Archive for the ‘Click Fraud’ Category

In the wake of the alleged Chinese cyber assaults on Google earlier this year, the chatter in Washington, DC advocating for an increased U.S. presence in policing cyber crime around the globe and protecting U.S. interests is growing by the day. And it could result in the formation of a new cyber security post, according to those close to the situation.

State Department officials began circulating a proposal to create the position shortly after Google was hit by a nasty wave of cyber attacks originating in the communist country in January, the latest in a long line of Chinese-based cyber crime affecting U.S. companies. The ambassador-level post would be responsible for negotiating cyber policies at the United Nations and maintaining U.S. cyber security policy overall, as well as attending to Internet freedom issues and their effect on the economy.

As tends to be the case in Washington though, egos and posturing can hold up even the most well-intentioned policy ideas. There has been some pushback on the proposal from some in the State Department’s intelligence bureau, which is currently leading most overseas cyber security issues. In fact, when State Department leaders convened recently to discuss the matter broadly, as many as twelve different groups within State itself argued their case for leading the department’s cyber security efforts.

Nevertheless, it would appear that a cyber security “czar” position is inevitable.  The Senate Foreign Relations Committee  is drafting its own proposal for it as well and the two government groups seem to be in agreement about the definition of the role—the position would need to be confirmed by the Senate (meaning they could be called to testify before Senate lawmakers at any time) and would report to either high-ranking State Department officials or a group of leaders from major government agencies that all have some hand in computer and security policy.  The proposal is modeled after State’s existing counterterrorism coordinator (also an ambassador-level position).  There will likely be some wrangling over whether State has the right to establish a cyber security czar on its own or if the job should be mandated by federal law.

Another measure being considered would tackle international cyber-security with a little more force, forming not only a cyber czar post at the State Department but also establishing attachés for cyber issues at all U.S. embassies around the world. This proposal would also require the administration to identify which countries are havens for cyber crime and which ones are taking steps to fight it. The findings of such research would dictate where foreign aid for combating cyber crime goes, and countries that don’t pull their weight in fighting cyber crime could face U.S. penalties.

All in all, it’s good to see Washington getting tough on international cyber crime, which many feel is just as dangerous a threat to the country as terrorism. We’ll keep you updated as new developments arise.


In the same week that Facebook celebrates yet again surpassing Google as the most-trafficked website in the U.S., many of its 400 million registered users are dealing with a cyber attack being disguised as an email from the social networking giant.   It’s yet another new example of the diverse and potent threat that botnets and other cyber criminals pose to everyday online users.

Millions of emails have been delivered to Facebook users this week as part of the spam run, according to McAfee, which caught wind of the attack through customers running its security software. These messages, which appear to come from Facebook with a legitimate-looking “spoofed” return address (help@facebook.com or customer@facebook.com), inform the recipient that their Facebook password has been reset and that they must download the email’s attachment to secure a new password.

Just to make the message seem even more real, the hackers have included a “Thanks, Your Facebook” closing at the end.  It’s grammatically and technically incorrect but it sure sounds nice, right?

In reality, that attachment that allegedly holds your new Facebook password is really a Trojan horse virus that will infect an individual’s computer without any visible warning signs.  This particular Trojan strain is believed to include malware, rogue anti-virus programs and a password-theft program, along with the potential to steal or corrupt sensitive data stored on a computer.

Analysts believe the spam run originated from two botnets, called Cutwail and Rustock.  Botnets, groups of hacker-controlled computers used for malicious activity, are increasingly becoming the biggest perpetrators of online fraud.  The stealth manner in which botnets infect computers and their ability to avoid anti-virus programs also make them the source of much consternation on the part of security experts trying to trace and shutter them.  This latest attack comes just a few weeks after Microsoft filed a lawsuit against another huge botnet called Waledac.

For the record, no reputable website would ever automatically reset a user’s password and then send them a new one in an email. Most computer users are smart enough to realize this and spot a fraudulent email such as this one when it arrives in their inbox. The sheer scope of this spam run, however, makes it likely that more than a few people have been duped and are now running hijacked machines.

If you come across one of these emails, and a few of us have this week here at Junkie, it should immediately be deleted.  Don’t even open it.   Don’t send it to your spam folder.  Just delete it. Even if you have anti-virus and spam protections running on your computer, you must still remain diligent in paying attention to what messages are coming into your email accounts at any given time.

Remember, it’s ultimately on you to keep your computer clean and free of cyber attacks.  As always, leave us your thoughts and comments below.
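The traits described above (a From address claiming facebook.com, and an attachment the recipient is told to download) can also be checked mechanically at the mail gateway. The following is an added example, not code from McAfee or Facebook; the receiving server name `mx.example.org`, the extension list, and the sample message are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".js")  # illustrative list, an assumption

def build_sample(auth_results, return_path, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "Facebook <help@facebook.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your password has been reset"
    msg["Return-Path"] = return_path
    msg["Authentication-Results"] = auth_results
    msg.set_content("Download the attachment for your new password.\n\nThanks,\nYour Facebook\n")
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

def _domain(addr_header):
    # Domain part of the address in a header, lower-cased ("" if absent).
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()

def _aligned(domain, from_domain):
    # Simplified relaxed alignment: same domain or a subdomain of it.
    domain = domain.lower().rstrip(".")
    return domain == from_domain or domain.endswith("." + from_domain)

def assess(raw, trusted_authserv="mx.example.org"):
    """Return a list of findings for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    findings = []
    authenticated = False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        # Only trust results stamped by our own receiving server; a sender
        # can insert a forged Authentication-Results header of their own.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            m = re.search(rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=(?:[^\s;@]*@)?([^\s;]+)",
                          results)
            if m and _aligned(m.group(1), from_domain):
                authenticated = True
    if not authenticated:
        findings.append("from-domain-not-authenticated")
    # The envelope sender often betrays the real origin of a spoofed From.
    rp = _domain(msg["Return-Path"])
    if rp and not _aligned(rp, from_domain):
        findings.append("return-path-mismatch")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky-attachment:" + name)
    return findings
```

A message that collects all three findings is a strong candidate for quarantine before it ever reaches an inbox.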


A new study from a merchant industry trade association is offering up a snapshot of the effect online fraud is having on e-commerce and e-tailing outlets.

The Merchant Risk Council (MRC) conducted the survey, sponsored by CyberSource Corp., of 350 online merchants between Sept. 10 and Oct. 7 of last year. The results suggest that, on average, online merchants lose about 1.2 percent of their annual revenue as a result of fraud.

MRC’s study mostly covers instances of fraud resulting from invalid and fraudulent orders placed on retail websites, many of which originate from cyber crime rings overseas. The trade association also tracks how effectively merchants review international and domestic orders for fraud and irregularities.

The losses seem to hit smaller, niche retailers more than the larger outlets.  Of the 350 companies surveyed, 81 fall into the MRC’s ‘platinum’ membership category.  These retailers make up some of the 200 largest online merchants in the world and take in at least $75 million in annual revenue. Platinum members reported fraud losses of only about 0.9 percent, compared to 1.2 percent of the overall sample and 1.1 percent for other non-MRC members that pull in at least $25 million in annual sales.

Those platinum members also reported rejecting about 6 percent of their international orders every year (compared to 8 percent of the total survey participants).

One major theme emerging from the data is that the more protection and review tools a merchant uses to obstruct fraud, the less revenue they’ll lose.  While this may seem fairly obvious, it’s apparently not standard operating procedure even for some of the retailers in this study—while platinum members reported using an average of almost 8 different automated fraud-screening tools, the remaining participants used only 4.5 on average.  That goes a long way towards explaining the disparity in fraud rates.

“The fewer tools that are used on the manual and automatic side, the higher the fraud rates are,” an MRC spokesperson said. “Also, collaboration is proving to work. We see that when retailers work with other retailers, the best practices they learn from each other are invaluable.”

According to the Merchant Risk Council’s website, the MRC is a merchant-led trade association focused on electronic commerce risk and payments globally. They lead industry networking, education and advocacy programs to make electronic commerce more efficient, safe and profitable.

You can read a bit more about their fraud study here.


If the issue of click fraud is a battlefield with advertisers and tech leaders on one side facing off against cyber criminals on the other, then it could easily be said that Microsoft has fired a very big shot for the good guys.

The software king opened a legal assault earlier this week against several networks of compromised computers being run by hackers, and a federal judge in Virginia agreed to the company’s request to deactivate 277 infringing domain names.

Microsoft’s suit, which was filed on Monday, specifically targets a botnet known as Waledac, as well as 27 “John Doe” defendants. The company maintains this pool of cybercrooks broke federal laws with a scheme to create bot-herders. Bot-herding is a process by which hackers use automated scans to look for vulnerable computers across several networks, which then become one of many zombie machines when infected by the hacker. Spam, click fraud, denials of service and malicious software can all be spread through the use of bot-herding, which gives the hacker complete control over an infected computer.

In the suit, Microsoft’s attorneys asked U.S. District Judge Leonie Brinkema to issue a restraining order to allow the company to cut communication channels to the botnet in stealth before its perpetrators had a chance to re-establish their links to its network.

Waledac is believed to be one of the 10 largest botnets in the U.S., with the ability to send approximately 1.5 billion spam email messages per day, while stealing sensitive information and establishing backdoor remote access on any machine it infects.  Online security experts estimate the botnet has infected hundreds of thousands of computers around the world.  Microsoft itself has analysis that shows more than 650 million spam emails attributed to Waledac were directed to Hotmail accounts between December 3-21 of 2009 alone.  Clearly, there was a need to act and Microsoft did just that.

“The takedown of the Waledac botnet that Microsoft executed this week — known internally as Operation b49 — was the result of months of investigation and the innovative application of a tried-and-true legal strategy,” said Tim Cranton, Microsoft Associate General Counsel.

Cranton went on to say that Operation b49 had effectively shut down connections with the vast majority of Waledac-infected machines within three days of implementation and that Microsoft was shooting to make the disruption permanent.  He did caution however that the effort would not thoroughly cleanse infected computers, which would still be hosting the original malware.

Industry experts have long agreed that online fraudsters will not be curbed merely by fighting them on a technology level.  As such, in opening a new front against cyber-crime, Microsoft is being lauded for finding a legal principle with which to challenge the bot-herders on this matter, which may open new opportunities in the future for others to more aggressively fight back against cyber crime.


Anchor Intelligence unveiled new data on click fraud rates for the fourth quarter of last year in conjunction with an overall report on click fraud throughout 2009, and the picture remains an ugly one.

Anchor, the California-based traffic quality provider that Ecommerce Junkie regards as the most reliable industry source of click fraud information, states in its 2009 Year in Review that click fraud rates jumped by nearly 40% between the third (18.6 percent) and fourth (25.7 percent) quarters last year—meaning that by the end of 2009, one out of every four ad clicks across the web constituted some attempt at click fraud.  That’s a percentage that should make all online advertisers very nervous.

Now, to be fair, some increase in Q4 rates probably should’ve been expected.  After all, it’s a time period that includes Cyber Monday and the holiday shopping season at large, when more ads are being bought and placed, and millions are using the web for holiday shopping.

But with that increase in ads and traffic came an even more expansive effort from fraudsters. Botnets, the automated ring leaders of click fraud activity, continue to grow in number, are increasingly hard to track, and are getting even more devious.  Anchor noted that newer advertisers, for example, saw an even higher rate of fraud towards the end of the year as these botnets and click fraud farms expanded to every corner of web advertising.

The report also noted that the U.S. and Canada continue to be the largest sources of attempted click fraud by volume, while warning that 2010 could be even worse as cyber criminals look to exploit the growth and popularity of social networks like Facebook and Twitter.

“As botnets become more flexible and resilient, click fraud will be increasingly difficult to identify without a collaborative and systematic, network-based approach,” said Ken Miller, Anchor’s CEO.  “By releasing this report, we hope to provide a barometer by which the industry can assess the level of threats to online advertising while also conveying the importance of advertising with ad networks and search engines that partner with third-parties to certify their traffic quality.”

As we said, a 25-plus percent rate of click fraud, as well as Anchor’s warning that things may not improve anytime soon, should concern any web advertiser. Many industry insiders privately say that click fraud will never completely be abolished and suggest that perhaps budgeting for losses because of click fraud will become standard practice. While we’re not willing to give in quite that easily, it’s obvious that click fraud perpetrators are adapting and evolving faster than we can counter.

That means that ultimately, the burden for dealing with click fraud is on you, the advertiser. We’ve said time and again that it’s vital to educate yourself on how click fraud works and keep constant tabs on your click logs to learn the signs consistent with botnet activity. Doing so will put you in a better position to spot instances of fraud, and thus help you better determine which web advertising options are the safest.

As Anchor Intelligence’s report proves yet again, click fraud is not going anywhere anytime soon. Are you prepared to deal with it here in 2010 and beyond?  Feel free to leave us questions or tips in the comment section below.


Those who read Ecommerce Junkie regularly know our position on the issue of click fraud. It’s not just a pesky nuisance. It’s a major problem and a tangible threat to the bottom line for anyone involved in online advertising and marketing. And to this day, despite calls for change from many in the industry, it continues to wreak havoc without much resistance.

Now, as if click fraud itself wasn’t a big enough problem, we’ve come across competing data on click fraud rates from two separate “watchdogs”, which leaves us wondering who is really paying attention to the issue and who could be sugar-coating data to make things seem better or worse than they are.

Click Forensics, whose click fraud reporting has been referenced here before, recently unveiled their data on Q2 2009 click fraud rates that indicate a decrease in instances of click fraud—down to 12.7 percent from 13.8 percent earlier this year. Meanwhile, Anchor Intelligence released some of their own data which puts the rate of click fraud so far this year at 22.9 percent in Q2 and 21.7 percent in Q1.

We’d probably be willing to look the other way if the margin of difference in data was a point or two. But when we’re talking about variations of 8 to 10 points, then it becomes clear that something is truly off here.

Click Forensics’ click fraud reporting looks very suspect, especially given the close relationships they have with certain industry giants who, despite their public statements to the contrary, actually benefit from click fraud. It’s tough to buy the 12.7 percent rate issued by Click Forensics when, in the big picture, their data also shows an overall decrease in click fraud over the past 12-18 months (their data for Q2 2008 had click fraud at 16.2 percent, for example).

Simply put, not enough has been done preventatively in the past year to justify a nearly 4 percent decrease in overall click fraud. We’re more likely to subscribe to the data put forth by Anchor Intelligence, a group that works with companies to actually fight click fraud. Their research on the issue also seems to be a bit more comprehensive and in-depth, as they looked at click fraud rates not only in the U.S. but around the globe as well. And frankly, after talking to one e-commerce leader, a click fraud rate in the low 20s seems much more realistic than the numbers Click Forensics is putting out there.

If you’re an online retailer, advertiser or marketer, it is in your best interest to pay close attention to data like this when it is released. However, after tackling the competing information put out by Click Forensics and Anchor Intelligence, we strongly advise that you rely on the latter more than the former. Either way, it’s highly advisable that you diversify your online advertising as much as possible to avoid cost-per-click programs that can be fraught with click fraud. In addition, carefully monitor traffic and analyze click logs on a regular basis to spot the fraud and trends normally employed by botnets.

Got questions or comments on click fraud? Leave them below.


While bailouts and stimulus plans have largely dominated the economic headlines in early 2009, another recently released batch of quarterly click fraud data underscores what many of us in the industry have been saying for quite a while: the severity of the threat click fraud poses to online advertisers and, by extension, broader economic recovery, is growing by the day.

The picture painted by the Click Fraud Index, the industry’s barometer of click fraud activity compiled by Click Forensics, is not a pretty one. The overall industry average click fraud rate for Q4 2008 was up to a record-high 17.1 percent, while fraud on the CPC advertisements utilized by many small-budget internet advertisers on content sites like Google and Yahoo increased again as well. Perhaps most alarming, click fraud from ‘botnets’ swelled for an eighth straight quarter and now accounts for more than 30 percent of overall click fraud, another record high for the CFI’s monitoring.

In the aftermath of the CFI report, a debate has emerged over the legitimacy of the CFI’s data. The discussion, fueled largely by Google itself, focuses on what exactly constitutes a fraudulent click. Though the CFI stands by its numbers and the methods it uses to collect them, there are some who openly question if the data includes clicks that Google and others already account for as fraudulent, thus inaccurately inflating the overall click fraud rate.

Now, while this may be pertinent to the click fraud issue on the whole, unfortunately, it distracts us from the bigger picture. We are losing the battle against click-fraud at a most inopportune time and the economic expansion we seek as a nation will be that much harder to realize without a broad, concerted effort to fight back.

Whatever the numbers may ultimately be, click fraud has evolved into much more than just a pesky nuisance. Simply put, it equates to millions of dollars in lost revenue for advertisers and marketers at a time when many of them are scrambling to simply survive. Many of those are small and mid-sized businesses, whose success is crucial to job creation and strong economic performance. But as click fraud continues to expand, those that are relying on internet advertising to grow are finding their bottom lines severely diminished as a result.

As the data indicates, the botnets are faster and smarter than ever, hitting from different IP addresses at varying times and evading the filters designed to stop them. Link farms, groups of people hired exclusively to conduct fraudulent clicking, are also back in full force. As a result, online advertisers are going to be forced to allocate even more budgetary dollars towards combating the problem this year. And it doesn’t take a seasoned economist to understand the domino effect such actions will have on consumers and spending.

Absent any outside or government intervention, the onus for combating click fraud still lies with the advertisers themselves. A diligent and concentrated approach is crucial—one that carefully monitors traffic and analyzes click logs on a regular basis to spot the practices and trends normally employed by botnets. Advertisers must maintain strong relationships with their network providers as well, keeping them abreast of possible fraud with periodic reports and requests for investigations into suspicious activity. Finally, some may benefit from diversifying their advertising budgets with the incorporation of CPA (cost per acquisition) and ‘monthly flat rate’ models that can be just as effective while offering less risk.

Though these steps will likely result in higher short-term costs and a greater time commitment, the continued high rate of click fraud leaves no real alternatives—our economic future, and the viability of our status as world leaders in technology and innovation, depends on strong and swift action.
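The click-log review recommended in the posts above can be sketched as follows. This is an added example, not a tool from Click Forensics, Anchor Intelligence or any ad network; the log format, field names and thresholds are constructed assumptions. It shows why a per-IP repeat filter sees nothing when clicks arrive from different IP addresses at varying times, while a per-placement summary still stands out.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample click log (not real traffic); field names are assumptions.
SAMPLE_LOG = """\
time,ip,placement,user_agent,dwell_s,converted
2010-01-04T09:02:11,198.51.100.7,site-a,UA-Firefox-3.5,41,0
2010-01-04T09:15:40,198.51.100.23,site-a,UA-IE-8,95,1
2010-01-04T10:01:05,198.51.100.7,site-a,UA-Firefox-3.5,12,0
2010-01-04T11:47:52,192.0.2.14,site-a,UA-Safari-4,230,0
2010-01-04T13:20:09,192.0.2.77,site-a,UA-IE-7,18,0
2010-01-04T09:07:31,203.0.113.5,site-b,UA-IE-6,1,0
2010-01-04T10:44:02,203.0.113.61,site-b,UA-IE-6,0,0
2010-01-04T12:13:57,203.0.113.118,site-b,UA-IE-6,1,0
2010-01-04T14:36:20,203.0.113.200,site-b,UA-IE-6,2,0
2010-01-04T17:05:44,192.0.2.150,site-b,UA-IE-6,1,0
2010-01-04T21:58:13,192.0.2.201,site-b,UA-IE-6,0,0
"""

def parse_clicks(text):
    """Parse the CSV log into dicts with typed dwell and conversion fields."""
    return [{**r, "dwell_s": float(r["dwell_s"]), "converted": r["converted"] == "1"}
            for r in csv.DictReader(io.StringIO(text))]

def per_ip_repeaters(clicks, limit=3):
    """Naive filter: IPs that clicked more than `limit` times."""
    counts = Counter(c["ip"] for c in clicks)
    return {ip for ip, n in counts.items() if n > limit}

def placement_report(clicks):
    """Summarise each ad placement (traffic source) across all of its clicks."""
    by_place = defaultdict(list)
    for c in clicks:
        by_place[c["placement"]].append(c)
    report = {}
    for place, rows in by_place.items():
        top_ua = Counter(r["user_agent"] for r in rows).most_common(1)[0][1]
        report[place] = {
            "clicks": len(rows),
            "distinct_ips": len({r["ip"] for r in rows}),
            "top_ua_share": top_ua / len(rows),   # one client build dominating
            "median_dwell_s": median(r["dwell_s"] for r in rows),
            "conversions": sum(r["converted"] for r in rows),
        }
    return report

def suspicious_placements(clicks, min_clicks=5, ua_share=0.8, max_dwell=3.0):
    """Flag placements with near-zero dwell, no conversions and one dominant UA."""
    return sorted(
        place for place, s in placement_report(clicks).items()
        if s["clicks"] >= min_clicks and s["conversions"] == 0
        and s["top_ua_share"] >= ua_share and s["median_dwell_s"] <= max_dwell
    )
```

A flagged placement is a lead for the investigation request to the network provider, not proof of fraud; the thresholds need tuning against your own baseline traffic.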
