
Neil Daswani, Michael Stoppelman, and the Google Click Fraud Team released a fascinating report on a clickbot fraud network (pdf). The ‘bot network was named “Clickbot.A”. Kudos to Google for transparency. A few comments:

The Bad Guys

They’re clever.

Even though ClickBot.A was beta code (“v0.005” and “v0.007” were mentioned), the network was sophisticated. The bad guys employed a network of 100k+ ‘bots, each generating a very small number of bogus clicks, to collectively commit fraud against Google content advertisers. The network used redirectors and suppressed referrers to hide their tracks. Each ‘bot made at most 20 bogus clicks, with 15 minutes between them.

Most intriguingly, each ‘bot checked in with the ‘bot master before making a bogus click, as only the ‘bot master had the full perspective to keep traffic low enough to escape suspicion.

The bad guys coded in PHP (oddly, Google provides code snippets for wannabe imitators), and used HTTP GET requests for communication between their ‘bots and the ‘bot master.

One surmises the bot authors may not be native-born English speakers due to some awkward verb use: “holded”, rather than “held” or “on hold”, and “ThisIPIsClick()” rather than “ThisIpIsClickable()” or “ThisIpCanBeClicked()”. Similarly, one surmises they’re not earning US rates for web programming talent — according to Google, this scheme didn’t generate much cash, even with 100k bots.

The Money Trail

Daswani et al. write

While the exact dollar amount of fraud impacting Google for the attack is proprietary, one might be interested in a back-of-the-envelope calculation of the scope of the attack … and one assumes an average cost per click (CPC) of $0.50… the upper bound of the damage to Google can be placed at … $50,000. (footnote: The average CPCs involved in the actual attack were less.)

Assuming Daswani et al. used the “an average cost per click (CPC) of $0.50” in the conventional sense, that means the $50k number reflects payments from advertisers to Google.

If so, $50k in false clicks isn’t $50k of damage to Google. $50k in false clicks is $50k in fraud against Google content advertisers.

Google probably paid the bad guys 20% of that, or around $10k. (While Google’s Traffic Acquisition Costs were 79% for 2006q2, the big rev shares go to partners like AOL. Many typical small AdSense publishers estimate they receive 20% of the click fees.)

So, ClickBot.A likely generated $40k in additional revenue for Google.

If, on the other hand, Daswani et al. meant Google paid the bad guys $50k, then their $0.50 figure was an EPC (“Earnings Per Click”), not a CPC (“Cost Per Click”). If Google paid out $50k, then somewhere some Google content advertisers were defrauded to the tune of $250k (again using the 20% payout estimate), with Google earning $200k.

Of course, in reality Google earned neither $40k nor $200k from ClickBot.A. The fraud was detected, so Google invalidated the clicks, and didn’t charge the content advertisers.

Who Stopped ClickBot.A?

ClickBot.A was detected by Panda Labs back in May, 2006.

Panda is a virus company, not a clickfraud company. ClickBot.A was detected because it was spreading through a Trojan.

Twice in the report (once in the abstract, and again in section 6 in italics), Google stresses that none of their content advertisers were harmed by this ‘bot-net.

Google identified all clicks on its ads exhibiting Clickbot.A-like patterns and marked them as invalid.

The report doesn’t say if Google invalidated these clicks before or after Panda detected the Trojan. After Panda had found this malware, Google could easily invalidate all the bogus clicks using the IPs of each of the ‘bots from the compromised ‘bot master.

Had not Panda detected this criminal software, would Google have noticed 20 bad clicks from 100k different machines? The report does not say. Neil or Michael, could you comment on that?
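
To make that question concrete, here is an added example (not from the Google report or from the original post) run over a constructed click log. It shows why a per-IP click threshold sees nothing when each ‘bot stays at 20 clicks, while publisher-level aggregation of the two traits described above (suppressed referrers, fixed 15-minute spacing) can surface the pattern. The thresholds, the log layout, the publisher IDs and the single suspect publisher are all assumptions.

```python
from collections import defaultdict

GAP = 15 * 60      # seconds between a bot's clicks, as the post reports
MAX_CLICKS = 20    # per-bot click cap, as the post reports
PER_IP_LIMIT = 50  # assumed per-IP alert threshold (hypothetical)

def build_log(n_bots=200, n_humans=300):
    """Constructed sample log of (ip, publisher, referrer, unix_ts) tuples."""
    log = []
    for b in range(n_bots):      # bots: blank referrer, fixed spacing
        for k in range(MAX_CLICKS):
            log.append((f"10.0.0.{b}", "pub-suspect", "", b * 7 + k * GAP))
    for h in range(n_humans):    # ordinary visitors: 1-3 clicks, referrer set
        for k in range(1 + h % 3):
            log.append((f"192.168.{h // 250}.{h % 250}", f"pub-{h % 5}",
                        "http://example.com/", h * 131 + k * 4000))
    return log

def per_ip_flags(log, limit=PER_IP_LIMIT):
    """Naive detector: flag any IP with more than `limit` clicks."""
    counts = defaultdict(int)
    for ip, _pub, _ref, _ts in log:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > limit}

def publisher_flags(log, min_ips=50, share=0.8, tol=30):
    """Aggregate detector: flag publishers whose clicks come from many IPs,
    mostly without a referrer, and mostly spaced ~15 minutes apart per IP."""
    times = defaultdict(lambda: defaultdict(list))
    blank, total = defaultdict(int), defaultdict(int)
    for ip, pub, ref, ts in log:
        times[pub][ip].append(ts)
        total[pub] += 1
        blank[pub] += (ref == "")
    flagged = set()
    for pub, ips in times.items():
        gaps = [b - a for t in ips.values()
                for a, b in zip(sorted(t), sorted(t)[1:])]
        regular = sum(abs(g - GAP) <= tol for g in gaps)
        if (len(ips) >= min_ips and gaps
                and regular / len(gaps) >= share
                and blank[pub] / total[pub] >= share):
            flagged.add(pub)
    return flagged

if __name__ == "__main__":
    log = build_log()
    print("per-IP flags:", per_ip_flags(log))
    print("publisher flags:", publisher_flags(log))
```

On the constructed data the per-IP detector flags nothing and the publisher-level detector flags only the suspect publisher; neither result says anything about how Google actually found the clicks.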

It’s All About Content, Isn’t It?

As a search marketing agency focused on generating revenue efficiently for our clients, we’re not giant fans of the content networks. We’ve found our clients get far better results using Google to put ads in front of searchers using the search networks, rather than in front of readers and ‘bots on the content networks.

Some advertisers like running content. Others don’t. Either way, it is good that Google has teams of smart engineers striving to keep the content networks clean. And again, kudos to Google for sharing this report with the public.


Comments

  1. Richard Ball, April 12, 2007:

    Alan, thanks for the comment on my blog post about the clickbot report. That’s an interesting point about the timeline and whether or not Google would have even noticed the click fraud w/o external assistance. Makes you wonder how much they don’t catch, despite all of their handwaving. ;-)

    BTW, I’m wondering if these clicks were actually on the search network as opposed to the content network. If that is the case, this is more serious of a problem than Google is letting on.

  2. Alan Rimm-Kaufman, April 12, 2007:

    Clearly content. How could there be any doubt?

  3. Richard Ball, April 12, 2007:

    I didn’t see “content” or “contextual” mentioned in the paper. It talks about “a low-noise click fraud attack against syndicated search engines” and “how Clickbot.A attacked such search engines” and “it also issued HTTP requests to doorway sites, redirectors, and search engine result pages.” Sounds like the Search network and not the Content network. The paper doesn’t explicitly state, however, which network the click fraud originated from.

    BTW, are you aware that there’s a fair amount of traffic on the Search network that does not, in fact, originate from actual search engines? For example (source): “Depending on the design of the site, a parked domain site will be classified as either a search site or a content site. That means your ads may show on parked domain sites if your campaign is opted in to the search or content networks.”

    Why are you so sure the Clickbot.A click fraud was limited to the Content network?

  4. Alan Rimm-Kaufman, April 12, 2007:

    Perhaps I misread, but I thought the bots pulled terms lists from a wide variety of verticals… as my sense was the attack wasn’t a competitor attack against selected advertisers, my assumption it was fraud it was a content so as to benefit the (bogus) publishers…

  5. Robin Allenson, April 16, 2007:

    Fraud like this does not have to be profitable: if it just breaks even it’s a great way to launder money.

  6. Alan Rimm-Kaufman, April 16, 2007:

    Curious: how does one use clickfraud to launder money? Do the bad guys act as both advertiser and publisher, and move funds through Google to obfuscate their origin? Crazy stuff.

    So much cleverness put to bad ends. If the bad guys used just a fraction of their wiles on legit pursuits, they’d likely end up doing better on all fronts.

  7. Raksi, November 26, 2008:

    how we can remove the click bot from the system
