnet that will return money to advertisers affected by the Chameleon Botnet. Your moral support is greatly appreciated.

  8. Everyone in the graphical display space getting more than a handful of RTB feeds has more than enough data to know about some of the funny business going on here. It’s just not usually in their interests to speak out about it. Companies like Triggit and Optimal (where I work) have seen how the sausage is made and rightly made the cost-benefit analysis that bidding on billions of hidden, of-uncertain-provenance impressions makes little sense for anyone but the absolute largest players who can see most of the market (especially since they need to spend a lot of time rooting out fraudulent impressions). I predict we’re going to see a huge shift in what kinds of javascript publishers decide to put on their sites, and in how advertisers seek to buy “tonnage” inventory via ad networks or DSPs, especially as third-party cookie blocking becomes a reality.

  9. Happy to see several friends commenting on this issue, including Rob, who has made a great point. Zach, great article – glad to see that you are making the conversation happen.

    I have been writing about these issues for over 10 years, tried to make changes via the IAB and other organization and these issue continue to persist for one reason: greed. The networks involved are greedy and ignore the obvious fraud. As pointed out above in the comments there is no way in hell that they are not noticing this amount of fraudulent traffic. If they want to us to honestly believe they aren’t noticing the fraud, then they want us to either believe their technology is so antiquated that it can’t detect obvious fraud, or that they are so stupid that we should not be doing any business with them.

    They know this is going on, but until someone points it out, they will ignore the fraud in order to bill and bill and bill. I’ve confronted these crappy networks over and over again that pop up on exchanges and pointed out the fraud, and they continue to run fraud.

    I’ve even submitted to networks entire folders of informations on individuals, their criminal convictions for fraud — and even gone as far as to put one fraudster in jail, who was raided on my evidence. Even after being arrested, several networks continued to work with this individual to generate traffic. Why? Because they don’t care. Period.

    Let’s stop beating around the bush here and call a spade a spade.