One question I frequently get asked by some of our more advanced advertisers is "what is Google doing about click fraud from botnets?" Analyzing botnets is an important activity in both our Click Quality and Security Teams. Yesterday, Dr. Neil Daswani, a member of both teams, presented a paper at the HotBots 2007 workshop on a case study of one such botnet we examined last year called Clickbot.A. The paper provides an in-depth look at how a fraudster was attempting to utilize 100,000 machines to execute a low-noise click fraud attack through syndicated search ads.
Botnets have of course been around for many years, and have been used most commonly for activities like denial of service attacks. We have also seen them used for click fraud. There are many different ways that click fraud is attempted, and the use of botnets generally represents one of the more sophisticated methods. At a basic level, the main benefit of a botnet to fraudsters is the use of many diverse IP addresses and other machine-specific signals. By utilizing thousands of hijacked IPs, a fraudster hopes that their attack will be difficult to catch. Of course, IP address is only one of hundreds of factors we analyze when looking for evidence of click fraud. Some sophisticated fraudsters realize this, and program their botnets to behave in more complex and subtle ways than just randomizing IPs (as Clickbot.A demonstrates).
One reason we're publishing this paper is to continue to share more information on the types of analysis we do to protect our advertisers against click fraud. But an even more important reason is to provide greater understanding of a challenging area the entire Internet community should work together to manage. The bad guys share their information with each other, and so should we. We hope to be able to discuss more publicly in the future ourselves, and also we hope that other security-related companies will share similar case studies and findings, which will end up benefitting everyone. The concluding observations and recommendations from the paper are worth repeating here:
- Search engines need to investigate botnets that might be used to issue automated, distributed click fraud attacks.
- ISPs need to protect their web hosting and customer accounts from being compromised. Many of the domains and hosts involved in conducting the attack described in this paper were compromised.
- Malware detection rates may need to be improved. Only 7 out of 24 of the anti-virus scanners run as part of Virus-TOTAL detected Clickbot.A around the time the attack was publicly reported.
- Web site publishers, financial institutions, and advertisers can encourage their users and customers to proactively install anti-virus tools.
- Users can run anti-virus software to help prevent their computer from participating in a botnet. There are several free offerings available to users in the market.
- Security researchers and corporate IT departments can proactively and more aggressively share data and publish results to help the white-hat community prevent, detect, contain, and recover from attacks conducted by miscreants in the underground Internet economy.
You can read more about the Clickbot.A case at our AdWords Blog post, and you can access Neil's paper, which he co-wrote with Mike Stoppelman and other team members, here. Incidentally, Neil is also the author of the recently published "Foundations of Security: What Every Programmer Needs to Know", which is a great reference as well as an introduction to security methods.