The bots are evolving: Ad fraud in a privacy driven world

10/25 By Evgeny Shmelkov

Virtually all websites nowadays use Internet cookies, harmless pieces of information that are saved to your browser when you visit a website. The browser will then return the cookie to the server the next time you visit that website. This exchange of cookies is how websites “remember” you and your selected preferences (e.g. login, language settings, preferred font size, etc.) so you don’t have to re-enter this information every time you come back to the website. These same internet cookies have been widely used in online behavioral advertising for years. 

In recent years, however, the regulatory environment has begun to shift worldwide toward protecting personal data and privacy of consumers. Resulting privacy regulations have limited how pseudonymous identifiers, such as cookies, can be processed by websites, advertisers, and others in the digital advertising ecosystem. As a result, a large number of websites have implemented a consent process, which requires websites, advertisers, and others in the digital advertising ecosystem to only collect and process cookies from those users who affirmatively consent to the setting of those cookies.

How were ad fraud bots affected by privacy-related changes?

Some bots accept and retain cookies from the different websites they visit. For example, any number of sophisticated bots designed to target the online advertising ecosystem can be optimized for taking advantage of behavioral targeting, which requires them to accept cookies. Other bots might accept cookies in order to build believable human-like profiles, which help them to remain undetected by some ad verification vendors. 

The IAS Threat Lab regularly conducts experiments to understand and decipher any new kind of bot behavior. In one such experiment, website visitors were asked to provide cookie consent in a way that no human user would be able to see and select the cookie consent feature. Any affirmative consents by website visitors we obtain would have to be attributed to bots. We tracked these cases when consent was provided and discovered a source of fraudulent traffic where bots were designed to automatically opt-in to the GDPR mandated cookie retention policies of websites they visit. 

Why Machine Learning? 

Our findings once again confirm that ad-fraud bots are constantly adapting to the realities of the ever-changing internet ecosystem. Simply optimizing advertising campaigns based on behavioral metrics cannot remove enough fraudulent traffic, and advertising on sites with cookie-walls, forced registration, opt-in setups, or even pay-walls won’t guarantee a successful reach to bot-free audiences. 

Detection of sophisticated bots is not a trivial task: it’s nearly impossible to achieve with only simple predetermined rules that do not quickly adapt to the rapidly evolving advertising fraudscape. The only way to confidently protect advertising campaigns from ad fraud is by using verification technology that is as dynamic as fraudsters. Artificial intelligence and machine learning technology are irreplaceable in modern-day ad fraud prevention. 

Learn more about the IAS Threat Lab here.