This is “Search Engines, Ad Networks, and Fraud”, section 14.9 from the book Getting the Most Out of Information Systems (v. 2.0). For details on it (including licensing), click here.
For more information on the source of this book, or why it is available for free, please see the project's home page. You can browse or download additional books there. To download a .zip file containing this book to use offline, simply click here.
There’s a lot of money to be made online, and this has drawn the attention of criminals and the nefarious. Online fraudsters may attempt to steal from advertisers, harm rivals, or otherwise dishonestly game the system. But bad guys beware—such attempts violate terms-of-service agreements and may lead to prosecution and jail time.
Studying ad-related fraud helps marketers, managers, and technologists understand potential vulnerabilities, as well as the methods used to combat them. This process also builds tech-centric critical thinking, valuation, and risk assessment skills.
Some of the more common types of fraud that are attempted in online advertising include the following:
Disturbing stuff, but firms are after the bad guys and they’ve put their best geeks on the case. Widespread fraud would tank advertiser ROI and crater the online advertising market, so Google and rivals are diligently working to uncover and prosecute the crooks.
On the surface, enriching click fraud seems the easiest to exploit. Just set up a Web site, run PPC ads on the page, and click like crazy. Each click should ring the ad network cash register, and a portion of those funds will be passed on to the perpetrating site owner—ka ching! But remember, each visitor is identified by an IP address, so lots of clicks from a single IP make the bad guys easy to spot.
So organized crime tried to raise the bar, running so-called click farmsRecruiting a network of users to engage in click fraud with the goal of spreading IP addresses across several systems and make a fraud effort more difficult to detect. to spread fraud across dozens of IP addresses. The Times of India uncovered one such effort where Indian housewives were receiving up to twenty-five cents for each ad click made on fraudster-run Web sites.N. Vidyasagar, “India’s Secret Army of Online Ad ‘Clickers,’” Times of India, May 3, 2004. But an unusually large number of clicks detected as coming from Indian IP addresses foiled these schemes as well.
Fraudsters then moved on to use zombie networksSometimes called “clickbots” or “botnets,” these are hordes of surreptitiously infiltrated computers, linked and controlled remotely. This technique is used to perpetrate click fraud, as well as a variety of other computer security crimes.—hordes of surreptitiously infiltrated computers, linked and controlled by rogue software.C. Mann, “How Click Fraud Could Swallow the Internet,” Wired, January 2006. To create zombie networks (sometimes called botnets), hackers exploit security holes, spread viruses, or use so-called phishing techniques to trick users into installing software that will lie dormant, awaiting commands from a central location. The controlling machine then sends out tasks for each zombie, instructing them to visit Web sites and click on ads in a way that mimics real traffic. Zombie botnets can be massive. Dutch authorities once took down a gang that controlled some 1.5 million machines.T. Sanders, “Dutch Botnet Gang Facing Jail,” IT News Australia, January 18, 2007; and N. Daswani and M. Stoppleman, “The Anatomy of Clickbot” (paper, Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, April 11–13, 2007).
Scary, but this is where scale, expertise, and experience come in. The more activity an ad network can monitor, the greater the chance that it can uncover patterns that are anomalous. Higher click-through rates than comparable sites? Caught. Too many visits to a new or obscure site? Caught. Clicks that don’t fit standard surfing patterns for geography, time, and day? Caught.
Sometimes the goal isn’t theft, but sabotage. Google’s Ad Traffic Quality Team backtracked through unusual patterns to uncover a protest effort targeted at Japanese credit card firms. Ad clicks were eventually traced to an incendiary blogger who incited readers to search for the Japanese word kiyashinku (meaning cashing credit, or credit cards), and to click the credit card firm ads that show up, depleting firm search marketing budgets. Sneaky, but uncovered and shut down, without harm to the advertisers.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008).
Search firm and ad network software can use data patterns and other signals to ferret out most other types of fraud, too, including rank-based impression fraud, spamdexing, and keyword stuffing. While many have tried to up the stakes with increasingly sophisticated attacks, large ad networks have worked to match them, increasing their anomaly detection capabilities across all types of fraud.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008). Here we see another scale and data-based advantage for Google. Since the firm serves more search results and advertisements than its rivals do, it has vastly more information on online activity. And if it knows more about what’s happening online than any other firm, it’s likely to be first to shut down anyone who tries to take advantage of the system.
Accounts on the actual rate of click fraud vary widely. Some third-party firms contend that nearly one in five clicks is fraudulent.S. Hamner, “Pay-per-Click Advertisers Combat Costly Fraud,” New York Times, May 12, 2009. But Google adamantly disputes these headline-grabbing numbers, claiming that many such reports are based on-site logs that reflect false data from conditions that Google doesn’t charge for (e.g., double counting a double click, or adding up repeated use of the browser back button in a way that looks like multiple clicks have occurred). The firm also offers monitoring, analytics, and reporting tools that can uncover this kind of misperceived discrepancy.
Google contends that all invalid clicks (mistakes and fraud) represent less than 10 percent of all clicks, that the vast majority of these clicks are filtered out, and that Google doesn’t charge advertisers for clicks flagged as mistakes or suspicious.M. Lafsky, “Google and Click Fraud: Behind the Numbers,” New York Times, February 27, 2008. In fact, Google says their screening bar is so high and so accurate that less than 0.02 percent of clicks are reactively classified as invalid and credited back to advertisers.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008).
So who’s right? While it’s impossible to identify the intention behind every click, the market ultimately pays for performance. And advertisers are continuing to flock to PPC ad networks (and to Google in particular). While that doesn’t mean that firms can stop being vigilant, it does suggest that for most firms, Google seems to have the problem under control.