Thursday, December 01, 2005

Why I quit Miva / FindWhat and Google advertising...

False clicks caused me to stop advertising on Google and Miva / FindWhat.
Pay per click search engines were awesome advertising mediums 3-4 years ago. Now I have decided to remove my companies from that medium because I've been seeing a lot more potential click fraud than usual. Even CNET posted an article last year about their concerns and their analysis on click fraud. In their 2004 article, they estimate 20% of the clicks are fraudulent. They also stated that:

"A growing alternative employs low-cost workers who are hired in China, India and other countries to click on text links and other ads. A third form of fraud takes place when employees of companies click on rivals' ads to deplete their marketing budgets and skew search results."

Who benefits from click fraud?
Simple! The hackers.

You see, third party web site owners are able to get paid for the clicks they receive on their web site. For instance, if you allow Google to put in advertising on your web site, they will pay you XX amount of cents for every click you receive on those advertisement links.

There are legitimate sites that have these advertisements; however, there is a growing number of web sites that are used simply as placeholders, and hackers use "raw browsers" to create false clicks from different IP addresses.

Step by step illustration:
1. COMPANYDOE has paid for first position placement for the keyword "foobar" for $1.00 per click.

2. The hacker uses a tool to falsely take advantage of that first position placement. They have tools that allow them to falsely act like a customer and click on the first position advertising of COMPANYDOE.

3. The search engine records the click and charges COMPANYDOE $1.00. It keeps $0.90 and gives the web site owner (the hacker) $0.10.

Is this extremely hard to detect?
There are several ways to detect these types of clicks automatically. Google and other pay per click companies use referers, a list of known bad IP addresses, and a variety of other methods to combat this problem. The true problem comes from an old peer-to-peer idea. When you have a group of Internet users allowing their browsers and connections to be used as zombies, then technically the clicks themselves are undetectable by normal fraud control.

There are peer-to-peer networks out there that are taking thousands of dollars from search engines totally based on false clicks. Some also use vulnerable servers on the Internet to launch false browser requests and imitate Internet Explorer/Netscape headers.
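The checks named above (referer and a known-bad IP list), plus an assumed per-IP repeat limit, sketched as an added example that is not from the original post or from any ad network's code. The host name, IP addresses, threshold and click records are all constructed; the point is that the filter stops single-source clicks while clicks spread across distinct addresses with a plausible referer are all billed.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed values for illustration only (not from the original post).
BAD_IPS = {"203.0.113.7"}                # hypothetical "known bad" list
PUBLISHER_HOST = "placeholder.example"   # hypothetical publisher site
MAX_CLICKS_PER_IP = 2                    # assumed per-IP repeat limit
REF = "http://placeholder.example/page.html"

def classify(clicks):
    """Return one verdict per click: 'ok' or the reason it was rejected."""
    per_ip = Counter()
    verdicts = []
    for c in clicks:
        per_ip[c["ip"]] += 1
        host = urlparse(c.get("referer") or "").hostname
        if c["ip"] in BAD_IPS:
            verdicts.append("bad_ip")
        elif host != PUBLISHER_HOST:
            verdicts.append("bad_referer")
        elif per_ip[c["ip"]] > MAX_CLICKS_PER_IP:
            verdicts.append("ip_repeat")
        else:
            verdicts.append("ok")
    return verdicts

def billed(clicks, cpc=1.00):
    """Amount charged to the advertiser for clicks that pass the filter."""
    return cpc * classify(clicks).count("ok")

# Constructed click records: one address clicking five times, a click with
# no referer, a blocklisted address, and five clicks from five addresses.
SINGLE_SOURCE = [{"ip": "198.51.100.5", "referer": REF} for _ in range(5)]
NO_REFERER = [{"ip": "198.51.100.9", "referer": None}]
BLOCKLISTED = [{"ip": "203.0.113.7", "referer": REF}]
DISTRIBUTED = [{"ip": f"192.0.2.{n}", "referer": REF} for n in range(1, 6)]

if __name__ == "__main__":
    for name, batch in [("single source", SINGLE_SOURCE),
                        ("no referer", NO_REFERER),
                        ("blocklisted", BLOCKLISTED),
                        ("distributed", DISTRIBUTED)]:
        print(f"{name:14} {classify(batch)} billed=${billed(batch):.2f}")
```

Per-click checks like these see each distributed click as an unrelated first-time visitor, which is why the post calls such clicks undetectable by normal fraud control.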

How do I know this? Simple, in 1999, I worked as the Director of Operations for Team Asylum. We released an advisory about this problem. In fact, we were published in the Industry Standard about how we exposed the weaknesses of Microsoft LinkExchange, DoubleClick, and other banner advertisers. (The author of the article, Jacob Ward, wrote that we were the hackers that built the click fraud tool. Wrong! We were the security analysts hired to expose it.) We were also hired to do other fraud analysis for companies like Advertising.com (Teknosurf at the time) and Banner Brokers.

Click fraud is real, and unfortunately it is only growing worse as more ideas and technologies are developed to combat anti-fraud measures.

My only advice to Google, the Miva team, and whoever else is in the pay per click business is to follow my one rule about online security and anti-fraud measures:

Security requires manual vigilance --Don Sausa.
