
Blocking Ad Fraud with DataDome Device Check
A leading online automotive marketplace, offering both search and shopping services to end users as well as a selling platform for car dealers, generates part of its revenue through online advertising campaigns. These campaigns increase the visibility of car sellers’ offers, and—in order to ensure a satisfying conversion rate—it is of primary importance to avoid automated, fraudulent clicks. Preventing ad fraud not only protects the revenue generated by the advertisement campaigns, but also reinforces the reputation of the advertiser among the ecosystem of car sellers.
For these reasons, the company decided to extend DataDome’s bot protection to their online ad campaigns.
The newly protected traffic consisted of a simple redirection from the online ad click to the car dealer domain, with the marketplace server acting as a pass-through.
Ad Fraud is a Challenging Detection Context
In the context of ad fraud, it is particularly difficult to apply “classic” bot detection techniques, as DataDome has access only to single HTTP requests, independent from one another. We cannot observe the end users’ behavior throughout their sessions, nor collect information about the context the ad click originated from. IP-based aggregations and reputational signals are available, but HTTP fingerprinting and IP categorization alone are not enough to detect sophisticated bots conducting large-scale ad fraud operations. In general, the unavailability of end users’ session data is one of the main challenges of ad fraud protection.
How does DataDome detect ad fraud?
Initially, the customer added ad click traffic to DataDome’s monitoring without activating protection. This meant that DataDome monitored and classified traffic, but did not block or challenge any requests.
During the first week, DataDome detected illegitimate bot activities in around 50% of the monitored traffic.
The daily percentage of bot threat traffic was stable, whereas overall traffic followed a daily pattern.
Ad Fraud Traffic Characteristics
To better understand the ad fraud traffic targeting ad clicks, let’s dive into some of its characteristics. First of all, we can see that most of the traffic originates from data centers. The graph below shows the different sources of traffic: the residential IPs (red) generate far fewer malicious requests than data centers (green).
Separating traffic by autonomous system (AS) shows another interesting pattern: we can see one specific data center generating the vast majority of the requests. The graph below represents the traffic of the top 5 autonomous systems, every color corresponding to a different AS.
Most of the traffic generated by the main data center (blue line above) was flagged as malicious by DataDome. But was there a real difference in the quality of that traffic compared to traffic from the other ASes?
Looking at the main data center, the observed cases fall into one of these categories:
- Bots sending multiple requests from a single IP: Not only were these IPs recognized by DataDome in other contexts as used by bots, but the fingerprints of the requests contained evidence like outdated user-agents or missing headers.
- Bots sending one request per IP: Even without behavioral patterns, the fingerprints of these requests clearly indicated bot activity through outdated user-agents, missing referrers, or inconsistencies between HTTP headers.
On the other hand, other ASes showed a much greater proportion of human traffic, with recent user-agents and consistent HTTP headers.
Keep in mind that, in this initial context, no client-side signals related to user behavior or browser fingerprinting were available. Despite these limitations, DataDome was able to correctly detect malicious bot activity using both behavioral and signature-based analysis. A large portion of this bot traffic originated from a specific data center. Given the proportion of the threat (half of their overall traffic), the customer decided to activate DataDome’s protection.
Device Check Unveils Hidden Ad Fraud Traffic
Once protection was activated, DataDome started to leverage DataDome CAPTCHA and block malicious traffic. Moreover, the customer was an early adopter of Device Check, a new frictionless solution offered by DataDome to detect sophisticated bots without the need for human interaction. This new functionality proved very useful for collecting more signals and performing further checks every time a request presented suspicious traits but not enough evidence to be blocked.
In other words, by adding Device Check among DataDome’s response options, requests detected as malicious were blocked, and suspicious traffic was challenged with Device Check before making the final decision.
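The tiered response described above (block clear bots, send suspicious requests to Device Check, allow the rest) can be sketched over isolated HTTP requests using the fingerprint signals listed earlier. This is an added example, not DataDome's detection logic or code from the original post; the weights, thresholds, Chrome version floor and the `datacenter` flag are assumptions, and the sample requests are constructed.

```python
import re

# All weights, thresholds and the version floor are assumptions of this sketch.
MIN_CHROME_MAJOR = 100
EXPECTED = ("accept", "accept-language", "accept-encoding")
UA_PLATFORMS = {"Windows NT": "Windows", "Mac OS X": "macOS", "X11; Linux": "Linux"}
BLOCK_AT, CHALLENGE_AT = 5, 2

def score_request(req):
    """Score one isolated HTTP request; returns (score, [signal names])."""
    h = {k.lower(): v for k, v in req["headers"].items()}
    ua = h.get("user-agent", "")
    hits = []
    chrome = re.search(r"Chrome/(\d+)", ua)
    if not ua:
        hits.append(("missing_user_agent", 3))
    elif chrome and int(chrome.group(1)) < MIN_CHROME_MAJOR:
        hits.append(("outdated_user_agent", 2))
    if any(name not in h for name in EXPECTED):
        hits.append(("missing_headers", 2))
    if "referer" not in h:
        hits.append(("missing_referrer", 1))
    # Inconsistency: the OS in User-Agent disagrees with the client hint.
    claimed = next((p for tok, p in UA_PLATFORMS.items() if tok in ua), None)
    hinted = h.get("sec-ch-ua-platform", "").strip('"')
    if claimed and hinted and claimed != hinted:
        hits.append(("header_inconsistency", 2))
    if req.get("datacenter"):  # IP categorization assumed done upstream
        hits.append(("datacenter_ip", 2))
    return sum(w for _, w in hits), [n for n, _ in hits]

def decide(req):
    """Block on strong evidence, challenge on weak evidence, else allow."""
    score, _ = score_request(req)
    if score >= BLOCK_AT:
        return "block"
    return "device_check" if score >= CHALLENGE_AT else "allow"

# Constructed sample requests (not taken from the case study).
FULL = {"Accept": "text/html", "Accept-Language": "en-US", "Accept-Encoding": "gzip",
        "Referer": "https://ads.example/"}
HUMAN = {"datacenter": False, "headers": {**FULL, "Sec-CH-UA-Platform": '"Windows"',
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"}}
OLD_BOT = {"datacenter": True, "headers": {"Accept": "*/*",
           "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0.3945.79"}}
UNSURE = {"datacenter": True, "headers": {**{k: v for k, v in FULL.items() if k != "Referer"},
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"}}

if __name__ == "__main__":
    for name, r in (("human", HUMAN), ("old_bot", OLD_BOT), ("unsure", UNSURE)):
        print(name, decide(r), score_request(r)[1])
```

The `UNSURE` request is the case the article highlights: a clean fingerprint from a data center with no referrer is not enough to block, so it is routed to the frictionless challenge to gather client-side signals first.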
In one week, the following responses were applied:
Device Check was used to collect additional client-side signals and detect bots producing fraudulent ad clicks with more precision. Since it does not introduce friction for end users in the form of a CAPTCHA challenge, Device Check was used whenever weak evidence of bot activity was found or information was missing from the HTTP fingerprint. It turned out that 99.94% of the time, Device Check detected and blocked a bot, whereas only 0.06% of Device Check challenges were presented to (and successfully passed by) legitimate users.
Since Device Check was applied in those cases where DataDome did not have enough evidence to classify a request as a threat, it allowed us to unveil a vast proportion of ad fraud that remained hidden during the initial monitoring phase.
This aspect becomes evident looking at how the traffic classification varied after protection was activated:
One week after activating DataDome protection and using Device Check, the traffic was classified as follows:
It was only after activating protection and interacting with suspicious requests thanks to Device Check that DataDome had the necessary conditions to stop all ad fraud traffic.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Lorenzo Vayno. Read the original post at: https://datadome.co/learning-center/blocking-ad-fraud-with-datadome-device-check/