1. Click Fraud: An Overview of the Problem
Brendan Kitts
Data Mining: Aleksander Kolcz
Legal: Andy Cookson, Steve Santorelli, Scott Stein, Jon Zieger, Chris Weinstein
Financial Ops: Lisa Larsen, Anthony Lopez, Tim Sloane
Viruses / Malware: Jeff Williams, Ziv Mador
Black Ops: Ron Mills
Tier 2 Support: Bridget Bidlack, Joseph Morrison, Jason Dorsey, Kimberly Lancaster, Larry Golden, Michael Grochau
MSN Search: Zijian Zheng
PR / Planning: Jenifer Handler
Program Management: Ben Herd, Brian Burdick, Brendan Kitts
Email SPAM: Geoff Hulten
Development: Kaz, Hank Hoek, Julien Beasley, Ken Pierce, Binu John, Rajeev Prasad
Tier 3 Support: Michael Grochau, Matt Rice
Display Ads Platform: Alam Ali, Prasanth, Nir
Systems Integration: Martin Markov
Business Development: Corey Rosemond
2. Click Fraud
"I think something has to be done about this really, really quickly, because I think, potentially, it threatens our business model," George Reyes, Google Chief Financial Officer
“Click fraud is the biggest threat to the Internet economy” George Reyes, Google Chief Financial Officer
“Anyone who says this is not a real challenge is kidding you”, John Slade, Senior Director Product Management, Yahoo! Search Advertising
• Introduction
• Prevalence
• Detection Methods
• Examples
• Auction Theory
• Conclusions
3. Click Fraud: Reactions
Perplexed: "It's hard to tell how big the problem is, but people are looking at it closer and closer as the cost of search advertising goes up," John Squire, VP Business Development, Coremetrics
Philosophical: "Click fraud is like a big elephant standing in the middle of the living room. Everyone sees it and knows it's there, but no one is quite sure what to do about it." Lisa Wehr, President, Oneupweb
Hysterical: “Click fraud is ‘rampant’ and ‘staggering’…. it could wipe out ROI in search marketing...”, Stephen Messer, CEO, LinkShare
12. “Click Fraud: The Google Killer” (WebProNews)
“Click Fraud: Is It Happening to YOU?” (French)
“Click Fraud Looms as Search Engine Threat” (Associated Press)
“The Google Bomb” (Silicon Valley Daily News)
“Fraud A Big Threat” (MSNBC)
17. 100,000 computer botnet, Clickbot.A
Bots instructed to click no more than 20 times per day. They click on ads at a number of adult-oriented sites, which were delivered by a common Web address: www.asdbiz.biz, according to Panda officials. This would bring up adult sites, such as girlsascats.com and virgin-clitors.com. Both of these sites are registered to a possibly-fictional entity dubbed BeatOn in Kirov, Russia. Attempts to reach the Web-site owners were not successful.
18. Spyware – spyware link creation
Source: http://www.benedelman.org/spyware/images/yahoo-apr06/4/
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - Ben Edelman
This traffic is notable both because it resulted from spyware installed on my test PC without my consent, and because it resulted from insertion of advertising links into third parties' web sites (without their consent). In particular, as shown below, this traffic was predicated on Qklinkserver inserting a link into the New York Times web site, without its consent and without any on-screen labeling.
On a test PC with Qklinkserver, I observed numerous extraneous hyperlinks inserted into third parties' sites. See e.g. the New York Times site below. Note the stray hyperlink labeled "prime minister" -- words that are not actually a hyperlink on the "real" New York Times site, as viewed on uninfected test PCs.
http://www.benedelman.org/spyware/images/yahoo-apr06/4/video.wmv
Qklinkserver.com, Searchdistribution.net, Intermix's Sirsearch
19. Spyware window opener
This page gives screenshots showing on-screen displays after I requested SmartBargains. 180solutions opened a popup substantially covering my initial SmartBargains window. The popup's traffic flowed from 180solutions to Nbcsearch, then to Ditto.com, on to Yahoo Overture, and finally to a Yahoo advertiser -- all without me clicking on any sponsored link.
Interestingly and unusually, the harmed Yahoo advertiser here is SmartBargains itself -- the same site I had initially requested. The net effect of this click fraud is to show the user the site the user had requested -- but to show that site also in a second ("double") window. Since users end up at the requested site, users may not notice that anything is wrong. But from an advertiser's perspective, something is very wrong: This process asks SmartBargains to pay Yahoo Overture PPC fees for SmartBargains' own organic traffic -- a bad deal, since Yahoo Overture is providing SmartBargains with no new leads and no genuine value.
All testing occurred on March 2, 2006.
Source: http://www.benedelman.org/spyware/images/yahoo-apr06/4/
180 solutions
20. Ads not doing it for your webpage? Try porn instead!
Spyware that replaces Contextual Banner ads
http://www.techshout.com/internet/2005/27/a-trojan-horse-program-that-targets-google-ads-has-been-detected-by-an-indian-web-publisher/
32. Human Clicking Operations
• Data World, New Delhi (1)
– Rajiv Kumar, CEO
– Sells the names of web sites that pay people to click on internet ads for 350 rupees ($6.74).
– Kumar claims to have recruited 300 clickers during the last year or so. “We’ve been doing this for a year and a half and haven’t heard of any problems,” Kumar says.
33. Human Clicking Operations
• Shipranet, New Delhi (1)
– Jagriti Bora, CEO
– Bora has claimed to have recruited about 1,000 clickers.
– She says it’s perfectly all right to click on ads. “There’s nothing wrong with looking through a shop window even if you don’t buy,” she says.
35. Google: Lanes Gifts
$90 million
Google "failed to take any significant measures to track or prevent click fraud," and "fails to adequately warn its existing and potential customers about the existence of click fraud."
36. Yahoo case: Checkmate Strategic Group
$4.95 million
Yahoo breached its contract with class members,… by charging and/or overcharging Class Members for clicks that were click fraud, click through fraud, fraudulent clicks, click spam, invalid clicks, unwanted clicks, unqualified clicks, improper clicks, non-converting clicks, inadequately converting clicks, clicks that were not reasonably expected by Class Members.
37. Yahoo case: Crafts by Veronica
Ongoing! $$$$
In spite of Defendants’ promise and duty not to place ads in pernicious spyware programs, Defendants have done just that…. By placing Class Members’ ads into illegal platforms such as spyware programs, Defendants wrongfully collect high search engine advertising fees for ads that are actually shown in contexts that are worth far less, if anything…. [allowing search engines to] pocket the difference… Defendants also caused Class Members’ ads to appear within “typosquatting” web sites… [which are] illegal under the Anti-Cybersquatting Consumer Protection Act. Charges: (i) Civil Conspiracy, (ii) unjust enrichment, (iii) breach of contract (iv) violation of NJ Consumer Fraud Act. Plaintiff demands a trial by jury on all issues so triable.
38. Samuel Lassoff vs Google
– Samuel Lassoff sues Google, class action on behalf of residents of NY and NJ.
Ongoing! $$$$
Charges: (i) breach of contract, (ii) negligence, (iii) unjust enrichment and (iv) unfair business practices.
39. Microsoft vs Eric Lam and family
• 1.5 million in damages
• Sued for 750K
The Web Giant confronts Microsoft, a slumping stock – and a surge of swindlers clicking on ads, Anthony Effinger and Jonathan Thaw, Bloomberg Markets, May
41. Production performance – Quality separation and Revenue retained
[Figure: charts with legend entries "CPA billed" and "CPA filtered"]
1. Quality billed is extremely stable, even when the environment is subjected to massive shifts in traffic quality.
2. Red line shows Quality of filtered, which is the Quality of the traffic that we pulled out. It fluctuates wildly. Blue shows Quality billed which hovers within 20% over an extended period of time.
42. Microsoft filtration technology architecture
[Architecture diagram. Labels recovered from the diagram, in extraction order: Traffic Scorer; Smart-pricing; adCenter Delivery Engine; MB Log; Scores; Ads; Impression / ad call; Call for ads; Publisher Web Site; ARTEMIS Real-time Scoring Engine; Minerva Filtration System; adCenter Reports; Dump and Load; OLTP Database; BI Database; Redirection Server; MR Logs; FR Logs; MC Logs; New site; Click on Ad; Advertiser quality and targeting settings; Ad rotation module; Publisher Pipeline; Advertiser Pipeline; PubCenter Reports; Publisher Database; KPI Excel; KPI Cube; KPI Pipeline; Bot Telemetry Instrumentation Server; Blacklist Capture System; Automated Crawler System; F.MSN.Com Log; Glaux Data Bridge; OLS Stats; Minerva training pipeline; CPA Glaux OLS File; Feature Stats; CFR row by row Snapshot; Call for payload; FWB Cases; Fraud Ops; AdUnit; BTIS Payload; Bot payload; Telemetry; Third party and internal data sources; Third party and internal crawlers; Top Bad Feed]
43. Bot Signatures
[Figure: probability (y-axis) against filtration rate (x-axis, 1 == average for population), with separate series for fraud and non-fraud]
Bot signatures: Method for identifying bots in a standard format.
Allows investigators to calculate true positive, false positive rates. For example graphs like the one at left.
45. Google Attacks the Third Parties
“third party firms significantly over-estimate the […] amount of “click fraud”.
“In one case where 800 paid clicks were marked as “fraudulent”, the rate of conversion for these clicks was 5.1%, which compared favorably with 5.8% overall conversion rate”
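An added example, not part of the original slides: a proportion test on the figures quoted above (800 flagged clicks converting at 5.1% against 5.8% overall), showing how a fraud team can check whether a third party's flags are supported by conversion data. It treats the 5.8% overall rate as a known baseline, which is an assumption because the slide gives no sample size for it; all function names are illustrative.

```python
import math

def normal_cdf(z):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def z_test_vs_baseline(n, rate, baseline):
    """z statistic and two-sided p-value for H0: true rate == baseline."""
    se = math.sqrt(baseline * (1.0 - baseline) / n)
    z = (rate - baseline) / se
    return z, 2.0 * (1.0 - normal_cdf(abs(z)))

def wilson_interval(n, rate, z=1.96):
    """95% Wilson score interval for a proportion observed on n trials."""
    denom = 1.0 + z * z / n
    centre = (rate + z * z / (2.0 * n)) / denom
    half = z * math.sqrt(rate * (1.0 - rate) / n + z * z / (4.0 * n * n)) / denom
    return centre - half, centre + half

def significance_cutoff(n, baseline, z=1.96):
    """Highest observed rate that would still be significantly below baseline."""
    return baseline - z * math.sqrt(baseline * (1.0 - baseline) / n)

def assess_flagged_clicks(n, rate, baseline):
    """Summarise whether the flagged clicks convert worse than the baseline."""
    z, p = z_test_vs_baseline(n, rate, baseline)
    lo, hi = wilson_interval(n, rate)
    return {
        "z": z,
        "p_value": p,
        "ci95": (lo, hi),
        "baseline_inside_ci": lo <= baseline <= hi,
        "cutoff_rate": significance_cutoff(n, baseline),
        # Flags are supported only if conversion is significantly lower.
        "flags_supported": p < 0.05 and rate < baseline,
    }

# Figures from the slide: 800 flagged clicks, 5.1% vs 5.8% overall.
RESULT = assess_flagged_clicks(n=800, rate=0.051, baseline=0.058)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(key, value)
```

At this sample size the flagged set would have to convert below roughly 4.2% before the gap from a 5.8% baseline became significant at the 5% level, so the quoted 5.1% is statistically indistinguishable from ordinary traffic.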
47. Customer control
• Valid / invalid is the wrong way to think about this problem
– legally, operationally, statistically.
– Even customers recognize that invalid clicks are always “shades of grey”
• Retroactive credits
– Nobody likes them
• CPA
– Also fraud risk
• 3rd parties
– Google is currently fighting 3rd parties instead of working with them
– 3rd party revenue models include rev recovery and law suits!
48. Customer control
– Advertiser controls the filtration system
– Even poor quality clicks may be profitable – junk bonds
– No more Invalid/valid
– Reduce retroactive credits to near zero
– Uses the massive distributed system of advertisers to shut down revenue to fraudsters
– Quality bucket is a targeting variable just like age, gender, time-of-day, publisher-site.
– 3rd parties plug in their own fraud engines
49. Click Fraud: An Overview of the Problem
• Kitts, B., Zhang, Jingying, Roux, A., Mills, R. (2013), Click Fraud Detection with Bot Signatures, Proceedings of the 2013 IEEE Conference on Intelligence and Security Informatics (ISI IEEE 2013), June, Seattle, WA.