What is Click Fraud?
There are many possible causes and sources of fraudulent clicks. In most cases they're not actually performed by humans. Sure, you might have bitter competitors clicking on each others ads here and there, but computer generated traffic is really the major concern here. The proliferation of ad exchanges and programmatic buying and selling has opened the door for bad guys to use various stealth techniques such as botnets or a distributed network of compromised servers to generate fake impressions and clicks. If the potential profits are high enough for them they might even purchase cheap cloud servers from smaller providers all around the world to generate their traffic.
Collaborative Blacklist
The first step to detecting click fraud is actually to prevent it from occurring in the first place. AdvertServe employs a collaborative blacklist that combines data from our own research, third-party researchers and feedback collected from our customers. The blacklist stops your ads from even being served to the bad guys, so it not only prevents click fraud but impression fraud as well!
This is all happening in real-time too. If we or one of our customers detects some fraudulent activity we can respond and push out a blacklist update to all of our customers instantly. Now that's what we call being pro-active. It's the only way to stay ahead of the bad guys because they're constantly switching hosts, bouncing through different proxies and improving their methods.
How You Can Help
How can you help prevent impression and click fraud you might ask? Well, actually, we've made it really easy for you to help out. Upon logging in to your AdvertServe account you might some day happen to see a warning like the one in the following screen shot.
What should you do? The first thing you should do is take a deep breath and don't panic because the situation isn't bad at all. On the contrary, it's your chance to join in and help fight back!
- First things first, click on the click here link to bring up the Click Fraud Review Tool screen, which you can also access by going to Tools > Fraud > Review from the main toolbar at any time.
- What you'll see will look like the following screen shot where we have 10 suspicious clicks to review.
- The first thing you should notice is that these clicks all came from the same IP address. This is the most common indicator of fraudulent activity. In fact, the rank column shows the number of clicks for each given IP address to make this easier to see.
- Now, if you click on the IP address it will run an extended scan that checks against some huge blacklists that we don't include in our automated blacklist.
- Then if you still aren't sure you can click on the Whois Lookup and see who owns the network range this IP address falls into. In this case the IP address was assigned to Global Crossing. They are a large-scale bandwidth provider. The IP address was sub-leased by them to an enterprise software company, which probably has some type of robot/spider running on their servers that generated these clicks. That or their server was compromised and it's participating in a botnet.
- Take a step back and look at the UUID, which is the unique user ID that we store in a cookie for each visitor. Notice each click has a different UUID. This tells me that the bot in this case is not sophisticated enough to send and receive cookies.
- The next thing you want to look at is language. Many lazy bad guys forget to specify an Accept-Language header in their bots. In such cases the language will be detected as unknown so watch out for that.
- The we have the User-Agent, which identifies the operating system and web browser that supposedly performed the click. Now let's look at this one here. We got clicks from visitors using IE 4 and IE 5 on Windows 95 and 98? Seriously, this is 2014 and NOBODY is using those any more. Why the bad guys continue to use garbage like this for their fake User-Agent's is beyond me, but it sure makes our job easier so I'm not complaining!
- Finally, we have the referrer and in this case we can see all of the bad clicks came through AppNexus's ad exchange. No surprise there. Seriously, the majority of bad stuff you're going to see will come through an exchange.
- So, if you agree with me that these clicks look fraudulent, select all of them and then press the Delete Selected button. It will take a little time to delete them. The reports may also take a little longer to update, so don't panic if you don't immediately see the changes reflected in your reports.
False Positives
Once in a while we might detect some clicks as fraudulent that we shouldn't have, but it's pretty rare since we only have a 0.57% false positive rate on average.
Most commonly these are clicks by you or some of your employees testing ads on your live web site. There's an easy fix for that. Simply go to Settings > Basic > Server and enter your IP addresses into the Filtering section so your clicks aren't counted.
Some mobile traffic may get detected as fraudulent if too many users behind the same proxy are clicking ads around the same time. While this is rare it does happen. You can tell when this happens because all of the User-Agent's will be different mobile devices. Of course, check the whois reports too and they'll usually say AT&T or Verizon owns that IP network range.
Final Thoughts
We hope that you never get hit with click fraud and we're doing everything we possibly can with our blacklist to ensure that. If you do get hit with some activity, hopefully you're now a little more prepared to deal with it. As always though, if you need our help sorting it out just let us know!