web application security lab

Clickbot.a Writeup

I was sent this link today on Clickbot.a, written by the Google AdWords guys. It’s a pretty interesting high-level read for the most part if you don’t know much about click fraud, but it does get into some of the technical stuff near the end on how the bot actually worked. While the conclusions of the paper are fine, I was struck that the authors failed to address the most important point.

That point is that the only reason this bot existed, and the only reason the hackers used it to compromise 100,000+ machines, is that it was economically lucrative to do so. That means Google’s detection was too slow to respond and prevent the attackers from making enough money to make it worth their while. This came at the expense of the advertisers, as well as the poor web sites that were compromised for this purpose. Which means that Google’s detection methods need to improve to pick up not just this particular variant but also polymorphic versions that are far less easy to detect. So while it is commendable for Google to fix this one issue, it shows they are lacking the technology to proactively defend against future and less immature variants.

While Google’s executive management feels that economics will solve this issue I feel that Google is failing to see how detrimental this is to the advertisers who depend on quality click traffic. In lieu of this quality, alternative solutions must be in place to allow advertisers to recoup their costs while Google struggles to build new technology to defeat the issue. However, without access to the actual landing pages that the advertisers use, Google cannot have deep insight into the full picture. Ultimately, this will cause a bigger rift with time that the attackers can exploit on the vast majority of sites that don’t use alternative click quality tools. Until the time when Google can come up with a creative solution, companies like Click Forensics fill that void.

6 Responses to “Clickbot.a Writeup”

  1. GrunGee Says:

    Yeah, I saw a couple of guys using a stealth version of Firefox, and with some code they were able to place the point they wanted clicked under the mouse at all times, so when the person clicked they were actually clicking on the ad, and then the trojan would click back on the link the person originally clicked on. Not working 100%, but was very interesting.

  2. Kyran Says:

    The anatomy of…
    I should have copyrighted that.

  3. Andrew Says:

    While they mentioned the greater ‘profit per compromised machine’ of exploiting someone’s key-logged bank details, they fail to discuss the relative illegality (and potential for prosecution) of click fraud and bank fraud. Click fraud is a lot less likely to land you in jail (or even under investigation), and so is much more attractive to the average profit-minded hacker.

  4. Dean Brettle Says:

    I think a large part of the answer to this issue lies in moving from Pay-Per-Click ads to Pay-Per-Action ads. Google has something (in beta of course). For details, see:

    http://services.google.com/payperaction/

  5. Blah Says:

    “While Google’s executive management feels that economics will solve this issue I feel that Google is failing to see how detrimental this is to the advertisers who depend on quality click traffic. In lieu of this quality, alternative solutions must be in place to allow advertisers to recoup their costs while Google struggles to build new technology to defeat the issue.”

    Two minor inaccuracies:
    1. Google’s executive management doesn’t have a “let it happen” approach. You’re taking a quote by their CEO out of context by omitting the first part of what he said: “Let’s imagine for purposes of argument that click fraud were not policed by Google and it were rampant …”. Both of these suppositions are false.

    2. They have been and continue to be fairly successful at combating click fraud. No one else is seriously working on the problem outside of academia. Their policy is to refund any suspicious clicks, yet less than 1 out of 5000 clicks is reactively deemed suspicious. False negatives rarely get through, and false positives? Oh, yeah. Advertisers get those for free.

    There are a lot of false claims out there about double-digit percentages of fraudulent clicks. The problem with these is that they don’t distinguish between clicks that Google actually bills for and overall clicks. There are a lot of invalid, non-fraudulent clicks that advertisers never get charged for. For instance, by crawlers and scrapers. These get counted as “fraudulent” by third-parties who don’t have enough data to make a distinction.

    Granted, when you’re making on the order of $10 billion, fraudsters stealing 0.0N% of revenue is still on the order of N millions. Bot networks are cheap to buy. It’s worth it to a lot of people to do an attack like Clickbot.A even if they only could make $10K out of it.

  6. RSnake Says:

    @Blah - while Google has made a commitment (at least on paper), it hasn’t exactly been forthcoming with its solutions to the problem, and further, the solution to the problem is a) economically beneficial for Google, as they get to charge more, and b) obfuscation. From the Tuzhilin report:

    In other words, advertisers cannot know if a particular click on a particular ad was marked as valid or invalid by Google, and Google refuses to provide this information to advertisers.

    This is a source of contention and dispute between Google and the advertisers, and one can understand both parties in this dispute. On one hand, the advertiser has the right to know why a particular click was marked as valid by Google (when the advertiser thinks that it is invalid) because the advertiser pays for this click. On the other hand, if Google discloses this information, it opens itself to click fraud on a massive scale because, by doing so, it provides certain hints about how its invalid click detection methods work. This means that unethical users will immediately take advantage of this information to conduct more sophisticated fraudulent activities undetectable by Google’s methods.

    and

    An operational definition cannot be fully disclosed to the general public because of the concerns that unethical users will take advantage of it, which may lead to a massive click fraud. However, if it is not disclosed, advertisers cannot verify or even dispute why they have been charged for certain clicks.

    So while I believe Google is working on the problem, I would suspect that they have no clue how to solve the problem without super invasive recon tactics. I don’t think an objective third party has ever been amassed to look at Google’s logs as they themselves suggest (or at least the results have never been made public):

    Third-party auditors. Independent third-party vendors, who have no financial conflicts of interest, can work with advertisers and audit their clickstream files to detect invalid clicks.

    Further, your statement, “No one else is seriously working on the problem outside of academia” is completely false. I, in fact, am incredibly interested in solving this issue, so advertisers can start getting what they are paying for. That is why I was recently asked to be on the technical advisory board for Click Forensics - who I assure you are keenly interested in solving this problem.

    I happen to be a tad jaded about this topic and the technology as I’ve built many of the fraud systems these companies use (12 years ago) and I have learned a thing or two since that time. :) To be honest, from what I can see from the outside analytics have not advanced much in those 12 years since I have been out of the CPC market place. I think it’s about time to start making some changes.