Security Watch | Matt Hines » Fighting click fraud through trust

August 08, 2007 | Comments: (0)

Fighting click fraud through trust

TAGS: Security

The issue of click fraud continues to haunt the online advertising space as advertisers and their distribution networks struggle with methods of verifying the legitimacy of the traffic they receive, but the situation could be improved quickly if the companies figure out a way to convince end users to offer small amounts of contextual information about themselves that would help weed-out automated hits and other problems, researchers said.

Presenting at the ongoing Usenix Security Symposium in Boston, Ari Juels, a researcher with EMC's RSA Labs division, outlined his concept for fighting click fraud through "premium clicks."

With shady syndicates using scripting programs to boost traffic using software that mimics user ad impressions, or tapping into botnets to carry out similar scams, online advertising remains as questionable as ever in terms of proving the legitimacy of its traffic, Juels said.

However, by simply shifting their model away from trying to determine which types of traffic appears to be fraudulent to a plan where advertisers can qualify hits as legitimate by correlating traffic with individual users or browsers, the industry could greatly improve its reputation, the researcher said.

"If people could use filters to identify browsers uniquely, things like rapid fire clicks from scripting programs could become easily detectable," Juels said. "We need something that doesn't rely on an IP address -- such as a token -- that could help identify honest users over click fraud."

As an example, Juels said that if end users could be convinced to keep some trace of their previous transactions in their browsers, such as proof that they have paid for a subscription to a site or carried out an online transaction of some kind, it would become infinitely easier for advertisers to determine which types of traffic are real, versus fake.

Truly ingenious botnets that are programmed to copy the tokens themselves might still prove troublesome using such a model, but companies could more easily identify who the truly valuable visitors to the sites may be.

In turn, the advertisers could financially reward syndicates that deliver them the highest quality traffic and lowest rates of click fraud, Juels proposed.

While many end users might be scared-off by the privacy concerns involved with sharing some of their Web surfing history, the researcher contends that people could be convinced to participate via marketing programs that offer discounts on e-commerce transactions or systems that promise to cloak any data made available in the browser.

Another manner of applying the model could involve qualifying certain online businesses to serve as "attesters" that provide secure proof that users are for real and not just spam-fueled botnet machines, he said.

As an example that some consumers might be open to participating in premium traffic programs the researcher pointed out that Google was able to convince large numbers of people to hand over their phone numbers to gain access to its Gmail Web mail application. Gmail also uses contextual information derived via data mining of end users' e-mail messages to present them with advertising.

"Unfortunately in advertising there is very little incentive to the user to participate, but it could be possible for users to engage voluntarily in attestation if they are somehow paid for sharing their information," said Juels. "I think some people could be convinced as it relates to trading demographic information for some commercial benefits, that sort of thing could easily be embodied in such a system."

Posted by Matt Hines on August 8, 2007 01:15 PM

RATE THIS ARTICLE: