Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame

Whereas the overall click fraud rate isn't increasing, it's not decreasing either, remaining flat for the first two quarters of

• The overall industry average click fraud rate was 16.2 percent for Q2 2008. That's down slightly from the 16.3 percent rate reported for Q1 2008 and up from the 15.8 percent click fraud rate reported for Q2 2007
• The average click fraud rate of PPC advertisements appearing on search engine content networks, including Google AdSense and the Yahoo Publisher Network, was 27.6 percent. That's down from the 27.8 percent rate reported for Q1 2008 and up from the 25.6 percent average click fraud rate reported for Q1 2007
• For the first time, traffic from botnets was responsible for more than 25 percent of all click fraud traffic in Q2 2008
• In Q2 2008, the greatest percentage of click fraud originating from countries outside North America came from China (4.3 percent), Russia (3.5 percent), and France (3.2 percent)

In previous Zero Day coverage for Q1 2008 (Botnets committing click fraud observed), we've already discussed the most common click fraud scheme in general, consisting of underground traffic exchange networks and renting botnet services, using an sampled activity from a single such affiliate based network showcasing that :

"1,264,204 bots that did 3,095,194 searches and 537,764 clicks made a total revenue of $5, 495, which when deducting percentage for the affiliate coordinating the campaigns, ends up with a profit of $3,605 -  this is a great example of greedy affiliate managers taking high commissions."

Let's discuss the dominating click fraud scheme in Q2, consisting of an ugly combination of botnet ownership and a huge portfolio of parked domains serving ads which deliver revenue to the person behind the scheme.

Click fraud in Q2 2008 is said to be getting more sophisticated due to several new developments that greatly contribute to increasing activity on multiple cybercrime fronts. The fact that the greatest percentage of click fraud clicks is coming from China, is the direct result of a growing infrastructure that cannot be properly secured, and with over 4 million new ADSL subscribers in China for the first half of the year, these very same folks shape the threatscape by suffering their first malware infection, whose first-timer always-on Internet experience is a juicy target for even the most obvious types of malware attacks.

The second, and perhaps most important key development leading to the increasing sophistication of click fraud done through botnets, is that the people behind these scams are starting to put more efforts into ensuring that the junk content created at their web sites would increase the probability of having their botnet click on highly popular and consequently very expensive keywords, thereby earning more on a per click basis. Coming up with an approximate price for a keyword is done through third-party services keeping track of popular keywords. In fact, sometimes keywords in the content are irrelevant if they start taking advantage of typosquatted domains so descriptive that they'll attract a great deal of relevant and high priced ad links on hundreds of thousands of parked domains.

The abuse of parked domains is among the main reasons why Google is facing another click fraud lawsuit :

"In the new lawsuit, online retailer RK West, which operates the online store Malibu Wholesale, alleges it purchased ads Google without realizing they would appear on parked domains. Parked domains typically have no content other than ads. RK West alleges that many of the clicks generated by parked domains are "invalid." The company said in its lawsuit that it had been charged for clicks from parked domains "that had little relation to its business."

"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys. "

Botnets are doing what they've always been doing, committing click fraud on behalf of those who've researched and exploited news schemes and tactics. The problem can be at least partly minimized by ensuring that known malware infected hosts who've been spamming, phishing, and generally those who are not to be trusted, and any of their interactions not just on the authentication level in order to prevent them from registering a couple of hundred bogus email addresses, are either challenged, or their clicks flagged as highly suspicious.