By Zeus, I declare this holiday Botsgiving!
Although bots have long been a menace to digital media (remember click fraud?), bot fever has been spreading like wildfire across the industry this year, probably in response to some dire statistics. The latest, from Integral Ad Science, suggests 14% of all impressions out there are fraudulent, and the company admits the number may be conservative. Estimates of wasted spend vary, but it’s definitely billions of dollars yearly.
But aren’t you curious about how bots accomplish this feat? After all, as ops pros, we’re always concerned with “how the sausage is made” – so how do bots go about their menacing ways?
Through a blog post and video, Spider.io CEO Douglas de Jager (who has been ringing the bell on bots for years) invites us into the lair of Zeus, an “infamous” bot rootkit that was publicly leaked in 2011, enabling every Joe Troll out there to start up a bot factory in the comfort of their home. (It seems a lot of these homes are in Eastern Europe…) In a previous blog picked up by Wired UK, de Jager offers a comprehensive history of Zeus and suggests that for the low price of $600, you too could be a bot lord – “and you don’t need to know the first thing about coding,” de Jaeger notes.
Cybercrime has much lower overhead than drug manufacturing and distribution – if only Walter White had taught computer science instead of chemistry (though somehow an alter ego named “Turing” sounds less threatening than “Heisenberg”) – as well as little risk of capture. Who’s going to punish you? As noted at a recent Integral event, the lack of regulatory action in this area leaves most players helpless.
But can it really be that easy to set up and execute? That’s where this somber, silent video comes in (you could throw on “Carmina Burana” in the background to highlight the tension). It’s a behind the scenes look at what controlling a bot is like, complete with dashboard.
There are a few striking parts here – first, (some) bots are borrowing the browsers of real people and taking advantage of “earned” cookies. These bots are running on hidden browser windows, unbeknownst to the real user. (Other bots go about collecting high value cookies.) Second, Spider.io injects its “GhostVisitor” protocol, which commands the bot to act like a human – similar programs will fool viewability metrics and record completed video views.
With little to no regulatory recourse, the name of the game here is prevention. There are a variety of bot-fighting solutions out there, but many rely on blacklisting URLs, which is a rather blunt tool for approaching such a nuanced problem. The video above certainly points to real-time detection as the most viable path – as described in a previous piece, these are technologies that can weed out bots and deny them impressions at the moment of transaction.
We believe there’s a huge opportunity here for premium publishers (ones for whom the majority of traffic is actual users) to build deeper relationships with advertisers and drive revenue to a variety of products (i.e., private exchanges and programmatic direct). Read more here.