These Brands Are All Getting Ripped Off by Bots

MdotLabs says it has executed a fraud sting operation

Here’s a list you don't want to be a part of: American Express, Allstate, Maybelline, GE Capital, Disney, Comcast, Subway, L.L. Bean, Farmers, Starbucks, Honda, EA Sports, Priceline, Staples, Lifelock, Audi, Samsung, Avis, Choice Hotels, AT&T.

But, wait. These are all big brand names—why wouldn't you want to be on this list? Because these companies all are getting ripped off by bot vendors and shady traffic sellers, according to a new startup, MdotLabs. The company says that bot vendors are generating 15 billion phony ad impressions in the U.S. per month.

MdotLabs ought to know. A few years ago, its parent company, Broadcast Interactive Media, ended up on an undesirable list of its own. The company was founded as an online ad network specializing in repping ads for local TV and radio station sites. And then it decided to get bigger, and got burned—bad. In the late 2000s, the company began selling inventory for a handful of seemingly bigger publishers, when boom—Google hit it with a $300,000 bill. According to Google, Broadcast Interactive Media was selling some dicey inventory, and owed the Web giant a refund.

By late 2010, the accusations of ad fraud had become a million-dollar issue for the firm, causing it to pull back from its broader ad network ambitions. On the flip side, its founders—many of whom have backgrounds in academia—and security saw a big opening.

“In trying to defend ourselves, we’d see too many one-off solutions,” said MdotLabs CEO and co-founder Timur Yarnall. “There are known ways to engineer around this stuff [like ad verification and viewability software]. We’ve got big security chops, so we spun off a company.”

MdotLabs was born. Over the past nine months or the company has operated in stealth mode, says Yarnall, executing an elaborate sting operation that might as well be dubbed To Catch a Botnet. According to Yarnall, the company set up 15 fake Web sites. Then it went out to multiple traffic vendors and bot leasers and started sending fake traffic to these fake sites.

Rather than just paying for cheap clicks, Yarnall says his team found vendors willing to sell on a “pay-per-view basis” (he claims to have sent out a group of consultants with pre-paid credit cards to make the deals). Here’s how it works.  A publisher agrees to put tags on his or her site. When users visit the site, tons of invisible pop-under ads are delivered. The vendor makes money selling those invisible ads, says Yarnall, while the publisher “magically gets a check.” Problem is, no actually humans actually see any of the ads, which included brands like American Express and Disney.

Next, MdotLabs went out and crawled the rest of the Web, claims Yarnall, and found those same tags from the unnamed shady vendor on all sorts of other sites. Some seemed completely bogus, per Yarnall, such as and But other sites were far more recognizable, Yarnall says, though he declines to name names.

“We did a volume estimate, and said, “this looks like a huge problem,” said Yarnall. “Just from-pay-per-view ads alone, we see this as a $200 million a year problem. It’s a huge mode of ad fraud. These are serious brand advertisers. I guarantee these CMOs are thinking they have protections in place.”

Naturally, MdotLabs says it can offer those sorts of protections. It’s joining a growing number of vendors claiming to have the most comprehensive bot and fraud protections out there. The company’s AdSecure product is designed to help “media clients track and eliminate invalid traffic,” says the firm. "We are already saving brands millions of dollars annually by working directly with their agencies and DSP partners to remove wasted ad spend," said Yarnall.