Click Fraud Gets Smarter

Internet ad-traffic scams could be ripping off as much as $1 billion annually. Are Web companies like Google doing enough to foil them?

Web consultant Greg Boser has an ingenious method for sending loads of traffic to clients' Internet sites. Last month he began using a software program known as a clickbot to create the impression that users from around the world were visiting sites by way of ads strategically placed alongside Google search results. The trouble is, all the clicks are fake. And because Google charges advertisers on a per-click basis, the extra traffic could mean sky-high bills for Boser's clients.

But Boser's no fraudster. He cleared the procedure with clients beforehand and plans to reimburse any resulting charges. What's he up to? Boser wants to get to the bottom of a blight that's creating growing concern for online advertisers and threatens to wreak havoc across the Internet: click fraud.


  The practice can wildly skew statistics on the popularity of an ad, drain marketing budgets, and enrich the scam artists behind it. While click fraud isn't new, the methods for carrying it out -- take Boser's clickbot software -- are getting increasingly sophisticated. And some advertisers, analysts and consultants question whether Web companies such as Google (GOOG) and Yahoo (YHOO) are doing enough to nip click fraud in the bud. "No one has any idea how much of this is actually going on," says Boser. "So we're going to see how well [the search engines] actually try to protect advertisers."

One of Boser's biggest challenges is putting a finger on exactly how widespread the practice is. Some search consultants say click fraud accounts for upwards of 20% of all traffic, and may generate more than $1 billion in dubious sales a year. Others say those stats vastly overstate the problem.

Now, one of the biggest players in fraud detection aims to end the guessing. Fair Isaac (FIC), which analyzes 85% of U.S. credit card transactions, in partnership with Web search consultancy Alchemist Media, will unveil plans at this week's Search Engine Strategies Conference for what it says is the most rigorous study ever of click fraud. Fair Isaac will invite companies to submit traffic data that can be mined for aberrations that may signify fraud. "We've seen indications that the overall losses due to click fraud could equal more than $1 billion [a year] -- larger than the total magnitude of credit card fraud in the U.S.," says Kandathil Jacob, Fair Isaac's director of product marketing. "It's certainly worth our effort to look at it."


  A rising number of companies would agree. The percentage of advertisers listing click fraud as a "serious" problem tripled in 2005, to 16%, according to a survey by the Search Engine Marketing Professional Organization. Advertisers have filed at least two class-action suits saying Google, Yahoo, and other search engines ought to be more up-front about methods for combating the practice. Google says the suits are meritless. Yahoo declines to comment.

And in January, Standard & Poor's equity analyst Scott Kessler downgraded Google stock in part because he considers click fraud a "notable risk" (see BW Online, 1/17/06, "S&P Downgrades Google to Sell"). Among his concerns: the prospect of false clicks may sour companies from placing ads on Google. He too says Google needs to be more forthcoming on the issue. "No one has any idea as to what Google assesses [as] its own percentage of clicks that are generated by fraud, no idea what that process consists of, and all the things that are being done to battle it," he says.

Attention to online fraud will only increase as advertisers devote more of their budgets to the Net, where the cost of ads varies by frequency of clicks. The more times an ad is clicked, the more the advertiser pays. In one of the most common categories of pay-per-click ads, the ad shows up next to search results.


  The other common type is known as a contextual ad, where ads are placed on third-party Web sites. Ad revenue is split between the Web site publisher and the company, such as Google or Miva (MIVA), that works as a middleman, matching advertisers to relevant sites. Yahoo's comparable contextual-ad program is still in testing. It's with these types of ads that serious damage can be done by site owners who fraudulently click ads appearing on their own Web pages, security experts say.

So how do they do it? This isn't the work of a lone Webmaster with an itchy mouse finger. Software like Boser's routes traffic all over the Internet through anonymous "proxy" servers scattered in far-flung locales, creating the illusion that visitors are logging on from all over the place, masking the traffic's true origin.

Then there are software companies with names like Fakezilla that sell traffic simulators online for as low as $40, advertising them as a way to "improve your site profits." The owner of Fakezilla, who would only give his name as Jack, says the software is intended to make sites appear popular and thus boost ranking on search engine pages. He concedes it can be used for other purposes.


  Security experts say that filtering out some software-created traffic is easy, since it's possible to detect when it comes from anonymous sources. "We feel that 99% of legitimate traffic has no reason to use anonymous proxies," says Dmitri Eroshenko, founder of click fraud consultancy Click Labs. "As far as finding them, it's just a matter of checking who the [server] address is registered to."

It gets more complicated when a hacker employs a whole network of clickbots. In this scenario, a virus writer could release a worm that infects thousands of unprotected PCs, making them slaves to the hacker. He could then route traffic from real computers all over the world to his network of sites.

With enough Web pages and enough "zombie" computers, each clicking and receiving clicks just a few times a day, a hacker could create a tidy business that's nearly impossible to detect, says Ken Dunham, a Web-security expert with Verisign-owned iDefense. "They're bloodsucking mosquitoes, and you just can't get them all," says Dunham, who works with law enforcement officials to track down hackers and online con artists.


  Meanwhile, code for botnet software is becoming more freely available on the Internet, making it easier for would-be hackers to disseminate spam or perpetrate identity theft and click fraud. "In August, 2004, we predicted we'd see exponential growth, and that's exactly what we saw," says Dunham.

Google and Yahoo say they strive to weed out all kinds of illegitimate traffic. "Monitoring compliance is a regular activity for us," says Shuman Ghosemajumder, manager of the Google team that monitors invalid click activity. To stop click fraud, Google uses software to scour Web traffic through its ads for repeated clicks, unusual patterns and visits from anonymous and overseas proxy servers. The program filters out what it deems invalid, and doesn't charge advertisers. When an advertiser complains about potential click fraud, a special team investigates and determines a refund is warranted, says Ghosemajumder.

Says John Slade, Yahoo's senior director of product management: "Click [fraud] is a serious but manageable challenge. It's challenging, and that's why we've built up a system that we continually refine and update for new patterns and problems."


  Some advertisers remain skeptical. A class-action lawsuit led by Texarkana, (Ark.)-based Lane's Gifts & Collectibles accuses Google of reticence and conflict of interest over the matter. A pay-per-click system "is not structurally designed to avoid these problems -- in fact it facilitates them," says Stephen Malouf, who is representing Lane's and the other companies. "I don't attribute any malevolence to (the search engines), but there is a lack of transparency...what's needed is a trusted third party that the industry decides on collectively."

Until then, Boser is taking matters into his own hands. He wants to ensure click fraudsters don't take his clients' dough into theirs.

Before it's here, it's on the Bloomberg Terminal.