How Do Ad Fraudsters Make Money From Click Fraud

What is Ad Fraud?

Simply put, ad fraud is any attempt to defraud digital advertising networks for financial gain.

Scammers use lots of different methods to trick advertisers and ad networks into paying them, which we’ll go into later. And ad fraud that uses bots is typically click fraud.

When PPC marketing exploded in the early noughties, scammers followed the money. And ad fraud has been a growing problem ever since.

In the last 10 years botnet operations such as Methbot, 3ve, and DrainerBot have demonstrated ad fraud’s enormous multichannel and multiplatform scaling ability.

And it’s marketers who are paying the price. 78% of them cited click fraud as their top concern in a 2016 AdWeek survey. And with the progression of ad fraud since then, that number is unlikely to have reduced.

How Much Money Can Scammers Make From Ad Fraud?

For a start, they’re not exactly feeling the pinch of the rising cost of living.

The amount of money scammers can make from ad fraud depends on the scale and sophistication of the operation they’re running. But in all cases we’re talking about life-altering amounts of cash.

A lone bot operator may be able to make thousands each month. But a co-ordinated team of black hat fraudsters can generate millions of dollars every week – much of which is fed back into further organised criminal activity.

That was certainly the case with the Methbot scam. In November 2021 Aleksandr Zhukov, the self-proclaimed “King of Fraud” was sentenced to 10 years in prison by the US Department of Justice for his role as the lynchpin of the operation.

Aleksandr and several co-conspirators carried out the digital advertising fraud through a fake advertising network Media Methane, hence the name “Methbot”.

At its height, Methbot was making the group of scammers more than $3 million a day.

While this outfit was particularly successful, headlines like these are now cropping up on a regular basis as more criminal gangs move into ad fraud.

Device-Driven Fraud vs Content-Driven Fraud

As we mentioned earlier, fraudsters use bots to engage in ad fraud, which can be divided into two main categories:

Device-Driven Fraud
Content-Driven Fraud

The two often go hand-in-hand, allowing sammers to make money in the process.

Device-Driven Fraud

This is where scammers use networks of devices like computers, servers, and phones to get advertisers to pay out for fake clicks. Bots hidden within the devices mimic human behaviour and fake real ad impressions or interactions. When bots then push traffic to fake websites also owned by scammers, they make money from the clicks and impressions.

Content-Driven Fraud

This involves creating fake websites and apps and selling ad space to advertisers. Unfortunately for them, they think their ads are showing up on real websites and apps. But these sites are either “ghost sites” or “cashout sites” containing only ad space. Sites whose only visitors are bots that generate fake clicks.

In essence, advertisers pay to buy space on fake websites, then they pay for fake clicks on their ads which are displayed there.

7 Common Ways Scammers Make Money From Ad Fraud

Let’s take it a little further and look at more specific strategies used to make money from ad fraud.

1. Click Spam

Click spam uses click bots to generate fake clicks in the background whilst a real user interacts with an app or engages with a website.

All the while, the user is blissfully unaware it’s happening. Or that they’re the ones that triggered it, allowing the scammers to make a tidy profit.

2. Click Injection

Click injection is a bit more sophisticated and doesn’t rely on user interaction to be triggered.

It’s a form of mobile app fraud, specific to Android, where a click is ‘injected’ at an exact moment in the download process, just before an app is fully installed. The fraudster then gets credit for the download (rather than the real media source or ad network).

3. Domain Spoofing

Domain spoofing is exactly what it sounds like. It’s where a low-value site mimics a well-reputed one. The domain name is different, usually by just one letter. So people hit the site when they make a typo. Each time a user clicks on the page, the scammer gets paid.

4. Pixel Stuffing & Ad Stacking

Pixel stuffing involves using 1×1 pixel ads that are pretty much invisible to humans but still charge the advertiser for the “impressions”.

Similarly, ad stacking works by “stacking” loads of ads on top of each other. Only the ad at the front is visible yet scammers claim credit for all of them.

5. Affiliate Ad Fraud

Affiliate marketing uses cookies to determine the source of a visit to a website. Fraudsters exploit this by placing cookies on a browser without the user’s knowledge. So when the user visits an affiliate site, the scammer gets credit and makes money.

6. Redirect Attacks

This is where fraudsters redirect users that have clicked on one ad to multiple other ads and back again in the blink of an eye. All of those redirects count as individual clicks, generating revenue for the cybercriminals.

7. Install Farms

Install farms are real locations with real people using real devices to click and install apps. It’s the manual way to generate the activity they’re paid for.

Scammers will change the IP address for each install so the process can be repeated without flagging any warnings.

Why is Ad Fraud Becoming More Prevalent?

As with any criminal activity, it’s a question of risk vs reward. The graph below from Hewlett Packard’s 2016 ‘The Business of Hacking’ report shows ad fraud is the solitary entry in the ‘low risk, high reward’ section. This makes it incredibly lucrative for cybercriminals.

But why isn’t law enforcement doing more?

Simply put, they’re not equipped to regulate the online ad space. Combating ad fraud at its current levels would require a huge amount of resources and specialist skill sets that are just not available.

In a recent article about online advertising scams, Rocio Concha, Director of Policy and Advocacy at Which? said:

“Our research…shows how organised crime gangs have been able to exploit weak online advertising regulation to build a smash and grab business model that can make them almost a million pounds in a day from scamming unsuspecting consumers before their activities are shut down”

He also pointed out that legislation is also lagging behind.

“This is another situation where governments and regulators need to act quickly to catch up with tech-savvy criminals…backed up by a statutory regulator with powers to crack down on the problem and prevent these adverts appearing in the first place and which requires ad tech providers to collect and share data on scams.”

With ad spending only set to increase over the next few years (Forbes predict that marketers are expected to shell out $1 trillion in 2026) the problem is likely to get worse before it gets better.

How to Protect Your Ads From Fraud

So there we have it. A brief but comprehensive overview of what ad fraud is and how scammers make money from it. But what can you do to protect yourself against it?

In a world of digital automation, it’s easy to assume all is well without digging any deeper. So it’s important to take proactive steps in monitoring your campaign performance for signs of any suspicious activity.

Lunio can help you with that. Using cybersecurity-powered insights, we protect your ads from fake clicks across all platforms, not just Google. By eliminating click fraud, you only ever pay for clicks from real humans, not bots.

The money saved can then be automatically reinvested into your top performing channels and campaigns, giving you more conversions for the same ad spend.

The details of all fake and legitimate clicks logged as first-party data in real-time, providing useful insights into the key differences between converting and non-converting traffic.

Check out our reviews on G2 and get in touch today to find out more.