The Walls of Yesterday – The Problem With Present-Day Click Fraud Protection

Ad Fraud – We’ve met the bots and they’re us!
July 1, 2015
German Conficker B infection drives ‘Count in Fives’ ad fraud botnet
October 3, 2015

The security industry, especially online, is a classic problem of walls and ladders. The white hats build big walls to protect assets. The black hats come up with bigger ladders to get over them. It’s essentially a perpetual cycle of wall- and ladder building, with an ecosystem of it’s own determining whether higher walls or taller ladders are going to be more prevalent at any given time.

In terms of advertising fraud, taller ladders determine the situation by far. To understand why, I’ll describe what consists of ‘Walls’ in this space, citing terms and conditions from different advertising networks, describing the shortfalls, and present solutions for the gaps in the system.

The Building Block – The Blacklist

The fundamental element of any online security system, the blacklist, is the go-to solution for protection against fraud. These are usually either UserAgents or, more commonly, IP addresses of malevolent actor. We measure the user actions against these to determine whether we should credit the action or not. In layman’s terms, we look at the origin IP address of a click, and see if it’s on the list of baddies — and if it is, we don’t credit it. Companies pay a lot of money for lists like these – the IAB charges between $4,000 – $14,000 / year for access to theirs — or they develop their own following internal investigation into fraudulent practices.

And that would just be fine and dandy. Except it only filters the lowest-level of fraud… Plus, IP addresses are reassigned quite often — meaning that it gives a false sense of security without protecting against real, problematic fraud (which we’ll cover in a minute), while discrediting actual, human initiated clicks through false positives.

We’ve seen this problem arise in handling transactions, and it’s the same for online advertising: relying on IP blacklists is by no means enough to combat fraud.

The Fence We Have – Velocity and Overlap detection

Now, the problem with the above is that it implies that click fraud is committed in one of the following ways:

  1. Fraudster clicks on your ads, either to drive your bill up or for financial gain (when the ad is displayed on his site)
  2. Fraudster employs people using proxies to click on ads to the same effect
  3. A low-level click bot is used to click on advertisements non-stop

That is certainly a way to do it, and was the trend circa 10-15 years ago. But for a system to boast that it can protect from these practices in 2014 is… lacking, to say the least. Yet, it took me some time to gather examples where Buyer Protection for advertisers is explicitly mentioned as a means of fighting click fraud.

Examples — screenshots from ‘What we do against Click Fraud’ at various ad-tech companies

Fraud_indicator_xThis is essentially saying, besides what we’ve covered above: if we don’t know what’s happening, it’s fraudulent.

IP_Indicator_BlacklistsAgain, implying that clicks originating from the same IP address are where the fraud is at.

PPC_Fraud_ixJust picturing a false positive where a would-be customer receives a pop-up for ad fraud is… amusing.

All of this, I would say, is why we have such a glaring fraud problem. The fraudsters have realized that everybody feels safe using the above-mentioned walls — and how easy it is to beat them. Contemporary ad fraud operations use hundreds of thousands — if not millions — of IP addresses and just as many or more UserAgents. They simulate a click-through rate that won’t raise any alarms and imitate user behavior on the level that the tracking systems will put the false-clicks into audience groups with buyer’s intent. How?

The Ladders We’re Up Against – Botnets and Click Generating Ads

The ad industry’s dirty little secret is that at least 36% of all online advertising spend ends up in a fraudster’s pocket. And given the size of the market, it’s easy to believe it’s not actual people or low-level bots that are clicking on a third of the inventory. Modern fraud uses the following methods among others, and it’s easy to understand how the above-mentioned walls won’t be enough to protect you:

  1. Ad stacking: flash or html5 banners that load pages in the background with more ads on them, after which a script can fire to ‘click’ on some of these banners.
  2. Retargeting fraud: a page with display ads that opens an iframe to a lander with retargeting cookies, essentially repackaging it’s audience into something more valuable (say, torrent surfers into investment bankers) by fooling the tracking systems.
  3. Impression fraud: again, faulty banners load pages with more advertisements in the background. It’s especially worrying in the video advertising space.
  4. Botnets: invisible browser windows in the background that conduct search, browse and click banners – very much like a human would do, without giving away to the fact that they’re bots.
  5. Toolbars: browser hijacking malware that re-sells organic visitors or visitors of other websites as banner-clicking users from their site — one fishy example of which we’ve covered here.

Put together, checking against IP blacklists is simply not enough. They weren’t enough to catch Shawn HoganThe Chameleon, or Bamital botnet. And you can bet they’re not enough to catch what’s out there right now.

What Can You Do About It?

The future is clear. Advertisers need to start asking questions on what their money is buying. And advertising networks need better tools to filter bad actors out of their inventory. Botnets and advanced click-fraud schemes can be countered through pattern recognition and behavior analysis. And given how developing these tools in-house is expensive, you may want to enlist professionals — we’re eager to help you build better walls.

Leave a Reply

Your email address will not be published. Required fields are marked *

Contact Us