Falsifying Traffic Counts to Manipulate Website Auction Marketplaces

Online auction houses, by their very nature, are semi-moderated online spaces where people buy and sell goods partly on the expectation of good-faith representations of those goods. Notoriously, scammers on eBay attempted to bilk would-be bidders on PlayStation 5s last year: instead of selling the PlayStation 5, the scammers were selling photographs of PlayStation 5s, and on a bidding page such a listing was almost imperceptibly different from a genuine auction for a physical PlayStation 5:

Scam Listing on eBay for a “photograph” of a Playstation 5

While the buying and selling of consumer goods is a huge market, a smaller niche auction site, Flippa, concerns itself with the buying and selling of websites, apps, and other online services. Essentially, this marketplace allows buyers and sellers to congregate to buy and sell ready-made online businesses. Core to these auctions are the metrics that drive revenue to these businesses, or are closely related to that revenue. Each listing prominently displays information like the name of the business, the nature of its revenue generation (online ads, drop-shipping, etc.), the number of active users, and how much money the company currently makes per month. Buyers can use this information to decide which businesses they may want to purchase.

Three sample auctions listed on Flippa

Core to the statistics on any single listing, which are meant to inform would-be bidders whether or not they should bid, is the view count for the website. Alongside and above the reported monthly profits generated from the website, traffic counts are provided as raw monthly statistics, both in terms of unique visitors and total visits. Further down, in some cases, we even see a widget of live imported Google Analytics traffic counts, which, as established earlier in research from IPM, are gameable statistics. Flippa assures bidders that the traffic statistics provided by these auction listings are “legitimate” numbers that are “verified” by Flippa by virtue of their transparent importation directly from Google Analytics. Of course, we know that these can be easily manipulated.

Detailed statistics and core performance information for a sample auction from Flippa

Google analytics traffic information presented on Flippa as “verified” evidence of valid traffic counts

Let’s suppose that there were unscrupulous people out there willing to squeeze more money from the auctions they listed by engaging in some light fraud. Just like on eBay, these unscrupulous people will abuse assumptions of good-faith representations of the goods being bought and sold to make an extra buck off the folks they intend to scam. In order to do so, they’ll increase the hits to their websites by visiting the sites with some sort of mass automated visitation scheme - in truth, it doesn’t need to be too complicated since the goal is purely to juke numbers on Google Analytics, which will be sufficient to represent way more traffic than is real to would-be purchasers, all wrapped nicely as a verified “fact” about the website on the auction listing. So long as the cost of these hits is less than the amount of money one expects to make from the fraudulent traffic boost, this will make economic sense and people will be incentivized to do so.

Breakdown of visitations by IPM Probes - we use a Gaussian procedure for generating the number of hits delivered to each target to mock organic visitation flows.

In early November 2021, IPM identified a sample of 418 listings from Flippa, and sent a total of 154,625 “probe” hits to these sites to measure whether or not our requests would be honored, what evidence we could glean about what analytics we may trigger, and the price point at which we could make these visitations. Of the 418 services, we were able to confirm that 50% of these sites used Google Analytics and set a Google Analytics tracking cookie in the browser state in nearly every request we made to the server. 65% of the sites set at least one cookie associated with popular tracking-related systems like Google Analytics, Shopify, WordPress, Facebook, and so forth. Further, 390 of the 418, or 93% of the sites checked, returned screenshots consistent with what a real human end-user would see. Of the 7% that failed to return a valid screenshot, some failed due to the server being offline, while a few others failed due to proper site blocking based on clearly automated traffic behavior of the sort we sent.

Cost per thousand probe hits to various Flippa auction sites

Because IPM is an end-to-end service that tracks its own costs, it’s possible to get very granular with how much money a would-be scammer would have to spend on compute resources in order to boost their numbers. In our case, for the typical site being sold on Flippa, we expect it to cost about $0.00035 per hit to the servers, or about 35¢ per thousand hits. Because we collected a fairly comprehensive sample of auctions, we were also able to analyze the degree to which auction price correlates with traffic. Since traffic counts, and corresponding prices, span several orders of magnitude, this is better observed on a log/log plot of that relationship:

Log plot of relationship between auction price and unique hits per month.

In order for the fraud to work, we have to prove several things:

  1. The traffic can be faked well enough to trick would-be buyers,

  2. Would-be buyers care about that traffic enough to adjust their bids based on that information,

  3. The adjustment that would-be buyers make is more money than we spend in generating that traffic.

We already know that (1) is true based on previous work. How about the other two points? For (2), we ran some statistical regressions to see which factors matter most for how auctions are priced. We looked at two points in auctions: the initial price set by a would-be seller, and the downstream bids actually placed by buyers. We analyzed three pricing factors: (a) the monthly revenue, (b) the age of the site, and (c) the monthly traffic. We found that sellers vastly overestimate how important monthly revenue is compared to buyers. The monthly revenue of a site was by far the strongest factor in describing how sellers initially price their sites at the beginning of an auction. When bidders actually place their bids, however, monthly revenue becomes almost equal in strength to monthly traffic. This indicates that traffic does indeed play a meaningful role in how bidders determine their bids, and that bidders likely adjust their bids based on traffic counts.

Factor relevance for how sellers initially price their auctions, and how buyers ultimately bid on those auctions.

So traffic matters a great deal to the bidders - but does it matter enough for us to economically exploit that fact? In order to address that, we used the coefficients from our regression analysis to project out how much it would cost for us to boost traffic, and how much we could expect to earn in additional value from our auctions from that fraudulent traffic. We looked at the marginal effect of adding traffic across a wide range - from a 1% boost on existing traffic to a 10,000% increase on existing traffic. In all cases, we make way more money sending the traffic than we spend on it - in fact, relative to the amount we earn, the amount we spend doesn’t even register on our chart below.

In every circumstance, the average value we gain by faking traffic vastly outstrips the cost of faking that traffic.

Far from being a fantastical hypothetical, any would-be fraudster has the clear motive and opportunity to boost their traffic and, with it, ultimate bid prices. The means to do so is relatively rudimentary: basic Selenium workers are demonstrably able to boost these numbers on these sites at scale, at minimal cost in terms of operation and up-front engineering. For their part, Flippa has clearly demonstrated that this is an ongoing concern, since so much of their digital real estate within the auction site is dedicated to “transparent” disclosures of traffic, and whether or not that traffic is verified. Flippa would likely benefit from a deeper introspection into these numbers, and a more comprehensive regimen of verification which aims to remove this loophole from their auctions.
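One way a buyer or marketplace reviewer could screen a listing's history for traffic growth that revenue does not back up, shown as an added example that is not IPM's or Flippa's code. The monthly figures, the tuple layout, the function name and the thresholds are all constructed assumptions.

```python
from statistics import median

# Constructed sample: (month, unique_visitors, revenue_usd) for one
# hypothetical listing. Values are illustrative, not taken from Flippa.
LISTING = [
    ("2021-05", 4100, 410.0),
    ("2021-06", 4300, 445.0),
    ("2021-07", 3900, 380.0),
    ("2021-08", 4200, 430.0),
    ("2021-09", 9800, 425.0),
    ("2021-10", 21500, 440.0),
]


def flag_unbacked_traffic(rows, baseline_months=4, growth=1.5, rpv_drop=0.6):
    """Return months whose visitor growth is not matched by revenue.

    A month is flagged when visitors are at least `growth` times the
    baseline median AND revenue per visitor has fallen to `rpv_drop` of
    the baseline median or lower. Thresholds are assumed starting points.
    """
    base = [r for r in rows[:baseline_months] if r[1] > 0]
    if len(base) < 2 or len(rows) <= baseline_months:
        return []  # not enough history to form a baseline
    base_visitors = median(v for _, v, _ in base)
    base_rpv = median(rev / v for _, v, rev in base)
    if base_rpv <= 0:
        return []  # no revenue history to compare against
    flagged = []
    for month, visitors, revenue in rows[baseline_months:]:
        if visitors <= 0:
            continue
        rpv_ratio = (revenue / visitors) / base_rpv
        if visitors >= growth * base_visitors and rpv_ratio <= rpv_drop:
            flagged.append({
                "month": month,
                "excess_visitors": round(visitors - base_visitors),
                "rpv_ratio": round(rpv_ratio, 2),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_unbacked_traffic(LISTING):
        print(hit)
```

A flag is a prompt for further checks such as payment-processor records or server logs, since a genuine marketing push can also dilute revenue per visitor for a while.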
