Click fraud

Click fraud is a type of fraud that occurs on the Internet in pay per click (PPC) online advertising. In this type of advertising, the owners of websites that post the ads are paid based on how many site visitors click on the ads. Fraud occurs when a person, automated script, computer program or an auto clicker imitates a legitimate user of a web browser, clicking on such an ad without having an actual interest in the target of the ad's link in order to increase revenue. [1] Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.

Media entrepreneur and journalist John Battelle describes click fraud as the intentionally malicious, "decidedly black hat" practice of publishers gaming paid search advertising by employing robots or low-wage workers to click on ads on their sites repeatedly, thereby generating money to be paid by the advertiser to the publisher and to any agent the advertiser may be using.

Pay-per-click advertising

PPC advertising is an arrangement in which webmasters (operators of websites), acting as publishers, display clickable links from advertisers in exchange for a charge per click. As this industry evolved, a number of advertising networks developed, which acted as middlemen between these two groups (publishers and advertisers). Each time a (believed to be) valid Web user clicks on an ad, the advertiser pays the advertising network, which in turn pays the publisher a share of this money. This revenue-sharing system is seen as an incentive for click fraud.

The largest of the advertising networks, Google's AdWords/AdSense and Yahoo! Search Marketing, act in a dual role, since they are also publishers themselves (on their search engines). [1] According to critics, this complex relationship may create a conflict of interest. This is because these companies lose money to undetected click fraud when paying out to the publisher but make more money when collecting fees from the advertiser. Because of the spread between what they collect and pay out, unfettered click fraud would create short-term profits for these companies. [1]

Non-contracting parties

A secondary source of click fraud is non-contracting parties, who are not part of any pay-per-click agreement. This type of fraud is even harder to police, because perpetrators generally cannot be sued for breach of contract or charged criminally with fraud. Examples of non-contracting parties are:

Advertising networks may try to stop fraud by all parties but often do not know which clicks are legitimate. Unlike fraud committed by the publisher, it is difficult to know who should pay when past click fraud is found. Publishers resent having to pay refunds for something that is not their fault. However, advertisers are adamant that they should not have to pay for phony clicks.

Organization

Click fraud can be as simple as one person starting a small Web site, becoming a publisher of ads, and clicking on those ads to generate revenue. Often the number of clicks and their value are so small that the fraud goes undetected. Publishers may claim that small amounts of such clicking are accidental, which is often the case. [1]

Much larger-scale fraud also occurs in cybercrime communities. [2] According to Jean-Loup Richet, Professor at the Sorbonne Business School, click fraud is frequently one link in the large ad fraud chain, and can be leveraged as part of a larger identity fraud and/or attribution fraud. [3] Those engaged in large-scale fraud will often run scripts which simulate a human clicking on ads in Web pages. [4] However, huge numbers of clicks appearing to come from just one, or a small number of computers, or a single geographic area, look highly suspicious to the advertising network and advertisers. Clicks coming from a computer known to be that of a publisher also look suspicious to those watching for click fraud. A person attempting large-scale fraud, from one computer, stands a good chance of being caught.

One type of fraud that circumvents detection based on IP patterns uses existing user traffic, turning this into clicks or impressions. [5] Such an attack can be camouflaged from users by using 0-size iframes to display advertisements that are programmatically retrieved using JavaScript. It could also be camouflaged from advertisers and portals by ensuring that so-called "reverse spiders" are presented with a legitimate page, while human visitors are presented with a page that commits click fraud. The use of 0-size iframes and other techniques involving human visitors may also be combined with the use of incentivized traffic, where members of "Paid to Read" (PTR) sites are paid small amounts of money (often a fraction of a cent) to visit a website and/or click on keywords and search results, sometimes hundreds or thousands of times every day. [6] Some owners of PTR sites are members of PPC engines and may send many email ads to users who do search, while sending few ads to those who do not. They do this mainly because the charge per click on search results is often the only source of revenue to the site. This is known as forced searching, a practice that is frowned upon in the Get Paid To industry.

Organized crime can handle this by having many computers with their own Internet connections in different geographic locations. Often, scripts fail to mimic true human behavior, so organized crime networks use Trojan code to turn the average person's machines into zombie computers and use sporadic redirects or DNS cache poisoning to turn the oblivious user's actions into actions generating revenue for the scammer. It can be difficult for advertisers, advertising networks, and authorities to pursue cases against networks of people spread around multiple countries.

Impression fraud is when falsely generated ad impressions affect an advertiser's account. It involves making numerous searches for a keyword without clicking on the ad. In click-through-rate-based auction models, the advertiser may then be penalized for having an unacceptably low click-through rate for that keyword. Such ads are disabled [7] automatically, enabling a competitor's lower-bid ad for the same keyword to continue, while several high bidders (on the first page of the search results) have been eliminated.

Hit inflation attack

A hit inflation attack is a kind of fraudulent method used by some advertisement publishers to earn unjustified revenue on the traffic they drive to the advertisers’ Web sites. It is more sophisticated and harder to detect than a simple inflation attack.

This process involves the collaboration of two counterparts, a dishonest publisher, P, and a dishonest Web site, S. Web pages on S contain a script that redirects the customer to P's Web site, and this process is hidden from the customer. So, when user U retrieves a page on S, the script simulates a click or request to a page on P's site. P's site has two kinds of webpages: a manipulated version and an original version. The manipulated version simulates a click or request to the advertisement, causing P to be credited for the click-through. P selectively determines whether to load the manipulated (and thus fraudulent) script to U's browser by checking whether the request came from S. This can be done through the Referrer field (the HTTP Referer header), which specifies the site from which the link to P was obtained. All requests from S will be loaded with the manipulated script, and thus the automatic and hidden request will be sent. [8]

This attack will silently convert every innocent visit to S to a click on the advertisement on P's page. Even worse, P can be in collaboration with several dishonest Web sites, each of which can be in collaboration with several dishonest publishers. If the advertisement commissioner visits the Web site of P, the non-fraudulent page will be displayed, and thus P cannot be accused of being fraudulent. Without a reason for suspecting that such collaboration exists, the advertisement commissioner has to inspect all the Internet sites to detect such attacks, which is infeasible. [8]

Another proposed method for detection of this type of fraud is through use of association rules. [9]
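The following added example (not code from the cited papers, and a simplification rather than the algorithm of [9]) shows the association-rule idea applied to the hit inflation pattern above: it looks for site pairs (S, P) where a visit to S is almost always followed, within a few seconds, by an ad click credited to P. It assumes an event stream from a vantage point that sees both page visits and credited clicks; the event format, site names and thresholds are constructed for illustration.

```python
from collections import defaultdict

def make_sample_events():
    """Constructed sample stream of (user, unix_time, kind, site).
    kind "visit" = page view on `site`; kind "click" = ad click credited to publisher `site`."""
    events, t = [], 1000
    # 20 users visit s.example; for 19 of them a click credited to p.example follows 1 s later.
    for i in range(20):
        events.append((f"u{i}", t, "visit", "s.example"))
        if i != 0:
            events.append((f"u{i}", t + 1, "click", "p.example"))
        t += 60
    # 30 users visit news.example; 2 of them click an ad on p.example 20 s later (organic).
    for i in range(30):
        events.append((f"n{i}", t, "visit", "news.example"))
        if i < 2:
            events.append((f"n{i}", t + 20, "click", "p.example"))
        t += 60
    return events

def mine_rules(events, window=5, min_support=10, min_confidence=0.8):
    """Return rules (S, P, visits_to_S, confidence) where a visit to S is followed
    within `window` seconds by a click credited to P, with enough support and confidence."""
    by_user = defaultdict(list)
    for user, ts, kind, site in events:
        by_user[user].append((ts, kind, site))

    visits = defaultdict(int)    # S -> number of visits to S
    followed = defaultdict(int)  # (S, P) -> visits to S followed by a click credited to P

    for evs in by_user.values():
        evs.sort()
        for i, (ts, kind, site) in enumerate(evs):
            if kind != "visit":
                continue
            visits[site] += 1
            credited = set()  # count each publisher at most once per visit
            for ts2, kind2, site2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if kind2 == "click" and site2 != site:
                    credited.add(site2)
            for publisher in credited:
                followed[(site, publisher)] += 1

    rules = []
    for (s, p), n in followed.items():
        confidence = n / visits[s]
        if visits[s] >= min_support and confidence >= min_confidence:
            rules.append((s, p, visits[s], round(confidence, 2)))
    return sorted(rules, key=lambda r: -r[3])

if __name__ == "__main__":
    for rule in mine_rules(make_sample_events()):
        print("suspicious pair: visit to %s -> click credited to %s "
              "(visits=%d, confidence=%.2f)" % rule)
```

A high-confidence rule is a lead for investigation, not proof: a legitimate page that prominently links to a publisher can also produce a strong S to P association.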

Manipulation of organic search results

One major factor that affects the ranking of websites in organic search results is the CTR (Click-through Rate). That is the ratio of clicks to impressions, or in other words how many times a search result is clicked on, as compared to the number of times the listing appears in search results.

In contrast to PPC fraud, where a competitor leverages the services of a botnet, or low-cost labour, to generate false clicks, in this case the objective is to adopt a "beggar thy neighbour" policy against competitors by making their CTR as low as possible, thereby diminishing their position in search results.

Bad actors will therefore generate false clicks on organic search results that they wish to promote, while avoiding search results they wish to demote. This technique can effectively create a cartel of business services controlled by the same bad actor, or be used to promote a certain political opinion etc. The scale of this issue is unknown but is certainly evident to many website developers who pay close attention to the statistics in webmaster tools.

Lawsuits

Michael Anthony Bradley

In 2004, California resident Michael Anthony Bradley created Google Clique, a software program that he claimed could let spammers defraud Google out of millions of dollars in fraudulent clicks, which ultimately led to his arrest and indictment. [17]

Bradley was able to demonstrate that fraud was possible, and was impossible for Google to detect. The Department of Justice alleged that he contacted Google saying that unless they paid him $100,000 for the rights to the technology, he would sell it to spammers, costing Google millions. As a result, Bradley was arrested for extortion and mail fraud in 2006. [18]

Charges were dropped without explanation on November 22, 2006; both the US Attorney's office and Google declined to comment. Business Week suggests that Google was unwilling to cooperate with the prosecution, as it would be forced to disclose its click fraud detection techniques publicly. [19]

Fabio Gasperini

On June 18, 2016, Fabio Gasperini, an Italian citizen, was extradited to the United States on click fraud charges. [20] An indictment charged Gasperini with:

According to the U.S. government, Gasperini set up and operated a botnet of over 140,000 computers around the world. This was the first click fraud trial in the United States. If convicted of all counts, Gasperini risked up to 70 years in prison.

Simone Bertollini, an Italian-American lawyer, represented Gasperini at trial. On August 9, 2017 a jury acquitted Gasperini of all the felony charges of the indictment. Gasperini was convicted of one misdemeanor count of obtaining information without a financial gain. Gasperini was sentenced to the statutory maximum of one year imprisonment, a $100,000 fine, and one year of supervised release following incarceration. Shortly after he was credited with time served and sent back to Italy. An appeal is currently pending. [21]

Solutions

Proving click fraud can be very difficult since it is hard to know who is behind a computer and what their intentions are. When it comes to mobile ad fraud detection, data analysis can give some reliable indications. Abnormal metrics can hint at the presence of different types of frauds. To detect click fraud in the ad campaign, advertisers can focus on the following attribution points [22]

Often the best an advertising network can do is to identify which clicks are most likely fraudulent and not charge the account of the advertiser. Even more sophisticated means of detection are used, [23] but none are foolproof.

The Tuzhilin Report [24] produced by Alexander Tuzhilin as part of a click fraud lawsuit settlement, has a detailed and comprehensive discussion of these issues. In particular, it defines "the Fundamental Problem of invalid (fraudulent) clicks":

The PPC industry is lobbying for tighter laws on the issue. Many hope to have laws that will cover those not bound by contracts.

A number of companies are developing viable solutions for click fraud identification and are developing intermediary relationships with advertising networks. Such solutions fall into two categories:

  1. Forensic analysis of advertisers' web server log files.
    This analysis of the advertiser's web server data requires an in-depth look at the source and behavior of the traffic. As industry standard log files are used for the analysis, the data is verifiable by advertising networks. The problem with this approach is that it relies on the honesty of the middlemen in identifying fraud.
  2. Third-party corroboration.
    Third parties offer web-based solutions that might involve placement of single-pixel images or JavaScript on the advertiser's web pages and suitable tagging of the ads. The visitor may be presented with a cookie. Visitor information is then collected in a third-party data store and made available for download. The better offerings make it easy to highlight suspicious clicks, and they show the reasons for such a conclusion. Since an advertiser's log files can be tampered with, accompanying them with corroborating data from a third party forms a more convincing body of evidence to present to the advertising network. However, the problem with third-party solutions is that they see only part of the traffic of the entire network. Hence, they can be less likely to identify patterns that span several advertisers. In addition, due to the limited amount of traffic they receive when compared to middlemen, they can be either too aggressive or not aggressive enough when judging traffic to be fraudulent.
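As an added illustration of the first category (example code, not from any vendor or from the sources cited here), the script below parses an advertiser's web server log in Combined Log Format, extracts paid clicks, and flags source addresses that produce bursts of clicks as well as click IDs that appear more than once. The `ad_click` landing-page parameter, the thresholds and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, hypothetical ad_click tag).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /landing?ad_click=c1 HTTP/1.1" 200 512 "https://pub.example/a" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /landing?ad_click=c2 HTTP/1.1" 200 512 "https://pub.example/a" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:17 +0000] "GET /landing?ad_click=c3 HTTP/1.1" 200 512 "https://pub.example/a" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:25 +0000] "GET /landing?ad_click=c4 HTTP/1.1" 200 512 "https://pub.example/a" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:41 +0000] "GET /landing?ad_click=c5 HTTP/1.1" 200 512 "https://pub.example/a" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /landing?ad_click=c6 HTTP/1.1" 200 512 "https://other.example/" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:30 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is truncated or malformed
198.51.100.21 - - [10/Mar/2024:11:00:00 +0000] "GET /landing?ad_click=c7 HTTP/1.1" 200 512 "https://pub.example/b" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2024:13:00:00 +0000] "GET /landing?ad_click=c7 HTTP/1.1" 200 512 "https://pub.example/b" "Mozilla/5.0"
"""

def parse_paid_clicks(log_text, tag="ad_click"):
    """Return one record per request whose URL carries the (assumed) click tag."""
    clicks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        query = parse_qs(urlsplit(m["url"]).query)
        if tag not in query:
            continue  # ordinary page view, not a paid click
        clicks.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "click_id": query[tag][0],
            "referer": m["referer"],
        })
    return clicks

def flag_bursts(clicks, max_clicks=3, window=timedelta(seconds=60)):
    """Map each source IP to its largest click count in any sliding window, if above max_clicks."""
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c["ip"]].append(c["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_clicks:
            flagged[ip] = worst
    return flagged

def replayed_click_ids(clicks):
    """Click IDs seen more than once; each paid click is assumed to carry a unique ID."""
    counts = Counter(c["click_id"] for c in clicks)
    return sorted(cid for cid, n in counts.items() if n > 1)

if __name__ == "__main__":
    parsed = parse_paid_clicks(SAMPLE_LOG)
    print("paid clicks:", len(parsed))
    print("burst sources:", flag_bursts(parsed))
    print("replayed click IDs:", replayed_click_ids(parsed))
```

Per-address thresholds only catch the single-source case described earlier; traffic spread over many machines needs the cross-advertiser view that middlemen have.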

In a 2007 interview in Forbes, Google click fraud prevention expert Shuman Ghosemajumder said that one of the key challenges in click fraud detection by third-parties was access to data beyond clicks, notably, ad impression data. [25]

Click fraud is less likely in cost per action models.

Research

The fact that the middlemen (search engines) have the upper hand in the operational definition of invalid clicks is the reason for the conflict of interest between advertisers and the middlemen, as described above. This is manifested in the Tuzhilin Report [24] as described above. The Tuzhilin report did not publicly define invalid clicks and did not describe the operational definitions in detail. Rather, it gave a high-level picture of the fraud-detection system and argued that the operational definition of the search engine under investigation is "reasonable". One aim of the report was to preserve the privacy of the fraud-detection system in order to maintain its effectiveness. This prompted some researchers to conduct public research on how the middlemen can fight click fraud. [26] Since such research is presumably not tainted by market forces, there is hope that this research can be adopted to assess how rigorous a middleman is in detecting click fraud in future law cases. The fear that this research can expose the internal fraud-detection system of middlemen still applies. An example of such research is that done by Metwally, Agrawal and El Abbadi at UCSB. Other work by Majumdar, Kulkarni, and Ravishankar at UC Riverside proposes protocols for the identification of fraudulent behavior by brokers and other intermediaries in content-delivery networks.

Related Research Articles

Affiliate marketing is a marketing arrangement in which affiliates receive a commission for each visit, signup or sale they generate for a merchant. This arrangement allows businesses to outsource part of the sales process. It is a form of performance-based marketing where the commission acts as an incentive for the affiliate; this commission is usually a percentage of the price of the product being sold, but can also be a flat rate per referral.

Google AdSense is a program run by Google through which website publishers in the Google Network of content sites serve text, images, video, or interactive media advertisements that are targeted to the site content and audience. These advertisements are administered, sorted, and maintained by Google. They can generate revenue on either a per-click or per-impression basis. Google beta-tested a cost-per-action service, but discontinued it in October 2008 in favor of a DoubleClick offering. In Q1 2014, Google earned US$3.4 billion, or 22% of total revenue, through Google AdSense. In 2021, more than 38 million websites used AdSense. It is a participant in the AdChoices program, so AdSense ads typically include the triangle-shaped AdChoices icon. This program also operates on HTTP cookies.

Google Ads is an online advertising platform developed by Google, where advertisers bid to display brief advertisements, service offerings, product listings, and videos to web users. It can place ads in the results of search engines like Google Search, mobile apps, videos, and on non-search websites. Services are offered under a pay-per-click (PPC) pricing model.

Yahoo! Native is a native "Pay per click" Internet advertising service provided by Yahoo.

Pay-per-click (PPC) is an internet advertising model used to drive traffic to websites, in which an advertiser pays a publisher when the ad is clicked.

Cost per action (CPA), also sometimes misconstrued in marketing environments as cost per acquisition, is an online advertising measurement and pricing model referring to a specified action, for example, a sale, click, or form submit.

Online advertising, also known as online marketing, Internet advertising, digital advertising or web advertising, is a form of marketing and advertising that uses the Internet to promote products and services to audiences and platform users. Online advertising includes email marketing, search engine marketing (SEM), social media marketing, many types of display advertising, and mobile advertising. Advertisements are increasingly being delivered via automated software systems operating across multiple websites, media services and platforms, known as programmatic advertising.

Click-through rate (CTR) is the ratio of clicks on a specific link to the number of times a page, email, or advertisement is shown. It is commonly used to measure the success of an online advertising campaign for a particular website, as well as the effectiveness of email campaigns.

Search engine marketing (SEM) is a form of Internet marketing that involves the promotion of websites by increasing their visibility in search engine results pages (SERPs) primarily through paid advertising. SEM may incorporate search engine optimization (SEO), which adjusts or rewrites website content and site architecture to achieve a higher ranking in search engine results pages to enhance pay per click (PPC) listings and increase the Call to action (CTA) on the website.

Microsoft Advertising is an online advertising platform developed by Microsoft, where advertisers bid to display brief ads, service offers, product listings and videos to web users. It provides pay per click advertising on search engines Bing, Yahoo! and DuckDuckGo, as well as on other websites, mobile apps, and videos.

In Internet marketing, search advertising is a method of placing online advertisements on web pages that show results from search engine queries. Through the same search-engine advertising services, ads can also be placed on Web pages with other published content.

Paid to click (PTC) is an online business model that draws online traffic from people aiming to earn money from home. PTC websites act as middlemen between advertisers and consumers; the advertiser pays for displaying ads on the PTC website, and a part of this payment goes to the viewer when they view the advertisement.

Website monetization is the process of converting existing traffic being sent to a particular website into revenue. The most popular ways of monetizing a website are by implementing pay per click (PPC) and cost per impression (CPI/CPM) advertising. Various ad networks facilitate a webmaster in placing advertisements on pages of the website to benefit from the traffic the site is experiencing.

Targeted advertising is a form of advertising, including online advertising, that is directed towards an audience with certain traits, based on the product or person the advertiser is promoting.

Behavioral retargeting is a form of online targeted advertising by which online advertising is targeted to consumers based on their previous internet behaviour. Retargeting tags online users by including a pixel within the target webpage or email, which sets a cookie in the user's browser. Once the cookie is set, the advertiser is able to show ads to that user elsewhere on the internet via an ad exchange.

Performance Marketing, also known as pay for performance advertising, is a form of advertising in which the purchaser pays only when there are measurable results. Its objective is to drive a specific action, and advertisers only pay when that action, such as an acquisition or sale, is completed.

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Search syndication is a type of contextual advertising which allows online search advertisers to buy keyword-targeted traffic outside of search engine results pages. This is considered to be an alternative to advertising on search engines, since 43% of all searches occur outside of the top search engines.

Ad fraud is concerned with the practice of fraudulently representing online advertisement impressions, clicks, conversion or data events in order to generate revenue. Ad-frauds are particularly popular among cybercriminals.

Methbot was an advertising fraud scheme.

References

  1. Wilbur, Kenneth C.; Zhu, Yi (2008-10-24). "Click Fraud". Marketing Science. 28 (2): 293–308. doi:10.1287/mksc.1080.0397. ISSN 0732-2399.
  2. Schonfeld, Erick; "The Evolution Of Click Fraud: Massive Chinese Operation DormRing1 Uncovered". TechCrunch. October 8, 2009.
  3. Richet, Jean-Loup (2022). "How cybercriminal communities grow and change: An investigation of ad-fraud communities". Technological Forecasting and Social Change. 174 (121282): 121282. doi:10.1016/j.techfore.2021.121282. ISSN 0040-1625. S2CID 239962449.
  4. Richet, Jean-Loup (2011). "Adoption of deviant behavior and cybercrime 'Know how' diffusion". York Deviancy Conference.
  5. Gandhi, Mona; Jakobsson, Markus; Ratkiewicz, Jacob; "Badvertisements: Stealthy Click-Fraud with Unwitting Accessories". Archived 2016-03-04 at the Wayback Machine. APWG eFraud conference, 2006.
  6. Grow, Bryan; Elgin, Ben; with Herbst, Moira (October 2, 2006). "Click Fraud: The dark side of online advertising". BusinessWeek. Archived from the original on October 4, 2006.
  7. "Botnets strangle Google Adwords campaigns, Keyword Hijacking Risk". The Register. Retrieved 2005-02-04.
  8. V. Anupam; A. Mayer; K. Nissim; B. Pinkas; M. Reiter (1999). "On the Security of Pay-Per-Click and Other Web Advertising Schemes. In Proceedings of the 8th WWW International World Wide Web Conference" (PDF). Unizh.co. pp. 1091–1100. Archived from the original (PDF) on 2017-10-10. Retrieved 2014-03-11.
  9. A. Metwally; D. Agrawal; A. El Abbadi (2005). "Using Association Rules for Fraud Detection in Web Advertising Networks. In Proceedings of the 10th ICDT International Conference on Database Theory" (PDF). pp. 398–412. Archived from the original (PDF) on 2020-07-31. Retrieved 2013-03-01. An extended version appeared in a University of California, Santa Barbara, Department of Computer Science, technical report 2005-23.
  10. Davis, Wendy (July 5, 2005). "Google Wins $75,000 in Click Fraud Case". Media Post. Retrieved 2024-04-15.
  11. Ryan, Kevin M. (July 5, 2006). "Big Yahoo Click Fraud Settlement". iMedia Connection. Archived from the original on July 20, 2006. Retrieved July 6, 2006.
  12. Wong, Nicole; "Update Lanes Gifts v. Google". Google Blog, March 8, 2006
  13. Griffin, Joe E. (July 27, 2006). "Lanes v. Google Final Order" (PDF). Googleblog.blogsport.com.
  14. Sullivan, Danny; "Google Agrees To $90 Million Settlement In Class Action Lawsuit Over Click Fraud". Archived 2007-11-22 at the Wayback Machine. March 8, 2006
  15. "Court Docket For: Lane's Gifts and Collectibles, L.L.C. et al. v. Yahoo! Inc., et al". Docket Alarm, Inc. Retrieved 6 August 2013.
  16. Stricchiola, Jessie (July 28, 2004). "Lost Per Click". Search Engine Watch.
  17. "Criminal Docket for: USA v. Bradley, 5:04-cr-20108 (N.D.Cal.)". Docket Alarm, Inc. Retrieved 6 August 2013.
  18. US Department of Justice; "Computer Programmer Arrested for Extortion and Mail Fraud Scheme Targeting Google, Inc." Archived 2006-10-01 at the Wayback Machine. March 18, 2004
  19. Elgin, Ben; "The Vanishing Click Fraud Case". Business Week. December 4, 2006
  20. "Cybercriminal Who Created Global Botnet Infected With Malicious Software Extradited To Face Click Fraud Charges". www.justice.gov. Retrieved 2017-11-21.
  21. "Cybercriminal Convicted of Computer Hacking and Sentenced to Statutory Maximum". www.justice.gov. Retrieved 2017-11-21.
  22. "Click Fraud Prevention – Identify & Reduce Bot Traffic in Your Paid Ads". June 7, 2019
  23. Ghosemajumder, Shuman; "Using data to help prevent fraud". March 18, 2008
  24. Tuzhilin, Alexander; The Lane's Gifts v. Google Report, by Alexander Tuzhilin. July, 2006
  25. Greenberg, Andy; "Counting Clicks". Forbes. September 14, 2007
  26. Jansen, B. J. (2007) Click fraud. IEEE Computer. 40(7), 85-86.