Bots and Bonus Abuse in iGaming: Protecting Sportsbooks from Evolving Threat Methods

The gaming industry is rapidly expanding. Since the pandemic, it has offered a new means of socialisation for players. This has led to iGaming becoming an increasingly lucrative industry. The downside is that fraudsters now have their sights set on iGaming. The barrier for entry is low, and with the evolution of technology such as artificial intelligence (AI), fraudsters have created numerous methods to exploit sportsbooks.

With each new development in technology, it becomes that much easier for threat actors to launch successful attacks against profits. Casinos and sports betting apps are most frequently targeted by ad fraud from January 2022 to February 2023. Statista estimated that within this time, ad fraud cost sportsbooks and casinos around $1.2 billion. This demonstrates the very real threat that fraud poses to sportsbooks, and without strategies in place to mitigate the damage it causes, the issue will only grow.

Fraudsters can infiltrate advertising campaigns with Invalid Traffic (IVT). A primary form of this IVT, is automated bots. These bots allow fraudsters to bypass systems, at speed and undetected to wreak havoc on advertising budgets in overwhelming numbers.

Sportsbooks must adopt proactive measures and give precedence to defense by implementing a thorough fraud prevention strategy, the same way they take a proactive approach from a cyber security perspective. This strategy should entail strengthening the IT platform infrastructure, improving in-platform security checks, and reinforcing safeguards throughout marketing campaigns.  

Malicious AI Targeting Ad Campaigns

The gambling industry has thrived since digitalisation, with technology making gaming accessible to a much wider audience. The online Gross Gambling Yield (GGY) in the UK reached £1.4 billion between January and March 2024 alone according to the Gambling Commission. This success hasn’t gone unnoticed by threat actors, and they’ve turned their sights on sportsbooks.

AI tools have developed significantly, and bots can rapidly perform repetitive tasks without the need for human intervention. While this can be useful for businesses, they can have more malicious intent in the hands of threat actors.

Pay-per-click (PPC) campaigns, a popular choice for marketers seeking to drive traffic, have become prime targets for fraudsters who capitalize on automated bots to generate fake clicks. Fraudulent bots can mimic human behaviour, allowing them to automatically click on paid ads to increase ad revenue for the publisher drastically.

Bad actors have found a way to infiltrate sportsbooks by using hosting servers. These servers store data in a physical or cloud server and are typically used by companies to store large amounts of data. From these servers, bad actors use a residential Internet Service Provider (ISP) proxy to anonymize themselves and appear legitimate. Proxy servers work as a middleman between a user’s device and the internet. They can mask a user’s actual location by routing the connection through a different server, for example, residential proxies use residential IP addresses to appear as an average user to websites and online services.

Through the use of residential proxies, bots can then blend in with traffic from real users to carry out activities like scraping content, fraud, or cyberattacks. Fraudsters program scripted bots to click on sportsbook ads and then delete their cookies and all associated information. The bot can then rotate to a different device and carry out the task again and again. These fake clicks increase marketing expenditure without leading to real customers, draining resources and diluting returns on investment (ROI).

Many iGaming operators rely on special promotions or bonuses to entice new customers or keep existing ones interested. Doing so has become a staple for new and established brands in the industry and looks set to remain the case for at least some time to come. These bonuses are designed to encourage players to continue betting using their own money once the bonus funds have run out. Bonus abuse involves unfairly manipulating promotion incentives aimed at those yet to sign up. Given that most bonuses can only be used once, fraudsters often set up multiple accounts to take advantage of repeated bonuses.

There are also advanced gambling communities consisting of tech-savvy criminals who collaborate to take advantage of these bonuses (referred to as bonus hunting). They employ betting bots, virtual machines, emulators, and simulated IP addresses to exploit the system. 

Mass production of bots enables them to launch attacks with heightened frequency, evading detection. Legacy fraud tools struggle to identify IVT and bots, as they can’t distinguish between legitimate and fraudulent traffic. To counteract this, sportsbooks need to take it upon themselves to develop a proactive strategy to identify fraudulent engagement. Without a strategy in place, sportsbooks risk significant profit loss.

Impact of Bots on Marketing Acquisition Campaigns

In marketing acquisition campaigns, the primary goal is to attract and convert potential customers into actual users. Bots can significantly undermine these efforts in several ways:

1. Draining Advertising Budgets: Bots can generate fake clicks on ads, leading to inflated costs without any real user engagement. This not only wastes the marketing budget but also skews performance metrics, making it difficult to assess the effectiveness of the campaign.

• Reducing Conversion Rates: Fake clicks do not convert into actual users. This results in lower conversion rates, which can mislead marketers into thinking their campaigns are underperforming. A low conversion rate can also impact future budget allocations, leading to reduced spending on channels that might be effective.

• Distorting Data Analytics: Bots can distort data analytics by creating false impressions of user behavior. This can lead to incorrect assumptions and misguided marketing strategies. For instance, if bots are mimicking legitimate user behavior, it becomes challenging to distinguish between real and fake engagement, which can lead to poor decision-making.

In a detailed analysis by TrafficGuard, it was revealed that of the $753,313 spent on advertising, $107,005 was wasted on invalid traffic classified as ‘bots, hosts, and malware.’ This included known host IPs, known residential proxy IPs, and known bot user agents. These forms of invalid traffic are sophisticated and require advanced detection and prevention strategies to mitigate financial losses effectively.

Proactive Measures for Sportsbooks

To combat the impact of bots on marketing acquisition campaigns, sportsbooks need to adopt a multifaceted approach:

1. Implement Advanced Fraud Detection Tools: Utilizing tools that can detect and block bot traffic in realtime is crucial. These tools should be capable of identifying patterns associated with bot activity, such as unusual click-through rates, high bounce rates, and suspicious IP addresses.

• Regular Traffic Monitoring: Continuous monitoring of traffic can help identify anomalies that indicate bot activity. Sportsbooks should look for signs such as abnormal traffic spikes from unexpected locations, high pageviews, and suspicious accounts.

• Custom Verification Rules: Setting custom verification rules can help limit the impact of bots. For example, creating a click limit for users can prevent bots from repeatedly engaging with ads and driving up costs.

• Transparent Data Practices: Maintaining transparency and visibility into systems and data can help detect fraudulent activity early. By being aware of the indicators of IVT, sportsbooks can verify their traffic and take action against fraudulent engagements.

Conclusion

As the iGaming market continues to flourish, sportsbooks are being presented with new opportunities to expand and reach new audiences. With these opportunities come new risks, as threat tactics have become increasingly complex and difficult to identify. To protect their ad budgets from AI bots and achieve campaign success, sportsbooks need to take a stand.

Focusing on transparency and visibility into systems and data is key to detecting fraudulent activity before it can damage the integrity of ad campaigns. By prioritising their defence, sportsbooks can end bonus abuse and save the rewards for their real, loyal customers.