7 places bad guys buy and sell ad clicks

Beneath the surface of the $330 billion digital advertising sector is a vast underground market.

In barely-hidden online marketplaces vendors offer services to undermine customer acquisition. Like any modern tech company Clicks-as a-service vendors offer product reviews, communities, and case studies to encourage people to buy.

However ultimately, the buying and selling of ad clicks is designed to manipulate the normal acquiring of new customers and online traffic. Instead of real users clicking on ads, bad actors use underhand methods to sabotage campaigns. The net effect is putting bots and fake users in funnels, wasting money, skewing analytics and hurting company’s productivity.

Here are seven places that bad guys buy and sell bad ad clicks, creating confusion and chaos in campaigns.

1. Marketplaces selling bot attacks on competitor campaigns

One notorious company, GoodGoogle promises clients the ability to block the appearance of competitors’ ads. The company says: “Are you tired of the competition in Google AdWords that take your first position and quality traffic?” “I will help you get rid once and for all competitors in Google AdWords.”

The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use such services to sideline a handful of competitors’ ads indefinitely.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) suggests it involves a private botnet of hacked computers that click on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results.

One satisfied user, “Alienstels”, says on GoodGoogle’s forum: “The project was launched for several days, but after the launch, the competitor turned off direct advertising literally the next day (or he ran out of money).”

Elsewhere, TrafficBotPro ($30) promises “to make fast money or beat your competitors by clicking their ad automatically.” It says: “TrafficBot Pro can visit any page directly from a search, then click any ad you set on the page automatically. It can simulate real human operation by setting random page stay time, mouse move, scroll, inner link clicks, proxy, user agent and visit interval. You will make fast money by this ad click bot and your competitors will be crazy because of this.”


2. Buying lots of bot traffic

Searches for ‘buying traffic for websites’ yields tens of thousands of results.

Independent ad fraud investigator Dr Augustine Fou says: “Traffic vendors can sell you all kinds of “traffic” and you can even select the “quality” level. Higher “quality” means the bots work harder and fake more things (like mouse movements, page scrolling, and clicks)”

Seif Khemaissia, group director, programmatic and analytics at Innocean Worldwide Canada, says: “Somebody would have a huge surge on a day that we launched a campaign and everybody’s patting themselves on the back, saying ‘Hey we did a really good campaign. We ran all of these leads.’ But when those leads come in and you find out that they are all fake, then it disrupts the entire reporting systems. The main characteristics of the fraud that Innocean saw was that 99% of it was coming from a Linux device and spending less than 00.01 seconds on the site. Another traffic buyer anonymously says: “These vendors offer a range of services and traffic types – everything from $2.00 CPC traffic sourced from Google, Yahoo, and Bing, to $0.002 CPC from god knows where. When we told them, we were looking for the cheapest traffic we could possibly buy there would be sort of a wink and a nod, and they’d make us aware that for that price the traffic would be of “unknown quality”.

How much you pay determines how much bot traffic you’re getting, so when you’re paying $0.002 a click, you’re getting mostly bots. You can tell its bot traffic just by looking at the analytics. We’d see a traffic spike in our real-time analytics dashboard and then we would see all of our traffic for the day serve in a couple of hours.”

3. Autoclick software

Autoclickers are in clear breach of Google’s advertising policies, outlawing “automated, fraudulent or otherwise invalid impressions, inquiries, clicks or conversions.”

Nevertheless, services offer cheap ad clicking simulation through a computing device.

Prominent solutions include The Bear Autoclicker (costing $175) and The Diabolic Traffic Bot ($25). Bear Autoclicker for instance employs several evasion techniques, including browser emulation (so the traffic appears to be originating from a browser). In addition, the software can interact with content on sites, such as downloading items and viewing videos.

One auto clicking site states that activity will not be detected as bot traffic “because the bot changes the user agents”.

This service also allows users to set the time for the bot to visit their site to appear more human. However fraud prevention software,  CHEQ for PPC is able to detect these visits including analyzing traffic though 1,000 cybersecurity parameters including discrepancies between the declared browser, and the actual user agent.

For unprotected campaigns, customers talk about autoclick software being effective. On the user forum one says: “I set the minimum time that the bot would spend on my site to be 17 seconds and the max 59 seconds – to make it look natural.”

Customers describe a range of requirements for hiring automated clicking services . One user reviewing the service, says “I bought this traffic for helping my inbound marketing report client”, while another needed to “push my article on a travel site”.

However, the net effect from this activity is harming brands, wasting money, and damaging further the reputation of digital advertising.

4. Gig Economy Clicks

Direct revenue schemes, or PTC (paid-to-click) sites are booming. These services pay tens of thousands of people to click on ads. The business model of PTC sites is generally based on profiting from advertisements clicked on by visitors.

Ryan Hildreth, talking about microworkers.com, says in a video watched 131,000 times on YouTube that you can get paid “$20,000 just to click on websites. These people will pay you a dollar to sign up and download an app, or $9 to install an app. The easiest are the ones you have to click on a website.”

Based on claims of 20 of the most well-known PTC sites, they have paid out $13.2 million to people employed to click and view ads, at 5 cents a click or 266 million ads clicked.

It is worth remembering, these ad views are not by desired customers. Instead, they are clicked by paid workers with no intention or interest in the product or service, and often, no geographic ability to access them – using VPNs to hide their location.

In a testimonial video on the Serpclix site, one freelance clicker called Mohammad, says: “I have been clicking for Serpclix since it was founded in 2016. I am paid 5 cents for every click I make. I make about $15 to $20 a month from just a few minutes per day.”

Google itself warns against using such sites. It says: “To deliver the traffic levels that their customers expect, these services often generate clicks and impressions using click bots, or by providing users incentives to visit sites or click on ads. For this reason, we strongly urge you to use caution when partnering with third-party traffic services.”

Showing the move away from traditional click farms, these sites also have league-style sales leaderboards to encourage competition and boost earnings. They also encourage posting of payouts to show the legitimacy of the service and remuneration.

Pay to click services have enjoyed rising traffic as COVID-19 requires new sources of income globally. Scarlet Clicks for instance achieved a 41% increase in traffic within six months, to 1.3 million visits a month in September 2020, according to SimilarWeb data. PTCShare has seen a 13% increase in traffic to 1.2 visits a month. NeoBux, one of the largest players, hit a peak of 9m visits in May 2020.

Other sites such as Fivesquid offer $5 packages to give certain amounts of “safe” Ad Sense Clicks to sites. This for instance sets out the terms of the clicks including real human visitors from the US. The offers set out “the minimum time that the visitor spends on your site” (in order not to attract attention) and ensures that the clicks are spaced out so customers achieve 5 clicks a day for seven days.” Sellers also offer monthly subscriptions to get regular visits.

5. Captcha solving

Captchas are verification tests to determine whether a user is a human or a robot, but they’re easy to bypass. Captcha-solving farms provide armies of codebreakers to solve their captchas – which are deployed by companies to keep bots out of their funnels. Pricing for vendors such as 2Captcha is around $0.77 per 1,000 Captchas. They also claim to have more than 2,000 workers online at any one time.

Deathbycaptcha.com offers solving rates at $1.39 per 1,000. The combination of software and APIs allow for fast account creations or automated sign ups using bots and Captchas. For instance new accounts on Reddit can be created using dev ops software such as Puppeteer and captcha-solving leader, 2Captcha, as shown in this study.

One firm, Anti-captcha provide a profile of their Captcha solvers, and the importance of the industry in providing employment. They explain: “An average worker makes about $100 per month which is a very good salary in such countries like India, Pakistan, Vietnam and others. With your help they now have a choice between working in polluted industries and working in front of a computer.” In this case the largest share of employees come from Venezuela, followed by Indonesia, Vietnam and India.

6. Old-school click farms

There are also the classic click farms. Strictly, a click farm is any kind of operation intended to fraudulently interact with a website. They continue to migrate to online platforms, as we’ve seen. However physically located mass-click farms remain housed in low-cost regions like South East Asia or India. Occasionally the authorities uncover these click farm operations, sometimes recovering hundreds of thousands of SIM cards used to validate accounts.

Former click farms workers have reported working 12-hour shifts for very little money, and even experienced some form of PTSD related to hearing the incessant clicking of keyboards and mice for hours on end.

7. Buying bot-generated fake reviews

CHEQ for PPC also increasingly sees bots carrying out fake reviews, after entering funnels and landing pages from company’s own paid search and paid social customer acquisition campaigns. For instance, in the analysis of one travel site, we found 2,500 invalid clicks from bots generating fictitious reviews.

It has been shown how easy it is for bots to mimic human reviews. Fake reviews services are common on the dark web, including generating fake app ratings, both manually and through bots.

Conclusion

Persistent automated clicking of ads is a constant feature across the client accounts CHEQ for PPC analyzes.

CHEQ is able to identify all the techniques used here – and many using more than 1,000 cybersecurity parameters. CHEQ is also the first solution to block invalid clicks and fake users, protecting customer acquisition across multiple platforms including Google, Facebook, Instagram, Baidu, Bing, LinkedIn, Snap, Twitter, Pinterest, Yahoo, and Yandex. Get your free demo today.