What percentage of digital ad impressions and clicks do you think is actually the work of non-human bots? Pick a number. Now double it. Double it again. You’re getting close. A recent study by Pixalate found that 19% of traffic from programmatic ads in the U.S. is fraudulent. David Raab from the CDP Institute found this number to be “optimistic.” Ad fraud historian Dr. Augustine Fou, our guest on this show, has compelling evidence that the actual number could easily be north of 50%. Why? Who benefits? Why is it hard to tamp out? Is it illegal (it isn’t!)? We explore these topics and more on this episode!
0:00:04 Announcer: Welcome to The Digital Analytics Power Hour. Tim, Michael, Moe, and the occasional guest discussing digital analytics issues of the day. Find them on Facebook at facebook.com/analyticshour, and their website analyticshour.io. And now, the Digital Analytics Power Hour.
0:00:27 Michael Helbling: Hi, everyone. Welcome to The Digital Analytics Power Hour. This is episode 123. To paraphrase Wanamaker, I know that half my online ad spend is fraudulent, but I just don’t know which half. We live in exciting times and the marketing technology and advertising ecosystems that are our home here in the field of digital analytics, well, they have a dark underbelly, an ongoing cat-and-mouse game of advertisers and those that would seek to siphon off revenue without actually trading that ad for actually a human seeing it or following industry standards. Tim, you’ve been in this field for a long time. Have you ever run across ad fraud in your career as the quintessential analyst?
0:01:15 Tim Wilson: You mean today?
0:01:17 MH: Just today?
0:01:18 TW: It’s the bane of my existence.
0:01:20 MH: Well, it’s a good thing we’re doing a show about it. What about you, Moe? Do they even have this down in Australia?
0:01:27 Moe Kiss: No. Wait till you hear my last call. It’s kind of depressing.
0:01:30 MH: Uh-oh.
0:01:31 MH: All right. Well, it seems like we’re certainly affected. And so, if that’s the true, and all of the internet was sort of like Gotham City, then our guest is ad fraud’s dark knight. Dr. Augustine Fou is an industry recognized thought leader in Digital Strategy and Integrated Marketing and former Chief Digital Officer of Omnicom’s Healthcare Consultancy group. Dr. Fou has over 20 years of management consulting experience and hands-on experience in creating and optimizing marketing across traditional and digital channels. He teaches digital and integrated marketing at both Rutgers University at NYU. He completed his PhD at MIT.
0:02:11 TW: Go Beavers!
0:02:12 MH: And he started his career with McKinsey & Company, and also served as senior vice president digital strategy lead at McCann MRM. He’s also known as the ad fraud historian, and is one of the industry’s top experts in ad fraud today, and he is our guest. Welcome to the show.
0:02:30 Dr. Augustine Fou: Thank you, Michael. Happy to be with you.
0:02:31 MH: Well, it’s great, and we’re excited to have you. So I think, to help our audience get a little better perspective of this, I’d just love to hear a little bit of your background. It sounds like you’ve got into the space. You are a marketer. You were helping companies do marketing as a practitioner, but then, you obviously cut an interest here. So I’m really curious to hear a little bit about your story.
0:02:55 DF: Yeah. I fell into the ad fraud research side of things because I’ve been a digital marketer for a very long time. And in the more recent years, since the rise of programmatic started to see strange things in the data. I always look at analytics, and as a small business owner, I have to look at analytics all day long. And with the rise of programmatic, we started seeing things like 30% click-through rates, 50% click-through rates, 0% bounce rates, and things like that. And so all of those were strange. Those don’t make sense because humans are just not that interested in your damn ad.
0:03:33 DF: But when we see those kinds of things, and I started asking around for like, “Why is this happening? Why are banner ads getting 30% click-through rates?” No one could explain why. So, started looking into the matter. And long story short, you can now start to imagine the bots clicking on ads to make it look like somebody engaged with the ad. So if you have ads that have zero clicks, the marketers would become suspicious and probably not spend more money there. But if you see nice, high or healthy click-through rates, you would say, “Oh wow, it’s working really well, so let me spend more money.” And over the years, there’s some young marketers coming out that don’t have the experience to know that click-through rates on banner ads were supposed to be in the 0.1% range, and search ads in the 1% range. When you see 30% click-through rates, something’s wrong with that. So they don’t have that common sense that something is strange ’cause that’s been the norm that they’ve been seeing. So in that sense, I fell into the fraud research because we had to build some of our own tools to start collecting the data, and then really figure out what was going on. And as it turns out, it’s basically bad guys making money off of all that ad spend that marketers are putting into digital.
0:04:54 MH: Was that when you were… Were you client side or were you at an agency when you started?
0:05:01 DF: I left my post at Omnicom in 2012, and kind of got back into my own consulting practice. And so, when I started looking at both my own data and some new client’s data, that’s when I started seeing these anomalous data points in the analytics. So it was right after I was on the agency side.
0:05:18 MH: Got it. That just doesn’t do anything to damage my assumption that agents, that media agencies are not incentivized to actually ferret out ad fraud.
0:05:29 DF: Exactly, exactly, nor are any of the middlemen. So think of the ad exchanges. They make more money when there’s more volume that passes through their exchange. So anything like ad fraud, if we discover that 50% of the volume is fraudulent, they would be making a lot less money. So some are simply looking the other way because they’ll say, “It’s not our job to look for that. It’s your job as a marketer. If you wanna waste the money, it’s your problem.” So, they’ll have that standby excuse. In other cases, they know it’s going on, but they’re deliberately not taking any action. So, all the middlemen have a motive to not only look the other way, but in some cases, deliberately let it happen.
0:06:12 MH: And does that even… That includes actually putting in tools that are like, “We’re auto detecting ad fraud to block it, but those aren’t necessarily… That they’re not necessarily investing heavily or really scrutinizing how robust that is.” I feel like I’ve had cases where they’re like, “Yeah, yeah, we’re checking for ad fraud, and we’re blocking it.” It’s like, “Yeah, but you’re checking with it at the most rudimentary level.”
0:06:36 DF: Yeah, absolutely. So, if you ask them the next question. So if you ask them a question, “Are you checking for it?” They’ll all say, “Yes, we’re checking for it,” and they’ll say, “Oh, yeah, we bought this, this, this,” fraud detection tech to check for it. But non of them actually understand how it works, or even know what to look for. So when you ask them the follow on question how… How the heck are you checking for it? They wouldn’t know what to say.
0:07:02 DF: But unfortunately, most media agency people and most marketers don’t ask that follow on question. So then everything just goes on.
0:07:11 MK: And so I understand from a client perspective, but what about from an industry perspective? I mean, how big is this problem?
0:07:20 DF: If I were to tell you how, actually how big I think it is, you wouldn’t believe me anyway.
0:07:25 DF: But should I run that by you guys?
0:07:27 MK: Yeah, try me, I’m really curious now.
0:07:30 DF: Okay, I have a pinned tweet on my Twitter account. In case you are online right now to take a look there was an increase in gap between humans using various digital things like the internet, like social media and various devices like computers, laptops, smartphones, tablets, and streaming TV, everything, right? There’s a dramatic divergence of the amount of digital ad spend, from the amount of time spent with media and that started in earnest in 2013. And so that entire gap, I kind of shaded in red, to say, that is potentially fraud. I’m not saying it is fraud, but there’s been that departure from the actual human usage. So according to Pew Internet, that’s been tracking Internet usage since the very beginning, usage of the internet usage of anything online and anything digital, plateaued at about 10 years ago, right?
0:08:30 DF: So there’s only a finite number of hours in the day, finite number of humans on Earth, and they generate a finite amount of media attention, if you will. But that doesn’t support the hockey stick growth of these ad tech companies. Right? And the VCs that fund them require this kind of hockey stick growth in order to justify the sky high valuations. And that growth is not supported by more humans using devices and spending time online, no matter how much parallel consumption you think there is. So, in years past, in the last couple of years, you look at some of the Nielsen numbers and they say, “Well, people still watch on average five hours of TV every day, and then they also spend eight hours on their phone and they spend another five hours on the internet”, when you start adding all that up, it’s more than 24 hours.
0:09:29 DF: But then they say, “Oh, oh, well, well, they actually watch TV while they use the phone. So we call that parallel consumption,” and they just basically brushed that under the rug, and say, “Oh yeah, we can account for the increase.”
0:09:40 TW: So you’re completely… You’re completely discounting the sheer joy that people find in navigating the Internet, and clicking through on banner ads and converting? I feel like…
0:09:49 DF: I’m even putting in there all the millennials.
0:09:54 DF: Literally, they are glued they might as well have a third arm holding the phone in front of their faces, 6 inches away from their face for 24 hours a day, including when they sleep. And that even that can’t account for all of the trillions upon trillions of ad impressions that were purportedly trading in digital marketing these days.
0:10:16 MH: So I was off by that half number. It’s way more than half. [chuckle]
0:10:20 DF: Yeah.
0:10:20 MH: Oh my god.
0:10:22 DF: Round number 90%.
0:10:24 MH: Oh wow.
0:10:25 DF: But I’ll show you a lot of the other details underlying that. There’s a group of publishers here in the US. Now, there’s a way to differentiate that between dollars and ad impressions. In the US, just using that as kind of a very mature market to look at, out of 100 billion spent in digital marketing, as of 2018, roughly 10 is accounted for going to publishers that we’ve heard of, Hurst, Conde, Meridith, some of these mainstream publishers that have had publications and actual media channels for many, many years. 10 billion out of the 100, go to them. The other 90 go through Google and Facebook to some other place that we collectively call the long tail sites. And some of these sites, you’ve never ever heard of. And you’ve never ever seen any other human go to. Right? In terms of dollars, it’s a 10-90 split. In terms of impression quantity, it’s more like a 1/99 split, because those mainstream publishers that have real human audiences, you look at their growth rate over time, it barely grows by 1% year over year because human audiences have plateaued and you don’t grow audiences significantly when you’re a big huge publication like that.
0:11:45 DF: So those audiences are very finite and the amount of time spent doesn’t change all that much. It’s relatively constant. So the number of impressions that those mainstream publishers can generate perhaps accounts for 1% of the total impression volume that generated in all of digital programmatic, because all of these other long tall sites, they’re generating 99% of the volume because it’s super large quantities at super low cost. You see what I’m saying? So in that sense, they can be generating the vast majority of the impression volume and most of those are on sites that you’ve never heard of and no one’s ever been to.
0:12:27 MH: Yeah, that’s definitely more than I thought. [laughter] It makes sense though, because that is absolutely what you see in the data a lot of times, is basically what you just described. And it’s always sort of like this assumption that, yeah, so those are just like, Yeah these websites are signed up through Google’s program or somebody else’s program, so they must have some quality standards that they’re hitting right, to be approved to be in these programs.
0:13:00 DF: Yeah.
0:13:00 MH: But it sounds like maybe that’s not really the case.
0:13:02 DF: Absolutely. So you think about AppNexus, that’s one well publicly documented case. So in 2015, they did a cleanup of their inventory and basically, they took the total number of impressions from 260 billion down to 20 billion per month. That’s a 92% decrease. So, what ad tech company would voluntarily chop off 92% of their own impression volume unless they had to? Because otherwise, they would get found out and they would go out of business, right?
0:13:35 MH: Right.
0:13:35 DF: So in that particular case, that was a 92% decrease, not a 9% decrease, not a 19% decrease. They chopped off 92% of their own inventory because it was so obvious, that it was fraudulent. So when AppNexus first started, in their effort to grow, they let everybody in. Anyone could go sign up for an account, put some ad tech on their site and start running ads. And so, that’s what allowed this kind of wild west to happen. And then similarly, with Google, we don’t know for sure, when and how strictly they enforce their policies, but we know in terms of the Google Play Store, they didn’t even scan the code for malware, until about three years ago. So, in that sense, all of these apps are uploaded to the Play Store, because again, Play Store was trying to catch up to iTunes, right? So they let every app developer put stuff in there, and so they didn’t even bother to scan the code for malware and other bad stuff. Adware and so and so forth, until very recently.
0:14:39 DF: And even when they started scanning the code for malware, the bad guys would simply get one version of the app approved and then side load some malware and Adware in it later. Right, so, a lot of those things, bad guys are just laughing at all the efforts of, supposedly the good guys, in terms of, “Oh, yeah, we clean up ad fraud.”
0:15:00 MH: Yeah.
0:15:00 DF: You’re not catching most of it.
0:15:01 MK: Sorry, can I just ask? Believe it or not, I was on holidays a couple months back and we were talking about ad fraud. I hang out with a bunch of weird people. And the one thing I think that a lot of people in the group that didn’t work in data and marketing, couldn’t understand, was how do the fraudsters actually get money out of it?
0:15:20 DF: Okay.
0:15:21 MK: So, do you mind like, for the lay person, how exactly does it get monetized?
0:15:27 DF: Yes, very easy. Think about it in layers. Okay, so I’ll start with probably the simplest concept that most people think of. It’s like the hacker that makes a bot net and things like that. So, you’ve probably heard of the term DDOS, distributed denial-of-service attacks. And those attacks have been happening over the years, where they simply overwhelm a site with so much traffic that the site can’t come up anymore. So there are techniques using bot nets of various kinds, right? Think of a whole bunch of computers, compromised with malware, or laptops or now, smartphones. There’s 10 times more smartphones than there are computers. And furthermore, the smartphones are left on 24/7, as opposed to computers or laptops, which you turn off at night.
0:16:17 DF: So when you have all these smartphones that can be remotely controlled by a bot master, you can now have millions and millions of devices that do certain things. So you could say, go hit this one website with so much traffic that it can’t come up anymore or you can point that traffic firehose to a site that has ad tech on it. So when there’s ad tech on it, it will start showing ads every time you load the webpage. And so, that’s how the early bots started to make money, by generating ad fraud. All they had to do was cause the page to load and then all these ads would load. And think about sticking five ads on the page or 10 ads on the page. Or if you’re really unscrupulous, 1500 ads on the page. So on and so forth, right?
0:17:06 DF: So, in that sense, the bot maker maintains a bot net that gets paid for the traffic that it sends to certain sites. And then there’s a next layer on top of that, that’s all these websites. So think about, you’re not a Hurst, you’re not a Conde Nast, or Meredith or these major publications that have sites and magazines and so on and so forth. You just started a site and you have no traffic, because no one’s ever heard of your site. If you’re greedy, do you actually wait for the traffic to come to your site, or do you start buying traffic? Because literally if you google, “Buy valid traffic,” or “Buy human traffic”, there are thousands and thousands of people willing to sell you traffic. So those are, think of them as…
0:17:53 MH: Wait, are we talking about human trafficking? No. Sorry, I had to… Sorry.
0:17:57 DF: It is related. I won’t go there for now on this podcast…
0:18:01 MK: Oh wow.
0:18:01 DF: But it is definitely related. How do you think those porn sites are monetized? The users that go there don’t pay for that.
0:18:07 MH: Wow.
0:18:08 DF: They’re monetized via digital ads that you don’t see. So, there’s a whole bunch of ad BS going on and think about all the piracy sites, so, web 1.0, web 2.0, that use pirated content to attract a human audience that they then monetized by doing digital advertising. So the humans didn’t pay for the pirated music or the pirated movies, so there’s some other way those sites are monetizing.
0:18:31 MK: Oh, wow.
0:18:31 DF: But kind of tying this back to the ad fraud, those sites have no traffic. So, they would just go out and buy all their traffic. And it’s a very simple arbitrage, right? If you buy your traffic for $1 and you sell your ads for $2, you’ve just made 100% profit. Pure profit. And there’s many, many variations. Sometimes you buy the traffic for a dollar, you can sell your ads for $10. Now you’ve made a 9 X markup. So some of my studies in that 2018, q2 ad fraud deck, you can see 25 X return. 42 X return. That’s not 42%, that’s 4200% return, for every dollar you spend in digital ad fraud. So why wouldn’t you spend the next dollar, to then make $42?
0:19:23 DF: Alright, so it’s a highly lucrative thing. And so, just to complete the picture, the bot makers will make the bots and they will say, “Whoever wants traffic, just buy X amount of traffic from me for a certain CPM.” Then, there’s all these traffic brokers in between that basically buy and resell. So, they buy low and sell high; it’s very simple arbitrage. And then, there’s these fake websites that have no traffic, they have to buy all of that, and when they buy the traffic, they have inventory. So, they’ll know, “Every month I’m gonna have this many ad impressions to sell into the exchanges.” And so, the exchanges love them because they provide the inventory that all their customers buy. And so, the media agencies go out and buy from these exchanges in large quantities and the marketers pay the media agencies the media budgets to go spend. So, the marketers and the media agencies are not paying the bot masters directly, they’re just paying to the exchanges, and the exchanges are benefiting from all of these fake sites that generate enormous volumes that the exchange also makes money from, because they get a cut of every media dollar that’s spent on their exchange.
0:20:39 TW: So now, it is kind of the infuriating part for me, that one of those layers being the… So, there are some over bad actors who are literally saying, “Through these layers, through just arbitrage of a marketplace, we can generate and sell stuff that’s not real.” But the layer of the media agencies, and there’s just no way it looks good. They’re either wilfully sticking their heads in the sand or they’re just clueless. And maybe this goes to my… I’ve only relatively recently worked at an organization where we have media buying as part of our offering. But historically, I was always in a case where I was just furious. I would watch an agency media that was slowly ramping up the spend on mobile, ’cause they were saying, “Hey, we’re getting a much better rate and we’ve got plenty of inventory for this mobile traffic,” which is, you’re talking about… I hadn’t thought about the fact that phones, you get into that, you make a botnet out of phones, and that traffic would have 99% bounce rate. It was a shitty… Might even be a shitty site experience. And I’m looking at the traffic and I just couldn’t even get an audience because no one wanted to even acknowledge it. And I don’t know if they didn’t want to acknowledge it or they knew they couldn’t fix it. But it’s infuriating either way.
0:22:12 DF: Yeah, so the agencies get paid based on the dollar spent, or even if the marketer were strong enough to negotiate that away, the media agency still makes more when more money gets spent with them. And so, then they go out to these exchanges and say, “How much inventory do you have to sell me?” And so, if they don’t have enough, they’ll go to the next exchange and try to get as much volume as possible, because ultimately, they have to fulfill the media plan. The client, the marketer, tells them, “Go out and get me 100 billion ad impressions.” Most real places don’t have 100 billion ad impressions ready to sell, but… And the exchange will say, “Oh, don’t worry, we’ll get it for you.” Now, what happens if they’ve contracted for that? They said, “Yes, we guarantee you we will sell you 100 billion impressions,” and when three quarters of the time period is done and they’re only at half the impressions? If they don’t fulfill that, they’re gonna be in breach of contract. So, we’ve created these situations where these media agencies then desperately go out and say, “Who has volume? Who has inventory? I want any inventory at whatever you wanna charge me.”
0:23:23 DF: And so, then they go out. And so, all of these sites, again, they don’t have the traffic, because you don’t know ahead of time how many people will actually come to your site and look at web pages. That’s not reliable. What is reliable is buying traffic from a botnet. You can tell it exactly, “I need 100 billion ad impressions,” or “I need so much traffic to generate 100 billion impressions,” and that is perfectly reliable. You know exactly how much you’re gonna pay and you know exactly that the botnet will deliver what you paid for. So, we’ve created this ecosystem where multiple parties will be in situations where, if they fail to deliver, they will be in breach of contract. Therefore, they’re incentivized to go out and find this fake traffic. Now, why wouldn’t people know that it’s fake traffic? Because we now conveniently have fraud detection tech companies whose job is not to detect the fraud, but their job is to actually tell the buyers, “Oh yeah, we didn’t detect any IVTs, so therefore, everything’s fine, therefore keep buying.”
0:24:29 DF: Their job is to make everyone feel comfortable to keep buying.
0:24:32 TW: I feel like they took a… Some of the people who got fired by Moody’s and Standard & Poor’s kinda just moved over and said, “We know how to play this game.”
0:24:41 DF: Yes, exactly. It is literally everything that led up to the 2008 financial crisis, it’s being played out to probably 10 to 100 times the scale in digital, because it’s all virtual. And there’s not even any financial regulations to put some boundary conditions around it.
0:25:01 TW: Well, adding to your layers one more level, I’ve got a theory, ’cause I’ve witnessed it a couple of times, but you’ve got a much broader exposure. It seems like even when you get in-house, even if a media agency said, “Look, sorry, we can’t get you that quality inventory. We know that you had $200,000 you wanted to spend on this audience. We don’t have it and the best thing we can do is say We didn’t hit it.” But then, on the client-side, although they should be incentivized to deliver results from the media depending on if they’re CPG or FMCG, they would have to say, “Oh, we didn’t spend some of our budget, which is gonna look bad for us at the end of our fiscal year and it’s gonna hurt us.” So, even the marketers, the advertisers are sometimes perversely incentivized to allow junk traffic to be bought?
0:25:56 DF: Yes, or to deliberately buy the junk traffic. Because if you’ve noticed on LinkedIn, certain CMOs or certain VPs of marketing and whatever, have as their badge of honor on their LinkedIn page, the amount of budget that they’ve been given to spend. So that is their badge of honor, and they’ll say, “Oh, yeah. Well, I’m in charge of $30 million of spending in digital.” So they will have to spend it all. If they don’t spend it all, they risk losing some of it, right? They won’t have as much to spend next year, so they will find every means to spend it and also find the means to make sure everything looks right. So they will buy those fraud detection reports that specifically say, “There’s no fraud, don’t worry about it.” Alright, so that provides them air cover, so that they can continue buying that. Even if some boy scout showed them the data that, “This is all fraudulent, you know that, right?” They’ll say, “Don’t tell anyone. We wanna keep buying.”
0:26:55 DF: Because if they found out that it was fraudulent, they would have less to buy, and they would actually have to redo the media plan and come up with new things to buy, and that means they have to work for it. So yes, there are many perverse incentives even for the marketers, right? So if a marketer spent 60 million last year in digital display ads, and now we find out after the campaign is over that there was fraud. I’m not even talking 90% fraud or 50% fraud. If we found out that it was 10% fraud, it’s still embarrassing. They don’t wanna tell their bosses, “Oh, well, I just spent 60 million last year, and 10% of that is fraudulent.” They’ll do everything they can to cover that up. So Ad front, I’ve said this before, Ad front is not a tech problem, it’s an incentives problem, and that goes all the way up to the marketer themselves, the parties that are spending them, the dollars.
0:27:45 MK: So I guess I keep listening to this, one, being completely terrified but also wondering who the hell’s responsibility is it then to figure out, and, I don’t wanna say police it, but uncover it for the company and communicate that. And for God’s sake, if you say it’s the analyst, I’m just gonna throw my hands in the air, ’cause we’ve already got enough bad news to deliver.
0:28:04 TW: I mean, I’ve been the analyst trying to deliver that, so I feel like I’ve sort of lived through it, and it’s exhausting, because you’re literally delivering some of the most objective bad news and opportunity to save money, but nobody wants to hear it.
0:28:17 DF: Correct. So basically, if they save that dollar, that dollar would flow right to their bottomline. So think about any FMCG or consumer packaged goods company, if they spend the dollars, so say a P&G, they spent two billion in digital marketing, right? And you saw the news last year where they cut 200 million from their $2 billion digital budget, and they saw no change in business outcomes, right? If they just save that, and they did in that particular case, that 200 million goes straight to their bottomline. And thinking about that entire industry category, they’re struggling with such low margins that if you had a $200 million drop straight down to your profit line, that would significantly move your profit margins rather than spend it on digital marketing where they can’t generate or document any kind of outcome.
0:29:13 DF: And there was a recent study I tweeted within the last week or so that there’s another larger study that showed, and this was interview, so I wouldn’t put too much weight on it, but marketers, like more than half of them, said digital marketing, especially programmatic display and all that kind of stuff, didn’t generate any noticeable business outcomes, and that was being kind. It was a complete waste of money, but they put it in the sense that it didn’t generate any noticeable business outcomes. Of course, you didn’t notice anything, because it didn’t do anything.
0:29:44 DF: So a lot of this is actually a game of big numbers. Marketers love big numbers. “Oh, yeah, my agency just bought me 10% more inventory at 20% lower cost.” How the heck do you think they did that? By mixing in a bunch of low cost inventory that they bought from crap exchanges.
0:30:03 TW: But there have been some exec like… Like last year, I think P&G did, and they come out into kind of a senior executive level, and I wanna say a few years ago like Kraft although I think… I can’t remember if it was the CMO or the CEO like they’re…
0:30:16 DF: Yes.
0:30:17 TW: Does that work when a senior exec…
0:30:19 DF: No.
0:30:19 TW: No? Okay. [chuckle]
0:30:21 DF: It’s PR for themselves.
0:30:22 MK: Alright, sorry. Wait, can you tell the whole story, getting the caption.
0:30:27 DF: Yes. Basically, I give no credit to Marc Pritchard even though he’s been quoted by every single publication as the white knight, as the guy who is bringing transparency. He has done no follow-on work and has not actually reduced ad fraud in the slightest. He doesn’t even understand it. So I give zero credit to those talking heads that are there to go to Cannes and get invited to paid speaking gigs to get more PR for themselves. They have done nothing for Ad Fraud. And in fact, he pointed people in the wrong direction, because he accidentally said, “Oh, you have to be TAG certified in 2016.” And in 2016, TAG, which stands for Trustworthy Accountability Group, wasn’t even formed completely. It was still concept stage.
0:31:20 DF: They had to rush to finish their documentation, so that they would have something to sell people. And basically, again, all of their certifications are self-declared, right? So a bad guy will fill out some form, pay the fee, and say, “I’m clean, trust me.” Okay, I don’t know if anyone thinks that that kind of certification works, but when Marc Pritchard said, “Oh, all the vendors must be TAG certified.” Everyone had to go pay that toll, and it was a toll that was completely not worth it, because the good publishers were clean to begin with not because they were TAG certified. The good publishers didn’t have a big bot problem, and I can explain that separately later, but they had to pay the toll to get TAG certified even though that didn’t do anything.
0:32:06 DF: And TAG certification basically allowed bad guys to now operate in broad daylight, because they also paid the $10,000 fee and now everyone thought they were TAG certified [laughter] So they’ve got to be clean, right? So then, they could sell to everybody. So, in fact, it has created the exact opposite effect. It’s enabled more fraud to happen, as opposed to put a dent in the fraud. And so, that’s why I don’t give credit to these talking heads CMOs that don’t actually understand the problem.
0:32:35 MK: So, what can we do about it within the business and particularly… I’m a little bit scared now. I suppose, what are the solutions? Because it sounds like a lot of the tech that’s being developed also doesn’t have a good reputation. So, I guess, internally, it’s hard to communicate, but does every company now need some kind of fraud team? Is that how you combat it? Or is it…
0:32:57 DF: No, you just need people like you and me, analysts who look at the analytics. And let me be more specific so it doesn’t sound trivial. Basically, if you look at your own analytics, say you just Google Analytics or Omniture, or whatever, and you knew what to look for and where to look for it, you’d be able to find the fraud yourself without using any specialized technology. And let me use a very simple example. If you’re tracking, say, traffic to your site and a lot of the traffic, 90% of your traffic hits between midnight and 1:00 AM, something’s wrong with that. And even if it’s not coming from ad fraud, that’s still not optimal, because unless there’s a specific reason for your customers to come to your site between midnight and 1:00 AM and not during normal waking hours, normal business hours, something’s strange with that. So, even if it’s not fraud, it’s still probably not optimal for your business.
0:33:55 DF: And then we see other things like 100% balance rates or 0% balance rates, or extremely high time on site, or things… I published some of these things over the years, but if you see 10 websites have the exact same time on site, meaning they send visitors that spend exactly two minutes and two seconds each across all 10 referring sites, something is wrong with that. That doesn’t happen naturally, ’cause humans can’t coordinate their behavior to all behave in the same way. So, that is indicative of something other than humans. Whether you wanna think of that as a botnet or fraud or whatever, that’s probably not something you wanna keep paying for. So, simple things like that, and that’s what I mean by analysts, people like you and me who look at the data all day long, we can find the fraud and help the clients. And then, it’s really… It’s a game of finding out which clients actually care to hear what we have to say.
0:34:53 MH: All right. Well, we need to take a little bit of time to pay the bills. And this is our multitouch moment. Hey, Josh have you heard of this new tool, Faceplant Analytics?
0:35:04 Josh Crowhurst: I think I have.
0:35:06 MH: It’s amazing. Okay, so think about all the data that you’re generating in social media. So much data, and so many metrics that you’ve never collected before that mean so much to your business today. The best part about it is, it’s gonna analyze all that data, put it all together, and then constantly change the numbers historically, so that you never know how to baseline those metrics. And of course, all the metrics are built on random indices that sound really good, but are completely undefined, like enthusiasm index and virality and virility. It’s got some really great features.
0:35:41 JC: Oh, yeah, yeah. I heard it has this other feature too, an automated intern, where if you’re losing your intern for back to school season, well, they’ve got you covered with the automated intern. Just feed your monthly report into their AI model and the automated intern will automatically round random digit numbers in the wrong direction.
0:36:02 MH: See? That’s the power of machine learning and AI today. Is there anything these guys haven’t thought of? And I’ve heard they have a great white labeling capability for agencies, and it’s only 3.99 a month.
0:36:12 JC: That’s amazing.
0:36:13 MH: Awesome. All right, and we have another sponsor for the show. We’ve all been asked over the years hundreds, maybe thousands of times, what kind of bounce rate should I be getting for my website? Oh, now we’ve got a way to answer that question: Whatisagoodbouncerate.com. Josh, this service is amazing. It lets you just enter your website and it tells you exactly what your bounce rate should be using science and algorithms to actually figure this out. The answer is now super clear. Isn’t that great?
0:36:45 JC: That is phenomenal.
0:36:46 MH: Yeah. And I hear they’re the same folks behind a couple other sites I’m sure you’ve heard of before too, which is whatisagoodtimeonsite.com, whatothersiteshavemyvisitorsvisited.com.
0:36:57 JC: Whoismyleastpopularvisitor.net.
0:37:00 MH: Yup, that one. And whatistheexitrateformyvisitors.com, I think is one of theirs too. So yeah, you definitely gotta check it out, whatisagoodbouncerate.com. It’s just amazing, what’s happening at our industry right now. All right, well, let’s get back to the show.
0:37:18 TW: So, two follow-ons. One, if we’re buying media on a cost per acquisition, I assume that it’s a lot harder, it’s a lot more not worth it for an organization to try to botnet, add fraud around cost per acquisition.
0:37:38 DF: No.
0:37:39 TW: No?
0:37:39 DF: No. No, never assume. Never assume. The only assumption you should make is that bad guys are trying to steal your money at all times. Okay. So that is the only assumption you should ever make. The assumption that, “Oh, cost per acquisition is immune.” That’s what a lot of marketers, including the DMA, Direct Marketing Association, told me not that many years ago. They said, “Most of the marketers believe that ad fraud doesn’t affect them because they already optimized a CPA.” But let me give me a couple of examples. You’ve heard of affiliate fraud, right?
0:38:10 TW: Yeah.
0:38:11 DF: Back in 2013, the two eBay super affiliates. Both of the largest eBay affiliates super affiliates, were both committing fraud. That’s how they became super affiliates because they were cookie stuffing in order to get paid for a portion of the sales that they didn’t actually earn through their hard work right? They earned that by cheating, so both of their top super affiliates were caught cheating and fined and whatever, whatever. So the same thing happens. In this case, I use the mobile example. So, Uber, right now, referring to the second lawsuit that was recently disclosed, they’re now suing the exchanges for sending them bogus app installs. So you would think a marketer like Uber, they’re not paying for the impressions, they’re not paying for the clicks, they’re only paying when they get the install. Right? That’s the cost per acquisition cost per install cost for action, whatever you wanna call that. You think that’s already optimized, but if you’re paying on that thing, the bots will take that specific thing. Right?
0:39:15 DF: So every time you get an install, the bots get paid, so now they set up fake mobile devices, install your app, get paid the $5 bounty, uninstall it, and then install it another time, get paid another $5 bounty, and keep doing that over and over again. So that’s what I mean by don’t assume.
0:39:34 TW: Is that having to skip They were… That was, it was Densu, one of the Densu…
0:39:40 DF: Yeah.
0:39:40 TW: So did that just skip a couple of levels, there were unintentional bad actors in between Uber’s pocket book and the app install. I’m still a little fuzzy on how the bot got the…
0:39:53 DF: Yeah, so the agencies that Uber paid. Basically, Uber told them get as many installs as possible ’cause we just need to show growth in user numbers. App installed and all that kind of stuff. So there were feedback to Uber to say, “this is probably not real installs”, but then they said, “Shut up, just keep buying them. We just need the numbers.” And so, Uber’s not without fault, themselves, but these agencies will then say, “Oh well, we use Tune, we use all these fraud detection tech companies and they say that everything’s fine. So let’s keep buying.” Right? So then they have the next guy to kick the can down the road and say, “Oh well, it’s his fault. They didn’t tell me it was fraudulent” right? And now from the Uber lawsuit, you can see that in the LinkedIn post that I wrote up. The significance of the second Uber lawsuit.
0:40:43 DF: The significance was that Uber themselves, their own analysts looked at some of the reports that were given to them. And common sense told them it didn’t make any sense. That’s how they found the fraud. They found it themselves, even though Tune told them everything was fine. And as it turns out, the attribution company, Tune, was being tricked by the bad guys. Right? So they would basically send in, essentially, a click. They would do click flooding and all that kind of stuff, to claim credit for an app install. So in the case of Uber, it’s simpler to explain.
0:41:18 DF: If you wanted Uber, and you heard about it from your friend, you probably go to the Google play store and just download it, install it yourself. That’s called an organic install. Right? The human just installed it without clicking an ad. But what the bad guys are doing, just like the eBay super affiliates, they were stealing credit for the organic install and claiming that it was a paid install. They said, “Oh yeah, I drove that install” when, no, you didn’t drive that install. It was organic. The user installed because they wanted to. So when they do click flooding, all they’re doing is they’re sending in these fake URLs that trick the attribution provider, Tune, and they say, “Oh well, this source drove that install, therefore, you pay them the bounty.” So, in that sense, the attribution was easily tricked. And there’s also cases where you would say, “Oh well, bots don’t buy things, right?” That would be assumption that you should not make.
0:42:18 DF: So in this case, bots actually don’t spend the money but what if you can actually send in an attribution URL that says “This item was purchased for this amount on this date, by this user”? And you just send them the complete information so that gets logged into the system that tracks your orders. The ordered didn’t occur, but because the bots know exactly how to send in the right variables. They got paid the bounty anyway. You understand what I’m saying?
0:42:45 TW: Yeah, so here’s… Okay. One more… One that I feel like I’ve heard and I kinda wonder how you respond when you get told this. So I, as a digital analyst, can find not even at a macro level, that fraud is happening, but I can isolate traffic that is, say, this specific traffic is at fraud. I can even set up some sorts of rules to say, for a short period of time, can identify fraudulent traffic, let’s optimize to the real traffic and immediately, we’ll run into, no, no, no, the magic of programmatic, your system, you’re looking in Google Analytics or Adobe Analytics, that doesn’t close the loop into our ad tech which really needs pixels firing. We can’t use what you, the analyst, is able to find, identify fraud, because that doesn’t close the loop to our system.
0:43:41 DF: Yeah, I know. They’ll just make up whatever excuse. It doesn’t even have to make sense, right? They will make up any excuse to then shoot you down so that the client will keep buying from them. Agency people would do this, fraud detection companies will do this. We tell them, “We just found a whole bunch of fraud that you didn’t catch.” They’ll say, “Oh well, it must be some anomaly in your site. Ours is right, ’cause we’re MRC accredited.” So they will find every excuse, realistic or not, to shoot you down and to protect the status quo. And they trade bodies, and the standards body, the IAB MRC, every one of those trade bodies, is actually not helping the situation because they’re actually helping all the existing players protect the status quo. That’s their job. It’s not to actually detect fraud and find it and help you solve.
0:44:31 MH: Alright. We’re almost having to wrap up, but I’ve got another question that I think might be interesting to talk about, and that is around legality, because we’re talking about ad fraud, and certainly, there’s people that inserting themselves into a process they have no part of. But what is legal and what is not legal? ‘Cause it seems to me like if you’re a credit card company, the FBI gets involved to bust up credit card rings and stuff like that, that are doing stuff fraudulently, but what is the legal line for people in this space?
0:45:03 DF: There is none. So there’s no law against ad fraud, therefore, people operate with full impunity. They will operate in broad daylight. They don’t fear getting caught. They don’t fear getting called out. When one company is shut down by an exchange, they basically rename all their websites, and rename the company and just keep going. So there is no law against at fraud, and you might have heard the FBI staying at the end of 2018. They arrested eight Russian nationals, not on ad fraud, but on computer crimes because in that particular case, those criminals planted malware on people’s devices and used that malware to load ads in the background. So, they were not arrested for ad fraud. They were arrested for computer crimes, which included intrusion, tampering with systems, and things like that.
0:45:55 TW: Wait, Russians tampering with computers, that’s fake news.
0:46:00 DF: Yeah.
0:46:01 TW: We’ll just cut this out. We’re a serious journalistic enterprise here.
0:46:06 DF: Yeah. [laughter]
0:46:08 MH: No. See, and… I think that’s the point that a lot of people miss ’cause I think a lot of people assume this is all illegal, but it’s not.
0:46:16 DF: Not even close, yeah.
0:46:18 MH: Yeah.
0:46:18 DF: And you’d have to interpret other laws to apply to this, right? So basically, this is a great example of an industry and technology that’s far ahead of the laws, right? And so, you’d have to interpret computer crimes laws to apply to some of this, right? And that’s assuming the bad guys use malware to do the fraud. If you’re actually making a million bots in an AWS, right? Amazon Web Services data center, you’re a legitimate paying customer. Amazon won’t even shut you down, right? You paid to use their servers, and your use case was generating some bots that went and loaded some web pages. You’re a legitimate paying customer, so they want you, and they’re not gonna look into them. And then the other part of it would be trying to interpret wire fraud laws or mail fraud laws, right? Mail fraud would be if you wrote down something like you’re gonna deliver ads to humans, and you didn’t do that. That’s wire fraud.
0:47:12 MH: Right.
0:47:13 DF: But in this case, the perpetrators are very clever. They will say, “Oh yeah, we’re selling you traffic.” And if the buyer was dumb enough to buy the traffic, they never said it was human traffic. They just said traffic, right? You just wanted something or whatever to load your web pages, right? And that’s what you bought, so you still can’t sue the bad guy.
0:47:34 TW: It’s always fun to get the mail fraud where they will be like a law from 1892, where you’re like, “Well, my pea packet is really the same as the saddle bag on the pony express.” And if you interpret it that way, it makes for good court arguments.
0:47:46 MH: It sounds like, frankly, the best way is through maybe the IRS. Maybe there’s a bunch of undeclared revenue going through this stuff or something.
0:47:53 DF: There is, but it really is up to the government and Attorneys Generals to subpoena financial records, and then you’ll actually see where the heck the money went. So, conspiracy theory is that this is so lucrative. In the US, 100 billion is spend in digital. Worldwide, it’s 330 billion. So with all this money, and it’s $330 billion every single year. It’s not just one time, right? Every single year, there’s another pot of $330 billion to take from. So, do you think organized crime is not taking from that pot?
0:48:26 DF: Right? And all of this money is not funding terrorism, and other bad shit?
0:48:30 MH: Yeah, exactly.
0:48:31 TW: Wow.
0:48:32 MH: I’m in the entrepreneurial side of me is really having a problem with like, “Well, I guess we should all start ad fraud link, kids.”
0:48:41 DF: Yeah.
0:48:42 MH: Now, I’m like, “Geez.”
0:48:44 TW: That’s good.
0:48:44 MH: I know how to make those URLS. I know how to send a flood light tag with the bunch of false data in it. That would be really easy.
0:48:51 TW: And I would say now The Digital Analytics Power Hour is gonna shift its focus from this episode forward into that how to site, how to…
0:49:00 MH: Well, we need to wrap up, but the scale and the numbers you’re talking about are obviously well beyond lucrative. And there are people that are definitely funding all kinds of crazy things. And it seems like, yeah, we’re sitting on a pretty big societal problem actually, that’s hiding under the covers of our day-to-day Internet.
0:49:18 DF: Yeah. So if we tie this to societal problems, the dollars that are being siphoned off by the bad guys, right? Whoever those bad guys are that’s facilitated by the media agencies, and all the middle man, and made automated by programmatic. Programmatic has just helped the bad guys automate the fraud. So, they don’t literally have to go, take out a gun, and rob a bank, right? They can sit in front of their computers from the comfort of their home and just rip off billions of dollars. It’s helped them scale and automate the fraud to a point where, now, these dollars are being siphoned off to some other third party, and it’s not going to legitimate publishers, like some of the news organizations. So when the news organizations and these big publications are struggling to survive because they can’t make enough ad revenue, right? ‘Cause these are free sites that show news, and they depend on ad revenue.
0:50:12 MH: Right.
0:50:13 DF: And they can’t make enough ad revenue, they can’t pay their journalist. That’s why we’re now seeing a decline in news and decline in real journalism, and that vacuum is being filled by fake news, and because no one is there to actually fact check anything. Right now, we’re relying on the community fact check. So, these things have real world societal implications, right? We are now being bombarded with a lot of fake news because there’s sites like abcnew.com, right? Abcnew.com, and if you don’t look closely, that’s not abcnews.com, that’s a fake site that’s pretending to be a news site that’s obligating fake news. And so, all of that is the… What I would call it the ripple effects that’s pervading society now. The fake news phenomena that everyone’s heard of, it’s actually causing harm to society, right? And that would not be an overstatement that ad fraud is tied to organized crime and societal harm.
0:51:15 MH: Well, on that bright note, we’ve gotta start to wrap.
0:51:21 MH: Hey everybody listening, sleep well tonight. We do need to wrap up. This is amazing and, Augustine, thank you so much for coming on the show and bringing this to light. I think this kind of information is of extreme value to our listeners, so I really appreciate that.
0:51:39 DF: Thank you.
0:51:40 MH: One thing we love to do on the show is go around the horn and do a last call. Something we’ve run into, or we found interesting in the last couple of weeks. Dr. Fou, you’re our guest. Do you have a last call you wanna share?
0:51:51 DF: Yes, I think the message I wanna leave with all your listeners is they can do it themselves. Solving ad fraud is not as hard as most people think. If they actually wanted to solve it, they would basically pay attention to their own analytics. And don’t assume that someone else took care of that for you. Especially if you’re the marketer, get yourself trained on how to look at analytics or ask people like you and me for help. And look for tell-tale signs of fraud, and it’s very simple. These things just don’t make common sense. You should be able to pick that out from your own analytics and then take some action yourself. You don’t need super advanced technology to detect the fraud because just know that the bad guys have more advanced technology at all times. So you should just look for tell-tale signs in your own Analytics and you can put a big dent into ad fraud yourself.
0:52:46 MH: Nice, that’s awesome. What about you Mo, what’s your last call?
0:52:50 MK: It’s actually on that exact same topic. So this is the third time now that I’ve adopted a Google Analytics Premium implementation, which has just kind of been sit to left and fester. And then get the really fun job of… No one uses this but we should fix it. And stupidly, this is a very gentle reminder to those out there, ’cause I kind of, I didn’t actually think about this until the other day. Someone was talking about which cities in the US had the highest traffic, and so I was like, “Oh I’m just gonna go quickly check that and just make sure that the order is correct, that we were discussing.” And then, of course, I saw a old freaking Boardman Oregon, which is like the bot factory from hell. And there is a very…
0:53:34 DF: It’s an AWS data center.
0:53:36 MK: Yeah, oh yeah. And there’s a very quick fix to filter it out of Google Analytics. And I should have checked it straight away, when I started, and I just didn’t. And of course, I was kicking myself because it inflates the heck out of your numbers. So this is just a gentle reminder to everyone out there. If you haven’t checked your Analytics account by region, or by city, I really recommend it.
0:53:58 TW: You should probably check the exclude bots, check bots, too, just as like the first cut.
0:54:04 MK: Oh yeah but, who hasn’t clicked that?
0:54:07 TW: I just threw it in there. So now, somebody’s gonna be like, “Oh shit, did I not?” [chuckle]
0:54:11 MK: Yeah. Okay. Good point. But also, I really enjoyed, Dr. Fou, your slides from the State of Digital Ad Fraud in Q2 of 2018. Just because it also shares a lot about them, like you have a lot of numbers in there about how big the problem is. So if anyone wants to do a little bit more further rating, we’ll share the link to those slides ’cause they were, that presentation looked really fantastic.
0:54:33 MH: Alright. Okay, and what about you, Tim?
0:54:37 TW: So I’m gonna continue the progression, so we’ll stick with Google and we’ll stick with critical thinking. And our hero, Cassie Kozyrkov, who wrote Your Data Set Is A Giant Inkblot Test, back in middle of July, I don’t know if you guys caught that on Medium. Basically, Cassie, who every time she writes something, I worship her just that much more. But it’s basically a whole post that goes through, well, one, it has apophenia, is like a word that she defines.
0:55:09 MH: Nobody knows what that means Tim.
0:55:11 TW: Exactly. So now, they should go. It’s our tendency to try to find patterns in things. So it is a delightful article that basically it hits on confirmation bias, it hits on, has lots of examples and it’s just kind of Cassie who is running massive data science things and saying we need human beings who are critical thinking and are self-aware, and it’s amazing. And then as my twofer, to build on that, I’m also gonna throw in something that Matthias Bettag, past guest on the show, co-organizer of the DA Hub, posted on the LinkedIn. It’s from a couple of years ago, but it’s the site callingbullshit.org. You guys seen this?
0:55:53 TW: It’s a couple of professors at the University of Washington who basically put together an entire class and then they’ve put all their lectures and other case studies and stuff online. A lot of it is kind of around being data visualization and critical thinking, but it’s just kind of a host of things that say, “Don’t take anything at face value. Learn how to look at the numbers and call bullshit,” and different kind of techniques for doing that. But the site is a very easy thing to just poke around and kinda consume a little small video or two or read a case study. So, it’s all in the same vein of lies analyzed in analytics. So can you continue the theme?
0:56:40 MH: Yeah. I feel compelled now to just keep going. So actually, there’s been some talk on Twitter and online about this concept called dark patterns. And so that’s when a company uses their own persuasive techniques to fool you, into doing stuff you wouldn’t normally do. So not the ads, but the websites themselves. And so, there’s actually a really great website that kinda lays some of this out, and there’s a lot of research being done. A lot of it being led by a couple of professors of Princeton, of course, their names are escaping me, but, darkpatterns.org is a great starting place. And then there is some academic paper that was just released. We’ll find a link to that as well. So be on the look-out for dark patterns.
0:57:25 MH: It looks like the web is back to not being a safe place. So there’s one place, and I know you’re probably listening to this and being like, “Where can we huddle for warmth and keep each other safe from all of that stuff?” And the answer is the Measure Chat Slack group. That’s where we all hang out. We’d love to hear from you, we’d love to hear your reaction to the show, some questions. You could also follow Dr. Fou on Twitter, @acfou. And he posts a lot of really great information and new research and things like that, and everything that’s happening in this space on a regular basis. So a great follow on Twitter, just for your own informational purposes. Dr. Fou, thank you so much for coming on the show. It’s been a delight having you.
0:58:11 DF: Thank you.
0:58:11 MH: Yeah, this has been really astounding. Honestly, it’s hard to sort of wrap your arms around it. And then you sort of like… I think I need to go hide for the rest of the week and just contemplate a different career. But, hang in there, everybody. [laughter] Just ’cause there’s no law against it, eventually, we’ll get this whole internet thing worked out. And it’s just the wild wild west right now. But yeah, we would love to hear from you. Reach out to us. Also wanna throw a shout out to our producer, Josh Crowhurst, who was in no way involved with any ad fraud, he assures us. And no, I’m just kidding. And I mean, if he’s not, he should be. It’s free money. It’s free money, Josh, what are you doing? No, I’m kidding. He is not. Anyways, so no matter how dark it gets out there, everybody, I’m sure I speak for my two co-hosts, Tim Wilson and Moe Kiss, when I tell you keep analyzing.
0:59:12 Announcer: Thanks for listening and don’t forget to join the conversation on Facebook, Twitter, or Measure Slack Group. We welcome your comments and questions. Visit us on the web at analyticshour.io Facebook.com/analyticshour, or @analyticshour on twitter.
0:59:32 Charles Barkley: So smart guys want to fit in, so they’ve made up a term called analytic. Analytics don’t work.
0:59:40 S9: Analytics, oh my god, what the fuck does that even mean? .
0:59:48 MH: Anyone knows his twitter account is @acfou. Come on.
0:59:53 TW: Okay. Okay.
0:59:56 MH: Everybody knows that.
0:59:58 TW: Just trying to help. Alright.
1:00:00 MH: There we go. Now I’m following you.
1:00:07 TW: As I’m I. Look at that. Blowing up your follower count. Just by recording.
1:00:12 DF: That’s right.
1:00:12 TW: Okay.
1:00:13 DF: Awesome. Awesome.
1:00:15 TW: Alright.
1:00:18 MH: He’s just got 20 years… I’m gonna have to start that over. I screwed that up. Okay, quick reset, just giving myself a pause. I’m gonna start again.
1:00:25 TW: You know if you’re talking during the pause, then it’s actually not a pause.
1:00:29 MH: Maybe if you and Moe would stop laughing, Tim.
1:00:34 TW: You were just a scant $1 billion was Michael Helbling.
1:00:38 MH: Yeah, no, I only made 100 million of ad fraud. No.
1:00:44 TW: Rock flag and botnets.