Protected Media, a provider of anti-fraud solutions, have discovered a fraud operation they are calling “The Traffic Alchemist”. The company say the fraudsters have been disguising junk traffic as views on reputable sites with high Alexa ratings, made to look as though they originate from Google and Twitter. The scam started in New York in April 2016 and managed to evade detection because it involved real users instead of bots, masqueraded traffic, and masked fraudulent sites to keep them off data scientists’ radar. The fiddle burned through $7 million a month at its peak, and Protected Media say it is still continuing today, albeit at a slower rate.
“The Traffic Alchemist scam is unusual not because of the sophistication of one single technique but because it combines several methods together to keep the fraudulent activity under the radar”, said Asaf Greiner, CEO of Protected Media. “By looking beyond the technology, and uncovering the mechanism that manipulates traffic attributes, it’s possible to detect similar complicated ad schemes that are always in place but with slightly different variations”.
Protected Media say the fraudster began by buying what they call “junk traffic”, typically on porn or torrent sites, which are known for long viewing times. Those long sessions were then split into hundreds of short sessions on “legitimate, lucrative” sites operated by the fraudster. These sites were cloaked to appear reputable for direct traffic, but were actually cluttered with pop-up ads that weren’t even viewable. Up to 35 ads were served per user and refreshed every 15 seconds, resulting in 140 ad impressions per minute. The fake websites were clustered together into groups of 7-10, and traffic was cycled through each site to keep measurements realistic so that anti-fraud software would not raise an alert.
The path to these pop-under sites was disguised so that the viewers appeared to be arriving organically from Google or Twitter, from legitimate search and social activity rather than from views on porn and torrent sites. The cleaned-up traffic was shared with Google Analytics and then reported by reputable third-party platforms, making advertisers confident the traffic was legitimate. After several weeks, when the performance was no longer good enough to keep the sites on target publisher lists, the websites were abandoned for a fresh cluster, to keep the scam going month after month.
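A detection-side sketch of the pattern described above, added here as an illustration and not Protected Media's own method: it scans an ad-impression log for users whose per-minute impression count on a site is implausibly high and who show that behaviour across a cluster of sites. The log format, function names, thresholds and `.example` domains are assumptions; the sample data is constructed from the figures in the article (35 ads, 15-second refresh, clusters of 7-10 sites).

```python
from collections import defaultdict

# Assumed thresholds, chosen relative to the figures reported in the article.
MAX_IMPRESSIONS_PER_MIN = 100   # article reports 140 impressions per minute
MIN_CLUSTER_SITES = 7           # article reports clusters of 7-10 sites

def build_sample_log():
    """Constructed log of (user, epoch_second, site, referrer) impressions."""
    log = []
    # u1: 35 ad slots refreshed every 15 s, moved to a new site each minute.
    for minute in range(8):
        site = f"site{minute}.example"
        for refresh in range(4):
            ts = minute * 60 + refresh * 15
            log += [("u1", ts, site, "google.com")] * 35
    # u2: ordinary browsing, one page load with 3 ads per minute.
    for minute in range(8):
        log += [("u2", minute * 60, "news.example", "google.com")] * 3
    return log

def flag_users(log):
    """Return {user: [reasons]} for users matching the reported pattern."""
    per_minute = defaultdict(int)   # (user, site, minute) -> impressions
    # The referrer is deliberately ignored: the article says it was disguised.
    for user, ts, site, _referrer in log:
        per_minute[(user, site, ts // 60)] += 1

    hot_sites = defaultdict(set)    # user -> sites where the rate was exceeded
    for (user, site, _minute), count in per_minute.items():
        if count > MAX_IMPRESSIONS_PER_MIN:
            hot_sites[user].add(site)

    flagged = {}
    for user, sites in hot_sites.items():
        reasons = ["impression_rate"]
        if len(sites) >= MIN_CLUSTER_SITES:
            reasons.append("site_cycling")
        flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_users(build_sample_log()))
```

Both users carry the same Google referrer in the sample, so the distinction comes entirely from impression volume and site rotation.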