Just announced: HUMAN’s Satori Threat Intelligence and Research team has disrupted a cunning mobile advertising fraud campaign dubbed Konfety.

Deals, Steals, and Automated Bots

Researchers: Mikhail Venkov and Rosemary Cipriano

During a normal year, Black Friday starts the night of Thanksgiving right after the last piece of pumpkin pie. However, much like everything this year, Black Friday 2020 was different. Stores notably started their Black Friday/Cyber Monday deals early, and we mean very early. Walmart started their Black Friday Deals for Days online November 4th - a full 3 weeks and 3 days before. According to eMarketer, 76% of North America’s top 50 retailers had holiday sales running the Monday before Thanksgiving. And notably, the PlayStation 5 didn’t drop in stores on Black Friday with a massive frenzy. They had pre-sales in September or if you were quick, you could snag a PS5 online starting November 12th. Again, if you were quick (there’s a botsplanation for that).

TLDR: Black Friday wasn’t actually on Black Friday this year.

The National Retail Federation reported that in 2020: “With retailers enticing consumers with generous deals as early as October, more than half (52%) of holiday shoppers said they took advantage of early holiday sales and promotions this year. Of those, 38% said they checked off holiday purchases in the week leading up to Thanksgiving.”

So what does this mean for bots? They got a head start on when they might have started in an “average” year. The HUMAN Satori Threat Intelligence & Research team dove into the data to see just how much of a holly jolly time sophisticated bots had in November.


SIVT for Christmas

We started by looking at how much Sophisticated Invalid Traffic (SIVT) we protected our MediaGuard retail and e-commerce clients from. As we know, advertising during this time of year sharply increases for brands looking to get the word out about their deals. With deals starting so much earlier this year, ads naturally followed suit.

The chart below shows the SIVT trend across retail and e-commerce from October and November 2020 through Cyber Monday. The SIVT rate remains steady in October to early November. It started to steadily increase around November 9th, peaking with over a 140% increase in SIVT rates on November 21st (the Saturday before Thanksgiving) vs the top of October. We see a drop off after that, but on average the week of Thanksgiving and the weekend on Black Friday through Cyber Monday had a higher average SIVT than October.

pasted image 0 (2)

Figure 1: SIVT rate, relative to IVT rate on October 1, from October 1, 2020 - November 30, 2020
Source: HUMAN Satori Threat Intelligence & Research Team

So what exactly were bots up to during that mid-November peak? Below shows the type of IVT we saw during the same time period. Most notably, we see a sharp increase in Misleading User Interface (MUI) on November 15th, coinciding with the larger SIVT trend rate increasing from that day forward.

pasted image 0 (3)

Figure 2: IVT Category Composition by day, October 1, 2020 - November 30, 2020
Source: HUMAN Satori Threat Intelligence & Research Team

At the peak, MUI accounted for just over 60% of SIVT for MediaGuard retail and e-commerce clients. MUI is when a website or app is modified to include multiple ads. This could be ad injecting, where one ad is displayed but behind it are a bunch of different ads that are not visible to the audience, or ad stacking shown in Figure 3. This shows an ad rendering and then a different ad popping up on top. In both cases, the advertiser pays for the impressions even though a true, human impression was not delivered. A possible reason for this specific type of SIVT for fraudsters is that with more advertisers competing for more impressions, they saw it more fruitful to use ad injection and similar MUI tactics to maximize on that demand.


Figure 3: An example of ad stacking out in the wild
Source: HUMAN Satori Threat Intelligence & Research Team

We may sound like a broken record, but fraud follows the money. And during the biggest shopping season of the year, advertisers use their budget to reach their human fans and share a deal with them. Without proper bot mitigation in place to spot even the most sophisticated bots, advertisers could potentially lose that budget to fraudsters. HUMAN's MediaGuard protected our clients this Black Friday season from all the SIVT activity we described here, and will continue to do so. The holiday shopping season is still in full swing with more chances for bots to take their piece of the leftover pie. So advertisers, give sophisticated bots a big lump of coal this year.