The clever hacking of online advertisements has quietly grown into a multi-million dollar criminal industry showing no signs of slowing.

The big losers: online advertisers.

One of the fastest growing forms of this type of thievery is click fraud, specifically bot-net generated click fraud. To understand what a lucrative endeavor this has become requires a basic grasp of how “contextual” advertising — ads that chase certain keywords — appear alongside search results and on blogs and web pages.

Contextual advertising 101

Advertisers pay for each click to those “sponsored” ads that appear alongside Google search results. (Microsoft Bing and YahooSearch use similar systems to generate ad revenues.) The advertisers bid for placement next to “keywords” that relate to their product or service. This same “keyword” bidding process delivers those Google adSense ads that appear on hundreds of thousands of blogs and websites.

It’s this latter arrangement that cyber gangs are intensively targeting.

U.S. companies paid a record $14.2 billion for paid keyword-driven contextual ads in 2009, with Google commanding 55% of that revenue, Yahoo 9% and Microsoft 6%, says tech research firm IDC.

Meanwhile, click fraud rates rose to 17.4 % to 29.4% in the first three months of this year, according to separate estimates by Click Forensics and Anchor Intelligence, respectively. That’s up from 15.4% to 25.7% in the final three months of 2009, according to the two leading suppliers of click fraud detection and filtering technology. (The click fraud rates are derived from the fraudulent clicks filtered out by Click Forensics’ and Anchors’ respective technologies.)

“The click fraud rate is rising because there are more dollars available for the taking now,” says Anchor CEO Ken Miller. “Online advertising isnÃ¢â‚¬â„¢t cute and new anymore, itÃ¢â‚¬â„¢s ubiquitous. Consequently, this growth can also make the system incredibly vulnerable because it invites in new levels of sophistication and technology from the fraudsters.”

The simplest type of click-fraud occurs when someone puts up a webpage, signs up to become a Google adSense affiliate, and then clicks on the ads to collect the affiliate revenue. Another form occurs when someone repeatedly clicks on the ads of a business rival to maliciously waste the rival’s ad budget.

Botnet-driven attacks

But the exponential growth of click-fraud is being driven by automated attacks. Cyber criminals have become adept at putting up web pages designed primarily to carry contextual ads, with no other content. They sign up to become Google adSense affiliates and begin posting ads. They then hire cyber gangs in control of massive networks of compromised PCs, called botnets, to click on the ads triggering payments from the advertisers, routed through Google.

Advertisers typically pay 30 cents to as much as $10 per click, depending on the keyword, industry sector and popularity of the webpage on which their ad appears, says Kevin Lee, CEO of search consultancy Didit.com. For each dollar the advertiser pays for clicks, the search engine gets the full dollar if the click comes from a sponsored ad on a search results page. But if the click routes through adSense ads on a blog or other webpage, Google typically keeps 25cents, and the webpage owner gets 75 cents.

“There are lots of ways for fraudsters to generate clicks, but the ones most concerning to the industry are the highly sophisticated and automated ones that can generate huge volumes of clicks, and huge fees,” says Paul Pellman, CEO of click Forensics.

Other ways include work-from-home schemes that pay workers to click on ads, and click-farms set up with rooms full of people clicking on ads, says Pellman.

Last July, Radar Research ran a test of 11 different “run-of-network” ad campaigns. These are “remnant” ads that are not routed through Google, Microsoft or Yahoo, but through smaller ad networks. Radar found an astounding 95% of clicks were fraudulent.

“The test was fairly wide-ranging and statistically significant in terms of looking at the incidence of click fraud across these ad networks,” says Marissa Gluck, managing director of Radar Research. “Artificially boosting clicks means advertisers are paying much more than they should and getting literally nothing in return. It’s theft – plain and simple.”

Google, Yahoo and Microsoft take the problem of click fraud very seriously and are working hard to mitigate it, says Didit.com CEO Lee.

“It can be hard to tell the difference between bona fide click fraud, a click from an innocent searcher who decided not to convert on an advertiserÃ¢â‚¬â„¢s website, a robotic click, or even one from a bot/virus infested computer,” says Lee. “All are forms of clicks that donÃ¢â‚¬â„¢t convert, costing advertisers money that wonÃ¢â‚¬â„¢t bring returns.”

Google uses automated filters and lets advertisers the ability screen clicks through a system called AdWords Report Center. Advertisers can dial up “the exact number of clicks we are filtering out on each advertiser campaign,” says Google spokeswoman Rachel Nearnberg.

Highly motivated scammers

But stopping click-fraud is proving as difficult as stopping e-mail spam; and click-fraud artists may be more highly motivated. “Spam generates a few cents per thousand emails sent, but a click-fraud criminal may make several dollars per thousand fraudulent clicks,” says Gunter Ollmann, research director at security firm Damballa.

Botnets, both specialized and generic, are being used to conduct click fraud. Here’s how Ollmann describes it:

Criminals can rent or purchase an existing botnet (with all of its centralized command and control already in place) and then install a specialized click-fraud tool or agent on these bot-infected victims. This specialized agent is designed to use either a predefined list of URLÃ¢â‚¬â„¢s or a series of customized scripts, and perform an automated sequence of virtual Ã¢â‚¬Å“clicksÃ¢â‚¬Â on any advertising that may be on those pages. Some click-fraud agents will simply replay a long list of HTTP GET requests without even using the Web browser present on the bot victims computer. Many techniques have been developed by advertizing companies to detect click-fraud. However there is an escalating arms-war between the fraudsters and the detectors. This armÃ¢â‚¬â„¢s war parallels that of spam, with the criminals constantly switching to the next Ã¢â‚¬Å“low hanging fruitÃ¢â‚¬Â rather than a linear tit-for-tat progression (as seen in malware evasion/detection). This means that tactics change rapidly – probably faster than that of spam campaigns – because there appears to be more money involved. While spam may generate a few cents per thousand emails sent, a click-fraud criminal may make several dollars per thousand fraudulent clicks.

Click fraud is just one way advertisers are getting ripped off, says Harvard professor Ben Edelman, an online advertising and privacy expert. There is a whole cottage industry of “typo-squatters.” These crooks intentionally register misspellings of popular website addresses. So anybody who mistypes a URL trying to get to a major advertisers home page, will end up at the crook’s page, generating a payment to the scammer.

Beyond that cyber criminals have developed ways to receive payments for pop-up ads, spyware and adware that really doesn’t return any benefit to the paying advertiser.

“Advertisers are buying through a channel that was promised to be highly accountable and transparent,” says Edelman. “In fact, time and time again advertisers find themselves overcharged for things they never agreed to pay for.”

By Byron Acohido

April 23rd, 2010 | For consumers | For technologists | Imminent threats