Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Traffic origination super networks v redacted

3,732 views

Published on

Updated deck

Published in: Marketing

Traffic origination super networks v redacted

  1. 1. Bot-Free Traffic Origination Super-Networks December 2017 Augustine Fou, PhD. acfou [at] mktsci.com 212. 203 .7239
  2. 2. December 2017 / Page 1marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “Page redirects are a well-known blackhat technique to disguise the real origins of traffic. Now page redirects are observed to be creating, originating traffic out of thin air, fully laundered. This form of fake traffic is undetectable by fraud detection tech because no bots are required.”
  3. 3. December 2017 / Page 2marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Big redirect traffic sellers … How much does it cost?How much is available?
  4. 4. December 2017 / Page 3marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou How-To Guides from 2011-2017 a.k.a. “zero-click” “pop-under” “forced-view” “auto-nav” “pop-under and redirect traffic is well known in porn; what’s proven in porn is now used mainstream to make ad revenue.”
  5. 5. December 2017 / Page 4marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Sites buy traffic, sell ad inventory Ads sold throughBuy traffic for $1.70 CPM Sell ads for $5 - $10 CPMs Marketers duped Source: SimilarWeb Source: SimilarWeb REMOVED
  6. 6. December 2017 / Page 5marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Observed example – dingit.tv Source: SimilarWeb purchased traffic Pages with redir JS dingit.tv fake sites ORIGINATING traffic Pages with redir JS Carried ads for …
  7. 7. December 2017 / Page 6marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Family of fake “highlight” sites Same traffic, same shape, same pages/visit, same bounce dotahighlight.net sc2spotlight.com starcrafthighlights.com hotsspotlights.com csspotlights.com hotsspotlight.com hotshighlight.com csplayback.com sc2highlight.org Source: SimilarWeb
  8. 8. December 2017 / Page 7marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Audience overlap is abnormal The audience overlap (same users going to all these sites) among the “highlight” sites appear abnormally high. This is consistent with botnets and redirect networks. Source: Alexa
  9. 9. December 2017 / Page 8marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake site – pipeschannels.com Redirects to Google.com when visited Large volumes Source: SimilarWeb
  10. 10. December 2017 / Page 9marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Non-existent site, 100% redirects adware/malware (redirect virus) No pages, 100% redirects
  11. 11. December 2017 / Page 10marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Previously exposed fraud
  12. 12. December 2017 / Page 11marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Screenrush generating fake traffic Gets traffic from Sends traffic to screenrush.io Source: SimilarWeb https://www.buzzfeed.com/craigsilverman/remember-tom
  13. 13. December 2017 / Page 12marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Family of fake “arcade” sites Same traffic, same shape, same pages/visit, same bounce arcadetsunami.com antarcade.com airarcade.com arcadewow.com arcadefancy.com arcadecore.com arcadeamazing.com arcadeearth.com arcadesync.com arcadebreak.com Source: SimilarWeb Source: Alexa
  14. 14. December 2017 / Page 13marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Audience overlap is abnormal The audience overlap among the “arcade” sites also show abnormal overlap or clustering. Source: Alexa
  15. 15. December 2017 / Page 14marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou “grand daddy” of ad fraud - Blinkx Gets traffic from same “arcade, redirect, games” families REFERENCE: http://www.benedelman.org/news/012814-1.html Source: SimilarWeb
  16. 16. December 2017 / Page 15marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Mobile apps also load ads w/o bots May 26 Forbes “Judy Malware” • 40 bad apps to load ads • 36 million fake devices to load bad apps • e.g. 30 ads per device /minute • 30 ads per minute = 1 billion fraud impressions per minute June 1 Checkpoint “Fireball” • 250 million infected computers • primary use = traffic for ad fraud • 4 ads /pageview (2s load time) • fraudulent impressions at the rate of 30 billion per minute
  17. 17. December 2017 / Page 16marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Redirect traffic origination observed in the wild
  18. 18. December 2017 / Page 17marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Not human traffic from redirects redirect network starting to send traffic monitored website
  19. 19. December 2017 / Page 18marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Top 4 Referrers – same exact pattern
  20. 20. December 2017 / Page 19marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Sample of auto-redirects - NSFW https://higheurest.com/afu.php?zoneid=1407888&var=340505 http://pebadu.com/afu.php?zoneid=1346827&var=1366409 http://moradu.com/afu.php?zoneid=1000394&var=622903 http://newstarads.com/afu.php?zoneid=1407888&var=1328435 http://bestadbid.com/afu.php?zoneid=1407888&var=1409806 http://wonderlandads.com/afu.php?zoneid=1376718&var=881673 http://vebadu.com/afu.php?zoneid=1130319&var=1431813 http://jebadu.com/afu.php?zoneid=1352060&var=1175344 http://yoredi.com/afu.php?zoneid=1428558&var=1428506 NSFW NSFW NSFW (also leads to porn and malware) NSFW NSFW NSFW http://fedsit.com/afu.php?zoneid=1208001&var=1220218 http://deloton.com/afu.php?zoneid=1365143&var=1241630 http://pipeschannels.com/afu.php?zoneid=1365143&var=471151
  21. 21. December 2017 / Page 20marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Example fake site - fedsit.com Source: SimilarWeb
  22. 22. December 2017 / Page 21marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Non-existent site – fedsit.com
  23. 23. December 2017 / Page 22marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Gets traffic from other fake sources 100% from Unknown, fake, Porn/Adult Source: SimilarWeb
  24. 24. December 2017 / Page 23marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Even larger traffic origination super-networks
  25. 25. December 2017 / Page 24marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Less than 6 mo old; huge volumes Source: SimilarWeb
  26. 26. December 2017 / Page 25marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Fake sites feeding traffic to others Source: SimilarWeb Source: SimilarWeb
  27. 27. December 2017 / Page 26marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Details of fake site – exosrv.com Source: SimilarWeb
  28. 28. December 2017 / Page 27marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Details of fake site – cpm10.com Source: SimilarWeb
  29. 29. December 2017 / Page 28marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Details of fake site - redirect2719.ws Source: SimilarWeb
  30. 30. December 2017 / Page 29marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Details of fake site - 20a840a14a0ef7d6.com Source: SimilarWeb
  31. 31. December 2017 / Page 30marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Countless more fake sites/apps 1221e236c3f8703.com 62b70ac32d4614b.com a6f845e6c37b2833148.com da60995df247712.com d869381a42af33b.com a1b1ea8f418ca02ad4e.com 1de10ecf04779.com 2c0dad36bdb9eb859f0.com a6be07586bc4a7.com fe95a992e6afb.com 42eed1a0d9c129.com da6fda11b2b0ba.com afa9bdfa63bf7.com 739c49a8c68917.com baa2e174884c9c0460e.com d602196786e42d.com 153105c2f9564.com 8761f9f83613.com 20a840a14a0ef7d6.com 31a5610ce3a8a2.com 5726303d87522d05.com 3ac901bf5793b0fccff.com b014381c95cb.com 2137dc12f9d8.com 06f09b1008ae993a5a.com fbfd396918c60838.com 97ff623306ff4c26996.com b1f6fe5e3f0c3c8ba6.com 23205523023daea6.com 6068a17eed25.com b1fe8a95ae27823.com f4906b7c15ba.com eac0823ca94e3c07.com 1f7de8569ea97f0614.com 21c9a53484951.com 24ad89fc2690ed9369.com efd3b86a5fbddda.com 34c2f22e9503ace.com 0926a687679d337e9d.com 6a40194bef976cc.com 33ae985c0ea917.com 02aa19117f396e9.com f8260adbf8558d6.com 9376ec23d50b1.com pushedwebnews.com a0675c1160de6c6.com 0f461325bf56c3e1b9.com 850a54dbd2398a2.com com.dxnxbgj.mkridqxviiqaogw com.obugniljhe.fptvznqwhmcjm com.bpo.ksuhpsdkgvbtlsw com.rlcznwgouw.vvtexstbfttngc com.kasbgf.sbzwtgpcbjexi com.bprlgbl.vbze com.zka.lzhsoueilo com.alxsavx.mizzucnlb com.jxknvk.lrwfdfirdzpsw com.tvwvqbt.wbshaguqy com.iwnxtpahcu.leyuehdwdbb com.okf.rhvemtykfibzpxj com.obpmirzste.ldsjpv com.zmm.shmxvjxnsagndui com.nqzwr.leusrmpmsq com.rced.zcdsglptpdlwpu com.kerms.ehlsgnc com.cmia.iabhheltm com.skggynmtx.tyyjnwpefvqtll com.kgdtltnuv.hayvfhob com.ztzsiqg.dyojlxdscxws com.xlwuqe.ddrdhsuosbn com.rkrhmzee.wjcoznxu com.ebhzb.hbzvomzpcctovj Fake sites Fake sites Fake apps
  32. 32. December 2017 / Page 31marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Examples of big advertisers being defrauded
  33. 33. December 2017 / Page 32marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou healthyway.com - big advertisers Ads sold through Source: SimilarWeb
  34. 34. December 2017 / Page 33marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou healthyway.com IS suspicious 323 million daily impressions = 9.9 billion monthly impressions 7.5 million visits /mo = 1322 ads/visit 9.2 million pageviews /mo = 1075 ads/pageview
  35. 35. December 2017 / Page 34marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou therichest.com - big advertisers Ads sold through REMOVED
  36. 36. December 2017 / Page 35marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou therichest.com IS suspicious 308 million daily impressions = 9.4 billion monthly impressions 17.4 million visits /mo = 540 ads/visit 9.2 million pageviews /mo = 159 ads/pageview REMOVED
  37. 37. December 2017 / Page 36marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou What “normal” looks like
  38. 38. December 2017 / Page 37marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou cnn.com appears normal – ads/pg 381 million daily impressions = 11.6 billion monthly impressions 553 million visits /mo = 21 ads/visit 1.3 billion pageviews /mo = 9 ads/pageview
  39. 39. December 2017 / Page 38marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou weather.com appears normal 318 million daily impressions = 9.7 billion monthly impressions 262 million visits /mo = 37 ads/visit 597 million pgviews /mo = 16 ads/pageview
  40. 40. December 2017 / Page 39marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou Facilitator Ad Exchange: Propeller Ads Media
  41. 41. December 2017 / Page 40marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou PropellerAds.com http://www.bloggersideas.com/propeller-ads-review/
  42. 42. December 2017 / Page 41marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou fedsit.com Gets traffic FROM Sends traffic TO Source: SimilarWeb
  43. 43. December 2017 / Page 42marketing.scienceconsulting group, inc. linkedin.com/in/augustinefou pipeschannels.com Gets traffic FROM Sends traffic TO Source: SimilarWeb

×