Just as antivirus and antispam vendors must constantly upgrade their products
to detect new kinds of attacks, an escalating battle of software is raging
against the scourge of online advertising — click fraud.
I reported in this space on
Aug. 17 that some experts believe fraudulent pay-per-click
schemes represent about 10% of billings in the rapidly growing field of paid
search-engine marketing. I also found that spokespersons for the largest PPC
advertising channels, Google.com’s AdWords and Yahoo.com’s Overture, were
reluctant to say much on the record about these schemes and counter-measures
that the sites are taking against them.
However bad the situation may be, it appears to be worsening.
The Anatomy Of Click Fraud
Click fraud occurs when the people behind Web sites that display PPC ads
— and receive a portion of the revenue — start self-clicking the
ads repeatedly, either manually or using software to automate the clicks. To
evade attempts by the major advertising channels to detect clicks coming from a
single Internet Protocol (IP) address, such software uses techniques that
generate fake but plausible IP addresses.
Vincent Granville, Ph.D., president of
Data Shaping Solutions, a statistical consulting firm in
Pittsburgh, Calif., says he’s found lists of thousands of “anonymous proxy
servers” on the Web. These servers can have legitimate uses, such as making
one’s Web surfing anonymous. But Granville points out that many proxies allow
almost all identification of a visitor, including the country the visitor is
in, to be faked.
Here’s how this technique works:
• Find Anonymous Proxies.
One of the proxy lists is
SamAir.ru/proxy, a service based in Moscow, Russia.
About 2,000 anonymous proxy servers are listed, sorted by the country where
each server is located. About half of the servers are on IP addresses assigned
to the United States.
• Find Elite Proxies.
Many of the listed servers are described as “elite” proxies. These servers
not only give a person an anonymous IP address but also allow the user to mask
the fact that a proxy server is being used, among other things.
• Click Away.
After an unscrupulous operator has set up numerous Web sites that feature
PPC advertising, he or she can program software to click revenue-generating
links via the proxies. These clicks can appear to be coming from the U.S.
or any other country that may be an advertiser’s target market. If the
click-throughs are randomly timed and are buried within a mass of other
click activity, the fake charges that are generated can be extremely
difficult for an advertiser to detect.
Granville says he’s currently consulting with several clients, including
InfoSpace, which powers several meta-search engines,
although he wouldn’t be specific about how his statistical skills would be
employed in the battle against click fraud.
The Robots Race Ahead
The sophistication of click-automation software is hinted at by sites such as
This site, which also is based in Russia but is apparently unrelated to the
SamAir site, sells both proxy-finding and click-automation software.
Here’s how the site describes the steps in the process:
• Set Realistic Goals. “All banner clicks should come from
unique IP addresses in reasonable time intervals,” explains the
More Info page. Also, “There must be reasonable show/click
ratio for banners. It would be highly suspicious if every other visitor to your
page would click a banner.”
• Find Anonymous Proxies. The site offers a program called ProXYZ
for $35. This software “checks every found proxy server against existing
ones and adds a new proxy to the list,” according to the site’s
• Configure Clicking Agent. ClickingAgent, the heart of the
technique, which the site also calls “CACA,” is sold for $100 for use on up
to two computers simultaneously. The program allows you to “define how many
clicks it should do, what show/click ratio should be, how many simultaneous
connections to use, and more,” the site’s
SoftCACA page says.
When I wrote to the contact e-mail address provided by the site, I received
a reply from a person who identified himself as Anatoly Smelkov. I called the
phone number in Moscow that he provided and e-mailed him a list of questions.
“Ad companies are actively fighting such artificially generated banner clicks,
but it’s not a very simple task,” Smelkov wrote in his response. “New ways
of cheat protection are constantly developed, but the Web robots are also
growing in power and features,” he added. “I guess the only 100% working
way to stop such activity is to close access to all public proxy servers.”
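The two signals discussed above, the public proxy lists and the show/click ratio, can be turned into a per-publisher check on the advertiser's or ad channel's side. The following is an added example, not part of the original column or of any vendor's product; the publisher IDs, IP addresses (documentation ranges) and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: a proxy list gathered from public listings,
# impressions per publisher, and click records as seen by the ad server.
PUBLIC_PROXIES = {"203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8"}
IMPRESSIONS = {"pub-a": 4000, "pub-b": 50}
CLICKS = [  # (publisher, client IP)
    ("pub-a", "192.0.2.1"), ("pub-a", "192.0.2.2"), ("pub-a", "192.0.2.3"),
    ("pub-a", "203.0.113.10"),
    ("pub-b", "203.0.113.10"), ("pub-b", "203.0.113.11"),
    ("pub-b", "198.51.100.7"), ("pub-b", "198.51.100.8"), ("pub-b", "192.0.2.9"),
]

# Assumed thresholds; in practice these are tuned against each publisher's baseline.
MAX_PROXY_SHARE = 0.30  # share of clicks arriving from listed public proxies
MAX_CTR = 0.05          # clicks / impressions (the "show/click ratio")
MAX_PER_IP = 3          # repeated clicks from a single address


def score_publishers(clicks, impressions, proxies):
    """Return {publisher: {"ctr", "proxy_share", "max_per_ip", "reasons"}}."""
    per_pub = defaultdict(Counter)
    for pub, ip in clicks:
        per_pub[pub][ip] += 1
    report = {}
    for pub, ips in per_pub.items():
        total = sum(ips.values())
        shown = impressions.get(pub, 0)
        ctr = total / shown if shown else float("inf")
        proxy_share = sum(n for ip, n in ips.items() if ip in proxies) / total
        checks = {
            "proxy_share": proxy_share > MAX_PROXY_SHARE,
            "ctr": ctr > MAX_CTR,
            "repeat_ip": max(ips.values()) > MAX_PER_IP,
        }
        report[pub] = {
            "ctr": ctr, "proxy_share": proxy_share,
            "max_per_ip": max(ips.values()),
            "reasons": [name for name, hit in checks.items() if hit],
        }
    return report


if __name__ == "__main__":
    for pub, row in score_publishers(CLICKS, IMPRESSIONS, PUBLIC_PROXIES).items():
        print(pub, row)
```

In the sample, every click on pub-b comes from a different address, so the repeated-IP check stays silent; the publisher is flagged only by its proxy share and click ratio.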
The Advertisers Start To Fight Back
Jessie Stricchiola is president of
Media, a Los Angeles-based firm that develops click-fraud detection software and negotiates refunds from PPC
channels on behalf of clients. She feels that online advertisers and high-tech
thieves are locked into an endless race to outsmart each other.
“I don’t see any point at which this issue will ever be resolved for either
side with a total victory,” Stricchiola says. “It’ll be a constant battle
as long as the current CPC [cost-per-click] model is maintained and isn’t
changed in some significant way.”
Search engines that offer pay-per-click advertising aren’t feeling enough
pressure from advertisers to completely eliminate fraud, in her opinion.
“For them to tweak or tighten down their click-fraud protection, it represents
a significant reduction in their revenue,” Stricchiola says. “They have no
reason to do more than they’re doing.”
Click fraud looms as the biggest threat to online advertising, which generated
$7.3 billion in 2003 and is once again rapidly growing,
according to the Interactive Advertising Bureau and PricewaterhouseCoopers.
More than one-third of that total was PPC search-engine advertising —
double the market share of one year earlier — but few corporations will
continue throwing money at the medium if click-fraud techniques grow fast
enough to eat away at the advertising’s cost-effectiveness.