Click Fraud Attacks: Emerging Trends
Click fraud attacks have become significantly more sophisticated over the last few months.
At the same time, click fraud detection systems are becoming increasingly efficient at detecting smart attacks.
Here, we describe three cases that were caught by Authenticlick over the last seven days.
Additional Notes about Adware
- Bogus Conversions
Over a period of several months, a single distribution partner generating well over 1% of the traffic from the leading
search engine network was responsible for up to 15% of the downstream conversions. All these conversions were found
to be fake. The distribution partner in question was targeting advertisers where conversions consist of filling out a web form.
These advertisers are an easy target for smart fraudsters. In addition to generating bogus conversions, the culprit
operated from abroad and experienced an unusually fast rate of exponential growth over the last two years.
- Fraud through AOL and other "good proxies"
Another fraud case was identified last week, generating a large proportion of clicks from known good proxies including AOL. This type of scheme
is more difficult to detect. Authenticlick was able to unearth the fraudulent activity thanks to advanced
methodology based on network topology metrics. It is interesting to note that the fraud scheme was detected, even though the data submitted
by the search engine did not include any information about the user agent.
- Fraud involving a symbiotic relationship between a distribution partner and an advertiser
This interesting fraud case involves a very large number of IP addresses, but a very small number of advertisers. It
was first identified by Authenticlick in April 2007. It is believed that either the
advertiser and the fraudster have a symbiotic relationship, or the advertiser is a victim who benefits from click fraud as
the fraudster improves the victim's ROI, through a particular type of fraud described
The last fraud case discussed in this article is particularly interesting in the sense that it almost certainly involves
viruses (adware or spyware) installed and remotely controlled on thousands of computers.
Two types of viruses are currently active:
- The first type actually triggers Internet Explorer and is best described in Google's paper. It is an Internet Explorer parasite.
This type of virus is easier to detect as it generates too many clicks per user.
- The second type of hitbot does not rely on Internet Explorer to trigger clicks. Instead, it has its own code to
communicate using the HTTP protocol. This type of virus, more widespread than the previous one, is more difficult to detect. Yet, as
it relies on user agent lookup tables to generate clicks, Authenticlick has been able to
identify this type of fraudulent activity, as criminals (so far) have not been able to correctly replicate the
expected underlying multivariate distributions. Also note that we have developed a patented solution to catch this type of fraud.
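The following sketch illustrates the multivariate-distribution point for the second type of hitbot. It is an added example, not Authenticlick's method or code from the article: it assumes each click carries a user agent and an Accept-Language header, and the sample data, function names and threshold are constructed for illustration.

```python
import math
from collections import Counter

def distribution(clicks, key=lambda c: c):
    """Empirical distribution of key(click) over a list of clicks."""
    counts = Counter(key(c) for c in clicks)
    total = sum(counts.values())
    return {k: n / total for k, n in counts.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 = identical, 1 = disjoint."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}
    def kl(a):
        return sum(pa * math.log2(pa / m[k]) for k, pa in a.items() if pa > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)

def score_source(baseline, clicks):
    """(user-agent-only divergence, joint divergence) of a source vs. baseline."""
    ua_only = js_divergence(distribution(baseline, lambda c: c[0]),
                            distribution(clicks, lambda c: c[0]))
    joint = js_divergence(distribution(baseline), distribution(clicks))
    return ua_only, joint

def is_suspicious(baseline, clicks, threshold=0.05):  # threshold is an assumption
    return score_source(baseline, clicks)[1] > threshold

def expand(cells):
    """Turn {(user_agent, accept_language): count} into a list of clicks."""
    return [pair for pair, n in cells.items() for _ in range(n)]

# Constructed sample data (not from the article): (user agent, Accept-Language).
IE, FF = "MSIE 6.0", "Firefox/2.0"
BASELINE = expand({(IE, "en-US"): 45, (IE, "de-DE"): 5,
                   (FF, "en-US"): 5, (FF, "de-DE"): 45})
# Ordinary source: close to the baseline in every cell.
ORGANIC = expand({(IE, "en-US"): 43, (IE, "de-DE"): 6,
                  (FF, "en-US"): 5, (FF, "de-DE"): 46})
# Hitbot: user agents drawn from a lookup table with the right overall mix,
# but independently of the language header.
HITBOT = expand({(IE, "en-US"): 25, (IE, "de-DE"): 25,
                 (FF, "en-US"): 25, (FF, "de-DE"): 25})

if __name__ == "__main__":
    for name, clicks in (("organic", ORGANIC), ("hitbot", HITBOT)):
        ua_only, joint = score_source(BASELINE, clicks)
        print(f"{name}: ua_only={ua_only:.4f} joint={joint:.4f} "
              f"suspicious={is_suspicious(BASELINE, clicks)}")
```

The hitbot source reproduces the user agent mix exactly, so a check on user agents alone scores it at zero; only the joint distribution exposes it.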