Click Forensics Malware Lab identified a new malware scheme targeting display banner ads. The program performs a pop-up or pop-under and rotates brand advertisers’ banner ads every 10-15 min in an effort to boost impression figures.

In Q4 2010, the countries outside North America producing the greatest volume of click fraud were Japan, the Netherlands, the Philippines, Sweden and France, respectively.

“While the overall click fraud rate dropped last quarter for CPC advertising, we saw the emergence of new schemes focused on display advertisements,” said Paul Pellman, CEO of Click Forensics.

“We are investigating the malware-driven attacks in more detail, but early evidence points to an impression inflation scheme. It’s something we will examine more closely and report on later this year.”

Anchor Intelligence told WebProNews the record attempted click fraud rate can be attributed to dramatic growth in botnet scale and volume around the globe.

The countries with the highest attempted click fraud rates were Vietnam (35.4%), Australia (35.2%), and the U.S. (35%). The majority of this traffic was due to high velocity botnet traffic and coordinated click fraud rings. This increase in botnet click fraud also caused a significant surge in attempted click fraud in the U.K., from 18 percent in Q4 to 32 percent in Q1.

"As Internet usage has grown in countries lacking appropriate cybersecurity measures, more and more computers have become infected with malware and used as click fraud zombies," said Ken Miller, CEO of Anchor Intelligence.

"By releasing this report, we hope to convey the importance of advertising with ad networks and search engines that partner with third-parties such as Anchor to certify their traffic quality."

The jump in botnet activity across the Anchor Intelligence network is consistent with other accounts of corrupt activity originating from compromised computers around the world. Recent reports from McAfee and Google identified a surge in cyber attacks against blogs criticizing mining projects in Vietnam.

In addition, in December and January, over thirty companies were targeted by cyber attacks origination from China that were designed to steal personal data from corporate networks.
 

The jump in the attempted click fraud rate in Q4 was due to more activity by click fraudsters looking to take advantage of the increase in holiday ad spend online. The spread of botnets, which are used for automating traffic and coordinating click fraud activity, spiked late in the quarter.

"As botnets become more flexible and resilient, click fraud will be increasingly difficult to identify without a collaborative and systematic, network-based approach," said Ken Miller, CEO of Anchor Intelligence.

"By releasing this report, we hope to provide a barometer by which the industry can assess the level of threats to online advertising while also conveying the importance of advertising with ad networks and search engines that partner with third-parties to certify their traffic quality."

Highlights from the report include:

• In Q4 2009, the attempted click fraud rate peaked at 25.7%.
• The 5 countries with the highest attempted click fraud rates in 2009 were Vietnam, U.S., Egypt, Canada, and Australia. In particular, the U.S. and Canada accounted for the vast majority of traffic volume, making these two countries the largest sources of attempted click fraud by volume.
• Anchor predicts that click fraud attempts will increase in 2010 as cybercriminals increasingly exploit the growth and adoption of social networks such as Facebook and tools such as Twitter.

  Related Articles:

> How Search Engines Manage Click Fraud

> Botnets Driving Click fraud Traffic

> Massive Click Fraud Ring Shut Down

Here, spyware on a user’s PC monitors the user’s browsing to determine the user’s likely purchase intent. Then the spyware fakes a click on a Google PPC ad promoting the exact merchant  the user was already visiting. If the user proceeds to make a purchase — reasonably likely for a user already intentionally requesting the merchant’s site — the merchant will naturally credit Google for the sale. Furthermore, a standard ad optimization strategy will lead the merchant to increase its Google PPC bid for this keyword on the reasonable (albeit mistaken) view that Google is successfully finding new customers. But in fact Google and its partners are merely taking credit for customers the merchant had already reached by other methods.

Do you cosider click fraud a big concern? Discuss here.

Edelman details all of the specifics about his dicovery, pointing to an example perpetrator – Trafficsolar, which he blames InfoSpace for connecting Google to. He also suggests Google discontinue its relationship with InfoSpace and other partners who have their own chains of partners, making everything harder to monitor. In his example, he finds an astounding seven intermediaries in the chain between the click and the Google ad itself.

"Furthermore, Google styles its advertising as ‘pay per click’, promising advertisers that ‘You’re charged only if someone clicks your ad,’" says Edelman. "But here, the video and packet log clearly confirm that the Google click link was invoked without a user even seeing a Google ad link, not to mention clicking it. Advertisers paying high Google prices deserve high-quality ad placements, not spyware popups and click fraud."

As Andy Greenberg with Forbes points out in an article, which brought Edelman’s findings to the forefront of mainstream exposure (and likely to Google’s attention), Edelman has a history of criticizing Google, is actually involved with a lawsuit involving misplacement of Google ads, and has served as a consultant to Microsoft, but maintains that this research is not funded by Microsoft or a company involved in that lawsuit. Greenberg reports:

As for its ability to detect the new form of click fraud, Google has long argued that it credits advertisers for as much as 10% of their ad spending based on click fraud that the company detects. While the company wouldn’t comment on Edelman’s TrafficShare example, a spokesperson wrote that the company uses "hundreds of data points" to detect fraud, not just clicks.

In a report last October, click fraud research firm Click Forensics measured click fraud at around 14%, significantly higher than Google’s estimates. But even Click Forensics may not be counting the sort of click fraud Edelman accuses TrafficSolar of committing. Because Click Forensics’ data is pulled from advertisers, the company can’t necessarily detect click fraud that is disguised as real customers and real sales, according to the company’s chief executive, Paul Pellman. Pellman believes, however, that the kind of click fraud Edelman discovered is likely mixed with traditional click fraud to increase the scheme’s traffic volume while keeping it hidden.

Click Forensics’  own Steve O’Brien says "it was probably a fairly low-volume scheme to begin with.  It’s limited to machines of users that are infected with spyware who also visit select Google advertisers…It’s a problem, but probably not a huge one.  What would make it more serious is if there were another version of the spyware that simply clicks on paid links in the background without the user’s knowledge…"

As for Edelman’s suggestion that Google sever ties with Infospace and the like, O’Brien doesn’t think it is worth going that far. "A better solution would be for Google and InfoSpace to deal only with reputable partners who provide verified, audited clicks to ensure advertisers get what they pay for," says O’Brien.

Though Click Forensics appears to downplay the threat compared to Edelman’s own analysis, it shows the increasing sophistication with which fraudsters are carrying out their plots. Good times.

Do you think Google should take more action in trying to prevent new kinds of click fraud? Share your thoughts here.

Related Articles:

> How Search Engines Manage Click Fraud

> Botnets Driving Click fraud Traffic

> Massive Click Fraud Ring Shut Down

Click Forensics told WebProNews that the amount of click fraud traffic from botnets generally hovers around 33 percent, and it believes the sudden rise may be to due to the increasing sophistication and proliferation of botnets.

Botnets accounted for 42.6 percent of all click fraud in Q3 2009, more than doubling in the past two years and up from the 27.5 percent reported for the same quarter last year.

The overall industry average click fraud rate was 14.1 percent. That’s up from 12.7 percent for Q2 2009 and down from the 16 percent rate reported for Q3 2008.

In Q3, the countries outside North America producing the greatest volume of click fraud were the United Kingdom, Vietnam and Germany, respectively.

"The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts," said Paul Pellman, CEO of Click Forensics.

"Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication. Advertisers and ad providers need to be especially vigilant about such activity as we enter the competitive search marketing holiday season."
 

"This is really the first time anyone has ever been able to catch click fraudsters ‘in the act.’ Anchor has identified fraudsters down to the publisher site, IPs used (likely via botnets), and even the names and address of some perpetrators," an Anchor spokesperson told WebProNews. 

"We have an ongoing collaboration with the San Francisco Division of the FBI as well as the National Cyber-Forensics & Training Alliance (NCFTA) to share insights about the tactics used by these and other click fraud perpetrators."

The Chinese fraud ring consisted of thousands of publishers who created websites and generated fake ad traffic on these sites with the purpose of defrauding ad networks and advertisers.

Anchor says the click fraud hit the ads of nearly 2,000 advertisers across multiple ad networks. The clicks originated from 200,000 IPs, and if undetected would have cost the affected advertisers over $3 million over the course of a year.

The fraudsters dubbed "DormRing1" by Anchor because many of the people involved were students operating out of dormitories at Shanghai Technology Institute and other Chinese technical universities.  Working with one of its ad network customers, Anchor tracked the operations of DormRing1 by gaining access to exclusive bulletin boards on various Chinese social networking sites.

"Click fraud rings are active across the Internet and constantly evolving their tactics while trolling for vulnerable networks and advertisers," said Ken Miller, CEO of Anchor Intelligence.
 

These companies include Google, Yahoo, and Microsoft, as well as Business.com. When we think click fraud, the major search engines tend to come to mind, but that is still not the entire picture, obviously.

"The three largest search engines represent more than 95 percent of all U.S. searches, which in the month of May 2009 equaled more than 13 billion searches. Completing those companies’ click measurement audits represents a significant milestone in the war on click fraud," said Joe Laszlo, research director of the IAB.

"However, these guidelines also serve a broader audience of advertising buyers and sellers, and the participation of the leading business search engine in these audits points the way for other publishers selling cost-per-click ads to be audited against the guidelines as well," he added.

It is good to know that the big three search engines were able to meet these newly established guidelines so quickly, although some may wonder if the guidelines go far enough. There are still plenty of other networks to worry about too.

"We applaud these member companies for swiftly adopting the IAB’s Click Measurement Guidelines," said IAB President and CEO Randall Rothenberg. "We are confident that this initial group will be followed by many other organizations in our membership who recognize these guidelines as one of the most important ways to assure marketers that the clicks they pay for are real."

WebPronews summarized the IAB’s click measurement guidelines here. You can get more details by looking at the entire document on the IAB’s site.

The new tool is called "Block List" which provides ad networks with a continually updated list of visitor IP addresses and publishers known to generate online click fraud. Block List can be used with the Click Forensics platform to block invalid traffic and to shift  advertsing dollars to other sources that offer better results.

The Block List tool could help marketers reduce the rate of click fraud between 15 to 25 percent according to Click Forensics.

Paul Pellman

"Our new Block List is a quick first step for ad networks looking for information on some of the best and worst online traffic sources," said Paul Pellman, CEO of Click Forensics.

"They can use it to help their clients make the most of their online advertising investments."

Examples of blocked traffic sources include:

–Publishers committing click fraud;
–IP addresses of visitors known to commit a high level of fraud;
–IP address ranges generating non-human traffic, such as co-location facilities; and
–Other traffic sources that generate hacker attacks and spam.

"The Click Forensics Block List feature is an invaluable tool to help us protect our advertisers and deliver better results," said Evan Balafas, Managing Director of Excite Digital Media, a search advertising network.

"Just as we proactively protect our own computers from viruses and malware threats, we need to continually do the same for our advertisers so they get the most out of the millions of dollars they spend online."

The Click Fraud Suit

Sports site Rootzoo filed a lawsuit on Tuesday in federal district court in San Jose, CA, according to a report from MediaPost. They are apparently seeking class action status. Rootzoo’s claim is that Facebook charged advertisers for more clicks than what actually happened. Specifically, there was one day where RootZoo claims to have only had 300 clicks, and that Facebook charged them for 804.

Facebook said in a statement, "We have developed a series of sophisticated systems to detect suspicious clicks and ensure advertisers are not charged for this activity. In addition, we analyze tremendous amounts of data to discern larger click patterns and, in rare cases where this research or other analysis reveals advertisers have been charged for invalid clicks, we have always, and will continue to, issue credits to impacted advertisers."

Rootzoo is not the only party to complain of such activity from Facebook. A variety of users have voiced such issues in various locations on the web.

The Data Portability Suit

The second legal battle Facebook is involved with is a little more complicated. This one is actually a countersuit from a site called Power.com, who Facebook sued in the past after it violated their terms of service. Jason Kincaid paints a more elaborate rendition of the big picture in this case, but here is a look at the actual legal document.

If Facebook’s terms of service were violated, its hard to imagine the company losing this battle, although, I have no legal background by any means. Either way, it will be interesting to see the outcome of both cases.

Over the past few days, we have seen an increase in suspicious clicks. We have identified a solution which we have already begun to implement and expect will be completely rolled out by the end of today (06/21). In addition, we are identifying impacted accounts and will ensure that advertisers are credited appropriately.

Click fraud reportedly reached record levels at the end of last year, but began to decline early this year. Last month, the Interactive Advertising Bureau released its click measurement guidelines to serve as a framework for identifying click fraud. Microsoft is currently trying to set an example by suing a few alleged click fraudsters for $75,000.