Log Management & SIEM for Security, Compliance, Operations | the dialog

Spending on Internet advertising in the US alone eclipsed $10 billion in 2010. Unfortunately, online sponsored advertising has a major downside: Click Fraud. Industry rivals, or other interested parties impersonate consumers by clicking on paid ads with no intent of making a purchase. These fraudulent clicks effectively drive up a company’s advertising costs without increasing sales. Click Fraud has become such a widespread issue that in the eyes of LinkShare CEO Stephen Messer, it “could wipe out ROI in search marketing.”

Initially, advertisers placed their trust in search companies such as Google, Yahoo and Microsoft to police fraudulent clicks. In 2006, Google CEO Eric Schmidt compromised that trust when he stated:

“Eventually the price that the advertiser is willing to pay for the conversion will decline because the advertiser will realize that these are bad clicks. In other words, the value of the ad declines. So, over some amount of time, the system is, in fact, self-correcting. In fact, there is a perfect economic solution, which is to let it happen.”

His statement led many companies to question the commitment of their providers to preventing Click Fraud.

At the heart of Click Fraud is the act of simulating a click. This is accomplished through multiple means. The simplest is to employ individuals who spend their time clicking on ads without ever purchasing an item. This act is both costly and time consuming if done inside the United States. In developing countries, this is not the case. In the words of Nir Kshetri, the fraudster “must often decide to employ the seemingly bottomless source of human clickers in developing countries, or use technology.” Kshetri goes on to point out that employing human labor becomes less attractive as PPC providers and advertisers become more adept at employing invalid click detection. Because the IP address of a human clicker is usually consistent, PPC providers can easily block traffic from it.

Another method for performing fraud is to write a program that simulates clicks. To do this, the program must perform many tasks normally undertaken by a web browser. The program must first execute JavaScript code to retrieve the HTML code of a web advertisement. It then parses the HTML code for links and sends an HTTP request to the advertiser’s web server. Since this type of fraud is simple to detect, the perpetrator must distribute the program across the Internet using a botnet. The botnets find their way onto unsuspecting users’ computers through many means. Tempting offers of free software, games or other goods from illegitimate websites lure many consumers into loading botnets unknowingly. Computers can also be infected by visiting legitimate websites that have been compromised by Click Fraudsters.

Unlike many other online crimes, Click Fraud has no offline counterpart. One impact of Click Fraud is that the legal system has not been able to keep pace with it. Online crime is growing at a rapid rate that legislators have been unable to match. Adding to the problem is a lack of regulation across borders. While new antifraud laws are slowly being passed in the United States and the European Union, other countries have little or no regulation. In India in 2006; for example, advertisements looking to hire people to click on ads ran in national newspapers.

As an industry, online advertising is not going away anytime soon. Click Fraud will not be going away either. Given my background in law, it is obvious to me that just like with other legal issues regarding technology, legislators cannot keep up with the rapid pace with which Click Fraudsters change their tactics. Add in the challenges of enforcing laws across international borders and the problem becomes even direr. It is therefore obvious that legal changes will not come soon, so other methods are necessary. With legal recourses lagging behind, it is up to industry to find ways to protect itself.