ClickForensics released a new study yesterday which said that “The overall industry average click fraud rate was 22.3 percent. That’s up from the 18.6 percent reported for Q2 2010 and the 14.1 percent rate reported for Q3 2009.” Read more from the release.
ClickForensics CEO Paul Pellman discussed his company’s latest findings.
AdExchanger.com: You note in the release that during the past quarter you saw click fraud occurring through “mobile proxies.” What is a mobile proxy? Why is it being used by fraudsters?
PP: All Internet traffic from mobile devices flows through proxy servers located at the mobile service provider (e.g., AT&T, Verizon). So all traffic from these devices appear to come from a single, or very few, IP addresses. This is similar to the way that traffic from all AOL users appears to come from one household in Vienna, VA, because that’s where the AOL proxy servers are located. Fraudsters use these mobile proxies to disguise their true identity and location, mixing fraudulent clicks in with lots of valid mobile traffic. Since no one would ever be willing to block the IP address of 50 million AT&T customers, they’re ensured the clicks will flow through the system and they’ll get paid. Simply put, fraudsters are using mobile proxies in an attempt to mask the true source of their invalid traffic and/or make it appear more legitimate. This will definitely be an area of further investigation for us in the coming quarters.
Why does click fraud continue to rise? What’s driving it?
Without getting too philosophical, there is just so much money being spent on PPC advertising that there are always bound to be unscrupulous players looking to make a quick buck. Combine the opportunity for easy profit with the advances in technology and you’ve got a recipe for increasing fraud. The rise in click fraud traffic we’ve seen over the past year has come primarily from sophisticated botnet sources, so the sheer volume of invalid traffic has increased. Years ago human click farms played a greater role but now the biggest perpetrators of fraud generally use botnets, malware and other advanced programs to attempt click fraud. Collusion fraud is one example of a botnet scheme we’ve seen grow over the past year as well. It’s quite sophisticated and difficult for most to detect.
What about malvertising? Any findings or thoughts?
Well, the only way to make money from malvertising is to commit fraud of some type, either credit card fraud, identity theft, or click fraud. Click fraud is sometimes viewed as the least serious threat, and so we see malvertising being used to infect machines with auto-clickers and botnets that are the primary source of click fraud. This isn’t a new finding, but an unfortunate fact of online life.
How is social media shaking out in terms of click fraud these days? Is it a safer place than it used to be?
Actually, much of social media is a very safe place to advertise. For example, we reported in Q1 2010 that we found a much lower rate of click fraud and invalid traffic on popular social networks. Closed networks like Facebook or LinkedIn don’t provide much opportunity or motivation for click fraud. However, user-generated content that exists in more open places on the web may be more vulnerable to click fraud and invalid traffic because it doesn’t have the same registration requirements that traditional social networks do. This is definitely something we saw corroborated in the Q3 data and we’ll be tracking it going forward.
By John Ebbert
