Today we released our quarterly statistics regarding the rate of click fraud for Q4 2009, which came in at 15.3%.  We first began publishing industry data over four years ago, in 2006, which means we can now look at the trend for the same quarter over the past four years.  The fourth calendar quarter has traditionally been the annual high, and this year is no different.  15.3% is higher than any of the three previous quarters.  Like Willie Sutton who robbed banks because “that’s where the money is,” fraudsters find the increased search traffic during the Q4 holiday season to be a prime opportunity for illicit gain.

What’s different this year is that the trend of click fraud increasing annually, which we’ve observed for the past three years, has stopped.  For the first time, the Q4 click fraud rate has declined from 2008 to 2009.  Given that Q4 2008 was the highest click fraud rate we’ve ever reported, this isn’t too surprising.  But it’s still good news for the industry.  Even as fraud schemes become increasingly sophisticated with the advent of spyware, malware, adware, and botnets, the industry’s efforts to thwart fraud and protect advertisers seem to be working.  By the way, when I say “the industry,” I’m including the major search engines themselves.  Google, Yahoo!, and Microsoft all have active traffic quality programs in place to keep one step ahead of these new sources and methods of fraud.

Unfortunately, not every ad network, publisher, and advertiser can afford to build a team of PhD’s to constantly monitor and fight the problem.  That’s why we’re here.

On Tuesday Harvard Business School professor Ben Edelman blogged about a new form of click fraud that may be almost as insidious as the Bahama Botnet discovered by Click Forensics last year.  Andy Greenberg did a wonderful job summarizing and translating Professor Edelman’s findings into layman’s terms in his Forbes.com article Google Faces The Slickest Click Fraud Yet.

This new fraud scheme is really a compilation of  “Fraudster Greatest Hits,” but with a new twist.  It consists of spyware being installed on unsuspecting user’s machines and clicking on paid links to generate fees for the spyware author and intermediary ad networks, some of whom are complicit and most of whom are not.  Nothing new there.  The spyware that Prof. Edelman tracked, though, was smart enough to click on paid links for sites that the user is already visiting.  What a perfect way to disguise fraud as legitimate traffic!  A visitor to Finishline.com doesn’t notice that a pop-up browser was redirected to Finishline.com, because that’s where he intended to go in the first place.  Visitors browse, shop, and maybe even buy something (convert) at a perfectly normal rate.  The traffic looks completely legitimate to Finishline.com, and to Google.

So, is this it?  The perfect click fraud scheme that successfully foils all attempts at discovery and generates untold riches for the perpetrators?  Well, not quite.  First off, it was discovered.  Prof. Edelman’s blog has been written about on Forbes.com and his discovery will certainly garner some attention in Mountain View.  That’s good, because the spyware perpetrator, TrafficSolar, should be prevented from continuing this fraud.

But it was probably a fairly low-volume scheme to begin with.  It’s limited to machines of users that are infected with spyware who also visit select Google advertisers.  So some small percentage of the organic visitors to Finishline.com generated a click fee instead of visiting for free.  It’s a problem, but probably not a huge one.  What would make it more serious is if there were another version of the spyware that simply clicks on paid links in the background without the user’s knowledge (a la the Bahama Botnet).  By mixing the fraudulent clicks with the real end-user visitor behavior and conversions, a fraudster like TrafficSolar could give the impression of being 100% legitimate.

The concluding recommendation in Prof. Edelman’s report is for Google to fire InfoSpace, its ad syndication partner.  A better solution would be for Google and InfoSpace to deal only with reputable partners who provide verified, audited clicks to ensure advertisers get what they pay for.  Check our client list for some worthy candidates.

We’re constantly hard at work here at Click Forensics to continuously improve our ability to accurately predict overall traffic quality for our clients.  And, every now and then, we’re able to bundle a number of these enhancements into the tangible release.  We did just that last week; announcing an upgraded version of our Yahoo! TQ Forecast feature.  We’ve been testing these features with a handful of clients, with strong results so far – namely, much better predictive accuracy so that clients can be sure they’re sending high quality/high paying traffic into Yahoo.  And, we’re excited to now be rolling this out to all our clients.  Specific features include:

• YTQ Forecast Report – provides a summary of the likely Yahoo! TQ scores particular traffic sources will receive when they’re sent to Yahoo!;
• Dynamic Adjustments - continuously monitors and adjusts to changes in the YTQ score rankings so that clients can appropriately tune and filter traffic sources;
• Preemptive Traffic Source Blocking – enables publishers and ad networks to quickly identify and block certain online advertising traffic sources that are likely to deliver low Yahoo! TQ scores; and
• Enhanced Botnet Detection – delivers better detection of non-human clicks, both malicious and benign, while serving as an early warning system for advanced sources of fraud.

We also got some nice coverage in AdExchanger about the problems some of our CPC and performance-based ad network clients face and how these new enhancement will help solve these challenges.

While it’s easy to see how the recently discovered Bahama Botnet is cheating online advertisers out of free traffic and generating fraudulent fees for complicit parked domains and ad networks, it’s important to note that ad providers are being victimized as well.

We have conducted additional research into the behavior of the Bahama botnet and found that it acts as a sort of perverted “Robin Hood” among ad networks by robbing ad revenue from the top-tier players and delivering fraudulent traffic to second and third-tier ad networks and publishers.  Chief among the ad provider victims is the one with the biggest treasure to take: Google.

As we’ve seen in this video, when an infected user performs a search on Google.com, they get some peculiar results.  This is because, unbeknownst to the user, they’re not actually on Google.com.  The page looks like Google.com and even says Google.com in the browser’s address bar.  So how can it not be google.com?  The perpetrators behind the Bahama Botnet are able to steal traffic and revenue from Google using a trick called “DNS poisoning”.

All computers on the internet identify themselves with a set of numbers that we know as an IP address.  Computers can find one another using these numbers.  However, humans find words easier to remember than long sets of numbers, so the Domain Name System (DNS) was devised to translate these numbers into names.  When “Google.com” is typed into a browser, the computer uses DNS to translate that domain name into a number.  In the case of Google.com, that number happens to be 74.125.155.99.  The DNS method for translating domain names into numbers is fundamental to making the internet work.

However, in the case of the Bahama Botnet, this DNS translation method gets corrupted.  The Bahama botnet malware causes the infected computer to mistranslate a domain name.  Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it as 64.86.17.56.  That number doesn’t represent any computer owned by Google.  Instead, it represents a computer located in Canada.  When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher.  Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not.  A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not.  Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred.

An interesting side effect of this whole scheme is that while the perpetrators of the Bahama Botnet turn organic or natural search listings into paid links, they don’t seem to alter the final destination domains of the sponsored links that show up on a search results page.  When an infected user clicks on one of these sponsored links, they always seem to end up on the correct destination domain (so clicking a sponsored link for Dell.com, for example, will always take an infected user to dell.com).  However, due to the DNS poisoning, a click on a sponsored link will never go through Google’s own click-counting redirect.  Google never sees, and therefore never charges for, that click.   The advertiser gets a free click, instead of a paid one, and Google loses the revenue.  The Bahama Botnet strikes again.

Just when you thought the fraudsters couldn’t get any more sophisticated … they surprise you.  Click Forensics researchers have recently discovered one of the most advanced sources of click fraud we’ve seen.  We’ve named it the “Bahama botnet” because when first discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas.  It has since been reprogrammed to redirect through other intermediate sites hosted in Amsterdam, the U.K., and even San Jose, CA, but the Bahama name stuck.

Interestingly, the Bahama botnet appears to be closely related to the recent spate of “scareware” attacks, such as the one perpetrated against The New York Times digital site just a few days ago, reported by ComputerWorld.  Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus.  Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine.

We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street.  More info about the “Ukranian fan club” can be found in Dancho Danchev’s excellent security blog.  We’re pretty sure the Bahama botnet is related to the Ukranian fan club and the NYTimes.com scareware because they each phone back to a bogus “Windows protection” domain located on the same IP address.

These sources were originally identified by the Black Hat community, but we believe Click Forensics is the first to discover the breadth and depth of click fraud being perpetrated by the botnets it controls.  And the botnet is incredibly insidious.

As seen in this video of the botnet in action, caught on film and narrated by Click Forensic’s own Matt Graham, the infected machine will exhibit some really funky behavior.  Clicks on organic search results are redirected through a series of parked domains across a number of top-tier ad providers (search engines and ad networks), eventually arriving at an advertiser unrelated to the original query.  The user is momentarily confused, but likely just performs the search again, this time with easy success.

What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong.  Additionally, it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries.  And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent.  But these auto-generated clicks were not able to disguise themselves well enough to escape Click Forensics anomaly detection algorithms.  Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers.  From there, our team was able to hone in on the source of the Bahama botnet.

In February of 2006, Click Forensics was just getting off the ground.  We recognized the problem of click fraud was a big problem and that building a solution would be tough technical challenge.  We decided to bring in an expert in the field of data mining and anomaly detection in clickstream analysis.  That expert was Dr. Alex Tuzhilin.  Alex spent the day with us at our offices in San Antonio and provided us a roadmap for the evolution of our approach to indentifying invalid traffic. 

His contribution to us at that point was essential and provided tremendous insight.  After reviewing our approach he commented,

“Click Forensics has good data and this is a source of their advantage over the search engines. My role is to work with them to refine the scoring methodology to improve accuracy. Their approach is to incorporate as much data as possible to improve accuracy. The search providers simply don’t have enough data to have the most accurate approach.”

Shortly after Alex’s visit to Texas, I received a call from the lead attorney representing Lane’s Gifts in their lawsuit against Google.  He said, “Tom, I just hired your Ph.D!”  He told me that the judge in that case had mandated that an outside consultant review Google’s click fraud detection methods and publish a paper on the efficacy.  Alex spent many weeks at Google and wrote an insightful paper detailing their approach, ultimately describing it as “reasonable”.  The Lane’s Gift case was settled and Alex returned to his role as a professor at NYU.

Today we are thrilled to announce that Dr. Tuzhilin has joined the Click Forensics Advisory Board.  Few individuals have had more real-world and academic experience in the measurement of online traffic quality and its effect on advertisers.  His work has helped move the industry toward standards and cooperation.  After visiting us in Austin a few weeks ago and meeting with our technology team, Alex said,

“Having firsthand experience reviewing the state of the art in ad network traffic management, I was impressed with the level of technical sophistication the team exhibits and I was impressed with the directions they are going, Click Forensics has played a leadership role in helping the online advertising community to monitor quality of clicks on ads, including identification of invalid clicks. I look forward to continuing to work with the team.”

In addition to Dr. Tuzhilin, we have also added Dr. William Wright, the Chief Scientist at Paypal.  Dr.Wright, a Ph.D. in cognitive science, is an artificial intelligence expert who has built numerous analytical and predictive systems over the past twenty years, including the Falcon Credit Card Fraud Detection System at HNC, the Advanced Fraud Screen system at CyberSource, and numerous adversarial modeling systems for the U.S. military.  After spending time with our team, William concluded,

“Click Forensics has built a strong team of developers using very advanced machine learning and data mining techniques to detect fraud and measure traffic quality, they are pioneering a new area of fraud detection and I’m finding it satisfying to work closely with them on leveraging lessons from my past experience combating credit card and banking fraud.”

One out of every five employees at Click Forensics holds a Ph.D.  Adding the expertise of Alex and William dramatically enhances our ability to meet our goal of providing the state of the art approach to traffic quality management.  I appreciate their contributions and look forward to benefiting from their knowledge in the future.

While attendance at SES San Jose was definitely down this year, it was still a great show.  I enjoyed meeting people at our booth and appreciated the hard work of our team pulling that all together.  We met a lot of interesting folks and enjoyed hearing feedback on the new Click Forensics dashboard.

The big hit, of course, were the “Stress Einstein” squishys! Who wouldn’t want of these guys!  They reminded me of the bobble-heads in “Night at the Museum 2″  

I also enjoyed participating in a session titled, “Ads in a Quality Score World“.   Mike Grehan moderated the panel and both Yahoo (Tomaso Pozzi) and Google (Jonathan Alferness) participated.  WebProNews covered the session and wrote a nice recap. 

The other highlight of the week for me was our Click Quality Council dinner.  We had over 25 executives from ad networks, publishers, advertisers and search engines join us for a great dinner of conversation, networking and fun!

The conversation is always interesting when you have people representing all corners of the online advertising ecosystem.  It was the third year we have hosted the CQC dinner in San Jose and our 13th since the Council was formed in 2006.

Congratulations to the newlyweds… after a long, long courtship Microsoft and Yahoo finally managed to get together (the prenuptials are still being sorted out!).  I have been in favor of this union for sometime now.  Google owns a ridiculous share of the pay per click advertising market and desperately needs a competitor.  Microsoft + Yahoo = Competition.  As I have said for the last several years, the lens we look through at Click Forensics is that of the advertiser.  Competition is always good for the advertiser.  

The growth of online advertising, in particular pay per click advertising, has been meteoric. It is a great model and one that has proven hugely successful for hundreds of thousands of advertisers large and small.  It is a model that will continue to grow as large advertisers shift more dollars from unmeasureable and less effective traditional media.  It will grow because it uses context, targeting and relevancy to the highest level.  Yahoo’s audience enhanced by Microsoft’s technology will mean innovation and efficiency.  There is no doubt; Google will continue to have success.  But the new partnership will make the online world even more attractive for advertisers.

Today there are standards in place to help hold the search providers accountable.  There are better reporting, campaign management and keyword tools to add to the efficiency.  I see a world in the near future where display advertising will begin to make significant gains from the data that exists in search. Context, targeting and relevance can improve every medium and this partnership will leverage that data to a much higher level than before.

So congrats to you both for a new start.  The entire advertising community is pulling for you and expecting big things. I do need to warn you… expectations are high and the honeymoon is short.  

We recently launched a new reporting interface for our ad network customers to provide more actionable insights into downstream publisher sources. The early feedback from new adopters has been very positive. In this blog post, I will provide a brief overview of the new enhancements.

So, why did we decide to roll out a new reporting platform? As we are growing with our customers, we learned to better understand their most pressing business problems and how our products can help address those. Downstream publisher management and new publisher screening are critical to daily operations of ad networks. We were looking for new ways to tackle them in a more effective manner.

Based on insightful customer feedback we had received, we worked on the new reporting interface with the following design goals in mind:

• Present actionable insights into large volumes of click data to better highlight traffic quality from downstream publisher sources
• Easily handle daily click volumes of 10 million clicks and deliver sub-second interface response times
• Provide detailed background information about new publishers during the approval process before accepting traffic

Users of the new interface are greeted by the publisher dashboard that summarizes current network and publisher activity. It is the starting point for further investigation. At a glance, ad network staff find their top publishers sorted by different attributes, for example by volume and traffic. The “Movers and Shakers” sections highlight sources with significant traffic changes in certain dimensions. Here is a screenshot of the dashboard:

Throughout the interface, we added small sparklines to offer traffic information at a glance without having to leave the page. For example, an average click score is accompanied by a score histogram (see this previous post for more details) and a volume volatility graph. These cues help users to absorb the information more quickly and spot areas that warrant further investigation:

Another tab in the interface offers publisher screening capabilities. It supports ad networks in making better decisions about which publisher applications to approve before accepting any traffic. After entering a URL, a report will present detailed background information about the specific domain, combining reputation information from the Click Forensics community database and public sources like Alexa, Compete.com and whois.

Next to the highlighted features, we have added numerous other useful capabilities for our customers. The new reporting interface is now available to all of our ad network customers. If you would like to learn more please don’t hesitate to contact us.

Today we announced the pay-per-click (PPC) fraud figures for Q2 2009.  The data comes from the Click Fraud Index.  Traffic across more than 300 ad networks is also reflected in the data.

Key findings from data reported for Q2 2009 include:

-    The overall industry average click fraud rate was 12.7%. That’s down from 13.8% for Q1 2009 and from the 16.2% rate reported for Q2 2008.
-    Click fraud traffic from sophisticated sources and scripted programs rose again in Q2 2009. This included a rise in the incidents of publisher collusion fraud on ad networks.

The data in Q2 also showed that many of the new click fraud schemes identified last quarter continue to increase in number and sophistication. Publisher collusion fraud was one example. This scheme occurs when online publishers use rotating IP-addresses or botnets to click ads on their own sites in order to generate inflated commissions from unprotected ad networks. Ad networks have difficultly differentiating such attacks from valid clicks.