
Inside the Million-Machine Clickfraud Botnet - nkurz
https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/
======
IamFermat
Seriously, I have spent some time in my career in the online advertising
world. In the video ad world, we have actually done simple fraud tests (stupid
bots clicking on the same pixel all the f'ing time is a clear give-away). A
good 50% or more of video ad views are fraudulent. Since video ads are paid on a
CPM basis, advertisers totally get f'ed. Ad agencies who manage the spend
don't care bc they take a % of spend. So it's all a giant collusion.

------
ikeboy
How do people cash out with these schemes? Google AdSense requires an
identity, right?

~~~
cldellow
You could have a legit site that you pad with bot traffic.

You could go via a bunch of brokers who have less stringent identity
verification than Google. They will all take cuts, but you don't care, since
that's just a cost of doing business.

Source: have been defrauded before by one of the major ad exchanges and been
stonewalled when I asked for my money back.

~~~
cmdrfred
I've also heard tell of paying to exhaust competitors advertising budgets. Pay
$1 to cost them $20 kind of thing.

------
gengkev
Would public key pinning stop the MITM of Google, even in this case?

~~~
gruez
In this specific implementation, yes. But they had local code execution, so
they could replace the executable with one that doesn't have the checks, or at
least patch the code in-memory.

~~~
ikeboy
This is incorrect, at least for chrome:

[https://www.chromium.org/Home/chromium-security/security-faq...](https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-)

TL;DR: key pinning doesn't protect against local root certs.

------
omash
Surely Google detects all the anomalies and refuses to pay? The referrers
would probably be suspicious, as would the fact that it's apparently coming
from the official google.com site/results page and not from wherever the bot
masters are pretending the traffic is coming from.

~~~
eli
Google claims they detect and filter bot traffic, but it's very difficult to
determine how good they are at it from the outside.

~~~
jbooth
A few years ago at least, they were regarded as better than most, which is
definitely not to say perfect.

A lot of mid-sized ad networks and ad buyers actually have a negative
incentive when it comes to detecting fraud -- those fraudulent clickthroughs
look great on the aggregate metrics, so if you're the only person flagging
them, you look like you're getting your customers a lower CTR than the
competition, unless your customers are sufficiently educated.

------
coldcode
While interesting to read, why do articles like this one fail to mention that
this only works on Windows, and likely only on certain versions of Windows and
certain versions of browsers? It's not clear to everyone who might come across
this who is impacted.

------
partycoder
Google Analytics detects click rings, and having a high clickthrough rate
(e.g. over 3%) will immediately trigger a red flag. Of course these guys
scaled the ring so large that it's impossible to detect.

------
beardog
DO_NOT_TRUST_FiddlerRoot? Why would they make their root cert say 'do not
trust'?

~~~
Buge
Because they are extremely lazy. The Fiddler software (an HTTP debugging
proxy) allows you to MITM your own HTTPS traffic by creating a cert saying
this.

They decided to use that cert directly, instead of creating their own cert
with a more normal name.

[http://www.telerik.com/fiddler](http://www.telerik.com/fiddler)

~~~
beardog
Thanks
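
As an added example, not code from the article or from anyone in this thread: the root name DO_NOT_TRUST_FiddlerRoot mentioned above is the one thing an administrator can audit for directly. The PowerShell below walks the machine and per-user root stores on a Windows host and reports any root certificate whose subject matches that name; the store paths are standard, and the second pattern is an assumption added for broader matching.

```powershell
# Added example: audit Windows root stores for Fiddler's default MITM root.
# 'DO_NOT_TRUST' is the pattern named in the article; 'Fiddler' is an
# assumption added to catch renamed variants of the same root.
$SuspiciousSubjectPatterns = @(
    'DO_NOT_TRUST',
    'Fiddler'
)

function Get-SuspiciousRootCerts {
    param(
        # Per-user stores matter: a process running as the user can add to
        # CurrentUser\Root without administrative rights.
        [string[]]$Stores = @(
            'Cert:\LocalMachine\Root',
            'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot',
            'Cert:\CurrentUser\AuthRoot'
        )
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $hit = $SuspiciousSubjectPatterns | Where-Object { $cert.Subject -match $_ }
            if ($hit) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# Any row in this output is a root that can silently terminate TLS for the
# browsers that use the Windows store; the thumbprint identifies it for removal.
Get-SuspiciousRootCerts | Format-Table -AutoSize
```

Browsers that keep their own trust store (Firefox by default) are not covered by this check and need a separate audit of their certificate database.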

