Google officials said the company's engineering and operations teams are moving quickly to deal with growing ad fraud activity on its networks that is tied to so-called clickjacking attacks.
Clickjacking refers to the practice in which threat actors modify the appearance of a Web page, or part of a Web page, to trick users into clicking on something different from what they assume they are clicking on. In such attacks, also referred to as user-interface redress attacks, users are presented with a Web page, ad or other content that conceals underlying content that the attacker actually wants the user to click on.
Google officials said some publishers, in an attempt to commit ad fraud, have been using the technique to trick users into clicking on ads that they otherwise might not have clicked on. “For example, a user may intend to click on a video play button or menu item, but instead, clicks an invisible ad unit,” Andres Ferrate, chief advocate, Ad Traffic Quality, Google, wrote in a blog post this week.
Ferrate described the issue as a growing threat to the integrity of its cost-per-click display ads program. It is a problem that first got Google’s attention earlier this year when the company’s operations teams identified clickjacking activity on its display networks.
“They moved swiftly to terminate accounts, removing entities involved in or attempting to use this technique to trick users,” Ferrate said, without offering an indication of the scope of the problem. While the operations team worked to weed out publishers using clickjacking to trick users, Google’s engineering team worked to quickly release a tool for automatically filtering out the invalid traffic generated by such attacks on its display ad networks, he said.
The two-pronged approach has helped Google clean out publishers violating policy from its network and put in place filters for mitigating future and ongoing clickjacking traffic on its networks.
According to Ferrate, Google’s clickjacking measures work by analyzing and evaluating display ads placed across desktop and mobile platforms for certain characteristics associated with clickjacking. When such behavior is detected, the company zeroes in on the traffic associated with the ad placement and removes it from payment reports so advertisers are not charged for any fraudulently obtained clicks, he said.
In discussing the measures that Google has taken to mitigate clickjacking traffic, Ferrate also offered several recommendations to publishers for ensuring their sites are not used to commit ad fraud.
Publishers, for instance, should “double- and triple-check” their Website code for programming errors that enable clickjacking attacks and make sure that ads display correctly across browsers and platforms. Similarly, they should reduce the potential for people to accidentally click on advertisements by ensuring that clickable content is well separated from ads. Website owners should also consider setting up Google Analytics alerts for spotting abnormal traffic around particular ad placements, he said.
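A publisher-side self-check for the layout problems described above (an ad that is effectively invisible, an ad stacked over a clickable control, or an ad placed too close to one) could look like the following. This is an added example, not code from Google or from the blog post, and it is not Google's filtering logic; the thresholds, the record format and the sample layout are assumptions constructed for illustration.

```javascript
// Added example: audits ad slots against clickable controls in a page layout.
const MIN_OPACITY = 0.1; // assumed: below this the ad is effectively invisible
const MIN_GAP_PX = 24;   // assumed minimum spacing between ads and controls

// Per-axis gap between two rectangles; a negative value means overlap on that axis.
function axisGaps(a, b) {
  const dx = Math.max(a.x, b.x) - Math.min(a.x + a.w, b.x + b.w);
  const dy = Math.max(a.y, b.y) - Math.min(a.y + a.h, b.y + b.h);
  return { dx, dy };
}

// elements: [{ id, kind: 'ad' | 'control', rect: {x, y, w, h}, opacity }]
function auditAdSlots(elements) {
  const ads = elements.filter((e) => e.kind === 'ad');
  const controls = elements.filter((e) => e.kind === 'control');
  const findings = [];
  for (const ad of ads) {
    if (ad.opacity < MIN_OPACITY) {
      findings.push({ ad: ad.id, issue: 'invisible-ad' });
    }
    for (const c of controls) {
      const { dx, dy } = axisGaps(ad.rect, c.rect);
      if (dx < 0 && dy < 0) {
        // Rectangles intersect: a click aimed at the control can land on the ad.
        findings.push({ ad: ad.id, issue: 'overlaps-control', control: c.id });
      } else if (Math.hypot(Math.max(dx, 0), Math.max(dy, 0)) < MIN_GAP_PX) {
        // No overlap, but close enough to invite accidental clicks.
        findings.push({ ad: ad.id, issue: 'too-close-to-control', control: c.id });
      }
    }
  }
  return findings;
}

// Constructed sample layout (CSS pixels), not taken from any real site.
const SAMPLE_LAYOUT = [
  { id: 'nav-menu', kind: 'control', rect: { x: 0, y: 0, w: 400, h: 40 }, opacity: 1 },
  { id: 'play-button', kind: 'control', rect: { x: 100, y: 100, w: 80, h: 80 }, opacity: 1 },
  { id: 'ad-overlay', kind: 'ad', rect: { x: 90, y: 90, w: 100, h: 100 }, opacity: 0 },
  { id: 'ad-sidebar', kind: 'ad', rect: { x: 500, y: 100, w: 300, h: 250 }, opacity: 1 },
  { id: 'ad-footer', kind: 'ad', rect: { x: 100, y: 190, w: 300, h: 60 }, opacity: 1 },
];

for (const f of auditAdSlots(SAMPLE_LAYOUT)) {
  console.log(`${f.ad}: ${f.issue}${f.control ? ' (' + f.control + ')' : ''}`);
}
```

In a browser, the same records can be built from each element's `getBoundingClientRect()` and `getComputedStyle(el).opacity`, and the audit repeated at each viewport size the site supports.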