Bronte Media

Click Fraud Autopsy

April 16th, 2007

Businessweek had an excellent profile of click fraud networks that incentivized Indian housewives to click on ads a while back. The article focused on the manual face of click fraud.

A few Google employees have just released a paper that provides a stunning insight into the presumably more common form of automated click-fraud networks. I printed off the 14-page article and read it on the subway home. I’d recommend everybody who reads this to do the same.

Aside from the “we just want to make sure to reiterate that Google has caught every fraudulent click”, “Seriously”, “Did I mention that Google caught every one of the fraudulent clicks?” tone of the article, it provides a brilliant portrait of exactly how click fraud networks work.

Basically, a small piece of spyware is distributed through screensavers or downloaded games. Once the spyware has been activated (the article also makes clear that hardly any anti-virus software picks up the spyware, and that users don’t really care because it doesn’t affect the performance of their PC and the software itself is perishable), it registers with a central command center.

The central command center is usually a hacked ISP account, and if it is discovered and/or removed, it can reappear elsewhere on the net in another hacked ISP account in a relatively short amount of time.

The central command center basically farms out instructions based upon a keyword dictionary it knows about. No spyware client clicks more often than 15 minutes at a time, and none clicks more than 20 times (in the botnet example). In addition, the clicks are spread out over a wide variety of sites and ad networks. In addition to what you’d expect in search, they also click on porn links.

The low noise of the network (i.e. across many networks, relatively few clicks, across a huge network of normal people’s computers and over a non-concentrated time period) is fairly sophisticated. As is the distributed and redundant nature of the operation. And as the paper notes, the software was at a fairly beta stage (v. 0.007).

The network washes the clicks through a doorway page that masks the referrer to the advertising network and sub-publishers.

To me, the problem seems to stem from the sub-distributor relationships Yahoo and Google have with other firms, i.e. firms that sign up publishers to be in Yahoo’s and Google’s network. There is also the tougher example where search firms have affiliate programs that bring in traffic. In both, there are legitimate examples of relationships, but it seems to me there should be greater auditing and accountability (i.e. analytics on the affiliate pages or search pages themselves that originated the click).
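One way to run the kind of audit suggested above, as an added example that is not from the paper or this post: a per-client click limit misses clients that stay at or under 20 clicks, while reconciling each sub-publisher's billed clicks against page views recorded on the originating page exposes the low-noise pattern. The log layout, the publisher ids, the analytics page-view records and every threshold are assumptions, and all data is constructed.

```python
from collections import Counter, defaultdict

PER_CLIENT_LIMIT = 20  # the post's botnet example: a client stays at or under 20 clicks

def sample_data():
    """Constructed data. clicks: (client, publisher_id); views: set of
    (client, publisher_id) seen by a hypothetical analytics tag on the
    publisher page that originated the click."""
    clicks, views = [], set()
    for i in range(40):                      # 40 clients, 3 clicks each, no page view
        clicks += [(f"10.0.{i}.5", "sub-pub-A")] * 3
    for i in range(12):                      # ordinary traffic with page views
        clicks += [(f"192.0.2.{i}", "sub-pub-B")] * 2
        views.add((f"192.0.2.{i}", "sub-pub-B"))
    clicks += [("198.51.100.9", "sub-pub-B")] * 25   # one noisy client
    views.add(("198.51.100.9", "sub-pub-B"))
    return clicks, views

def flag_clients(clicks, limit=PER_CLIENT_LIMIT):
    """Per-client volume rule: flags only clients above the limit."""
    counts = Counter(client for client, _ in clicks)
    return {c for c, n in counts.items() if n > limit}

def audit_publishers(clicks, views, min_clients=30, max_matched=0.10):
    """Per-publisher reconciliation: many distinct clients whose clicks have
    no matching page view on the originating page."""
    by_pub = defaultdict(lambda: {"clients": set(), "clicks": 0, "matched": 0})
    for client, pub in clicks:
        s = by_pub[pub]
        s["clients"].add(client)
        s["clicks"] += 1
        s["matched"] += (client, pub) in views
    report = {}
    for pub, s in by_pub.items():
        ratio = s["matched"] / s["clicks"]
        report[pub] = {"clients": len(s["clients"]), "clicks": s["clicks"],
                       "matched_ratio": round(ratio, 2),
                       "flag": len(s["clients"]) >= min_clients and ratio <= max_matched}
    return report

if __name__ == "__main__":
    clicks, views = sample_data()
    print("per-client rule:", flag_clients(clicks))
    for pub, row in audit_publishers(clicks, views).items():
        print(pub, row)
```

On the constructed data the per-client rule flags only the single noisy client, while the per-publisher audit flags the account whose 120 clicks come from 40 quiet clients.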

The second thing that struck me was the sophistication of the networks themselves. The redundancy and distributed nature of the networks is fascinating and many of the principles can be applied to legitimate web applications and data processing. Like anything, technology can be used for good or bad.

Either way, bravo to Google for a great paper and go and read it yourself.

One Response to 'Click Fraud Autopsy'


  1. Richard Ball said, on April 16th, 2007 at 11:07 am

    I thought this sentence was interesting: “It is important to note that in a Clickbot.A-type attack, top-tier search engines would not pay miscreants directly.” IOW, Google is implying that it’s not their fault this happens. As you point out, though, it’s up to Google and Yahoo to manage their distribution partners.