Tuesday, January 22, 2008

Click Fraud Antics

I have begun to read into the area of click fraud. In doing so I have come across several blogs in which the owner of the blog complains that their Adsense account has been disabled due to click fraud, which they of course did not perpetrate. I would suspect some of these bloggers are not as innocent as their story claims. However, I am certain that there are some innocent victims in this crime. There is no way to tell whether the click fraud identified by Google originates from the author of the blog or not. In every case the author complains that Google will not level with them and divulge what exactly was detected as click fraud, so that the author can rectify the situation.

I understand that Google is worried that the more that a fraudster knows about how they detect click spam, the easier it will be for a fraudster to go undetected. That is why they cannot share any of their secrets with the authors of blogs, who would certainly share any information they learned on their blog. However, any actions that Google takes against fraud gives away some small details about what they do.

There are two sources of information that could potentially be used against Google. The first is that Google reports to Adsense users the number of clicks that they were given credit for. The second being either warnings or the disabling of accounts. In the first case if a fraudster were able to make an Adsense account for a website not exposed to the general public, then they could generate any number of attacks, with each attack having a different number of clicks associated with it in such a way that when the final number of clicks reported on that page would tell the attacker exactly which attacks failed and which attacks succeeded. Of course, such attacks would very quickly result in the suspension of their account. The attacker would necessarily need to make several accounts and perform fraud in such a small amount as to not be noticeable so quickly. The question then arises how easily could a fraudster generate several accounts without any of these new accounts traceable back to the fraudster?

This question leads to the second source of information which could be used by fraudsters to discover Google's fraud detection suite. Since accounts are being disabled for fraudulent behavior, then an attacker could use the feedback from a number of unsuspecting bloggers. An attacker would choose a number of blogs to carry out their attack. The attacker would generate fraudulent clicks on a particular blog until their clicks were detected and the blogger's Adsense account disabled. The attacker would fashion a new attack and repeat the whole process on another bloggers account. If successful, the attacker would not make any money on the attack, but would have a working prototype to use for their own purposes in the future. In this way an attacker receives a certain amount of feedback from Google without risking their own identity, shuts down a number of Adsense accounts that they may have competed with, and if it is their purpose creates a number of enemies for Google.

In the last attack, how could Google detect fraudulent clicks authorized by the author of a blog or website versus those attacks originating from outside sources. One cannot assume that click fraud would only be performed by the owner of the Adsense account or an accomplice to that owner. One could perhaps from Google's side compare similar click fraud attacks among websites for similarities and perhaps find a common signature among a number of attacks. This would not prove any of the Adsense account holders innocent, but may point to some of them being innocent. I am not sure that there is an easy answer to protecting the innocent in this last case.

No comments: