Google is continuing its efforts to combat online display advertising fraud, with new defenses against a scam technique known as clickjacking.

If you’ve ever tried to press play on a video, open a link, or start a song and wound up on another page unexpectedly, clickjacking is most likely the culprit.

Clickjacking works by placing an essentially transparent layer over a legitimate web page. Everything looks normal, but as soon as you try to take any action, your click lands on the transparent overlay instead of the page you can see. That click may be used to trigger one-click orders from Amazon, take you to malware-laden sites, gain Facebook or Twitter likes, commit ad fraud, or carry out any number of other malicious behaviors.
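As an added illustration (not code from Google or from the original post), the following check flags layers that match the description above: nearly invisible, stacked above a click target, and able to receive the click. The element objects, field names, and both thresholds are assumptions made for this example, and the sample page is constructed.

```javascript
// Added example: flag near-transparent layers stacked over a click target.
// Elements are plain objects (constructed sample data), not a live DOM.
const OPACITY_THRESHOLD = 0.1; // assumption: at or below this, a layer is "essentially transparent"
const MIN_COVERAGE = 0.5;      // assumption: layer must cover at least half of the target

// Area of the intersection of two rectangles {x, y, w, h}; 0 if they do not overlap.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns the ids of elements that would silently intercept a click on `target`.
function findClickjackOverlays(target, elements) {
  const targetArea = target.rect.w * target.rect.h;
  return elements
    .filter((el) => {
      if (el.id === target.id) return false;
      if (el.pointerEvents === "none") return false;     // clicks pass through it
      if (el.zIndex <= target.zIndex) return false;      // stacked below the target
      if (el.opacity > OPACITY_THRESHOLD) return false;  // the user can see it
      return overlapArea(el.rect, target.rect) / targetArea >= MIN_COVERAGE;
    })
    .map((el) => el.id);
}

// Constructed sample page: a visible play button plus four other layers.
const playButton = { id: "play", rect: { x: 100, y: 100, w: 80, h: 40 },
                     zIndex: 1, opacity: 1, pointerEvents: "auto" };
const samplePage = [
  playButton,
  // Full-page invisible frame on top of everything: the clickjacking pattern.
  { id: "hidden-frame", rect: { x: 0, y: 0, w: 1024, h: 768 },
    zIndex: 9999, opacity: 0, pointerEvents: "auto" },
  // Visible banner over the button: annoying, but the user can see it.
  { id: "visible-banner", rect: { x: 0, y: 90, w: 1024, h: 60 },
    zIndex: 10, opacity: 1, pointerEvents: "auto" },
  // Transparent decorative layer that lets clicks through.
  { id: "decor", rect: { x: 0, y: 0, w: 1024, h: 768 },
    zIndex: 50, opacity: 0, pointerEvents: "none" },
  // Transparent layer that only clips the edge of the button (37.5% coverage).
  { id: "edge", rect: { x: 150, y: 100, w: 100, h: 40 },
    zIndex: 20, opacity: 0, pointerEvents: "auto" },
];

console.log(findClickjackOverlays(playButton, samplePage));
```

In a browser, the same fields can be filled from `getBoundingClientRect()` and `getComputedStyle()` for each element.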

To fight back against this, Google is removing publishers engaged in clickjacking from its network entirely. The company has also developed a new filter specifically to exclude invalid traffic on display ads from clickjacked pages on both mobile and desktop.

In a blog post about the new efforts to fight clickjacking, Andres Ferrate, Chief Advocate of Ad Traffic Quality at Google, explained:

“When our system detects a Clickjacking attempt, we zero-in on the traffic attributed to that placement, and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks.”

Google has made a big deal about its ability to prevent advertisers from paying for ads that aren’t seen by real human eyes, including on YouTube’s ad network, but a new study by a team of European researchers suggests something is amiss. According to their findings, advertisers are still being forced to pay for ads despite YouTube’s systems flagging the view as “suspicious” or fraudulently coming from a bot rather than a human.

The experiment, from researchers at NEC Labs Europe, UC3m, Imdea, and Polito, was conducted in three stages. First, the researchers uploaded videos to YouTube and set up an AdSense account to monetize them. Then the team set up AdWords accounts to run ads against the videos, before creating and deploying bots designed specifically to view the videos with the ads.

While the researchers concluded that “among the studied online video portals, YouTube is the only one implementing a sufficiently discriminative fake view detection mechanism,” they also found “that YouTube only applies this mechanism to discount fake views from the public view counter and not from the monetized view counter.”

That means YouTube filters out views it deems fraudulent from the public view counter, but it is still charging advertisers for those views.

Throughout their experiment, the group observed the number of monetized views was consistently larger than the number of counter views and came to the realization that “views considered suspicious are removed from the public view counter, but monetized.”

This isn’t the first time Google has been accused of charging for fraudulent clicks. When similar situations were brought up with YouTube, the company said the discrepancies are likely due to users watching the video ad, but not the video itself. That would lead to the view being monetized but not included in the public counter.

However, the researchers say that cannot be what happened here because the bot was designed to “view” both the ads and the accompanying video all the way through.

The team also took into consideration the fact that YouTube performs part of its view validation after the fact. However, after six months the team saw no compensation adjustments. That happened even after YouTube suspended the AdSense account due to the bots’ suspicious activity.

The team also found YouTube is vulnerable to relatively simple attacks. They say they have given their findings to Google and will continue to refine the tools used for the study and potentially make them widely available.

A Google spokesperson said, “We’re contacting the researchers to discuss their findings further. We take invalid traffic very seriously and have invested significantly in the technology and team that keep this out of our systems. The vast majority of invalid traffic is filtered from our systems before advertisers are ever charged.”