Just as antivirus and antispam vendors must constantly upgrade their products to detect new kinds of attacks, an escalating battle of software is raging against the scourge of online advertising — click fraud.
I reported in this space on Aug. 17 that some experts believe fraudulent pay-per-click schemes represent about 10% of billings in the rapidly growing field of paid search-engine marketing.
I also found that spokespersons for the largest PPC advertising channels, Google.com’s AdWords and Yahoo.com’s Overture, were reluctant to say much on the record about these schemes and counter-measures that the sites are taking against them.
However bad the situation may be, it appears to be worsening.
The Anatomy Of Click Fraud
Click fraud occurs when the people behind Web sites that display PPC ads — and receive a portion of the revenue — start self-clicking the ads repeatedly, either manually or using software to automate the clicks.
To evade attempts by the major advertising channels to detect clicks coming from a single Internet Protocol (IP) address, such software uses techniques that generate fake but plausible IP addresses.
Vincent Granville, Ph.D., president of Data Shaping Solutions, a statistical consulting firm in Pittsburgh, Calif., says he’s found lists of thousands of “anonymous proxy servers” on the Web.
These servers can have legitimate uses, such as making one’s Web surfing anonymous. But Granville points out that many proxies allow almost all identification of a visitor, including the country the visitor is in, to be faked.
Here’s how this technique works:
Find Anonymous Proxies
About half of the servers are on IP addresses assigned to the United States.
Find Elite Proxies
Many of the listed servers are described as “elite” proxies.
These servers can not only give a person an anonymous IP address, they allow you to mask the fact that a proxy server is being used, among other things.
After an unscrupulous operator has set up numerous Web sites that feature PPC advertising, he or she can program software to click revenue-generating links via the proxies.
These clicks can appear to be coming from the U.S. or any other country that may be an advertiser’s target market.
If the click-throughs are randomly timed and are buried within a mass of other click activity, the fake charges that are generated can be extremely difficult for an advertiser to detect.
Granville says he’s currently consulting with several clients, including InfoSpace, which powers several meta-search engines, although he wouldn’t be specific about how his statistical skills would be employed in the battle against click fraud.
The Robots Race Ahead
The sophistication of click-automation software is hinted at by sites such as ClickingAgent.com.
This site, which also is based in Russia but is apparently unrelated to the SamAir site, sells both proxy-finding and click-automation software.
Here’s how the site describes the steps in the process:
Set Realistic Goals
“All banner clicks should come from unique IP addresses in reasonable time intervals,” explains the More Info page.
Also, “There must be reasonable show/click ratio for banners. It would be highly suspicious if every other visitor to your page would click a banner.”
Find Anonymous Proxies
The site offers a program called ProXYZ for $35. This software “checks every found proxy server against existing ones and adds a new proxy to the list,” according to the site’s SoftProXYZ page.
Configure Clicking Agent
ClickingAgent, the heart of the technique, which the site also calls “CACA,” is sold for $100 for use on up to two computers simultaneously.
The program allows you to “define how many clicks it should do, what show/click ratio should be, how many simultaneous connections to use, and more,” the site’s SoftCACA page says.
When I wrote to the contact e-mail address provided by the site, I received a reply from a person who identified himself as Anatoly Smelkov.
I called the phone number in Moscow that he provided and e-mailed him a list of questions.
“Ad companies are actively fighting such artifically generated banner clicks, but it’s not a very simple task,” Smelkov wrote in his response.
“New ways of cheat protection are constantly developed, but the Web robots are also growing in power and features,” he added.
“I guess the only 100% working way to stop such activity is to close access to all public proxy servers.”
The Advertisers Start To Fight Back
Jessie Stricchiola is president of Alchemist Media, a Los Angeles-based firm that develops click-fraud detection software and negotiates refunds from PPC channels on behalf of clients.
She feels that online advertisers and high-tech thieves are locked into an endless race to outsmart each other.
“I don’t see any point at which this issue will ever be resolved for either side with a total victory,” Stricchiola says.
“It’ll be a constant battle as long as the current CPC [cost-per-click] model is maintained and isn’t changed in some significant way.”
Search engines that offer pay-per-click advertising aren’t feeling enough pressure from advertisers to completely eliminate fraud, in her opinion.
“For them to tweak or tighten down their click-fraud protection, it represents a significant reduction in their revenue,” Stricchiola says. “They have no reason to do more than they’re doing.”
Click fraud looms as the biggest threat to online advertising, which generated $7.3 billion in 2003 and is once again rapidly growing, according to the Interactive Advertising Bureau and PricewaterhouseCoopers.
More than one-third of that total was PPC search-engine advertising — double the market share of one year earlier — but few corporations will continue throwing money at the medium if click-fraud techniques grow fast enough to eat away at the advertising’s cost-effectiveness.