Loki, the Norse Bot of Click Fraud

Summary

PureClick uses the PureCaptcha to detect mobile click fraud on a major display network, operating over the Nokia proxy network.

Description

This is Loki: an organized form of click fraud, first detected in 2014 on a major Display Network and still active today, costing advertisers millions of dollars.

One of the benefits of being the only independent company in AdTech doing post-PPC-click analysis is that sometimes you see something that no one else can see. Through careful analysis of user behavior patterns on PureCaptcha, we turned up a form of click fraud that we’re calling Loki. Whether this makes us Thor, or any member of the Avengers, we’ll leave as an open question…

The name is in honor of the fact that it involves clicks that always originate from Nokia’s proxy network for its Series 40 mobile devices. Nokia sold over a billion of these phones, and apparently they are popular for more than just making calls.

Profiling Loki Traffic

» All clicks have a Nokia Series30 or Series40 user agent using the Nokia Ovi web browser. For example: “Mozilla/5.0 (Series40; Nokia311/03.81; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/5.0.0.0.31”

» The user agent isn’t spoofed. We can tell because the Nokia web browser used on these phones is cloud-based, and the traffic is routed through Nokia proxy servers.

» The clicks are coming entirely from IP addresses outside the US, even though they are showing up in campaigns restricted to the US only.

» The clicks originate from parked domains, with a few exceptions. These are not real sites, and they have no content. They exist only to serve ads. In a recent test, Loki was focusing on parked domains imitating university websites!

» The user behavior on the PureCaptcha for these clicks is consistent: 3 seconds on the page and gone with no recordable exit action. None have ever navigated the PureCaptcha.

It was the inhuman consistency of time on the PureCaptcha which first raised our suspicions, as you can see in the charts. At first, we thought maybe something about Nokia’s cloud-based browser architecture was causing this anomaly. But testing has shown that the Nokia browser in this version can interact normally with PureCaptcha. It isn’t possible that this pattern of behavior arises from human traffic.

The probability of this distribution of time occurring for human traffic is infinitesimal, and yet it is very common for simple bots found in our surveys. In this case, it also reflects the nature of the JavaScript proxying platform that the Nokia web browser uses. In the absence of further evidence to confirm the fraudulent nature of this traffic, the mere consistency of time may have been a red herring. But, when considered alongside the absolute lack of PureCaptcha confirmed clicks, the homogeneity of publishers, and the fact that the only traffic originating from these domains is Loki, it becomes clear that this traffic is fraudulent.
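The profile above can be expressed as a per-publisher check that combines the per-click traits with the dwell-time consistency. This is an added example, not PureClick's code; the record schema, thresholds and sample clicks are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Matches the Series30/Series40 Ovi browser user agent quoted in the profile.
OVI_UA = re.compile(r"\(Series[34]0;.*OviBrowser/")
S40 = ("Mozilla/5.0 (Series40; Nokia311/03.81; Profile/MIDP-2.1 "
       "Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/5.0.0.0.31")
DESKTOP = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0 Safari/537.36"

def click(referrer, ua, country, dwell_s, interacted=False, campaign_geo="US"):
    """Build one landing-page record (hypothetical schema)."""
    return dict(referrer=referrer, ua=ua, country=country, dwell_s=dwell_s,
                interacted=interacted, campaign_geo=campaign_geo)

# Constructed sample data; "ZZ"/"XX" are placeholder non-US country codes.
CLICKS = [
    click("parked-univ.example", S40, "ZZ", 3.0),
    click("parked-univ.example", S40, "XX", 3.1),
    click("parked-univ.example", S40, "ZZ", 2.9),
    click("parked-univ.example", S40, "XX", 3.0),
    click("news.example", DESKTOP, "US", 42.0, interacted=True),
    click("news.example", S40, "US", 17.5, interacted=True),
    click("news.example", DESKTOP, "US", 4.2),
    click("forum.example", S40, "ZZ", 2.0),
    click("forum.example", S40, "ZZ", 15.0),
    click("forum.example", S40, "ZZ", 41.0),
]

def matches_profile(c):
    """Per-click traits: Ovi user agent, IP outside campaign geo, no interaction."""
    return (bool(OVI_UA.search(c["ua"])) and c["country"] != c["campaign_geo"]
            and not c["interacted"])

def flag_publishers(clicks, min_clicks=3, max_dwell_stdev=0.25):
    """Flag referrers whose every click fits the profile with near-constant dwell."""
    by_ref = defaultdict(list)
    for c in clicks:
        by_ref[c["referrer"]].append(c)
    flagged = {}
    for ref, group in by_ref.items():
        if len(group) < min_clicks or not all(map(matches_profile, group)):
            continue
        dwell = [c["dwell_s"] for c in group]
        if pstdev(dwell) <= max_dwell_stdev:
            flagged[ref] = {"clicks": len(group), "mean_dwell_s": round(mean(dwell), 2)}
    return flagged
```

Only the parked domain is flagged: `forum.example` matches every per-click trait but has widely varying dwell times, and `news.example` carries ordinary traffic alongside a Nokia user who interacts with the page.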

The strategy seems clear: domain parking provides insurance against being shut down — it’s inexpensive to generate new parked domains. The proxy network allows the real source of traffic to be masked, both in terms of its geographical location and in terms of user behavior. The lack of confirmed clicks suggests an automated form of fraud, rather than click farming.

Reconciling Recorded Clicks With Billed Clicks

The first question is: are the clicks these bots generate being billed? None of the ad networks we’ve surveyed provide for click-level reporting at a transactional level, but through a careful analysis of the reporting they do provide, PureClick has been able to demonstrate that the overwhelming majority have been billed.

Instead of reporting at the level of a single click transaction, the networks provide summaries that may be broken down by day and by publisher. When PureCaptcha handles a click request, it also records the date and time, as well as the referring URL, either from the browser or from query string parameters provided by the ad network.

By comparing the number of clicks billed for a given referring URL with the number of clicks received by the PureCaptcha, taking into account time zone differences, and allowing for slight variations in time between the network record of when the click occurred and PureClick’s measurement of the subsequent request, we are able to reconcile about 90-95% of billed traffic against individual recorded clicks. In most cases, we are able to identify a 1 to 1 correspondence between the number of clicks billed from a given publisher on a given day, and the number received.
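A sketch of this reconciliation, written as an added example rather than PureClick's implementation: recorded UTC timestamps are converted to the network's reporting time zone, bucketed by day and publisher, and clicks that land within a small skew of midnight may be counted on the adjacent day. The reporting zone, the skew allowance and all data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REPORT_TZ = timezone(timedelta(hours=-8))  # assumed network reporting zone
SLACK = timedelta(minutes=2)               # assumed network-vs-landing-page skew

# Constructed network report: (report-local day, publisher) -> billed clicks.
BILLED = {("2014-03-10", "parked-univ.example"): 3,
          ("2014-03-11", "parked-univ.example"): 1,
          ("2014-03-11", "other.example"): 1}

# Constructed landing-page log: (UTC timestamp, referring URL).
RECORDED = [
    ("2014-03-10T18:00:05", "http://parked-univ.example/"),
    ("2014-03-10T21:30:10", "http://parked-univ.example/a"),
    ("2014-03-11T08:00:40", "http://parked-univ.example/"),  # 00:00:40 report-local
    ("2014-03-11T20:00:00", "http://parked-univ.example/"),
]

def reconcile(billed, recorded, tz=REPORT_TZ, slack=SLACK):
    """Return (billed clicks matched to recorded clicks, total billed clicks)."""
    counts, movable = Counter(), []
    for ts, url in recorded:
        local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).astimezone(tz)
        pub, day = urlsplit(url).hostname, local.date().isoformat()
        counts[(day, pub)] += 1
        # A click within `slack` of midnight may belong to the adjacent report day.
        for alt in (local - slack, local + slack):
            if alt.date().isoformat() != day:
                movable.append(((day, pub), (alt.date().isoformat(), pub)))
    # Shift boundary clicks from an over-counted day to an under-counted neighbour.
    for src, dst in movable:
        if counts[src] > billed.get(src, 0) and counts[dst] < billed.get(dst, 0):
            counts[src] -= 1
            counts[dst] += 1
    matched = sum(min(n, counts[key]) for key, n in billed.items())
    return matched, sum(billed.values())
```

With the sample data, `reconcile(BILLED, RECORDED)` matches 4 of 5 billed clicks; with `slack=timedelta(0)` the click just after midnight stays on the wrong day and only 3 are matched.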

Having performed this type of reconciliation, we believe that the overwhelming majority of clicks we’ve recorded from Loki have been billed.

Assessing The Cost Of Loki

PureClick has been tracking Loki traffic since March of 2014. Across 17 separate surveys, Loki has accounted for 1.5% of billed traffic in US-only campaigns, and about 1% of international billed clicks.

With total Display advertising exceeding 50 billion USD in 2014, Loki may have cost advertisers in the range of 60-120 million alone. In an enormous industry, if 1-2% of traffic is Loki, it is easily overlooked by technologically outclassed advertisers, who simply don’t know what they are paying for, but that 1% still makes a significant impact.