8

We have a webapp. 3rd party websites put our banners on their pages (a banner is a snippet of HTML). They are paid for it using "Pay per click" or "Pay per show" methods.
So 3rd party website owners are interested in abusing these payment methods by e.g. clicking the banner a lot of times, creating bots, etc. I'd want to defend against such abuses.

How can I defend against such show/click fraud?

After reading some parts of AdWords help and this report I know that I should log some info about each click like exact time, IP address, user-agent, tracking cookie. And then apply some filters to those logs:

  1. Period between repetitive clicks. If it's too low, discard all but one of them
  2. Statistical analysis of clicks per time period. If number of clicks per current period is significantly larger than average, this activity should be reviewed
  3. Check banner environment for reality: cookie support, JS code execution, comparison of user-agent and browser JS detection, comparison of JS detected locale, timezone and source IP
  4. If percent of already detected invalid clicks originating from a particular IP address is significantly higher than from other IPs, and number of clicks is significantly large, then all clicks from this IP address should be discarded
  5. Shows/clicks coming from IPs in http:BL of Project Honeypot, countries not in areas where users live, datacenter IPs

Please advise other filters that will be useful. Also, I don't know the proper settings that should be used in those filters. What are they?

Andrei Botalov
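As an added example (not from the question or any answer), filters 1, 2 and 4 above applied to a constructed click log; the thresholds (10 s gap, 3x the mean rate, 2x the invalid share of other IPs) are assumed starting points, not recommended settings:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample click log (not real traffic): (time, source_ip, tracking_cookie).
T0 = datetime(2012, 1, 1, 12, 0, 0)
LOG = (
    [(T0 + timedelta(seconds=30), "203.0.113.5", "c1")]                # one normal visitor
    + [(T0 + timedelta(seconds=40, milliseconds=200 * i), "198.51.100.9", "c2")
       for i in range(10)]                                            # 10 clicks in 2 s: a burst
    + [(T0 + timedelta(minutes=2, seconds=20 * i), "198.51.100.9", f"bot{i}")
       for i in range(12)]                                            # same IP, fresh cookie per click
)

def dedupe_rapid_repeats(log, min_gap=timedelta(seconds=10)):
    """Filter 1: per visitor (IP + cookie), discard a click closer than min_gap to the previous one."""
    last_seen, kept, discarded = {}, [], []
    for click in sorted(log):
        t, key = click[0], click[1:]
        (discarded if key in last_seen and t - last_seen[key] < min_gap else kept).append(click)
        last_seen[key] = t  # gap measured from the previous click, so a steady stream collapses to one
    return kept, discarded

def rate_outliers(log, period=timedelta(minutes=1), factor=3.0):
    """Filter 2: indices of periods (counted from the first click) whose click count exceeds factor x the mean of all other periods."""
    start = min(t for t, _, _ in log)
    counts = defaultdict(int)
    for t, _, _ in log:
        counts[int((t - start) / period)] += 1
    per_period = [counts[i] for i in range(max(counts) + 1)]  # empty periods count as 0
    flagged = []
    for i, c in enumerate(per_period):
        others = per_period[:i] + per_period[i + 1:]
        if others and c > factor * sum(others) / len(others):
            flagged.append(i)
    return flagged

def suspicious_ips(log, invalid, min_clicks=5, factor=2.0, min_ratio=0.2):
    """Filter 4: IPs with >= min_clicks whose share of already-flagged invalid clicks is >= min_ratio and > factor x the share from all other IPs."""
    total, bad = Counter(ip for _, ip, _ in log), Counter(ip for _, ip, _ in invalid)
    flagged = []
    for ip, n in total.items():
        own = bad[ip] / n
        rest = (len(invalid) - bad[ip]) / (len(log) - n) if len(log) > n else 0.0
        if n >= min_clicks and own >= min_ratio and own > factor * rest:
            flagged.append(ip)
    return sorted(flagged)
```

On the constructed log, filter 1 discards 9 of the 23 clicks, the per-minute spike reported by filter 2 disappears once those are removed, and the IP behind them is the only one filter 4 marks for discarding.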

5 Answers

4

As with all fraud-detection mechanisms, this problem is inherently unsolvable in the absolute sense, as whenever you come up with a solution, the attackers will simply modify their attack to account for it. This is also why you simply cannot find a "ready-made" solution for this type of problem on a site like this. Once a solution is posted, it becomes the template for the fraudsters in determining how to avoid detection.

But that doesn't mean there's nothing you can do.

This is a classic data-mining problem. With a large enough sample set, you watch for patterns and statistical anomalies in the attributes associated with the data. It could be the user agent, netblock, referrer, timing attributes, or just about anything that the attacker didn't think to compensate for. When you see an increase in traffic that all shares some unusual attribute, there's a higher statistical likelihood that you're seeing non-normal (potentially fraudulent) traffic. The math behind what you'll need to implement will almost certainly be based on Bayesian analysis, which will help you flag the outliers.

The larger your dataset the better you can eliminate errors, and therefore the more accurate your model will become. This is one of the primary reasons why very large ad networks can do a much better job at this than smaller ones; the sheer data volume can be a huge advantage in itself.

tylerl
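An added illustration of the attribute-anomaly idea in this answer (example code, not the answerer's): a plain share-ratio comparison rather than the Bayesian model mentioned, run over constructed baseline and current click sets, checking single attributes and the full attribute combination.

```python
from collections import Counter

# Constructed click records (not real traffic): one dict of attributes per click.
def clicks(n, **attrs):
    return [dict(attrs) for _ in range(n)]

BASELINE = (clicks(60, ua="Firefox/10", net="203.0.113.0/24", ref="news.example")
            + clicks(30, ua="Chrome/17", net="198.51.100.0/24", ref="blog.example")
            + clicks(10, ua="Safari/5", net="192.0.2.0/24", ref="news.example"))
CURRENT = (clicks(20, ua="Firefox/10", net="203.0.113.0/24", ref="news.example")
           + clicks(10, ua="Chrome/17", net="198.51.100.0/24", ref="blog.example")
           + clicks(40, ua="Firefox/10", net="192.0.2.0/24", ref="blog.example"))  # new traffic

def share_shifts(baseline, current, attrs=("ua", "net", "ref", ("ua", "net", "ref")),
                 factor=3.0, min_count=10):
    """Return (attribute, value, baseline_share, current_share) for every attribute value
    (or combination) that is unseen in the baseline or whose share grew more than
    `factor` times, provided it accounts for at least min_count current clicks."""
    def key(click, attr):
        return click[attr] if isinstance(attr, str) else tuple(click[a] for a in attr)
    out = []
    for attr in attrs:
        base = Counter(key(c, attr) for c in baseline)
        cur = Counter(key(c, attr) for c in current)
        for value, n in cur.items():
            cur_share, base_share = n / len(current), base[value] / len(baseline)
            if n >= min_count and cur_share > factor * base_share:
                out.append((attr, value, round(base_share, 2), round(cur_share, 2)))
    return out
```

A popular user agent on its own is unremarkable here; what stands out is the netblock and, more sharply, the never-seen-before combination of user agent, netblock and referrer that the new traffic shares.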
2

It's a game of cat and mouse. There is no 100% foolproof way to detect click fraud, and there is no 100% foolproof way to carry out click fraud.

At the end of the day a Botnet or Mechanical Turk could be made to look like legitimate traffic. There are plenty of hacked computers out there, and plenty of "unwanted popups."

There are things you can do to prevent you from being a very easy target. Tricking users into clicking on advertisements with Clickjacking or CSRF is a useful method of carrying out click fraud en masse. HTML widgets need to protect themselves from these attacks.

Needless to say I don't think the defense side of this coin is favorable.

rook
2

Change your payment model to pay per sale rather than pay per click. What you really want anyway is sales, right?

ddyer
1

Here are some more filters/ideas from the top of my head:

  • Limit the payment to specific countries (if possible). Some countries with low labor rates employ people for the sole purpose of clicking on advertisements.
  • Set a limit on the sum of money each 3rd party owner can get from you (again, only if possible). In this case, even if you fail to protect against fraud, you won't go bankrupt.

Regarding your filters, keep a record of the following: the user IP address, User session information, User cookie information, the network to which an IP belongs, the user's browser information and the time of the click.

Also keep in mind there are commercial tools for protecting against PPC fraud, like AdWatcher, ClickTracks, Click WatchDog, etc.

Boaz Tirosh
1

My best suggestion is to outsource this problem to someone else.

This is a challenging problem. In many areas of security it is possible to build strong, robust defenses ("Fort Knox security"), but this area is an exception: I don't know of any clean, robust defenses against click fraud. Instead, it seems to be an arms race, where defenders put in place some defenses against known attacks, but attackers come up with new methods of fraud from time to time, and neither side has an overwhelming advantage. Moreover, there's not much in the literature on solutions to this problem. I suspect that major ad networks have studied this problem in depth, but haven't published what they came up with (this is part of their secret sauce). You don't have the resources to do the same level of research and investigation that they've done. In addition, there are major economies of scale here that companies like Google and Yahoo can take advantage of, which you cannot. For all of these reasons, I suggest letting someone else deal with this problem for you.

In particular, I suggest that you choose someone else to be your ad broker, and let them deal with placing the ads, stopping click fraud and advertising fraud, and that sort of thing. For instance, you could use Google Ads -- or any other large ad network.

D.W.