Uncovering an advertising fraud scheme - Panos
http://behind-the-enemy-lines.blogspot.com/2011/03/uncovering-advertising-fraud-scheme.html

======
nkurz
This is a stunning article, which deserves a close reading if you are
advertising online and paying per click. If you've wondered why some of the
clicks you've paid for seem to come from very unlikely sources, you might have
an answer.

In this scheme, a 'fraudulent' site buys traffic from a 'legitimate' one in
the form of a popup or popunder. In some way they get a page opened that they
have control over. This page includes a number of invisible iframes, each of
which loads a URL for an innocent looking parked domain that belongs to an ad
network. So far no one has been defrauded.

But instead of just loading and not displaying that ad-laden parked page,
the site redirects the user's browser to act as if it has clicked on one of
those ads. The results of this click are never seen by the user, as it's in a
hidden iframe, but the contents are delivered to the user's browser. From an
IP and HTTP header analysis it looks a lot like a real user had clicked on the
ad.

The owner of the parked domains then collects a few cents per click, or
really, per redirect. And it's very hard for the ad network to realize that
they've been had. As Panos points out, they might not even look too hard,
since they're making more per fraudulent click than the scammer. And the
advertiser would have to go pretty deep to figure out that the click was fake,
since the content was actually delivered to a legitimate user, just not one
who ever actually saw the ad.

------
code_duck
"The lifesaver was a technique developed at AdSafe: The key to the solution
was the ability to read the address of the top frame that was hosting the ad
(*).

(*) For the technically curious: reading the address of the top frame is a
challenging problem. For security reasons, browsers do not allow cross-domain
scripting. So, it is not possible to just call the "top" object and read its
properties. We have a proprietary solution for this."

Am I correct in reading this as they're relying on JavaScript security
exploits?

~~~
Panos
Yes and no.

No, because it cannot be used as an exploit.

Yes, because it allows you to read the address of the "top" object.

Consider it similar to the CSS link-color hack to read the past browsing
history of a user.

~~~
code_duck
By 'exploit' I mean bending the rules, or skirting restrictions. Information
disclosure, not code execution. They are taking advantage of flaws in browsers
in order to gather information which is not supposed to be available.

I assume this same method could be used by people with less savory goals, but
this company isn't reporting the security flaws in browsers that let them do
this as it would make things more difficult for their business.

I probably wouldn't go around telling everyone if it was me.
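
The exchange above turns on one browser rule: a script in an iframe cannot read `top.location` when the top frame is on another origin. The block below is an added example, not code from the original post and not AdSafe's method (which the article calls proprietary and does not describe). It shows what an ad script can legitimately learn about where it is rendered using only standard browser APIs, and it labels the answer by its source, because `document.referrer` only names the immediate parent (the parked domain in this scheme), not the pop-under that is really on top. The host names are hypothetical and the window objects are constructed stand-ins so the code runs under Node; in a page you would pass `window`.

```javascript
'use strict';

// Hypothetical hosts for the scenarios (not from the original post):
//   popunder.example  the fraudster's pop-under page, i.e. the real top frame
//   parked.example    the ad-laden parked domain loaded in a hidden iframe
//   ad.example        the ad script's own origin, running inside that frame

// What a script inside an iframe can find out about its top frame, and how
// much to trust it. Returns the best available URL plus which API supplied it.
function describeFramingContext(win) {
  const ctx = {
    framed: win.self !== win.top,
    topUrl: null,
    source: null,
    // A zero-sized viewport is what a display:none or 0x0 iframe reports.
    zeroSizedViewport: win.innerWidth === 0 || win.innerHeight === 0,
  };

  if (!ctx.framed) {
    ctx.topUrl = win.location.href;
    ctx.source = 'self';
    return ctx;
  }

  // 1. Same-origin ancestors: the direct read of top.location.href works.
  try {
    ctx.topUrl = win.top.location.href;
    ctx.source = 'top.location';
    return ctx;
  } catch (err) {
    // Cross-origin: browsers throw a SecurityError here. Fall through.
  }

  // 2. location.ancestorOrigins (Chromium and WebKit, absent in Firefox):
  //    origins of every ancestor, parent first, top-level last. Origin only,
  //    no path or query string.
  const ao = win.location.ancestorOrigins;
  if (ao && ao.length > 0) {
    ctx.topUrl = ao[ao.length - 1];
    ctx.source = 'ancestorOrigins';
    return ctx;
  }

  // 3. document.referrer is the URL of the frame that embedded us, i.e. the
  //    immediate parent, not the top frame. Flag it so nobody mistakes the
  //    parked domain for the page the user actually has open.
  if (win.document.referrer) {
    ctx.topUrl = win.document.referrer;
    ctx.source = 'referrer (parent only)';
  }
  return ctx;
}

// Constructed stand-ins for browser window objects so this runs under Node.
function makeTopWindow(href, crossOrigin) {
  const top = {};
  top.self = top;
  top.top = top;
  // A cross-origin frame may hold top.location but reading .href throws.
  top.location = crossOrigin
    ? Object.defineProperty({}, 'href', {
        get() { throw new Error('SecurityError: blocked cross-origin frame access'); },
      })
    : { href };
  return top;
}

function makeFrame({ href, top, ancestorOrigins, referrer = '',
                     innerWidth = 300, innerHeight = 250 }) {
  const win = { innerWidth, innerHeight, document: { referrer } };
  win.self = win;
  win.top = top || win;
  win.location = { href, ancestorOrigins };
  return win;
}

function runScenarios() {
  // Publisher serves the ad slot from its own origin: direct read succeeds.
  const sameOrigin = describeFramingContext(makeFrame({
    href: 'https://parked.example/ad-slot',
    top: makeTopWindow('https://parked.example/?q=shoes', false),
  }));

  // The scheme in a Chromium-style browser: pop-under > parked page > ad,
  // with the ad iframe sized to nothing. The top origin is still recoverable.
  const chromium = describeFramingContext(makeFrame({
    href: 'https://ad.example/creative?cid=42',
    top: makeTopWindow('https://popunder.example/', true),
    ancestorOrigins: ['https://parked.example', 'https://popunder.example'],
    referrer: 'https://parked.example/?q=shoes',
    innerWidth: 0, innerHeight: 0,
  }));

  // Same layout without ancestorOrigins: only the parent (parked.example) is
  // visible, which is exactly the gap the thread is talking about.
  const firefox = describeFramingContext(makeFrame({
    href: 'https://ad.example/creative?cid=42',
    top: makeTopWindow('https://popunder.example/', true),
    referrer: 'https://parked.example/?q=shoes',
    innerWidth: 0, innerHeight: 0,
  }));

  return { sameOrigin, chromium, firefox };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The `source` field is the point: a verifier should treat `referrer (parent only)` as an unknown top frame rather than as proof the ad was shown on the parked domain, and a zero-sized viewport on a "clicked" ad is the kind of signal IP and header analysis cannot give.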

------
alastair
Nice article, but I felt it skipped over the most interesting part. What
specifically is happening on the click fraud sites "click.mygeek.com,
ppc.rolenews.com, feed.bizclick.com, and others"?

Kinda bummed that I'm stuck in a hotel room with nothing but my iPhone, else
I'd take a poke around myself.

Anyone else care to fill in the blanks?

------
teyc
I don't understand how a bunch of redirects from his own sites simulates
clicking on ads.

~~~
Panos
What is a click other than a "redirect" from one page to another? Add the
appropriate parameters in the HTTP call and you are done. There is no need for
actual user interaction for an HTTP call to be considered a "click".

Take a look at the screenshots: You will see that the redirects are URLs that
you would "click" as a user to see an ad.

The clever part is that the "clicks" come from a wide variety of IPs, wide
variety of browsers, and on different times.

------
michaelbuckbee
I know that Google has gone after fraudulent ad scamsters before, wouldn't the
Ad Networks in this case pursue action? What kind of penalties would there be
for something like this?

~~~
jonkelly
Having run a CPC network, I can say "definitely yes" - we pursue fraud
aggressively. I enjoyed the article and appreciate his sleuthing, but his
conclusion is completely wrong (at least for major CPC advertisers, who are
almost all ROAS-driven) - the biggest advertisers care deeply about their
results. I would go so far as to say that the lack of policing of the Overture
feed on parked domains was a significant (if not the most significant) issue
in Yahoo's poor monetization of search and eventual failure with that product.

~~~
pirot
Notice that most of the affected advertisers are the ones running the CPM
campaigns, not the CPC campaigns.

The defrauded CPC campaigns were directing people to sites with video content
that were running mainly display advertising campaigns. These display ads were
mainly from brand advertisers that do not care too much about clickthroughs or
conversions (e.g., Coca Cola, or Continental, or Verizon, or ...).

So, even though the guys running the CPC campaigns (e.g. Mevio) were victims
of fraud, they were getting the (invisible) traffic and they were selling the
display ads to this traffic. Not that Mevio et al. do not care. Quite the
opposite. However they were just getting more traffic. Why would you research
your own CPC ad campaign that is effective in bringing you traffic?

I tell you, the scammer has executed this beautifully.

~~~
teyc
I can't see how the guy could defraud CPM from the traffic he generated. They
were all header redirects, so the browser doesn't load any pages, and there
were no ads loaded by the browser.

~~~
Panos
See the updated blog post.

------
paolomaffei
The problem with full disclosure is always scriptkiddies a la blackhatworld
who'll try to do the same.

------
pornel
Wow. That kind of traffic is really going to be hard to detect as fraudulent.

Also, I blame Netscape for this and I'm digging out my NO FRAMES animgif! ;)

------
tmaly
I could not see any of the activity described in sites listed in the article.
He must have changed something.