Hacker News
Uncovering an advertising fraud scheme (behind-the-enemy-lines.blogspot.com)
112 points by Panos on March 16, 2011 | 26 comments



This is a stunning article, which deserves a close reading if you are advertising online and paying per click. If you've wondered why some of the clicks you've paid for seem to come from very unlikely sources, you might have an answer.

In this scheme, a 'fraudulent' site buys traffic from a 'legitimate' one in the form of a popup or popunder. In some way they get a page opened that they have control over. This page includes a number of invisible iframes, each of which loads a URL for an innocent looking parked domain that belongs to an ad network. So far no one has been defrauded.

But instead of just loading and not displaying that ad-laden parked page, the site redirects the user's browser to act as if it has clicked on one of those ads. The results of this click are never seen by the user, as it's in a hidden iframe, but the contents are delivered to the user's browser. From an IP and HTTP header analysis it looks a lot like a real user had clicked on the ad.

The owner of the parked domains then collects a few cents per click, or really, per redirect. And it's very hard for the ad network to realize that they've been had. As Panos points out, they might not even look too hard, since they're making more per fraudulent click than the scammer. And the advertiser would have to go pretty deep to figure out that the click was fake, since the content was actually delivered to a legitimate user, just not one who ever actually saw the ad.
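The detection side of the scheme described in the comment above, as an added example that is not from the blog post or this thread: a small detector run over constructed ad-server log lines. The log format (pipe-separated `ts|event|client_ip|parked_domain|top_frame`, where `top_frame` is the top-level page URL as a publisher-side script would report it) and the thresholds are assumptions made for this example; the signals it looks for are the ones the comment names (no dwell time before the click, the parked page loaded inside someone else's page, one client "clicking" many parked domains in a burst, clicks with no impression on record).

```javascript
"use strict";

// Hypothetical pipe-separated ad-server log: ts|event|client_ip|parked_domain|top_frame
// "top_frame" is the top-level page URL as a publisher-side script would report it;
// "-" means unknown. All lines below are constructed for this example.
const SAMPLE_LOG = [
  // Genuine visitor: lands on the parked page directly, reads, clicks 9 s later.
  "1300000000.0|imp|198.51.100.7|parked-a.example|http://parked-a.example/",
  "1300000009.2|click|198.51.100.7|parked-a.example|http://parked-a.example/",
  // Pattern from the post: one client, several parked domains, each loaded inside a
  // frame on the scammer's page and "clicked" within about a second, no dwell time.
  "1300000100.0|imp|203.0.113.9|parked-b.example|http://scam-site.example/index2.php",
  "1300000100.3|click|203.0.113.9|parked-b.example|http://scam-site.example/index2.php",
  "1300000100.4|imp|203.0.113.9|parked-c.example|http://scam-site.example/index2.php",
  "1300000100.6|click|203.0.113.9|parked-c.example|http://scam-site.example/index2.php",
  "1300000101.0|imp|203.0.113.9|parked-d.example|http://scam-site.example/index2.php",
  "1300000101.1|click|203.0.113.9|parked-d.example|http://scam-site.example/index2.php",
  // A click with no impression on record at all (a redirect hit the click URL directly).
  "1300000200.0|click|192.0.2.33|parked-e.example|-",
];

// Thresholds are assumptions for this example, not values from the post.
const MIN_DWELL_SECONDS = 1.0;   // a click faster than this after the impression is suspicious
const BURST_WINDOW_SECONDS = 10; // window for counting distinct parked domains per client
const BURST_MIN_DOMAINS = 3;     // distinct domains clicked in the window that trip the flag

function parseLine(line) {
  const [ts, event, client, domain, topFrame] = line.split("|");
  return { ts: Number(ts), event, client, domain, topFrame };
}

// Hostname of a URL, or null when the field is empty/unknown/unparseable.
function hostOf(url) {
  if (!url || url === "-") return null;
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Returns one entry per suspicious click: { ts, client, domain, reasons[] }.
function analyzeClicks(lines) {
  const records = lines.map(parseLine).sort((a, b) => a.ts - b.ts);
  const lastImpression = new Map(); // "client|domain" -> most recent impression record
  const clicksByClient = new Map(); // client -> [{ ts, domain }]
  const flagged = [];

  for (const r of records) {
    const key = `${r.client}|${r.domain}`;
    if (r.event === "imp") { lastImpression.set(key, r); continue; }
    if (r.event !== "click") continue;

    const reasons = [];

    // 1. A click needs a preceding impression, and a human needs time to read the ad.
    const imp = lastImpression.get(key);
    if (!imp) reasons.push("click_without_impression");
    else if (r.ts - imp.ts < MIN_DWELL_SECONDS) reasons.push("dwell_below_threshold");

    // 2. The parked page was rendered inside a frame on some other site.
    const top = hostOf(r.topFrame);
    if (top && top !== r.domain) reasons.push(`framed_by:${top}`);

    // 3. One client "clicking" ads on many unrelated parked domains in a short window.
    const hist = clicksByClient.get(r.client) || [];
    hist.push({ ts: r.ts, domain: r.domain });
    clicksByClient.set(r.client, hist);
    const recent = new Set(
      hist.filter((h) => r.ts - h.ts <= BURST_WINDOW_SECONDS).map((h) => h.domain)
    );
    if (recent.size >= BURST_MIN_DOMAINS) reasons.push("click_burst");

    if (reasons.length) flagged.push({ ts: r.ts, client: r.client, domain: r.domain, reasons });
  }
  return flagged;
}

for (const f of analyzeClicks(SAMPLE_LOG)) {
  console.log(`${f.client} ${f.domain} ${f.reasons.join(",")}`);
}
```

The genuine visitor is not flagged; each of the three framed clicks trips the dwell and framing rules, the third additionally the burst rule, and the bare click with no impression is flagged on its own. Real traffic needs the rules tuned per network, and the `top_frame` field only exists if the publisher-side script can obtain it, which is the problem the comments below discuss.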


"The lifesaver was a technique developed at AdSafe: The key to the solution was the ability to read the address of the top frame that was hosting the ad(*).

(*) For the technically curious: reading the address of the top frame is a challenging problem. For security reasons, browsers do not allow cross-domain scripting. So, it is not possible to just call the "top" object and read its properties. We have a proprietary solution for this."

Am I correct in reading this as they're relying on JavaScript security exploits?


Yes and no.

No, because it cannot be used as an exploit.

Yes, because it allows you to read the address of the "top" object.

Consider it similar to the CSS link-color hack to read the past browsing history of a user.
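The cross-origin restriction the two comments above are discussing, as an added example that is not AdSafe's proprietary technique and not code from the post: what a script inside a framed ad page can legitimately learn about the top frame using documented browser APIs. Same-origin access to `window.top.location` works; cross-origin access throws; `location.ancestorOrigins` (Chromium/WebKit only, not Firefox) lists the framing origins with the top-level one last; `document.referrer` gives the framing page's URL when the referrer policy allows it. The window objects below are constructed stand-ins for the browser objects so the code runs under Node.

```javascript
"use strict";

// Best top-frame origin a framed ad script can obtain with documented APIs.
// Returns { origin, source }, with origin null when nothing is available.
function topFrameOrigin(win) {
  const originOf = (url) => { try { return new URL(url).origin; } catch (e) { return null; } };
  try {
    if (win.top && win.top !== win) {
      // Only succeeds when the top frame is same-origin; otherwise the browser
      // throws a SecurityError, which is the restriction the post refers to.
      const href = win.top.location.href;
      return { origin: originOf(href), source: "top.location" };
    }
    return { origin: originOf(win.location.href), source: "not_framed" };
  } catch (e) {
    // Cross-origin top frame: fall through to the weaker signals.
  }
  // Chromium/WebKit: DOMStringList of framing origins, parent first, top-level last.
  const anc = win.location && win.location.ancestorOrigins;
  if (anc && anc.length) return { origin: anc[anc.length - 1], source: "ancestorOrigins" };
  // Any browser: the framing document's URL, subject to referrer policy.
  const ref = win.document && originOf(win.document.referrer);
  if (ref) return { origin: ref, source: "referrer" };
  return { origin: null, source: "unknown" };
}

// True when the ad page is known to be rendered inside a page from another origin.
function framedBySomeoneElse(win, ownOrigin) {
  const { origin } = topFrameOrigin(win);
  return origin !== null && origin !== ownOrigin;
}

// ---- Constructed stand-ins for browser objects (hypothetical hostnames) ----
function crossOriginTop() {
  // Accessing location.href on a cross-origin window throws in real browsers.
  return { location: { get href() { throw new Error("SecurityError: cross-origin access"); } } };
}

const framedInChromium = {
  location: { href: "http://parked-a.example/", ancestorOrigins: ["http://scam-site.example"] },
  document: { referrer: "http://scam-site.example/index2.php" },
};
framedInChromium.top = crossOriginTop();

const framedInFirefox = {
  location: { href: "http://parked-a.example/" }, // no ancestorOrigins
  document: { referrer: "http://scam-site.example/index2.php" },
};
framedInFirefox.top = crossOriginTop();

const unframed = { location: { href: "http://parked-a.example/" }, document: { referrer: "" } };
unframed.top = unframed; // top === self when not in a frame

const blind = { location: { href: "http://parked-a.example/" }, document: { referrer: "" } };
blind.top = crossOriginTop(); // cross-origin, no ancestorOrigins, referrer suppressed

for (const [name, win] of [["chromium", framedInChromium], ["firefox", framedInFirefox],
                           ["unframed", unframed], ["blind", blind]]) {
  console.log(name, topFrameOrigin(win), framedBySomeoneElse(win, "http://parked-a.example"));
}
```

The "blind" case is the one a fraud detector has to live with: a framing page that suppresses its referrer leaves a non-Chromium browser with nothing but the fact that access to `top` threw, which at least proves the ad is framed cross-origin even if it does not say by whom.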


By 'exploit' I mean bending the rules, or skirting restrictions. Information disclosure, not code execution. They are taking advantage of flaws in browsers in order to gather information which is not supposed to be available.

I assume this same method could be used by people with less savory goals, but this company isn't reporting the security flaws in browsers that let them do this as it would make things more difficult for their business.

I probably wouldn't go around telling everyone if it was me.


Nice article, but I felt it skipped over the most interesting part. What specifically is happening on the click fraud sites "click.mygeek.com, ppc.rolenews.com, feed.bizclick.com, and others"?

Kinda bummed that I'm stuck in a hotel room with nothing but my iPhone else I'd take a poke around myself.

Anyone else care to fill in the blanks?


I don't understand how a bunch of redirects from his own sites simulates clicking on ads.


What is a click other than a "redirect" from one page to another? Add the appropriate parameters in the HTTP call and you are done. There is no need for actual user interaction for an HTTP call to be considered a "click".

Take a look at the screenshots: You will see that the redirects are URLs that you would "click" as a user to see an ad.

The clever part is that the "clicks" come from a wide variety of IPs, wide variety of browsers, and on different times.





Panos,

Where is the click on the adserver? I don't see that.


The screenshots above redirect to a search engine. (My IP had already been used for clicks and I could not generate the ad clicks for the screenshots)

If you want to see the scheme in action go to the new domains set up by the scammer:

http://www.kidsbeanbags1.com/index2.php

http://www.kingsizemattress1.com/index2.php

http://www.neckpillow1.com/index2.php

http://www.pillowtopmattress1.com/index2.php

http://www.pillowcovers1.com/index2.php

http://www.tempurpillow1.com/index2.php

http://www.contourpillow1.com/index2.php

If you want to observe the full click behavior: Chrome->Tools->DeveloperTools->Network

Let me know what you see. Curious to see if the scammer changed the behavior.


I saw the same kind of redirects as written up.

I still don't understand.

Where is the money? Is this CPC or CPM fraud?

It couldn't be CPC because there is no landing page served.

It couldn't be CPM because there is no ad served.


Confirming your observation.

I got the explanation: All the targeted sites (e.g., Mevio or Current.TV) now have filters in place. So you will not be able to see the actual landing pages. The landing page will be a blank page as the ad click will not work.

Btw for the record: It is mainly CPC fraud, sending (invisible) traffic to sites like Mevio and Current.TV which serve mainly CPM ads.


No, that still does not make sense.

If there is a click on an adserver, where is it in this bunch of redirects?


OK, I added the screenshots that show the adservers as well. When I was writing the article, I was told not to involve any party that has been defrauded and did not give explicit permission to be involved in the story. Since I see them mentioned in the WSJ article, I feel that I can put the relevant screenshots there as well.


That's what I am wondering: how is he sending the actual click? Does he have access to a PPC feed (from whom?), or is he somehow getting the links for the click via JavaScript, and for what ad networks?


That, unfortunately, I could not observe. My intuition says that he had a PPC feed for his parked domains and he was using the click.mygeek.com etc services to click on them.

Note that he was not always clicking on the links, to maintain a reasonable low clickthrough rate for the ads.


Another commenter explained it this way.

You run a video site or a search engine that serves CPM ads. If you can buy PPC cheap enough, you can arbitrage and make money.

PPC from Google is expensive, but there are companies that sell cheap clicks. Some publishers on these ad networks run porn sites with hidden iframes that generate the clickthrough.

However, iframes generate an HTTP Referer, and this gives away the rather dubious traffic sources. The series of redirected clicks is used to subvert click fraud analysis.


Definitely the target publishers were "video sites or search engines that serve CPM ads". So this explanation is most probably pretty accurate.


I know that Google has gone after fraudulent ad scamsters before, wouldn't the Ad Networks in this case pursue action? What kind of penalties would there be for something like this?


Having run a CPC network, I can say "definitely yes" - we pursue fraud aggressively. I enjoyed the article and appreciate his sleuthing, but his conclusion is completely wrong (at least for major CPC advertisers, who are almost all ROAS-driven) - the biggest advertisers care deeply about their results. I would go so far as to say that the lack of policing of the Overture feed on parked domains was a significant (if not the most significant) issue in Yahoo's poor monetization of search and eventual failure with that product.


Notice that most of the affected advertisers are the ones running the CPM campaigns, not the CPC campaigns.

The defrauded CPC campaigns were directing people to sites with video content that were running mainly display advertising campaigns. These display ads were mainly from brand advertisers that do not care too much about clickthroughs or conversions (e.g., Coca Cola, or Continental, or Verizon, or ...).

So, even though the guys running the CPC campaigns (e.g. Mevio) were victims of fraud, they were getting the (invisible) traffic and they were selling the display ads to this traffic. Not that Mevio et al. do not care. Quite the opposite. However they were just getting more traffic. Why would you research your own CPC ad campaign that is effective in bringing you traffic?

I tell you, the scammer has executed this beautifully.


I can't see how the guy could defraud CPM from the traffic he generated. They were all header redirects, so the browser doesn't load any pages, and there were no ads loaded by the browser.


See the updated blog post.


The problem with full disclosure is always script kiddies à la blackhatworld who'll try to do the same.


Wow. That kind of traffic is really going to be hard to detect as fraudulent.

Also, I blame Netscape for this and I'm digging out my NO FRAMES animgif! ;)


I could not see any of the activity described in sites listed in the article. He must have changed something.



