» All clicks have a Nokia Series30 or Series40 user agent using the Nokia Ovi web browser. For example: “Mozilla/5.0 (Series40; Nokia311/03.81; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/220.127.116.11.31”
» The user agent isn’t spoofed. We can tell because the Nokia web browser used on these phones is cloud-based, and the traffic is routed through Nokia proxy servers.
» The clicks are coming entirely from IP addresses outside the US, even though they are showing up in campaigns restricted to the US only.
» The clicks originate from parked domains, with a few exceptions. These are not real sites, and they have no content. They exist only to serve ads. In a recent test, Loki was focusing on park domains imitating university websites!
» The user behavior on the PureCaptcha for these clicks is consistent: 3 seconds on the page and gone with no recordable exit action. None have ever navigated the PureCaptcha.
It was the inhuman consistency of time on the PureCaptcha which first raised our suspicions, as you can see in the charts. At first, we thought maybe something about Nokia’s cloud-based browser architecture was causing this anomaly. But testing has shown that the Nokia browser in this version can interact normally with PureCaptcha. It isn’t possible that this pattern of behavior arises from human traffic.
Reconciling Recorded Clicks With Billed Clicks
The first question is: are the clicks these bots generate being billed? None of the ad networks we’ve surveyed provide for click-level reporting at a transactional level, but through a careful analysis of the reporting they do provide, PureClick has been able to demonstrate that the overwhelming majority have been billed.
Instead of reporting at the level of a single click transaction, the networks provide summaries that may be broken down by day and by publisher. When PureCaptcha handles a click request, it also records the date and time, as well as the referring URL, either from the browser or from query string parameters provided by the ad network.
By comparing the number of clicks billed for a given referring URL with the number of clicks received by the PureCaptcha, taking into time zone differences, and allowing for slight variations in time between the network record of when the click occurred and PureClick’s measurement of the subsequent request, we are able to reconcile about 90-95% of billed traffic against individual recorded clicks. In most cases, we are able to identify a 1 to 1 correspondence between the number of clicks billed from a given publisher on a given day, and the number received.
Having performed this type of reconciliation, we believe that the overwhelming majority of clicks we’ve recorded from Loki have been billed.
Assessing The Cost Of Loki
PureClick has been tracking Loki traffic since March of 2014. Across 17 separate surveys, Loki has accounted for 1.5% of billed traffic in US-only campaigns, and about 1% of international billed clicks.
With total Display advertising exceeding 50 billion USD in 2014, Loki may have cost advertisers in the range of 60-120 million alone. In an enormous industry, if 1-2% of traffic is Loki, it is easily overlooked by technologically outclassed advertisers, who simply don’t know what they are paying for, but that 1% still makes a significant impact.