In the programmatic marketing eco-system, the arbitrager is what black hat hacker is for cybersecurity. Where as 10 years ago, being a black hat marketer, meant being someone with a high level of technical skill, today it mostly means to buy garbage low, and sell it as premium high.
A Black Hat Media Trader, Who Now Fights Ad Fraud
What media arbitragers typically do, is buy clicks for as low as $0.001 CPC to drive traffic to a spam-site that often took just hours to setup, and turn it in to a profit by pushing CPM inventory through dodgy but seemingly legit ad networks and ad exchanges to the prime media market.
Shailin Dhar, now an independent ad fraud consultant from the bay area, used to be such an arbitrager, before becoming one of the unsung heroes of the fight against ad fraud. He was the first person I met since 2006 who had the smarts of a black hat, coupled with profound understanding of adtech, and sincere aspiration for fighting ad fraud. Shailin gives us as a unique look inside the sourced traffic market, where fake clicks bought for sub-pennies at any scale, are turned in to profit by selling them as impression. Arbitragers are the desperadoes of the $700 billion per year media market, and sourced traffic is the fuel that keeps their engines going.
Can you share about your background related to ad fraud and especially what is now referred to as sourced traffic?
First time I became aware of ad-fraud was when I was buying leads for a healthcare marketing company. Our business model was to buy lead forms through affiliate and CPA networks targeted towards certain regions that we had clinics in. Our call center called these leads and converted them into paying patients at our partner clinics after understanding what their needs were. For a long time, the customers were happy to receive the calls from us because they actually wanted to find a dental or veterinary clinic.
As we became a bigger and bigger buyer in the CPA market and started targeting entire states and provinces instead of cities, our cost per lead went down and volume went up. The shock that we got was when instead of warm calls with these customers, the call center staff was getting screamed at to “be taken off the call list” and that they “hate telemarketers like you.” After some investigating, I found that the supply partners had taken advantage of the targeting and just filled out the lead forms with directory information through the use of bots.
I started with being upset that I was duped, but then was fascinated with the prospect of how much of the advertising services purchased were fueled by this fraudulent traffic. After the fascination and awe with how prevalent this was, I was actually very disillusioned with the understanding that it was an unacknowledged and unknown plague on advertising.
I continued to search into where these traffic vendors were getting all these “users” that seemed to be an infinite stream of people’s attention. I’d become extremely skeptical of every pay-per-click and cost-per-click company because they all seemed to have endless supplies; whether I requested 10,000 or 10,000,000 clicks, the only difference was the price point and targeting. As I continued digging more and more into the ecosystem, I found that there are tons of websites purchasing these clicks, some that I heard of and many that I couldn’t believe were actual sites.
I’ve learned that Fraud is not an external force in advertising but is unfortunately part of the foundation of online advertising when it comes to the basic supply of web traffic. All ad-fraud originates from the time someone “buys traffic” without digging into where the users are actually coming from. Unless there is an entire re-evaluation of what “traffic” means and what the implications are of “buying traffic” or “acquiring audiences”.
How easy it is to buy sourced traffic, and how big do you think that eco-system is (in terms of number of players and what kind of revenues those players are making)?
It is extremely easy and all it takes is a willingness to do it. Search on LinkedIn, Look for it on Google, whatever search engine you use. Honestly, that eco-system is so hard to actually quantify in terms of revenue, many many billions. I’m comfortable saying that the true cost of ad-fraud is at least 4-5 times every industry estimate that has been released. But what I do know, is that there are thousands of people that work with the buying and selling of cheap sourced traffic at the most basic level.
The “funny” part about this is that the people buying and selling these cheap clicks (that are then typically arbitraged in to impressions at a profit) are rarely aware of the actual implications of their work on the advertising system as a whole. For most of the sourced traffic traders, it’s all just about making money while having the luxury of flexible schedules and mostly working from home.
What do you know about how sourced traffic companies “source” their traffic?
So I’m assuming that you’re referring to the initial sources of traffic, which are different than other CPC/PPC vendors like native ad platforms that mostly recycle sourced traffic. These are, from my experience, mostly generated through hosting companies and cloud servers. Which is different than what most of the technical verification companies focus on, which seem to, at least publicly, focus on “hunting botnets.” My research collaborators have conveyed that it’s easier to create traffic to pass filters from cloudbot setups rather than conventional botnets.
Another major source of sourced traffic is malicious toolbars and browser extensions. There are companies that will not only help distribute toolbars and extension products through pay-per-install models, but they will also help monetize them through the addition of adware components. A wide network of computers infected with malicious adware is actually what is commonly referred to as a botnet. These programs will run a browser invisibly in the background of a user’s machine, sending traffic that is coming from a potentially verified human device and a residential IP address rather than a data center.
I’ve seen a lot of offering at 1/10 of cent per click, do the prices go down from that still a lot or is that the floor?
I think that’s probably the floor price for clicks as far as buying as a publisher. Obviously those vendors are making a profit so actually creating this type of traffic costs far less than that. The prices per click go up depending on who you are selling to, because naturally, people question the quality of click traffic less as the price gets higher. 1/10 of a cent per click might sound too cheap so you would question it. But there are vendors selling that same type of traffic for 5 cents per click or higher to bigger publishers and that is accepted as a reasonable rate.
How common do you think that buying this kind of traffic is among the premium publishers, let’s say top100 US news sites?
I think it’s very common and most of the time happens without the knowledge or consent of the premium publishers. This is again hard to quantify unless you actually go through their books and see who all they buy from. But I know from evidence provided to me that there are major publishing houses that buy non-human traffic, both knowingly or unknowingly.
Many premium publishers have begun not only buying traffic from native ad and content promotion platforms, like Taboola, Outbrain and RevContent, but also selling traffic into these platforms for incremental revenue. Once bots get into these click recycling systems, it’s harder to clean up the quality of traffic going to any particular site.
Can you tell more about your experience on working with big publishers and the kinds of pressure they are under (that leads them to the sourced traffic market)?
I’ve worked to monetize several large publishers in the programmatic exchanges. They are run very differently than the smaller publishers and often have revenue goals and projections that come from C-level in their organizations. This undoubtedly puts enormous pressure on the ad-operations teams to keep numbers consistent and show measured predictable growth.
The way I look at it is that online publishers are very different than newspapers or magazines or billboards. Ad space is sold through those channels based on an estimate of how many viewers there will be. With web publishers, it’s all measurable and is based on how many actual exact times the site is loaded in a browser. A newspaper or magazine has a harder time adding new paying subscriptions than a website does with just adding visits to their pages. Like any large corporation, the big premium publishers have siloed departments with different goals, so ad-sales generally doesn’t know how ad-operations is adding traffic or measuring it. Thus, the sales teams usually operate without full knowledge or visibility into how traffic is generated or acquired.
Other than the results of your test and what you already say in your upcoming report on sourced traffic and the capability of leading verification vendors to detect it as fraud, what do you think about the ad fraud verification companies and the role they play in the “sourced traffic epidemic”?
I think the blind acceptance of these verification technologies as a full solution has actually contributed to the rise in fraud because it has reduced the level of human scrutiny placed on potentially fraudulent sources. Even if a human person at an ad exchange knows without a doubt that a certain site is not something humans are visiting, they will have little reason to boot them off the platform or question their validity as long as the [verification] software spits out a favorable fraud metric.
Who do you think are making the most money out of all the fake traffic that is being sold? Looking at the click prices, I don’t think it’s the traffic companies?
One thing that’s important to understand about ad-tech, even before approaching fraud, is how the money flows through the system. If we start with what’s called the tech-tax in the industry, it starts with a certain price paid by the advertiser brand, lets say $5. The trading desk, the DSP, the exchange, the SSP, and the publisher are ALL paid with a portion of that money. So if we take a fraudulent publisher with non-human traffic that gets purchased, all those technologies along the way still made money off of the sale of the fraudulent impressions. This is what I think has been the most difficult concept for buyers to grasp and admittedly the most difficult thing for the ad-tech community to accept.
What would be your advice to the eco-system, and to the hundreds of botlab.io members that include many of the leaders of the industry, in order to effectively do their part to put an end to this?
First thing is to READ MORE. You can never solve a problem if you don’t understand the cause, let alone the available solutions. Most advertisers have relied on another company to just give them a polished solution in a nice pretty package, but the true protection from fraud lies in education of not just the executives but the actual media buyers and planners who are executing the campaigns for brands. There need to be MORE continuing education programs at all online advertising related companies in regards to not only fraud, but new technologies like programmatic, header bidding, etc.
Is there anything else you would like to add?
I think the major thing I try to impress upon people in the industry is to stop expecting other companies to do the right thing without a financial incentive. It sounds extremely cynical, but I’d say take everything [you are told] with a grain of salt and make sure to do your own investigating into any and all claims made by technology companies. There is no harm in questioning these things, you will get answers that you can either accept or reject, that’s your prerogative.
Another thing is to stop sacrificing long term sustainability for short-term goals. Online advertising is a foundation for the structure of the internet economy as a whole. If advertising loses its integrity, there are much bigger things at stake than advertiser budgets.