Click Fraud Rate Jumps in Q3 Behind Botnets

The click fraud rate rose to more than 22 percent during the third quarter of 2010, according to Click Forensics. Security pros offer advice on what to do.

Click fraud is rising, and sophisticated botnets are to blame.

Click fraud is a scheme where a person, automated script or computer program mimics a legitimate user clicking on an online ad to make money from a pay-per-click arrangement. According to a new report by Click Forensics, the click fraud rate was 22.3 percent in the third quarter of 2010, up from 18.6 percent in the previous quarter and 14.1 percent in the third quarter of 2009.

It is difficult to estimate how much this costs the industry each year, explained Steve O'Brien, vice president of marketing for Click Forensics.

"We can't estimate exactly how much this costs the industry each year because each search engine employs various ways to monitor and filter invalid traffic and click fraud," he said. "While most third-party ad networks and all major search engines typically apply filters before charging advertisers, we have seen some advertisers waste as much as 10 percent of their monthly spend on invalid traffic and fraud."

Much of the click fraud is botnet-driven, though no single botnet can be blamed, he said.

"Years ago human click farms played a greater role, but now the biggest perpetrators of fraud generally use botnets, malware and other advanced programs to attempt click fraud," he said. "Collusion fraud is one example of a botnet scheme we've seen grow over the past year as well. It's quite sophisticated and difficult for most to detect."

Top-tier search engines and ad networks have defenses in place to automatically mark potentially fraudulent clicks invalid, noted Neil Daswani, CTO of Dasient. However, that is not true of all companies, he noted, and the quality of defense may vary.

"In some cases, ad networks have the appropriate incentives to fight click fraud and ensure that ads are more legitimately monetizeable than on competitive ad networks," Daswani said. "At the same time, that may not always be the case, and advertisers can work together with click fraud auditors and ad networks to curb the problem."

Toby Trevarthen, vice president of business development for Anchor Intelligence, said the emergence of intelligent bots and a hit and move strategy appear to be the biggest challenge in policing.

"The fraudsters are gone, before you realize you had a problem," he said. "The biggest shift is what is happening throughout the ecosystem itself-the move to real-time. Post-click or post-impression analysis is quickly becoming not good enough as we move forward."

According to Click Forensics, there is a growing volume of click fraud through a more diverse number of sources, such as mobile proxies.

"We haven't seen a noticeable volume of invalid traffic from mobile devices and proxies until recently," O'Brien said. "Given that PPC [pay-per-click] is not the predominant form of advertising for mobile devices, it is unusual to see any significant volume of paid clicks from mobile proxies. Our suspicion is that fraudsters are simply using mobile proxies in attempt to mask the true source of invalid traffic."

To fight click fraud, O'Brien suggested businesses ask third-party ad networks about their detection mechanisms and filtering policies, and compare reports provided by search engines and other PPC advertising venues with their own logs. Also, companies should watch for anomalies, such as a big spike in traffic from a single source, he said.