Any Device with CPU + Internet Can be Used as a Bot

I’ve been writing about bots and ad fraud over the last several years. Despite the proliferation of bot and fraud detection services, the ad fraud problem is not getting better. In fact, it is getting worse. Occasionally, you read industry reports that say fraud is lower and tout the success of fraud-fighting measures. The fraud is not lower; it is just better hidden and harder to detect, because the bad guys are hackers. Their specialty is getting around your defenses and covering their tracks so they can continue doing what they want to be doing — making gobs of money by siphoning ad dollars from big-spending, unsuspecting media buyers.

Sadly, the ad fraud problem is going to get a lot worse before it gets better. Here’s why….

Moving from malware on PCs – most of the bots you may have heard of before are typically associated with malware or viruses on PCs, which run in the background of a real human’s PC and load webpages to cause fraudulent ad impressions to load. But getting malware onto PCs is really hard, because the ecosystem of anti-malware and anti-virus software is already pretty mature and more and more consumers are getting educated about not clicking on links from strangers, etc. So what’s easier to compromise in mass quantities? Right, mobile devices.

To compromised mobile devices – Real humans now use mobile devices in mass quantities to get online. There are 10x – 100x more mobile devices (smartphones and tablets) than there are laptops and desktop PCs. Also, the ecosystem of anti-virus and anti-malware software on mobile is far LESS mature, and humans’ security hygiene is much less developed on mobile. For example, in the scramble to get Pokemon Go last summer, millions of users unsuspectingly downloaded rewritten fake copies of Pokemon Go, with malware built in, because they went to non-official app stores. Once these mobile devices are compromised, the malware can quietly load massive quantities of ads behind the scenes without the human user knowing. The only evidence they may see is their bandwidth being used up for no apparent reason, or their mobile device running slowly.

To headless browsers in data centers – But even waiting to compromise real humans’ mobile devices is slow. So bad guys turn to cloud data centers, where they can spin up as many millions of bots as they want. They don’t even have any startup hardware costs, because with cloud services you only pay for what you use, and you pay as you go. So bot makers create millions of headless browsers that can simulate human-like actions such as mouse movement, page scrolling, and clicks, to load webpages and cause ad impressions. Furthermore, they can use mobile simulators to create fake mobile devices. That’s right. Some of the mobile devices that download and install apps are not even real humans’ mobile devices. They are virtual (and fake). This kind of fraud operation is massively scalable, and they can turn the bots on and off at will to avoid detection.


Compromised IoT (Internet of Things) for DDoS (Distributed Denial of Service) – With more and more connected devices — a.k.a. Internet of Things — coming online in the home, in cars, and in public areas, there will be many times more devices to be compromised and used for committing cybercrimes and fraud. We have already seen compromised traffic cameras and security cameras turned into botnets that have generated the largest DDoS attacks ever observed, which have even taken down DNS (and thus Spotify, Twitter, and Netflix). But why just overwhelm a site with traffic to take it down? Why not make money with all that traffic by monetizing it with digital ads? Much more lucrative. And let’s not forget to mention smart TVs (hacked), connected refrigerators, smart toaster ovens (hacked), connected thermostats, connected watches, and other wearables. These devices don’t even get turned off at night like PCs or laptops. They are on 24/7 and always connected.
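Two of the traits described above, traffic originating from data centers and devices that stay active around the clock, can be checked from the defender's side in an impression log. The sketch below is an added example, not the author's tooling; the log format, device IDs, network ranges (RFC 5737 documentation blocks used as placeholders), and the 20-hour threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed placeholder ranges (RFC 5737 documentation blocks) standing in
# for a maintained list of cloud and hosting provider networks.
DATACENTER_NETS = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumed threshold: a device with impressions in this many distinct hours of
# a single day shows no overnight gap, unlike a device a person uses.
ALWAYS_ON_HOURS = 20

def parse(line):
    """Parse 'ISO-timestamp device_id ip' into (datetime, device_id, ip)."""
    ts, device, ip = line.split()
    return datetime.fromisoformat(ts), device, ipaddress.ip_address(ip)

def flag_devices(lines):
    """Return {device_id: sorted list of reasons} for suspicious devices."""
    hours = defaultdict(set)      # device -> {(date, hour)} with impressions
    reasons = defaultdict(set)
    for line in lines:
        ts, device, ip = parse(line)
        hours[device].add((ts.date(), ts.hour))
        if any(ip in net for net in DATACENTER_NETS):
            reasons[device].add("datacenter_ip")
    for device, seen in hours.items():
        per_day = defaultdict(int)
        for day, _hour in seen:
            per_day[day] += 1
        if max(per_day.values()) >= ALWAYS_ON_HOURS:
            reasons[device].add("always_on")
    return {d: sorted(r) for d, r in reasons.items()}

def sample_log():
    """Constructed impression log: one human-like device, two bot-like ones."""
    log = []
    for h in (8, 12, 13, 19, 21):             # daytime-only user
        log.append(f"2017-03-01T{h:02d}:15:00 dev-human 192.0.2.10")
    for h in range(24):                       # active every hour, never idle
        log.append(f"2017-03-01T{h:02d}:05:00 dev-iot 192.0.2.77")
    for h in (2, 3):                          # browser hosted in a data center
        log.append(f"2017-03-01T{h:02d}:30:00 dev-cloud 203.0.113.5")
    return log

if __name__ == "__main__":
    for device, why in flag_devices(sample_log()).items():
        print(device, why)
```

Because the bots described here can simulate mouse movement, scrolling, and clicks, signals like network origin and activity schedule are useful precisely because they do not depend on in-page behavior.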

Watch Bot Fraud (NHT) As It Happens

NHT = Non-Human Traffic — bots that cause ad impressions to load (impression fraud) and that click on ads (click fraud), which collectively make up “digital ad fraud.” Source: Marketing Science Consulting Group, Inc.

So the bot problem and other related issues such as ad fraud, DDoS attacks, unchecked surveillance, etc. are going to get worse before they get better. The wild west is already here. What are you doing to secure your own personal privacy and data, and that of your marketing campaigns?

About the Author: “I advise advertisers, publishers, and agencies on the technical aspects of fighting digital ad fraud and improving the effectiveness of digital advertising. Using forensic technologies and techniques I help to assess the threat and recommend countermeasures to combat fraud and improve ROI.”

Follow me on LinkedIn and on Twitter @acfou

This article was originally posted on
