Researchers reveal potential 'click fraud'

Informatics researchers at IU have revealed how scam artists could target online advertisers in a recent study. \nThe researchers, Associate Professor of Informatics Markus Jakobsson along with research assistants and computer science graduate students Jacob Ratkiewicz and Mona Gandhi, call the theft "click fraud." They studied the vulnerability of online advertisers, who could be losing money to online attackers. \nWhen someone places an ad on his or her own Web site, Jakobsson said, that person can display advertisements from search engines, including Yahoo! and Google, and then get paid if people click the ad on the page. \n"An advertiser will pay Yahoo! because its ad will be viewed, and Yahoo! will pay you because you provided the client who paid the ad," said Jakobsson, who also is an associate director at the IU Center for Applied Cybersecurity Research. "Click fraud is where you somehow cause Yahoo! to think that a person clicked on an ad, whereas they didn't." \nThough Jakobsson hopes his group is ahead of potential scammers, he said there is no way to know whether it has already happened or not. \n"We don't think (click fraud has been done) because we think we're a step ahead of the pack," Jakobsson said. "If it were done, nobody would have known that it was done. And that's the very sneaky thing." \nJakobsson said there are two approaches to click fraud that were reported in the study.\nThe social approach would involve the Web site owners telling all their friends to go to their site and click on the ads, so the owners would receive money for having people view the ad on their Web sites. \nThe technical approach, Jakobsson said, is called "badvertisements," whereby ads are placed on a Web site where they are so small the ads are actually invisible to the viewer, making it look like people viewed the ad when really they did not. \n"The user will never see the advertisement because it's displayed in such a teeny tiny window," Jakobsson said. "It's going to be invisible to the advertisement provider. They won't realize there's click fraud on your site." \nOther click fraud schemes have come up in the past, Jakobsson said, but his group has studied the first of its kind.\n"There have been many click fraud attacks," he said, "and as soon as advertisers find out about them, they change the way they do things so the attacks don't work anymore." \nRatkiewicz said smaller pay-per-click providers were susceptible to an attack. \n"AdBrite is one of them. Those guys, for instance, we could rip off," he said. "I could put an ad right in and make AdBrite think a million people clicked it, and AdBrite would pay me a ton of money." \nThe group's study was accepted at the Anti-Phishing Working Group's annual conference this November where it will present its information, Jakobsson said. \n"It was accepted there, and Jackobson just went and spoke at Stanford and at Google and at two other places presenting this research," Ratkiewicz said.\nJakobsson said what causes click fraud to be such a big threat is it could happen without anyone knowing.\n"It's so well camouflaged, and that's the danger of it," Jakobsson said. "So it could go on just by hiding itself from everybody"