Two web traffic quality monitoring firms, Anchor Intelligence and Click Forensics, released click fraud reports yesterday and the results were pretty shocking: according to Anchor’s Traffic Quality Report, in Q2 2009 the incidence of attempted click fraud rose from 21.7% to 22.9% of all clicks. When you include “innocuous invalid” clicks – that is, clicks that are not fraudulent but also not valid – the share of invalid clicks is 27.1% across the world. Click Forensics’ report was a bit more optimistic, showing click fraud dropping from 13.8% in Q1 to 12.7% in Q2. This is still considerably higher than estimates from, for instance, Google, which claims to filter these clicks before they are charged to advertisers.
I spoke with Anchor Intelligence’s VP of Product Management and Marketing, Richard Sim, and Product Marketing Manager, Carrie Bourguignon, about these issues, and in particular about the curious observation that, of the top 30 countries by click volume, the one with the highest rate of fraud – 48.3% – was Vietnam. While there’s no simple explanation for this, it does highlight the point that click fraud and similar enterprises, like phishing, often take root in emerging economies where access to Internet technology has begun to outpace legitimate economic opportunity.
For those unfamiliar with this dark area of Internet commerce, a typical click fraud scheme works something like this: an operator first must recruit a large bank of computers to automatically click on pay-per-click ads on demand – this can be done either by paying willing accessories, or, more elaborately, by deploying a virus like Conficker to support such activity by remote control on unknowing users’ machines. (Note, Conficker was mentioned by Mr. Sim at Anchor, but there appears to be no evidence that this specific virus was used for this purpose.) The operator then sets up a web site or farm of web sites, often using a “parked domain” to attract some “legitimate” traffic, and proceeds to sell advertising space through a CPC network such as Google AdSense, AdBrite, or any of a large number of similar networks. As the ads start to appear, the operator activates his automated click network and the money starts to flow.
Beyond the obvious caveat emptor for click advertisers, there’s a point to be made about the emerging world of apps on alternative devices such as smartphones and Internet-connected set-top boxes. PCs have been the subject of an ongoing cat-and-mouse game of virus protection for years, but newer Internet-connected devices are green field opportunities for black-hat enterprises, especially those that seek to exploit the exploding demand for accountable advertising on digital devices. As I happily explore the world of Apple TV hacks, for example, I can’t help wonder what that little box might be doing all the time.
So it’s safe to predict a bright future for security solutions in advertising.