- April 11, 2007
- 6 comments
Neil Daswani, Michael Stoppelman, and the Google Click Fraud Team released a fascinating report on a clickbot fraud network (pdf). The ‘bot network was named “Clickbot.A”. Kudos to Google for transparency. A few comments:
The Bad Guys
They’re clever.
Even though ClickBot.A was beta code (”v0.005″ and “v0.007″ were mentioned), the network was sophisticated. The bad guys employed a network of 100k+ ‘bots, each generating a very small number of bogus clicks, to collectively commit fraud against Google content advertisers. The network used redirectors and suppressed referrers to hide their tracks. Each ‘bot made at most 20 bogus clicks, with 15 minutes between them.
Most intriguingly, each ‘bot checked in with the ‘bot master before making a bogus click, as only the ‘bot master had the full perspective to keep traffic low enough to escape suspicion.
The bad guys code in PHP (oddly, Google provides code snippets for wannabe imitators), and used HTTP GET requests for communication between their ‘bots and the ‘bot master.
One surmises the bot authors may not be native-born English speakers due to some awkward verb use: “holded”, rather than “held” or “on hold”, and “ThisIPIsClick()” rather than “ThisIpIsClickable()” or “ThisIpCanBeClicked()”. Similarly, one surmises they’re not earning US rates for web programming talent — according to Google, this scheme didn’t generate much cash, even with 100k bots.
The Money Trail
Daswani et al. write
While the exact dollar amount of fraud impacting Google for the attack is proprietary, one might be interested in a back-of-the-envelope calculation of the scope of the attack … and one assumes an average cost per click (CPC) of $0.50… the upper bound of the damage to Google can be placed at … $50,000. (footnote: The average CPCs involved in the actual attack were less.)
Assuming Daswani et al. used the “an average cost per click (CPC) of $0.50″ in the conventional sense, that means the $50k number reflects payments from advertisers to Google.
If so, $50k in false clicks isn’t $50k of damage to Google. $50k in false clicks is $50k in fraud against Google content advertisers.
Google probably paid the bad guys 20% of that, or around $10k. (While Google’s Traffic Aquisition Costs were 79% for 2006q2, the big rev shares go to partners like AOL. Many typical small AdSense publishers estimate they receive 20% of the click fees.)
So, ClickBot.A likely generated $40k in additional revenue for Google.
If, on the other hand, Daswani et al. meant Google paid the bad guys $50k, then their $0.50 figure was an EPC (”Earnings Per Click”), not a CPC (”Cost Per Click”). If Google paid out $50k, then somewhere some Google content advertisers were frauded to the tune of $250k (again using the 20% payout estimate), with Google earning $200k.
Of course, in reality Google earned neither $40k nor $200k from ClickBot.A. The fraud was detected, so Google invalidated the clicks, and didn’t charge the content advertisers.
Who Stopped ClickBot.A?
ClickBot.A was detetected by Panda Labs back in May, 2006.
Panda is virus company, not a clickfraud company. ClickBot.A was detected because it was spreading through a Trojan.
Twice in the report (once in the abstract, and again in section 6 in italics), Google stresses that none of their content advertisers were harmed by this ‘bot-net.
Google identified all clicks on its ads exhibiting Clickbot.A-like patterns and marked them as invalid.
The report doesn’t say if Google invalidated these clicks before or after Panda detected the Trojan. After Panda had found this malware, Google could easily invalidate all the bogus clicks using the IPs of each ‘bots from the compromised ‘bot master.
Had not Panda detected this criminal software, would Google have noticed 20 bad clicks from 100k different machines? The report does not say. Neil or Michael, could you comment on that?
It’s All About Content, Isn’t It?
As an search marketing agency focused on generating revenue efficiently for our clients, we’re not giant fans of the content networks. We’ve found our clients get far better results using Google to put ads in front of searchers using the search networks, rather than in front of readers and ‘bots on the content networks.
Some advertisers like running content. Others don’t. Either way, it is good that Google has teams of smart engineers striving to keep the content networks clean. And again, kudos to Google for sharing this report in with the public.
If you like this post, consider subscribing to our RSS feed. You can also have new posts sent to you via email.
Similar Posts
- Shooting Fish In A Barrel: Google’s Third-Party Click Fraud Audit Report
- AdWords vs. AdSense Click Fraud — Why Do So Few Get It?
- Google’s Shuman Ghosemajumder on Click Fraud
- Quack, Quack: Made-For-AdSense Spam
- Comments on The Lane’s Gifts v. Google Report by Alexander Tuzhilin
Alan, thanks for the comment on my blog post about the clickbot report. That’s an interesting point about the timeline and whether or not Google would have even noticed the click fraud w/o external assistance. Makes you wonder how much they don’t catch, despite all of their handwaving. ;-)
BTW, I’m wondering if these clicks were actually on the search network as opposed to the content network. If that is the case, this is more serious of a problem than Google is letting on.
Clearly content. How could there be any doubt?
I didn’t see “content” or “contextual” mentioned in the paper. It talks about “a low-noise click fraud attack against syndicated search engines” and “how Clickbot.A attacked such search engines” and “it also issued HTTP requests to doorway sites, redirectors, and search engine result pages.” Sounds like the Search network and not the Content network. The paper doesn’t explicitly state, however, which network the click fraud originated from.
BTW, are you aware that there’s a fair amount of traffic on the Search network that does not, in fact, originate from actual search engines. For example (source): “Depending on the design of the site, a parked domain site will be classified as either a search site or a content site. That means your ads may show on parked domain sites if your campaign is opted in to the search or content networks.”
Why are you so sure the Clickbot.A click fraud was limited to the Content network?
Perhaps I misread, but I thought the bots pulled terms lists from a wide variety of verticals… as my sense was the attack wasn’t a competitor attacks against selected advertisers, my assumption it was fraud it was a content so as to benefit the (bogus) publishers…
Fraud like this does not have to be profitable: if it just breaks even it’s a great way to launder money.
Curious: how does one use clickfraud to launder money? Do the bad guys act as both advertiser and publisher, and moving funds through Google to obfuscate their origin? Crazy stuff.
So much cleverness put to bad ends. If the bad guys used a just a fraction of their wiles on legit pursuits, they’d likely end up doing better on all fronts.