Click fraud is a type of fraud that occurs on the Internet in pay-per-click (PPC) online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link. Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.
In his book, The Search: How Google and its Rivals Rewrote the Rules of Business and Transformed our Culture, media entrepreneur and journalist John Battelle described click fraud as the "decidedly black-hat" practice of publishers illegitimately gaming paid search advertising by employing robots or low-wage workers to repeatedly click on each AdSense ad on their sites, thereby generating money to be paid by the advertiser to the publisher and to Google.
PPC advertising is an arrangement in which webmasters (operators of websites), acting as publishers, display clickable links from advertisers in exchange for a charge per click. As this industry evolved, a number of advertising networks developed, which acted as middlemen between these two groups (publishers and advertisers). Each time a (believed to be) valid Web user clicks on an ad, the advertiser pays the advertising network, which in turn pays the publisher a share of this money. This revenue-sharing system is seen as an incentive for click fraud.
The largest of the advertising networks, Google's AdWords/AdSense and Yahoo! Search Marketing, act in a dual role, since they are also publishers themselves (on their search engines). According to critics, this complex relationship may create a conflict of interest. This is because these companies lose money to undetected click fraud when paying out to the publisher but make more money when collecting fees from the advertiser. Because of the spread between what they collect and pay out, unfettered click fraud would create short-term profits for these companies.
A secondary source of click fraud is non-contracting parties, who are not part of any pay-per-click agreement. This type of fraud is even harder to police, because perpetrators generally cannot be sued for breach of contract or charged criminally with fraud. Examples of non-contracting parties are:
- Competitors of advertisers: These parties may wish to harm a competitor who advertises in the same market by clicking on their ads. The perpetrators do not profit directly but force the advertiser to pay for irrelevant clicks, thus weakening or eliminating a source of competition.
- Competitors of publishers: These persons may wish to frame a publisher. It is made to look as if the publisher is clicking on its own ads. The advertising network may then terminate the relationship. Many publishers rely exclusively on revenue from advertising and could be put out of business by such an attack.
- Other malicious intent: As with vandalism, there are many motives for wishing to cause harm to either an advertiser or a publisher, even by people who have nothing to gain financially. Motives include political and personal vendettas. These cases are often the hardest to deal with, since it is difficult to track down the culprit, and if found, there is little legal action that can be taken against them.
- Friends of the publisher: Sometimes upon learning a publisher profits from ads being clicked, a supporter of the publisher (like a fan, family member, political party supporter, charity patron or personal friend) will click on the ads to help. This can be considered patronage. However, this can backfire when the publisher (not the friend) is accused of click fraud.
Advertising networks may try to stop fraud by all parties but often do not know which clicks are legitimate. Unlike fraud committed by the publisher, it is difficult to know who should pay when past click fraud is found. Publishers resent having to pay refunds for something that is not their fault. However, advertisers are adamant that they should not have to pay for phony clicks.
Click fraud can be as simple as one person starting a small Web site, becoming a publisher of ads, and clicking on those ads to generate revenue. Often the number of clicks and their value is so small that the fraud goes undetected. Publishers may claim that small amounts of such clicking is an accident, which is often the case.
Much larger-scale fraud also occurs. Those engaged in large-scale fraud will often run scripts which simulate a human clicking on ads in Web pages. However, huge numbers of clicks appearing to come from just one, or a small number of computers, or a single geographic area, look highly suspicious to the advertising network and advertisers. Clicks coming from a computer known to be that of a publisher also look suspicious to those watching for click fraud. A person attempting large-scale fraud, from one computer, stands a good chance of being caught.
Organized crime can handle this by having many computers with their own Internet connections in different geographic locations. Often, scripts fail to mimic true human behavior, so organized crime networks use Trojan code to turn the average person's machines into zombie computers and use sporadic redirects or DNS cache poisoning to turn the oblivious user's actions into actions generating revenue for the scammer. It can be difficult for advertisers, advertising networks, and authorities to pursue cases against networks of people spread around multiple countries.
Impression fraud is when falsely generated ad impressions affect an advertiser's account. In the case of click-through rate based auction models, the advertiser may be penalized for having an unacceptably low click-through for a given keyword. This involves making numerous searches for a keyword without clicking of the ad. Such ads are disabled automatically, enabling a competitor's lower-bid ad for the same keyword to continue, while several high bidders (on the first page of the search results) have been eliminated.
Hit inflation attack
A hit inflation attack is a kind of fraudulent method used by some advertisement publishers to earn unjustified revenue on the traffic they drive to the advertisers’ Web sites. It is more sophisticated and harder to detect than a simple inflation attack.
This process involves the collaboration of two counterparts, a dishonest publisher, P, and a dishonest Web site, S. Web pages on S contain a script that redirects the customer to P's Web site, and this process is hidden from the customer. So, when user U retrieves a page on S, it would simulate a click or request to a page on P's site. P's site has two kinds of webpages: a manipulated version, and an original version. The manipulated version simulates a click or request to the advertisement, causing P to be credited for the click-through. P selectively determines whether to load the manipulated (and thus fraudulent) script to U's browser by checking if it was from S. This can be done through the Referrer field, which specifies the site from which the link to P was obtained. All requests from S will be loaded with the manipulated script, and thus the automatic and hidden request will be sent.
This attack will silently convert every innocent visit to S to a click on the advertisement on P's page. Even worse, P can be in collaboration with several dishonest Web sites, each of which can be in collaboration with several dishonest publishers. If the advertisement commissioner visits the Web site of P, the non-fraudulent page will be displayed, and thus P cannot be accused of being fraudulent. Without a reason for suspecting that such collaboration exists, the advertisement commissioner has to inspect all the Internet sites to detect such attacks, which is infeasible.
- Disputes over the issue have resulted in a number of lawsuits. In one case, Google (acting as both an advertiser and advertising network) won a lawsuit against a Texas company called Auction Experts (acting as a publisher), which Google accused of paying people to click on ads that appeared on Auction Experts' site, costing advertisers $50,000. Despite networks' efforts to stop it, publishers are suspicious of the motives of the advertising networks, because the advertising network receives money for each click, even if it is fraudulent.
- In July 2005, Yahoo settled a class-action lawsuit against it by plaintiffs alleging it did not do enough to prevent click fraud. Yahoo paid $4.5 million in legal bills for the plaintiffs and agreed to settle advertiser claims dating back to 2004 In July 2006, Google settled a similar suit for $90 million.
- On March 8, 2006, Google agreed to a $90 million settlement fund in the class-action lawsuit filed by Lane's Gifts & Collectibles. The class-action lawsuit was filed in Miller County, Arkansas, by Dallas attorneys Steve Malouf, Joel Fineberg, and Dean Gresham. The expert witness for the Plaintiffs in the case was Jessie Stricchiola, an internet search expert who first identified instances of PPC fraud in 2001.
Michael Anthony Bradley
In 2004, California resident Michael Anthony Bradley created Google Clique, a software program that he claimed could let spammers defraud Google out of millions of dollars in fraudulent clicks, which ultimately led to his arrest and indictment.
Bradley used technology that he created for his other companies that took him five years to develop. Using this technology, he was able to demonstrate that fraud was possible, and was impossible for Google to detect.
Bradley notified Google of this security flaw, and was willing to work with them to close up some of these holes. However, Bradley was offered $500,000 for his software and technology by some of the world's top spammers. With this information, Bradley thought he could put a price of $100,000 on his technology, and offered to sell Google all rights to his technology, and they could make the Internet a better and safer place.
When Bradley showed up to Google's offices, he demonstrated the software for them, and when they asked what he wanted, he had stated that he would consult for free if they wanted to purchase the rights to his technology. He explained the prior offer of $500,000 and said he knew he could get it, but would settle for $100,000 if they wanted to work together.
Unknowingly, Bradley returned to Google's offices and was met by United States Secret Service officers who were undercover. They kept asking him what he wanted, and they even pushed a check for $100,000 to him, Bradley stated that this felt like blackmail and he was not comfortable with this, and pushed the money away. Just then the Secret Service came in and arrested him.
Charges were dropped without explanation on November 22, 2006; both the US Attorney's office and Google declined to comment. Business Week suggests that Google was unwilling to cooperate with the prosecution, as it would be forced to disclose its click fraud detection techniques publicly.
Proving click fraud can be very difficult, since it is hard to know who is behind a computer and what their intentions are. Often the best an advertising network can do is to identify which clicks are most likely fraudulent and not charge the account of the advertiser. Even more sophisticated means of detection are used, but none are foolproof.
The Tuzhilin Report produced as part of a click fraud lawsuit settlement, has a detailed and comprehensive discussion of these issues. In particular, it defines "the Fundamental Problem of invalid (fraudulent) clicks":
- "There is no conceptual definition of invalid clicks that can be operationalized [except for certain obviously clear cases]."
- "An operational definition cannot be fully disclosed to the general public because of the concerns that unethical users will take advantage of it, which may lead to a massive click fraud. However, if it is not disclosed, advertisers cannot verify or even dispute why they have been charged for certain clicks."
The PPC industry is lobbying for tighter laws on the issue. Many hope to have laws that will cover those not bound by contracts.
A number of companies are developing viable solutions for click fraud identification and are developing intermediary relationships with advertising networks. Such solutions fall into two categories:
- Forensic analysis of advertisers' web server log files.
This analysis of the advertiser's web server data requires an in-depth look at the source and behavior of the traffic. As industry standard log files are used for the analysis, the data is verifiable by advertising networks. The problem with this approach is that it relies on the honesty of the middlemen in identifying fraud.
- Third-party corroboration.
In a 2007 interview in Forbes, Google click fraud czar Shuman Ghosemajumder said that one of the key challenges in click fraud detection by third-parties was access to data beyond clicks, notably, ad impression data.
Click fraud is less likely in cost per action models.
The fact that the middlemen (search engines) have the upper hand in the operational definition of invalid clicks is the reason for the conflict of interest between advertisers and the middlemen, as described above. This is manifested in the Tuzhilin Report as described above. The Tuzhilin report did not publicly define invalid clicks and did not describe the operational definitions in detail. Rather, it gave a high-level picture of the fraud-detection system and argued that the operational definition of the search engine under investigations is "reasonable". One aim of the report was to preserve the privacy of the fraud-detection system in order to maintain its effectiveness. This prompted some researchers to conduct public research on how the middlemen can fight click fraud. Since such research is presumably not tainted by market forces, there is hope that this research can be adopted to assess how rigorous a middleman is in detecting click fraud in future law cases. The fear that this research can expose the internal fraud-detection system of middlemen still applies. An example of such research is that done by Metwally, Agrawal and El Abbadi at UCSB. Recent work by Majumdar, Kulkarni, and Ravishankar at UC Riverside proposes protocols for the identification of fraudulent behavior by brokers and other intermediaries in content-delivery networks.
- "Software bots could menace Google ads". The New Scientist. Retrieved 2005-02-04.
- Battelle, John (2005-09-08). The Search: How Google and Its Rivals Rewrote the Rules of Business andTransformed Our Culture. Penguin. ISBN 9781101218419. Retrieved Aug 13, 2014.
- Asdemir, Kursad; Yurtseven, Özden; Yahya, Mon. An Economic Model of Click Fraud in Publisher Networks. 2008.
- Schonfeld, Erick; The Evolution Of Click Fraud: Massive Chinese Operation DormRing1 Uncovered". TechCrunch. October 8, 2009.
- Gandhi, Mona; Jakobsson, Markus; Ratkiewicz, Jacob;Badvertisements: Stealthy Click-Fraud with Unwitting Accessories", APWG eFraud conference, 2006
- Grow, Bryan; Elgin, Ben; with Herbst, Moira; (October 2, 2006). "Click Fraud: The dark side of online advertising". BusinessWeek.
- "Botnets strangle Google Adwords campaigns, Keyword Hijacking Risk". The Register. Retrieved 2005-02-04.
- V. Anupam, A. Mayer, K. Nissim, B. Pinkas, and M. Reiter (1999). "On the Security of Pay-Per-Click and Other Web Advertising Schemes. In Proceedings of the 8th WWW International World Wide Web Conference" (PDF). Unizh.co. pp. 1091–1100.
- A. Metwally, D. Agrawal, and A. El Abbadi (2005). "Using Association Rules for Fraud Detection in Web Advertising Networks. In Proceedings of the 10th ICDT International Conference on Database Theory" (PDF). pp. 398–412. An extended version appeared in a University of California, Santa Barbara, Department of Computer Science, technical report 2005-23.
- Davis, Wendy; "Google Wins $75,000 in Click Fraud Case". Media Post July 5, 2005.
- Ryan, Kevin M. (July 5, 2006). "Big Yahoo Click Fraud Settlemen". iMedia Connection.
- Wong, Nicole; "Update Lanes Gifts v. Google". Google Blog, March 8, 2006
- Griffin, Joe E. (July 27, 2006). "Lanes v. Google Final Order" (PDF). Googleblog.blogsport.com.
- Sullivan, Danny;"Google Agrees To $90 Million Settlement In Class Action Lawsuit Over Click Fraud". March 8, 2006
- "Court Docket For: Lane's Gifts and Collectibles, L.L.C. et al. v. Yahoo! Inc., et al.". Docket Alarm, Inc. Retrieved 6 August 2013.
- Stricchiola, Jessie (July 28, 2004). "Lost Per Click". Search Engine Watch.
- "Criminal Docket for: USA v. Bradley, 5:04-cr-20108 (N.D.Cal.)". Docket Alarm, Inc. Retrieved 6 August 2013.
- US Department of Justice; "Computer Programmer Arrested for Extortion and Mail Fraud Scheme Targeting Google, Inc.". March 18, 2004
- Elgin, Ben; "The Vanishing Click Fraud Case". Business Week. December 4, 2006
- Ghosemajumder, Shuman; "Using data to help prevent fraud". March 18, 2008
- Tuzhilin, Alexander; The Lane's Gifts v. Google Report, by Alexander Tuzhilin. July, 2006
- Greenberg, Andy; "Counting Clicks". Forbes. September 14, 2007
- Metwally, Ahmed; Agrawal, Divyakant; El Abbadi, Amr (2007). "DETECTIVES: DETEcting Coalition hiT Inflation attacks in adVertising nEtworks Streams". Proceedings of the International WWW conference. IW3C2. pp. 241–250.
- Metwally, Ahmed; Agrawal, Divyakant; El Abbadi, Amr (2005). "Duplicate Detection in Click Streams". Proceedings of the International WWW conference. IW3C2. pp. 12–21.
- Majumdar, Saugat; Kulkarni, Dhananjay; Ravishankar, Chinya (2007). "Addressing Click Fraud in Content Delivery Systems". Infocom. IEEE.
- "Truth in advertising", The Economist, November 23, 2006.
- "Vendors release click-fraud detection tools", eWeek. Retrieved March 4, 2005.
- "Click fraud roils search advertisers", CNet. Retrieved March 4, 2005.
- "Mice Attack: Internet scammers steal money with 'click fraud'", Newsweek. Retrieved January 18, 2005.
- "Google CFO: Fraud a Big Threat", CNN Money. Retrieved December 2, 2004.
- "How Click Fraud Could Swallow the Internet", Wired Magazine, issue 14.01 (January 2006). Retrieved December 29, 2005.
- "Click fraud fears growing for online advertisers", The Times. Retrieved February 2006.
- Datamation. Retrieved September 2004.
- Simone Soubusta: "On Click Fraud", Retrieved March 2014.