What is Sophisticated Invalid Traffic (SIVT)? How to Detect and Block SIVT
Cyber Risks & Threats | September 15, 2022
Traffic is the lifeblood of digital businesses and, by extension, the lifeline of the marketing department. Traffic determines who sees your messaging, where your site ranks, and, ultimately, how many conversions you gain. But traffic isn’t always what it seems. On average, over 20% of a site’s visitors are not who they appear to be, according to recent research.
This invalid traffic threatens ad revenue, clouds marketing metrics, and muddies conversion rates. To many marketers, it has become a fact of life, an annoyance that cannot be effectively solved. But the problem is growing, and most fraudulent traffic today is highly sophisticated. Let’s look at the kinds of sophisticated invalid traffic affecting websites and ad publishers today and examine some of the ways marketers can fight back.
What is Invalid Traffic?
Invalid traffic is web traffic that cannot turn into a legitimate customer. This could mean anything from harmless bots, like search engines’ web scrapers, to ad fraud botnets.
Google defines invalid traffic as “any activity that doesn’t come from a real user with genuine interest. It can include accidental clicks caused by intrusive ad implementations, fraudulent clicking by competing advertisers, advertising botnets, and more.”
To Google, IVT is primarily a concern because it can be used to artificially inflate a publisher’s ad earnings, a practice that is against Google Ads’ terms of service. But invalid traffic isn’t limited to paid traffic. It also makes up a large portion of direct traffic and unique site visitors, and has plenty of adverse effects downstream, from polluted marketing analytics to wasted remarketing efforts.
There are generally two types of invalid traffic (IVT): general invalid traffic (GIVT) and sophisticated invalid traffic (SIVT). Let’s take a closer look at both below:
What is General Invalid Traffic (GIVT)?
General invalid traffic (GIVT) is the kind of nonhuman traffic you would expect to routinely access your websites: bots, spiders, search engine crawlers, and other traffic coming from data center IP addresses known to site owners and advertisers. GIVT will generally identify itself as such and is easy to filter out of campaigns and metrics.
What is Sophisticated Invalid Traffic (SIVT)?
Sophisticated Invalid Traffic (SIVT) is invalid traffic that does not identify itself as such. SIVT could be competitors clicking on ads, bots scraping your website for pricing information, botnets built for ad fraud, or malicious users concealing themselves via proxies and VPNs.
What are The Types of SIVT?
SIVT can take various forms, depending on its goal. Common forms of SIVT include:
- Bots: Scripts running on headless browsers will mimic real humans and click on ads in order to generate fraudulent ad revenue.
- Cookie Stuffing: Cookie stuffing is a form of affiliate fraud wherein third-party cookies are illegitimately attached to a user and then used to falsify conversions.
- Adware: Adware can be used to generate traffic from infected users without their consent.
- Web Scrapers: Web scrapers can be used to gather competitive information, such as pricing from your website.
- Concealed ads: Hidden or misleading advertising can be used to attract unwitting users with no chance of converting.
- Fraudulent proxy traffic: Proxies and VPNs can be used to mask fraudulent traffic.
How to Detect and Stop SIVT
So how can you detect and block SIVT? As a manual process, it can be a challenge, but there are some best practices you can follow to achieve at least a baseline of protection. Let’s look at Google’s advice first.
Google’s Advice on Invalid Traffic
While Google does its best to prevent invalid and fraudulent traffic, they, unfortunately, do not offer much in the way of resources for publishers dealing with high volumes of SIVT.
In the eyes of Google, AdSense publishers are ultimately responsible for the traffic on their ads and are more or less left to their own devices when it comes to protecting site traffic and advertising budgets from fraud and waste. However, Google does offer some advice to publishers to help mitigate SIVT.
Namely, Google urges publishers to avoid unscrupulous third parties, make sure AdSense implementations are rock solid, understand ad traffic and site visitors, and watch for unusual behavior.
Best Practices for SIVT Mitigation
There are a few other manual methods for mitigating SIVT, and IVT in general. Let’s dive into a few techniques you can use to clean up your traffic within AdSense and other tools you already have.
Rethink Your Targeting
As marketers, it’s natural to want to put your messaging in front of the biggest audience possible, but overly broad targeting can easily leave your ad campaign open to invalid traffic and bad actors. To minimize both your ad spend and your exposure to invalid traffic, it’s important to be as granular as possible with your geotargeting. Excluding countries or regions known for high rates of IVT is an easy first step to reducing bad traffic.
On the same note, limiting the runtime of your ads to just your time zone’s waking hours can also limit exposure.
Check Out Your Ad Placements
It’s easy to keep track of where your ads are being displayed, but many businesses simply set up the ad with Google, and never think about it again. But there are thousands of websites out there that exist just to generate fraudulent ad revenue. Site owners set up a basic site, with little or no genuine content, host ads, then push fake traffic through the site and ads to generate ad revenue.
If you’re getting a lot of referrals, but no conversions, it’s worth taking a look at where those referrals are coming from. If you find a low-quality site, it’s probably worth reporting to Google to stop the flow of bad traffic.
Monitor Your Site Traffic
Fraudulent traffic will often come in patterns (high volumes of clicks with low conversions, rapid clicks from a single IP address, etc.) that will give it away under keen observation.
Legitimate site visitors may visit your site multiple times while making purchasing decisions, but if a single IP begins arriving on a website from paid advertising in rapid succession, that’s a clear sign of abuse.
Patterns can vary widely by industry, geography or method of IVT, so it’s best to keep a keen eye on your site traffic. Take a look every day, get a feeling for the typical patterns of your site traffic, and try to identify patterns in bad traffic.
Once you’ve found what you’re looking for, it’s time to investigate your server logs for suspicious IP addresses and add those addresses to your blocklists and the blocklists of your advertising partners.
Inspect Packet Headers for Suspicious Data
Packet headers, in particular the HTTP request headers such as User-Agent, contain a lot of information: browser type and version, OS, and more. This information is extremely useful in uncovering disguised bad traffic.
For example, if you receive dozens of requests from the same IP address, but the packet header shows different device details for each visit, it’s fair to deduce that this IP is a proxy server. Malicious users also have their own calling cards. Typically Linux is used, and outdated browsers are easier to exploit, so a version of Chrome that is 10 or 15 updates behind is a dead giveaway.
In another example, if a user appears to be using a mobile device, but the packet header shows that there are browser extensions on that device, that is clear evidence of an attempt to disguise the source of the traffic and mislead you and your advertising partners, and should be investigated in further detail.
Set up IP Exclusion Lists
Through the above techniques, you’ll likely find a lot of IP addresses that need blocking. Google Ads offers an IP exclusion list, which lets you identify IP addresses you don’t want your ads served to. However, there is a limit of 500 IP addresses per campaign, which is easy to hit, since fraudsters and bad actors constantly change their IP addresses through proxies and other methods.
Manual IP address exclusion management is a best practice for a basic level of protection from SIVT, but it is a labor-intensive and tedious process, and the limited size of Google’s exclusion list greatly reduces its effectiveness.
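The manual checks from the three sections above (rapid paid clicks from one IP, many device profiles behind one IP, a badly outdated Chrome) can be run over a server access log as in the following added example, which is not part of the original article or of any CHEQ tooling. It assumes combined log format and that paid landings carry a `gclid` parameter; the log lines, thresholds and `CURRENT_CHROME_MAJOR` value are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CURRENT_CHROME_MAJOR = 105  # assumption: stable major when the sample was built; keep it current
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

# Constructed sample (combined log format, documentation-range IP addresses).
SAMPLE_LOG = '''\
203.0.113.7 - - [15/Sep/2022:10:00:01 +0000] "GET /offer?gclid=c1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0.4430.93 Safari/537.36"
203.0.113.7 - - [15/Sep/2022:10:00:04 +0000] "GET /offer?gclid=c2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0.4430.93 Safari/537.36"
203.0.113.7 - - [15/Sep/2022:10:00:09 +0000] "GET /offer?gclid=c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0.4430.93 Safari/537.36"
198.51.100.20 - - [15/Sep/2022:10:05:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0.0.0 Safari/537.36"
198.51.100.20 - - [15/Sep/2022:10:20:00 +0000] "GET /pricing HTTP/1.1" 200 900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) Version/15.6 Mobile/15E148 Safari/604.1"
198.51.100.20 - - [15/Sep/2022:10:40:00 +0000] "GET /pricing HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Linux; Android 12) Chrome/105.0.0.0 Mobile Safari/537.36"
192.0.2.55 - - [15/Sep/2022:09:00:00 +0000] "GET /offer?gclid=c9 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/105.0.0.0 Safari/537.36"
192.0.2.55 - - [15/Sep/2022:13:30:00 +0000] "GET /checkout HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/105.0.0.0 Safari/537.36"
'''

def flag_ips(log_text, burst=3, window_s=60, min_agents=3, chrome_lag=10):
    """Return {ip: set of reasons}; thresholds are sample-sized, tune them to your traffic."""
    paid, agents, flags = defaultdict(list), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        ip, ts, path, ua = m.groups()
        agents[ip].add(ua)
        if "gclid=" in path:              # assumption: paid landings carry a gclid parameter
            paid[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        v = re.search(r"Chrome/(\d+)", ua)
        if v and CURRENT_CHROME_MAJOR - int(v.group(1)) >= chrome_lag:
            flags[ip].add("outdated_chrome")
    for ip, times in paid.items():        # `burst` paid clicks inside a sliding time window
        times.sort()
        if any(times[i + burst - 1] - times[i] <= timedelta(seconds=window_s)
               for i in range(len(times) - burst + 1)):
            flags[ip].add("rapid_paid_clicks")
    for ip, uas in agents.items():        # many device profiles behind one address
        if len(uas) >= min_agents:
            flags[ip].add("many_devices")
    return dict(flags)

def exclusion_list(flags, limit=500):
    """Rank by number of reasons so the strongest candidates fit under the 500-entry limit."""
    return sorted(flags, key=lambda ip: (-len(flags[ip]), ip))[:limit]

if __name__ == "__main__":
    print(exclusion_list(flag_ips(SAMPLE_LOG)))
```

Offices and mobile carriers also put many devices behind one address, so review `many_devices` hits before adding them to an exclusion list.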
Stop SIVT with Go-to-Market Security
As outlined above, manual mitigation of invalid traffic is possible, in a limited scope, but it’s labor-intensive, and probably not the most cost-effective use of your team’s time. Not to mention, it can take weeks or months to properly set up, leaving your site exposed to bad traffic in the interim.
For businesses serious about protecting their pipeline, a comprehensive go-to-market security platform will help automatically detect and block invalid traffic in real-time, whether the source is paid, organic, or direct, and provide better insight into marketing analytics.
CHEQ Paradome leverages thousands of security challenges to evaluate site traffic in real-time, determine whether a visitor is legitimate, suspicious, or invalid, and take appropriate action in blocking or redirecting that user. For paid traffic, Paradome automatically updates IP exclusion lists to reflect the constantly changing threat landscape, saving you valuable time and ad spend.
Book a demo today to see how CHEQ Paradome can lower your CPA and protect your go-to-market efforts against SIVT and other threats.