Research & Development

Large Publishers Buy Incentivized Traffic & Popups Too

Posted 1 month ago   |   9 min read
incentivized@2x
Written and published by
Rocky Moss
Chief Executive Officer

Enjoying the article?

We protect against this kind of threat and many more.

Reach out if you are interested in improving your campaign outcomes.

Introduction

In this post, we’ll be sharing what we know about a traffic sourcing campaign that affected multiple Yahoo properties between February 2021 (at minimum; possibly earlier) and February 2022. The sites affected were: yahoo.com & its subdomains, techcrunch.com, and autoblog.com.

The traffic was sourced by multiple means, and it’s hard to quantify exactly how much traffic came via specific paths without analyzing logs of buyers at a large scale. In this post we will describe the avenues by which we observed sourced traffic flowing, and give readers the tools to flag related impressions using their own log data.

If you would like to identify ANY and ALL of the invalid sourced traffic we refer to in this article, you need simply look for the presence of a “yotavid” string in the full page URLs you have relating to yahoo advertising events.

A Quick Primer on Incentivized Traffic

Incentivized traffic, for those unaware of this term (we will be using it quite heavily in this post), comes from users who are paid to visit a certain web property. They may additionally be required to perform subsequent actions on the page to receive their rewards. Compensation usually comes in the form of points that can be redeemed for prizes, or gift cards.

There are many such platforms that offer users rewards for doing these kind of activities; a very popular example of such a platform is Swagbucks, owned by Prodege, who operates several other popular platforms like Swagbucks.

These platforms are often leveraged in order to get prospective customers to take actions like:

  • Signing up for free trials (that convert to paid membership after a month)
  • Filling out surveys
  • Installing mobile / ctv apps

Most relevant to this post, users are also sometimes encouraged to visit ad-supported publishers, and create multiple page / ad views. In such cases, these platforms open destination pages in new tabs / windows in order to create visits that appear as direct.

Is Incentivized Traffic Considered Valid?

In the past, this was more of a gray area. After all, real people are the ones who participate in incentivized traffic programs, right? The MRC has no guidelines on intentionally purchased incentivized traffic.

The most important thing you can takeaway from this article is: human does not matter in this case. The biggest ad buying platforms in the world consider this activity invalid, and will offer make-goods on this traffic.

We shared the data from our own internal investigations with Morning Brew in order to get help quantifying the effect on the industry at large. As part of their due diligence, they asked Google about their stance on incentivized traffic being used to fulfill advertising campaigns, and Google offered this on-the-record statement:

“Google considers invalid traffic to be ad traffic that does not represent genuine user intent or interest. This includes both incentivized traffic and traffic from pop-unders. Generally speaking, invalid traffic applies to any clicks or impressions that may artificially inflate an advertiser’s costs or a publisher’s earnings.[…]”

This is echoed in numerous places across their publisher policies, for example in the AdSense publisher policies:

https://support.google.com/adsense/answer/2660562?hl=en#zippy=%2Cusing-an-incentivized-traffic-source

When the Morning Brew asked The Trade Desk their thoughts on incentivized & pop traffic, The Trade Desk said:

“We consider popunders and incentivized traffic as IVT

Additionally, they said:

“Since our founding, The Trade Desk has been committed to ensuring our clients, brands and their agencies, are buying the most valuable digital media available.

Our Marketplace Quality team has long focused on a transparent supply chain, including working on industrywide initiatives that have improved the entire ecosystem such as sellers.json and ads.txt. They work closely with partners and researchers to ensure that we only buy legitimate inventory and clean up the supply chain. Our work here has made fraud reports and discoveries less prominent than many years ago, and our team continues to stay at the forefront of new technologies and ways to maintain a transparent and fair marketplace.

Our publisher team focuses on building an efficient supply chain, with close relationships with publishers and their SSP partners, which ensures we are closely integrated with the biggest media companies in the world and are directly connected through them. This is even more evident in initiatives such as OpenPath, where we buy directly from the publisher themselves.

The Trade Desk has led the way on these initiatives and will continue to do so in service of a transparent, competitive and trusted market for advertising on the open internet, and both teams continue to evolve to stay at the forefront of the marketplace.”

Readers: be sure to ask your DSP their policy on incentivized traffic, and the means they have in place to detect it. You should not be paying for ads served to visitors without genuine interest in visiting whatever site they’re on.

How Did Traffic Arrive at Yahoo Properties, and How Can I Identify It?

As mentioned in the intro, multiple means were leveraged in order to create visits to Yahoo properties. The most observable means were:

  • Pop Traffic, coming from a vendor called “Viral Sparks”
    • This was identified during Q4 of 2021, but may have been occurring earlier
  • Incentivized Traffic, coming from Prodege properties (and perhaps others, but it hasn’t been observed directly)
    • Happened as early as February 2021, likely detectable earlier as well


Describing the Pop Traffic With Examples

In previous articles, we’ve covered how pop traffic is leveraged to create “clean” impressions that take advantage of real users on real devices; take the below links as examples.

In typical fashion, when visitors to porn, piracy, and other such sites interact with the page, they were sometimes taken to yahoo properties.

This is exemplified in this video from November 2021:

In this video, it seems the pop campaign destination leads to a redirect domain meant to leech off bit.ly’s reputation, “getbitly.pro;” again, this is not a domain operated by bit.ly, the popular link shortening service.

Subsequently, users are sent to another redirect domain: viralsparks.io

In these examples, we can see that the query string parameters are preserved; the user is simply bounced to anonymize upstream sources of traffic.

We believe that the Viral Sparks (the entity in the domain field above) is the one who purchased the pop traffic to be sent to Yahoo properties. This is kind of obvious, when you consider that viralsparks.io sent users to viralsparks.com (cached version linked) until late Q4 2021.

Likely they realized their fraud activity would become too obvious if they used their corporate domain to redirect pop traffic, so they later changed the redirect domain to adverify.cloud while still using the same query string params / values during the act of redirecting pop traffic to yahoo properties; more on this later.

Ultimately, the user lands on a yahoo page with a video ad (this is a consistent observation from both the pop & incentivized traffic).

Again, in this url we can see preserved query string parameters from the original “getbitly.pro” request. This is one way that we are able to flag the sourced traffic, and this lets us give readers the means to identify traffic in their own data.

The behavior is quite similar for pops that took users to other Yahoo family properties, like techcrunch.com:

The methodology in this case is nearly exactly the same, though the entity redirecting the traffic in this case has changed their url from viralsparks.io to adverify.cloud.

How to Identify the Pop Traffic in Logs

For anyone who has access to full page URLs on their programmatic buys, this will be easy. The pop visits are signified by the presence of several possible query string parameters relating to Viral Sparks. These filters should only be applied to the following domains & their subdomains: yahoo.com, techcrunch.com, autoblog.com

  • Look for the presence of a query string parameter called “aolapubid” which has a value starting with “vsp” (vsp likely signals Viral Sparks)
    • Example: aolapubid=vsp237bedbaa9038610fe9b2c34c8d50432
  • Look for the presence of a query string parameter called “cid” which has a value starting with “vs” (vs likely signals Viral Sparks)
    • Example: cid=vs_yv

For anyone looking for more examples, we’ve compiled hundreds of cases from November 2021: https://docs.google.com/spreadsheets/d/1xxAIqVBHandZdLWCmprHSVsg53sCnr_GBrZTJ-CSEi4/edit?usp=sharing

In the examples, the “from_domain” is the domain we visited, and which prompted the pop / redirect activity. The “to_domain” is the ultimate destination of that pop / redirect activity. The full urls in the “examples” tab are cases from which we were able to reverse engineer the identification strategy.

Describing the Incentivized Traffic With Examples

In February 2021 we decided it would be in the best interest of the industry if we checked into who was currently buying traffic from some of the top incentivized traffic platforms. We started by checking into the active campaigns on: mypoints.com, swagbucks.com, prizerebel.com, zoombucks.com, and inboxdollars.com.

We found that yahoo had active campaigns on swagbucks.com, mypoints.com, and inboxdollars.com. They weren’t the only site purchasing traffic, but we did find it particularly noteworthy due to the fact that yahoo inventory is purchased across many campaigns worldwide. Their volume is very high, and we were curious to know how much was supported by incentivized traffic.

It was additionally noteworthy due to the time period across which traffic was purchased. Between these sites, there was at least one active campaign until mid-February 2022, which makes at least a year-long incentivized traffic campaign.

The following videos show the flow of traffic from swagbucks.com to yahoo.com:

As we can see, participation in this program requires enabling pop-ups in your browser. This is likely to obfuscate the true source of traffic.

Popups required to participate in incentivized traffic platforms

As we can see, users are required to view multiple pages for 30 seconds+ each in order to claim their swagbucks / points. This amounts to a blatant manipulation of bounce & time-on-page metrics; no way around it.

Here’s another video showing how the experience appears to potential swagbucks users; they don’t even need to be tabbed-in to the content, they can be browsing in another tab and still reap the rewards:


How to Identify the Incentivized Traffic In Logs

As we mention in the intro, and as exemplified below, the traffic can be characterized by the presence of a query string value like “yotavid“:

In every case of incentivized activity, this query string value appears, and it is confirmed to not appear during organically generated sessions. The exact meaning behind it is not as clear as the Viral Sparks related query string parameters.

Additionally, the pop traffic we identified ALSO carries the “yotavid” string in the full page URL. Basically, you can use that information in the following way (only for yahoo, techcrunch, and autoblog urls):

  • To find incentivized traffic that was NOT a popup, look for the following combination of factors:


Conclusion and Takeaways

If you would like to identify ANY and ALL of the invalid sourced traffic we refer to in this article, you need simply look for the presence of a “yotavid” string in the full page URLs you have relating to yahoo advertising events.

However, in the course of researching the effects of this scheme on the industry at large, we found that it’s very common for buyers to not even be privy to the full page URLs they serve ads on. This can sometimes be related to the technological limitations of measuring the top level URL from within the context of an ad-unit, but often it’s just information the SSP / DSP doesn’t deign relevant to include in reporting.

Incentivized traffic is a huge industry, and it touches all device types and ad experiences. One of the best, if not ONLY, ways to identify such traffic is by analyzing full page URLs inclusive of query strings. Informed media buying platforms need access to this information, so be sure to request it of all supply partners you work with. Unwillingness to provide such information can be a big red flag, so tread carefully.

Thus-far-unreleased findings of ours indicate that this scheme is just a drop in the bucket, so look forward to learning about the even larger incentivized traffic events we are currently tracking.

Remember: the line for invalid traffic has officially been drawn at the user’s intent to visit an ad-supported publisher page.

Ad fraud is serious business.

Let us help you understand the threat.

Additional articles you may enjoy.