Click Fraud: What IT Should Know

As fraud grows, more marketing execs are asking IT to ascertain who's really clicking online ads

If your company advertises on the Web, chances are that it's spending thousands, even millions, each month on pay-per-click advertising. But how many of those clicks represent customers, or even potential customers? With click fraud on the increase, many enterprises are beginning to wonder.

Click fraud, which can be perpetrated by humans or bots, refers to the artificial creation of clicks on an advertisement or Web page in order to inflate the number of page views recorded for that page. A publisher or search engine, for example, may attempt to "manufacture" clicks on an ad in an effort to pad its bill. In other cases, a competitor may look for ways to click on its rivals' ads in an effort to exhaust their advertising budgets.

There's no way to know for sure how much of Internet advertising traffic is fraudulent, because there's no way to know what's in a user's mind when they click on a specific URL. However, Click Forensics, which offers a click fraud monitoring service that helps identify bot-generated clicks and those emanating from a single IP address, estimates that about 14 percent of "page views" are generated by fraudsters.

"It's a real threat," says Tom Cuthbert, president and CEO of Click Forensics. "It's becoming more and more complex to identify this sort of fraud, and advertisers are paying for it."

Increasingly, so are publishers and search engines. Back in March, Google agreed to pay $90 million to settle a class action lawsuit filed by advertisers who claimed that the search giant padded its numbers via click fraud. Yahoo!, which was also named in the suit, vowed to fight the allegations in court; some of the advertisers filed a countersuit over the settlement, claiming that Google was getting off too cheaply.

Google, Yahoo!, and other search engines are supposed to filter out fraudulent clicks before they bill their customers, but some critics say they aren't doing enough. Click fraud monitoring service Click Defense filed a $5 million suit against Google in May over some disputed ad refunds, and lawyer/publisher Samuel Lassoff filed a click fraud suit against Google just last week.

"And even with the settlements, which will be appealed, it still isn't clear how much fraud there was," notes Jeff Rohrs, CEO of Optiem, a marketing consultancy that specializes in online advertising. "Google says they don't want to reveal some of their data because they don't want the black hats to find new fraud techniques, but the side effect is that the advertisers are in the dark as well."

As they hunt for ways to stop click fraud from eating up their advertising budgets, many marketing executives are asking for help from IT. In some cases, IT departments analyze Web log files to look for trends and help identify likely fraud. But such analysis can be time-consuming, and the refunds it might generate usually aren't large enough to justify the effort.

More frequently, IT departments are turning to third-party monitoring services, such as Click Defense and Click Forensics, to analyze the click data provided by publishers and search engines and help generate refunds on page views that don't come from legitimate prospects.

Click Forensics, for example, analyzes each click in three ways. First, it checks the source IP address and tracks how long the "visitor" was on the site, and which pages were visited, just as most publishers and search engines do. Second, it monitors the behavior of each visitor to identify questionable behavior, such as very short page views that might indicate the presence of a bot. Third, it monitors activity by the value of a click, seeking out activity by competitors who might be trying to drive up a client's ad spending.

"That's one of the ways we know that this sort of fraud is going on," says Cuthbert. "When the price per click goes above $2, the threat of fraud goes up from 14 percent to more than 20 percent."
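The kind of Web-log analysis described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names: it flags repeated clicks from one IP address, very short single-page visits, and flagged clicks priced at or above the $2 mark Cuthbert cites. The log layout, the sample records, the function names, and every threshold except the $2 figure are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, ad keyword, cost per click (USD),
# seconds on site, pages viewed. Addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-01-15T09:00:01,192.0.2.10,injury lawyer,12.50,1,1
2024-01-15T09:00:40,192.0.2.10,injury lawyer,12.50,1,1
2024-01-15T09:02:15,192.0.2.10,injury lawyer,12.50,0,1
2024-01-15T09:03:30,192.0.2.10,injury lawyer,12.50,1,1
2024-01-15T09:05:00,198.51.100.7,injury lawyer,12.50,95,4
2024-01-15T10:15:00,203.0.113.5,cheap flights,0.40,1,1
2024-01-15T11:30:00,198.51.100.7,cheap flights,0.40,210,6
"""

WINDOW = timedelta(minutes=10)  # assumed burst window
BURST = 3                       # assumed: clicks per IP per ad inside WINDOW
MIN_DWELL = 2                   # assumed: seconds; shorter visits look automated
HIGH_CPC = 2.00                 # the $2 price point quoted in the article

def parse(text):
    rows = []
    for ts, ip, kw, cpc, dwell, pages in csv.reader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(ts), ip, kw, float(cpc), int(dwell), int(pages)))
    return sorted(rows)  # chronological order

def flag_clicks(rows):
    """Return {ip: {"reasons": set, "disputed_usd": float}} for suspicious sources."""
    by_key = defaultdict(list)
    for row in rows:
        by_key[(row[1], row[2])].append(row)  # group by (IP, ad keyword)
    report = defaultdict(lambda: {"reasons": set(), "disputed_usd": 0.0})
    for (ip, _kw), clicks in by_key.items():
        for i, (ts, _, _, cpc, dwell, pages) in enumerate(clicks):
            reasons = set()
            recent = [c for c in clicks[:i + 1] if ts - c[0] <= WINDOW]
            if len(recent) >= BURST:
                reasons.add("repeat-ip")      # same IP hammering the same ad
            if dwell < MIN_DWELL and pages <= 1:
                reasons.add("short-visit")    # bounced almost immediately
            if reasons and cpc >= HIGH_CPC:
                reasons.add("high-value")     # suspicious click on a costly ad
            if reasons:
                report[ip]["reasons"] |= reasons
                report[ip]["disputed_usd"] += cpc  # candidate for refund review
    return dict(report)
```

Heuristics keyed on IP address and dwell time will not surface coordinated human clicking from many different addresses, so the output is a list of candidates for refund review, not a verdict.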

Prices charged by Web publishers and search engines can run from as low as a few cents to as much as $80 per click, a rate that lawyers targeting high-end clients might pay, for example.

Should every enterprise subscribe to a click fraud monitoring service? Probably not, says Kevin Lee, executive chairman of Did-it.com, a search marketing company. "If you're a small company, like a local lawyer or a dentist who spends $1,000 a month on advertising, the click fraud is most likely going to come from a competitor, not a search engine." On the other hand, large Web marketers like Travelocity don't get much fraud from competitors, because it would take an incredible amount of traffic to affect their Web advertising budgets, he says.

Cuthbert says Click Forensics is watching a new trend in which publishing affiliates agree to click on each other's sites in order to drive up traffic in a fashion that can be difficult to identify. "I'm a publisher, and I agree to click on your site's and Karl's in order to drive traffic," he explains. "You and Karl agree to click on mine, and we all get better traffic, but we're all human and coming from different IP addresses, so it's harder to detect."

Until recently, search giants such as Google have been mum about click fraud, but they are beginning to do more about it, Rohrs observes. "If I'm MSN or Yahoo!, and I find a better way to detect and filter out click fraud, I might gain a competitive advantage over Google," he says. "That's a pretty good incentive."

Search engines and publishers are also beginning to band together to work on the problem. This week, the Internet Architecture Board, which includes representatives from Google and other search engines, is meeting in New York to discuss ways of standardizing their measurement methods, including a standard definition of what constitutes a "click," experts say.

"The IAB is a good forum for this to happen," says Cuthbert. "If there are some standards, it will be easier to separate the legitimate traffic from the fraudulent clicks."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...