Computerworld

Click fraud shoots up in Q4, driven by botnets

Click fraud rate hit a record in the fourth quarter, driven in part by scammers' use of botnets.

Click fraud, a big threat to the highly profitable pay-per-click search advertising business, increased significantly in the fourth quarter, thanks to scammers' rising and sophisticated use of botnets.

The incidence of click fraud rose to 17.1 percent, up from 16 percent in the third quarter of 2008 and from 16.6 percent in 2007's fourth quarter, according to Click Forensics' quarterly report.

That's the highest quarterly level ever detected by Click Forensics, which provides services to monitor ad campaigns for click fraud, the company said Wednesday. The company has been publishing quarterly click-fraud incidence reports since April 2006.

Although click fraud usually experiences a seasonal spike during the holiday shopping season, 2008's fourth quarter was particularly bad, said Click Forensics President Tom Cuthbert.

"It was a big jump. It's something advertisers should be watching. Search ad providers should be concerned as well," he said.

Click fraud happens when someone clicks on a pay-per-click (PPC) ad with malicious intent or by mistake. For example, a competitor may click on a rival's PPC ads in order to drive up their ad spending. Also, a publisher may click on PPC ads on its site to trigger more commissions. Click fraud also includes non-malicious activity that nonetheless yields a click of little or no value to the advertiser, such as when someone clicks on an ad by mistake or two consecutive times.

A big factor in the fourth quarter's increase was the continued rise in the use of botnets. A botnet is a network of computers that have been secretly compromised by malicious hackers who use them for a variety of tasks, such as sending spam and, in this case, perpetrating click fraud.

In the fourth quarter, botnets generated 31.4 percent of click fraud traffic, up from 27.6 percent in the third quarter and from 22 percent in 2007's fourth quarter, according to Click Forensics. Detecting click fraud from botnets is difficult because it comes from geographically distributed individual PCs with unique IP (Internet Protocol) addresses, and thus masking itself as legitimate traffic, as opposed to coming from a more easily detectable click-fraud "farm."

Another factor boosting click fraud is the global economic crisis, which has caused a spike in crime and cybercrime of all sorts. "Click fraud fits right into that," Cuthbert said.

Search advertising is the largest online ad format, generating about 40 percent of all online ad spending. Google is by far the largest provider of this type of ad, which generates most of the company's revenue.

Page Break

Google and Click Forensics have often locked horns in the past over the rate of click fraud. Google has accused Click Forensics of being inept in its methodology and misleading in its results in order to make the problem seem bigger than it is. Meanwhile, Click Forensics has charged that Google has purposefully trivialized click fraud and mischaracterized it as a minor problem.

However, the animosity between the companies seems to have decreased in intensity lately, to the point where in October Google began publicly cooperating with Click Forensics by agreeing to accept the electronically generated click-quality reports generated by the Click Forensics FACTr service.

Cuthbert said the collaboration has been going well and achieving its goal of simplifying and automating for advertisers that use the FACTr service the process of documenting click-fraud instances and submitting reports to Google. Click Forensics has similar arrangements with other search ad providers, including Yahoo.

Click Forensics generates its quarterly click-fraud incidence report using its Click Fraud Index, which gathers data from more than 4,500 online advertisers and agencies that use ad services from all major search engines.

Other interesting findings from the fourth-quarter report include:

-- Click-fraud traffic generated outside of the U.S. came mostly from Canada (7.4 percent), Germany (3.0 percent) and China (2.3 percent).

-- The click-fraud rate on third-party sites that carry ads from providers like Google and Yahoo -- often called "content networks" -- was 28.2 percent, up from the 27.1 percent in the third quarter and down from 28.3 percent in 2007's fourth quarter.