Online Advertising Fraud 101
I have long been of the opinion that the lack of transparency on the web is one of its growing and impending problems. It has become clear to observant consumers that it is very easy to create a false and misleading impression on the internet if one has the skill and desire to do so (for financial benefit).
It hasn't taken long for advertising to become just as big on the internet as it always has been in more traditonal commerce. While the majority of online advertising purveyors are legitimate businesses or solopreneurs, it has recently been revealed that, in the aggregate, there is a tremendous about of money lost, by advertisers, to advertising schemes and scams.
In fact, no less prestigious authority than Advertising Age’s online magazine recently stated that 1 out of 3 advertising dollars spent are siphoned off by fraud. They estimated the total lost was $18.5B. That’s a lot of money.
But, like anything else, this subject has already gotten obscured, to most people, by terminology and a lack of understanding of the basics involved. That’s what this article is about.
Another commonly used name for ‘online advertising fraud’ is ‘Click Fraud’.
Click fraud is especially common in something you've probably at least have heard about…PPC (pay per click) advertising. It occurs when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link.
Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.
In the book, The Search: How Google and its Rivals Rewrote the Rules of Business and Transformed our Culture, media entrepreneur and journalist John Battelle described click fraud as the "decidedly black-hat" practice of publishers illegitimately gaming paid search advertising by employing robots or low-wage workers to repeatedly click on each AdSense ad on their sites, thereby generating money to be paid by the advertiser to the publisher and to Google.
Pay-per-click advertising
PPC advertising is an arrangement in which webmasters (operators of websites), acting as publishers, display clickable links from advertisers in exchange for a charge per click. As this industry evolved, a number of advertising networks developed, which acted as middlemen between these two groups (publishers and advertisers).
And of course, any time there’s big money involved, some people succumb to the temptation of scamming consumers.
Each time a (believed to be) valid Web user clicks on an ad, the advertiser pays the advertising network, which in turn pays the publisher a share of this money. This revenue-sharing system is seen as an incentive for click fraud.
The largest of the advertising networks is Google's AdWords/AdSense and Yahoo! Search Marketing. They actually act in a dual role, since they are also publishers themselves (on their search engines).[3]
According to critics, this complex relationship may create a conflict of interest. This is because these companies lose money to undetected click fraud when paying out to the publisher but make more money when collecting fees from the advertiser. Because of the spread between what they collect and pay out, unfettered click fraud would create short-term profits for these companies.
Non-contracting parties
A secondary source of click fraud is non-contracting parties, who are not part of any pay-per-click agreement. This type of fraud is even harder to police because perpetrators generally cannot be sued for breach of contract or charged criminally with fraud. Here are some examples:
-
Competitors of advertisers: These parties may wish to harm a competitor who advertises in the same market by clicking on their ads. The perpetrators do not profit directly but force the advertiser to pay for irrelevant clicks, thus weakening or eliminating a source of competition.
-
Competitors of publishers: These persons may wish to frame a publisher. It is made to look as if the publisher is clicking on its own ads. The advertising network may then terminate the relationship. Many publishers rely exclusively on revenue from advertising and could be put out of business by such an attack.
-
Other malicious intent: As with vandalism, there are many motives for wishing to cause harm to either an advertiser or a publisher, even by people who have nothing to gain financially. Motives include political and personal vendettas. These cases are often the hardest to deal with, since it is difficult to track down the culprit, and if found, there is little legal action that can be taken against them.
-
Friends of the publisher: Sometimes upon learning a publisher profits from ads being clicked, a supporter of the publisher (like a fan, family member, political party supporter, charity patron or personal friend) will click on the ads to help. This can be considered patronage. However, this can backfire when the publisher (not the friend) is accused of click fraud.
Advertising networks may try to stop fraud by all parties but often do not know which clicks are legitimate. Unlike fraud committed by the publisher, it is difficult to know who should pay when past click fraud is found. Publishers resent having to pay refunds for something that is not their fault. However, advertisers are adamant that they should not have to pay for phony clicks.
Organization
Click fraud can be as simple as one person starting a small Web site, becoming a publisher of ads, and clicking on those ads to generate revenue. Often the number of clicks and their value is so small that the fraud goes undetected. Publishers may claim that small amounts of such clicking is an accident, which is often the case.
However, this technique can be scaled up considerably. Those engaged in large-scale fraud will often run scripts which simulate human clicking on ads in Web pages. However, huge numbers of clicks appearing to come from just one, or a small number of computers, or a single geographic area, obviously look highly suspicious to the advertising network and advertisers.
Clicks coming from a computer known to be that of a publisher (which can be and usually is tracked) also look suspicious to those watching for click fraud. For that basic reason, a person attempting large-scale fraud from one computer stands a good chance of being caught.
One type of fraud that usually circumvents detection is based on IP patterns uses existing user traffic and turning this traffic into clicks or impressions. These types of attacks can be camouflaged from users by using 0-size iframes to display advertisements that are programmatically retrieved using JavaScript.
They could also be camouflaged from monitors (advertisers and portals) by ensuring that so-called "reverse spiders" are presented with a legitimate page, while human visitors are presented with a page that commits click fraud.
The use of 0-size iframes and other techniques involving human visitors may also be combined with the use of incentivized traffic where members of "Paid to Read" (PTR) sites (often in developing countries) are paid small amounts of money to visit a website and/or click on keywords and search results, sometimes hundreds or thousands of times every day.
Some owners of PTR sites are members of PPC engines and may send many email ads to users who do search, while sending few ads to those who do not. They do this mainly because the charge @ click on search results is often the only source of revenue to the site. This is known as forced searching, a practice that is frowned upon in the Get Paid To industry.
Organized crime or wealthy solopreneur scammers can handle this by having many computers with their own Internet connections in different geographic locations. Because the scripts they use often fail to mimic true human behavior, these operators use Trojan code to turn the average person's machines into zombie computers and use sporadic redirects or DNS cache poisoning to turn the oblivious user's actions into actions generating revenue for the scammer.
These are pretty smart people, i.e. smart at their craft. Thus not only are they good at covering their trails technically but it is usually very difficult for advertisers, advertising networks, and authorities to pursue cases against networks of people spread around multiple developing countries.
Impression fraud is when falsely generated ad impressions affect an advertiser's account. In the case of click-through rate based auction models, the advertiser may be penalized for having an unacceptably low click-through for a given keyword. This involves making numerous searches for a keyword without clicking of the ad. Such ads are disabled[7]
Hit inflation attack
A hit inflation attack is a kind of fraudulent method used by some advertisement publishers to earn unjustified revenue on the traffic they drive to the advertisers’ Web sites. It is more sophisticated and harder to detect than a simple inflation attack.
This process involves the collaboration of two counterparts, a dishonest publisher, P, and a dishonest Web site, S. Web pages on S contain a script that redirects the customer to P's Web site, and this process is hidden from the customer. So, when user U retrieves a page on S, it would simulate a click or request to a page on P's site.
P's site has two kinds of web pages: a manipulated version, and an original version. The manipulated version simulates a click or request to the advertisement, causing P to be credited for the click-through. P selectively determines whether to load the manipulated (and thus fraudulent) script to U's browser by checking if it was from S. This can be done through the Referrer field, which specifies the site from which the link to P was obtained. All requests from S will be loaded with the manipulated script, and thus the automatic and hidden request will be sent.
This attack will silently convert every innocent visit to S to a click on the advertisement on P's page. Even worse, P can be in collaboration with several dishonest Web sites, each of which can be in collaboration with several dishonest publishers.
If the advertisement commissioner visits the Web site of P, the non-fraudulent page will be displayed, and thus P cannot be accused of being fraudulent. Without a reason for suspecting that such collaboration exists, the advertisement commissioner has to inspect all the Internet sites to detect such attacks, which is infeasible. Another proposed method for detection of this type of fraud is through use of site parameters specified by the respective advertising association.
Online advertising fraud isn't anything that's going to be stamped out overnight. The internet is a jungle where the fight for survival is constant. Perhaps the good thing to recognize here is that online advertising fraud has only recently being recognized as a serious problem. That being the case, it might even spawn a new, entrepreneurial, industry of ad-revenue protection.
David O