Click fraud is a major threat to the PPC ad model, make no mistake about it. An Outsell survey conducted in May reports that click fraud amounts to an estimated $1.3 billion, causing approximately 27 percent of advertisers to cut back on PPC campaigns or eliminate them altogether.
Some experts report that click fraud accounts for 20 percent of the PPC clicks and others put the fraud rate at 14 percent. Google claims estimates are overblown and presented its own study at Search Engine Strategies San Jose showing that click-fraud auditing firms use methodologies that inflate click fraud rates. Regardless of who's right, publishers have reported significant drops in AdSense revenues over recent months.
Yahoo's click fraud class action settlement
Yahoo! Inc. recently settled a click fraud class action suit, giving a better deal to advertisers than Google. Not only is Yahoo paying up to $4.95 million in attorney fees, it will give advertisers the choice of cash refunds or ad credits for the entire amount overpaid. Google only promised ad credits for a percentage of the overpayment.
Another important settlement term is that Yahoo agreed to work with a third party to develop a definition of click fraud and a comprehensive list of known perpetrators of click fraud. Yahoo will also host a click fraud protection center with a full time person to act as liaison between advertisers and Yahoo Search Marketing.
Why was Yahoo so generous? Maybe they realized that protecting advertisers and users against click fraud goes a long way toward preserving the integrity of the PPC ad model.
CPA model alternative
Perhaps because it is worried about the impact of click fraud, Google recently announced it is testing a cost-per-action (CPA) ad model where marketers pay a fee only when users perform the desired action (sale, subscription, download, et cetera). Google didn't admit concern, but said it wants to give its advertisers more options and provide its publisher network with an additional means to earn revenue through AdSense. The CPA ads will be displayed on a different network (the Content Referral Network) than the PPC ads.
Bill Gross introduced the CPA model on SNAP last year because he thinks it is the only way to eliminate click fraud. SNAP CEO Tom McGovern believes this model will be embraced by other engines eventually because advertisers only pay for real business.
Lack of transparency enables PPC click fraud
Click fraud is difficult to document once identified. A major obstacle to tracking click fraud is the lack of transparency in the click fraud billing and tracking process. This lack of transparency on the part of major PPC providers is bizarre. Imagine your cell phone provider sticking you with a $20,000 bill and refusing to provide itemized billing for your calls. Yet, the major PPC providers defend this view.
Google Product Manager Shuman Ghosemajumder recently stated, "Google is examining ways to make its fraud-fighting efforts more transparent without revealing crucial information that might help swindlers elude detection."
In the Auditing Paid Listings and Click Fraud Issues session at SES New York in February, Yahoo stated that it evaluates clicks along 20 to 50 data points, mentioning a few but not providing definitive information.
The argument that providing itemized per-click billing would disclose the inner workings of the PPC providers' anti-fraud system to the bad guys is foolhardy. Chances are the bad guys are already a step ahead.
Back then, everyone was dragging their feet. By SES San Jose in August, Google announced that it would be providing advertisers with the number of invalid clicks on their ads. Additionally, the IAB and Media Rating Council formed a Click Measurement Group to create Click Measurement Guidelines with cooperation from Google, Yahoo, Microsoft, Ask and LookSmart. These are both steps in the right direction, but the worst may be yet to come.
Invasion of the botnets
Recently, I had the opportunity to speak with Dmitri Eroshenko, founder of Clicklab.com, an internet marketing services company specializing in web analytics and click fraud audit. Eroshenko is known as a leading ecommerce efficiency expert who has written extensively on subjects such as PPC advertising, web metrics, click fraud and maximizing marketing ROI.
I asked Eroshenko what his single largest concern regarding click fraud is today. "The worst threat is currently coming from botnets. Botnet masters may have tens of thousands of zombie PCs on their networks. They can afford to use each PC only once in a lifetime (i.e. no repeat clicks whatsoever). Such a threat can only be stopped on the botnet level. It can not be detected by either search engines or on the advertiser side."
Runaway crime bots
Botnets are used as a weapon in online crime. From spam, phishing attacks, virus propagation, and now click fraud, these networks are an increasing threat to the internet.
Symantec's latest Internet Security Threat Report indicates that bot networks now dominate the threat landscape. Symantec identified an average of 9,163 bot-infected computers per day from June to December 2005. The U.S. accounted for 26 percent of the world's bot-infected computers, higher than any other country.
Dealing with botnets is not an easy task because these networks are an illegal collection of hundreds, thousands, tens of thousands or even hundreds of thousands of compromised computers all being controlled with a common infrastructure by a master crook. One botnet in Holland was reported to consist of 1.5 million machines all under one group's control.
Defending against botnet click fraud
It is difficult to defend against a botnet attack because it requires complex tracking and research on how these armies of PCs communicate and how they receive their instructions from their botnet masters. Instructions from the masters direct the bots to various URL addresses that post AdSense or Yahoo Publisher Network contextual ads on their sites, and the bots click away.
There are informal voluntary groups as well as commercial companies that identify and track botnets. One method of detecting and responding to malicious network traffic is to implement a virtual honeypot (a software program designed to emulate a functioning network but is actually a decoy built to be probed and attacked by malicious users). Honeynets are set-up in laboratory PCs with botnet instructions. They collect lists of infected IP addresses and can cross reference them; however, there is no current technology to detect the botnet clicks.
The Honeynet Project, a volunteer organization dedicated to improving internet security, states, "One of the challenges we are facing is the complexity of attackers and threats today. Several years ago it was relatively easy to capture and analyze cyber threats. You simply stuck out a honeypot and the bad guys came. Nowadays they use a variety of multiple vectors, advanced tools, and are always adapting and changing."
Internet security company Panda Software, working with RSA Security, recently reported dismantling a botnet control system threatening a pay-per-click provider's contextual network. The bot network was comprised of over 50,000 zombie computers infected by Clickbot-A, which was controlled remotely. The joint effort resulted in the detection and neutralization of a sophisticated online fraud attack. It was not reported which ad network was affected but most likely it was Google AdSense or perhaps Yahoo Publisher Network to a lesser degree. A sampling of click fraud service vendors includes Alchemist Media, Click Defense and Click Forensics.
Skimming the cream off the top
For some advertisers, ROI is enough. This is the cornerstone that has kept PPC from collapsing overnight. Some companies receive 80 to 90 percent of their revenue from PPC so obviously they are not complaining about click fraud. They can afford to skim the cream off the top.
If you are not one of these companies, what can you do about click fraud? At the very least, install web analytics capabilities to track and monitor conversions and other key indicators that can reveal suspicious trends. For more information, see Kevin Ryan's excellent article, How to Fight Click Fraud.
Paul Bruemmer is director of search marketing at Red Door Interactive. Read full bio.
