The Microsoft Malware Protection Center (MMPC) has teamed up with the Microsoft Online Forensics team in AdCenter in light of the fact that 60% to 70% of malware today employs some form of click-fraud to monetize itself, the software giant noted, citing NSS Labs research. In fact, it has already identified three malicious software families monetizing themselves that way.
Click-fraud exploits the way online advertising works. Marketers only pay website publishers for ads on a per-click basis; that is, only when potential customers click on an advertisement's link. That’s allowed brands to tailor campaigns and better measure results and targeting efforts. And unlike, say, television advertising, it also means that they only pay for interested eyeballs.
Online click-fraud is simple to define: the intentional misappropriation of advertising revenue by generating a click that doesn’t originate from a potential customer, or by hijacking a click from the rightful publisher. Microsoft gives the example of a John Doe creating a website and selling advertising links, which he then spends time clicking on himself. The advertiser is paying him under the assumption that the clicks are from real customers. When it comes to malware-based click-fraud, the infected machine automatically generates fraudulent clicks, and in a botnet scenario thousands of machines can potentially be put to the task.
“This [team-up] is an important link to target in any comprehensive disruption plan,” said Nikola Livic, an MMPC software developer. “We are intersecting large data sets between malware telemetry and ad-clicks to detect anomalous behavior correlated to malware. And we are taking two relatively disparate domains of expertise and tools, namely malware and online advertising, and creating prevention systems and processes for identifying the entire chain of benefactors of click-fraud malware.”
Livic noted that since it is not a simple relationship of who benefits directly from a malicious click, nor is the advertising market structurally designed for accountability, it is challenging to detect and prevent this fraud.
“In the simple case of John Doe above, it would be easy to detect all of his clicks because they came from a single IP address and never yielded a ‘conversion,’” Livic said. “A conversion is defined by the advertiser as the desired action taken by the potential customer after clicking on an advertisement; this could include purchasing a product or signing up for a service. But if these fraudulent clicks were coming from various geographies all over the world, each behaving as unique as an individual while browsing the internet, it becomes much harder to detect them.”
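The two signals described above (clicks concentrated on one IP address that never convert, and ad-clicks intersected with malware telemetry) can be sketched as follows. This is an added illustration, not Microsoft's code or part of the original article; the record layout, the thresholds, the choice to key telemetry by IP address and all sample data are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample click log: (publisher, source_ip, converted).
CLICKS = (
    [("johndoe.example", "203.0.113.7", False)] * 40
    + [("site-c.example", f"198.51.100.{i}", False) for i in range(1, 41)]
    + [("shop.example", f"192.0.2.{i}", i % 10 == 0) for i in range(1, 41)]
)
# Constructed malware telemetry: IPs of machines reporting a click-fraud family.
INFECTED_IPS = {f"198.51.100.{i}" for i in range(1, 31)}

def score_publishers(clicks, infected_ips, max_top_ip=0.5, max_infected=0.25):
    """Return {publisher: (metrics, reasons)} for each publisher in the log."""
    by_pub = defaultdict(list)
    for pub, ip, converted in clicks:
        by_pub[pub].append((ip, converted))
    report = {}
    for pub, rows in by_pub.items():
        total = len(rows)
        ip_counts = Counter(ip for ip, _ in rows)
        metrics = {
            "top_ip_share": ip_counts.most_common(1)[0][1] / total,
            "conversion_rate": sum(c for _, c in rows) / total,
            "infected_share": sum(ip in infected_ips for ip, _ in rows) / total,
        }
        reasons = []
        # Signal from the quote: one address dominates and nothing converts.
        if metrics["top_ip_share"] > max_top_ip and metrics["conversion_rate"] == 0:
            reasons.append("single-ip-no-conversion")
        # Signal from the data-set intersection: clicks come from infected machines.
        if metrics["infected_share"] > max_infected:
            reasons.append("malware-telemetry-overlap")
        report[pub] = (metrics, reasons)
    return report

if __name__ == "__main__":
    for pub, (metrics, reasons) in score_publishers(CLICKS, INFECTED_IPS).items():
        print(pub, metrics, reasons or "ok")
```

In the constructed data, the publisher whose clicks are spread across 40 addresses passes the single-IP check and is flagged only by the telemetry overlap, which is the case the quote calls much harder to detect.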
Typically these fraudulent clicks go through many layers of publishers, affiliates and syndication schemes. Affiliates produce traffic to sites, and advertisements are syndicated from site A to site B to site C, where each site takes a cut of the advertisement's profit on a click. That's where the team will focus its efforts.
“The complexity and opaqueness of where traffic comes from, and who benefits from a single click, is a new digital Wild West, fertile for unscrupulous cyber-slingers,” Livic said. “And though the actual malware author may make a small fraction of money from a click, through this Gordian web of publishers, affiliates and syndications, done enough times it can all add up to be quite lucrative.”
Indeed it is, if the rate of click-fraud is accurately determined. Microsoft said that the online advertising business was worth about $32 billion in 2011. A recent research paper out of Redmond found “incontrovertible evidence of dubious behavior for around half of the search ad clicks and a third of the mobile ad clicks,” so that overall, around 22% of clicks on ads were fraudulent, Microsoft noted.