
What is click fraud

by April J.

Advertising revenue has become one of the driving forces of business on the Internet, with many owners of websites accepting payment from advertisers in return for displaying their ads on their sites. Of course, the question then arises of "how do they determine how much the website owner (or "publisher") gets paid?" Well, because the goal of every advertiser is to have their ad viewed by as many human eyes as possible, a seemingly logical answer to this question is "the website owner gets paid more, based on how many people view the ad". Seems to make sense, right?

Because of the nature of the Internet, this quickly becomes problematic. First of all, a simple method is needed to measure the number of unique visits to a website, and often in computer security, the simpler a system is, the more vulnerable it is to manipulation. In this case, it is possible to measure clicks on a webpage, but how well does this reflect what the advertiser really wants to measure, which is the number of unique, human, potentially interested visitors viewing their ad?

One problem is that measuring "intent" is virtually impossible when just measuring clicks, so while they may know that a person clicked a link to the website, there is no way to tell whether this was done out of interest or for more nefarious purposes (such as driving up ad revenue for the site). Another interesting problem is that it is difficult to tell whether it is even a human viewing the site, or whether it is just some program mimicking the clicking behavior. Another problem is (at the risk of sounding cynical) that online, you can guarantee that any time there is money involved, there is an incentive for people to manipulate the system in order to redirect the flow of that money. It is this problem that is behind the relatively new online phenomenon of "click fraud".

CLICK FRAUD - WHAT IS IT?

"Click fraud" is the act of clicking on links online or visiting websites with the specific goal of manipulating ad revenue connected to that site. It typically arises where the site makes use of "pay-per-click" advertising, in which advertisers pay the owner of the website a cut based on the level of traffic to that site, ideally with the idea that the more traffic, the more viewers of the ad. If a website receives more "clicks", the advertiser has to pay more to the publisher, and click fraud can potentially interfere with this setup to manipulate that amount.

HOW?

Click fraud can be performed in a variety of ways, ranging from the very simple (for example a friend of the website owner clicking repeatedly on the site to help them raise money) to the complex (for example a competitor paying a botnet owner to perform massive, distributed, automated visits to the site).

Click fraud can be performed by real users out there in cyberspace physically clicking on the site; however, it does not have to be done this way. It can, like many things online, be automated, and computers can run scripts that will mimic the behavior of a user visiting the site. If done in a distributed way (for example using a botnet of compromised "zombie" computers), the click fraud can potentially be hidden well, as the IP addresses will not form an easily recognizable pattern as they may if just a few users are physically visiting the site. There are also ways for an attacker to manipulate JavaScript to make it look like users are visiting the site when they are not.
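The contrast described above can be seen from the detection side. The following is an added example, not part of the original article: a sliding-window check that flags an IP address clicking the same ad repeatedly, run over a constructed click log (the log format, ad names, window and threshold are all assumptions). The second ad in the sample receives the same number of clicks spread over distinct addresses and is not flagged, which is the limitation the paragraph describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample click log: ISO timestamp, source IP, ad id.
# IPs come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 ad-1
2024-01-01T10:01:10 203.0.113.5 ad-1
2024-01-01T10:01:30 198.51.100.7 ad-1
2024-01-01T10:02:45 203.0.113.5 ad-1
2024-01-01T10:04:00 203.0.113.5 ad-1
2024-01-01T11:30:00 203.0.113.5 ad-1
2024-01-01T10:05:00 198.51.100.11 ad-2
2024-01-01T10:05:05 198.51.100.12 ad-2
2024-01-01T10:05:09 198.51.100.13 ad-2
2024-01-01T10:05:14 198.51.100.14 ad-2
2024-01-01T10:05:20 198.51.100.15 ad-2
"""


def parse(line):
    """Split one log line into (timestamp, ip, ad_id)."""
    ts, ip, ad = line.split()
    return datetime.fromisoformat(ts), ip, ad


def repeat_clickers(lines, window=timedelta(minutes=10), threshold=3):
    """Return {(ip, ad): peak clicks inside any window} for pairs that
    reach `threshold` clicks within `window`."""
    recent = defaultdict(deque)   # (ip, ad) -> timestamps still inside the window
    flagged = {}
    for ts, ip, ad in sorted(parse(l) for l in lines if l.strip()):
        q = recent[(ip, ad)]
        q.append(ts)
        # Drop clicks that have aged out of the window ending at this click.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, ad)] = max(flagged.get((ip, ad), 0), len(q))
    return flagged


if __name__ == "__main__":
    for (ip, ad), peak in repeat_clickers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} clicked {ad} {peak} times within 10 minutes")
```
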

WHO AND WHY?

So who would go to so much trouble and why? Well, the most obvious one is, of course, the website owner or "publisher" themselves, as they stand to gain from increased traffic going to the site. This is not to say that all the ad publishers out there are doing this, because surely many or most are not; however, there is an incentive for someone to do this if they are not ethically opposed to it (or worried about getting caught, etc.).

There are also other, more interesting and strange scenarios in addition to the obvious one described above. One of these is the case in which friends of the publisher decide to "help" by clicking on the website. This helpful behavior can backfire if the publisher ends up being accused of click fraud due to the suspicious-looking IP traffic (coming repeatedly from the same IP addresses).

Another case involves the advertiser's competitors clicking on the site in order to drive up traffic which they know their competitor will then have to pay for. This of course takes money away that could have been invested in the advertiser's product, so benefitting the competitor who masterminded the whole thing. Of course, the publisher could end up being blamed if the advertiser becomes suspicious of them instead, and they could end up being caught in the crossfire, but so it goes in the world of computer crime. Sometimes, this misunderstanding is engineered deliberately by a competitor of the publisher. The competitor, seeking to reduce the publisher's revenue and traffic, mounts a click fraud attack on their site in order to frame them, knowing they will likely be blamed first (because of the obvious incentive). The advertiser blames the publisher and maybe even discontinues their business with them, leading the publisher to lose money.

Because it is often so hard to tell where a complex attack is coming from even if you can trace it to IP addresses (you do not know who is behind the IPs), all of these shady scenarios are made possible. Add to this the many other players out there, for example the owners of botnets of compromised computers who will accept money in return for their help mounting attacks such as this, and you have all the ingredients for a very complex situation.

Just to make things even more complicated, we throw in other "human" motivations in addition to money, such as revenge or political motivations. Maybe you have nothing monetarily to gain from framing a publisher for click fraud; maybe you just don't like the owner of the website, or you object to their product, or you want to prove yourself and earn bragging rights, and so on.

LEGAL ISSUES

Issues surrounding click fraud have made it into the courtroom, including, for example, a class action lawsuit against Yahoo in 2005 by plaintiffs claiming that they did not do enough to prevent click fraud. Another example involved a case of Google against a company that they claimed was paying people to click on ads, costing advertisers large amounts of money.

CONCLUSION

New technology often brings with it not only new opportunities but also new forms of crime and new ways to defraud others of money and services. Some of these, like click fraud, would be difficult to predict beforehand but spring up where there are incentives present for the manipulation of the system.

Helium, Inc.
200 Brickstone Square Andover, MA 01810 USA