Click Fraud - A Story of Intrigue

Friday, October 19th, 2007

The transcript of this click fraud investigation reads like the story from a spy novel: agents in Somalia were posing as legitimate users from Amsterdam attacking the secretive operation in England, or was it double agents based in Somalia attacking the political dissident? This was not the plot line from the latest Le Carre novel; rather, it is the story of a click fraud attack I was subject to. In this post I will document the whole story from detection, to reporting, and ending up at a follow-up visit to the culprit's website.

The events in this story are all true and happened during September 2007; the names have NOT been changed to protect the guilty.

During September I was running an Adwords campaign to drive traffic to this blog. The campaign was bidding on click fraud related keywords and had a relatively low max cost per click of 0.25 (GBP). The campaign was running worldwide with no time zone limitation and it was also running on the content network. All of the points noted are against much of the anti-click fraud advice I give, probably because I was keen to capture a real click fraud attempt with my newly installed click fraud software.

Sure enough, not long after the campaign was launched, I began to receive repeated clicks from a number of IP addresses which were registered to an Amsterdam address. I am happy to say that my click fraud software works and I began receiving e-mail alerts.

Interested in who was attacking me, I went to whois.org and performed a lookup against an IP address. The offending address whois lookup is shown below:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 193.0.0.0 - 193.255.255.255
CIDR: 193.0.0.0/8
NetName: RIPE-CBLK
NetHandle: NET-193-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1992-08-12
Updated: 2005-08-03

I THEN QUERIED THE RIPE DATABASE

inetnum:         193.219.242.0 - 193.219.242.255
netname:         GTC-NET-SO
descr:           Golis Telecommunication
country:         SO
admin-c:         YMA6-RIPE
tech-c:          YMA6-RIPE
status:          ASSIGNED PA
remarks:         --------------
remarks:         T-IP-20040728
remarks:         --------------
mnt-by:          TAIDE-NOC
source:          RIPE # Filtered

person:          Yahye Mohamud Ahmed
address:         Bosaso, Somalia
phone:           +252 5 722002
phone:           +252 5 822016
fax-no:          +252 5 822011
e-mail:          yahye@golis.net
e-mail:          meecad@hotmail.com
nic-hdl:         YMA6-RIPE
source:          RIPE # Filtered

Upon further investigation, I noticed in the referrer information that all the attacks were coming from a single Adsense account and website. From this I made the following deductions:

1) That someone trying to boost their Adsense earnings was clicking on their own links.

2) In a much more interesting turn of events, to add to the intrigue of this whole story, I like to think that the website owner was being attacked, as the site, which is based in Somalia, was showing political cartoons alongside Adsense and other banner ads. Some dark agents of the Somalian government were clicking on this dissident's links to cut off his or her income, which was being used to fuel anti-government propaganda (always the conspiracy theorist, I go for this possibility :-))

The Adsense account ID is ca-pub-0558200840132548 and the offending website is www.aminarts.com
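The referrer check described above can be automated. The following is an added example, not the monitoring software used in this post: it groups a click log by IP address and extracts the publisher ID (`client`) and publisher page host (`url`) from each content-network referrer. The log entries, IP addresses, publisher IDs and function names are constructed for illustration. The referrer is sent by the visitor's browser and can be forged, so the result is a lead for a report, not proof.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

AD = "http://pagead2.googlesyndication.com/pagead/ads?client={pub}&format=728x90_as&url={page}"
# Constructed sample click log (timestamp, client IP, referrer); not data from the post.
SAMPLE_CLICKS = [
    ("2007-09-01T13:45:00", "192.0.2.40",
     AD.format(pub="ca-pub-0000000000000001", page="http%3A%2F%2Fwww.example.org%2Fa.htm")),
    ("2007-09-02T09:10:00", "192.0.2.40",
     AD.format(pub="ca-pub-0000000000000001", page="http%3A%2F%2Fwww.example.org%2Fb.htm")),
    ("2007-09-04T02:15:00", "192.0.2.40",
     AD.format(pub="ca-pub-0000000000000001", page="http%3A%2F%2Fwww.example.org%2Fc.htm")),
    ("2007-09-03T11:00:00", "198.51.100.7", "http://www.example.net/search?q=click+fraud"),
    ("2007-09-03T11:30:00", "198.51.100.7",
     AD.format(pub="ca-pub-0000000000000002", page="http%3A%2F%2Fwww.example.com%2F")),
]

def parse_ad_referrer(referrer):
    """Return (publisher_id, publisher_host) for a content-network ad referrer, else None."""
    # The Referer header is client-supplied: treat the result as a lead, not proof.
    parts = urlsplit(referrer)
    host = parts.hostname or ""
    if host != "googlesyndication.com" and not host.endswith(".googlesyndication.com"):
        return None
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the nested url= value
    client = query.get("client", [""])[0]
    if not client.startswith("ca-pub-"):
        return None
    page = query.get("url", [""])[0]
    return client, urlsplit(page).hostname

def suspicious_ips(clicks, threshold=3):
    """Report IPs with at least `threshold` clicks, plus the publishers that sent them."""
    by_ip = defaultdict(list)
    for timestamp, ip, referrer in clicks:
        by_ip[ip].append((timestamp, parse_ad_referrer(referrer)))
    report = {}
    for ip, rows in by_ip.items():
        if len(rows) < threshold:
            continue
        times = sorted(t for t, _ in rows)  # ISO 8601 strings sort chronologically
        sources = {src for _, src in rows}
        report[ip] = {
            "clicks": len(rows), "first": times[0], "last": times[-1],
            "sources": sources,
            # One publisher behind every click is the pattern worth reporting.
            "single_publisher": len(sources) == 1 and None not in sources,
        }
    return report
```

The click count, first and last click times, and the single publisher behind them are the same fields the invalid click report below is built from.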

I collected the appropriate information and lodged an invalid click investigation from the form at Google. In a previous post I have documented getting a refund from your PPC supplier; check that out for more details.

I provided the following to Google. Please note the actual report was much longer and has been abridged for clarity.

TO: Google Adwords Support,

My name is Neil Matthews. My account ID is xxx-xxx-xxxx.
I would like to report the following suspicious activity that I
have detected during 09/2007.

In particular I am seeing a lot of problems emanating from an Amsterdam IP address via www.aminarts.com
using Adsense ID ca-pub-0558200840132548

===============================
IP ADDRESS: 193.219.242.40
===============================
Number Of Suspicious Clicks: 22
Time Of The First Click: September 18, 2007, 1:45 pm
Time Of The Last Click: September 22, 2007, 2:15 am
Referring URL:
http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=946656542941&lmt=1189488293&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=946656541359&url=http%3A%2F%2Fwww.aminarts.com%2Fsep_7_07.htm&color_bg=FFFFFF&color_t

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190210567593&lmt=1187337021&prev_fmts=468x60_as&format=468x60_as&output=html&correlator=1190210566484&url=http%3A%2F%2Fwww.aminarts.com%2Faug_12_2007.htm&color_bg=FFFFFF&co

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190176577359&lmt=1186642883&prev_fmts=468x60_as&format=468x60_as&output=html&correlator=1190176577328&url=http%3A%2F%2Fwww.aminarts.com%2Faug_6_2007.htm&color_bg=FFFFFF&col

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1171908513015&lmt=1186130281&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1171908512937&url=http%3A%2F%2Fwww.aminarts.com%2Faug_2_2007.htm&color_bg=FFFFFF&col

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190224766859&lmt=1186133881&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1190224766812&url=http%3A%2F%2Fwww.aminarts.com%2Faug_2_2007.htm&color_bg=FFFFFF&col

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190228742765&lmt=1186133878&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1190228742640&url=http%3A%2F%2Fwww.aminarts.com%2Faug_1_2007.htm&color_bg=FFFFFF&col

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190234317156&lmt=1190174273&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1190234317140&url=http%3A%2F%2Fwww.aminarts.com%2Fsep_15_2007.htm&color_bg=FFFFFF&co

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190256870736&lmt=1190174273&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1190256870666&url=http%3A%2F%2Fwww.aminarts.com%2Fsep_15_2007.htm&color_bg=FFFFFF&co

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1190262102421&lmt=1190013894&prev_fmts=468x60_as&format=234x60_as&output=html&correlator=1190262102343&url=http%3A%2F%2Fwww.aminarts.com%2Fgolis_new.htm&color_bg=FFFFFF&colo

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1041461065515&lmt=1186130281&format=468x60_as&output=html&correlator=1041461065484&url=http%3A%2F%2Fwww.aminarts.com%2Faug_2_2007.htm&color_bg=CCFFFF&color_text=000000&color

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1041461286484&lmt=1187333424&format=468x60_as&output=html&correlator=1041461286437&url=http%3A%2F%2Fwww.aminarts.com%2Faug_15_2007.htm&color_bg=CCFFFF&color_text=000000&colo

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1041461425031&lmt=1187333424&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1041461424765&url=http%3A%2F%2Fwww.aminarts.com%2Faug_15_2007.htm&color_bg=FFFFFF&co

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1041461425031&lmt=1187333424&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1041461424765&url=http%3A%2F%2Fwww.aminarts.com%2Faug_15_2007.htm&color_bg=FFFFFF&co

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1041461562718&lmt=1187890854&format=468x60_as&output=html&correlator=1041461562718&url=http%3A%2F%2Fwww.aminarts.com%2Faug_19_07.htm&color_bg=CCFFFF&color_text=000000&color_

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0558200840132548&dt=1172774004749&lmt=1188167485&prev_fmts=468x60_as&format=728x90_as&output=html&correlator=1172774004398&url=http%3A%2F%2Fwww.aminarts.com%2Faug_17_07.htm&color_bg=FFFFFF&colo

THE REPORT GOES ON BUT HAS BEEN CUT SHORT FOR CLARITY

I then sat down to wait. The expected reply in three working days did not arrive; it was not until 4th October that the following reply was received from the Googleplex:

Hello Neil,
We received your report regarding suspicious clicks from IP address
193.219.242.40. Thank you for your patience while we researched this
issue.
It appears that the activity you noticed was a result of invalid clicks
your ads received on a site in our content network. Thank you for bringing
this issue to our attention.
You should receive a credit to your AdWords account within a few weeks for
any charges for clicks we believe were invalid. Please also know that this
site’s AdSense account has been disabled and the publisher will not be
allowed further participation in the Google Network.
We strive to upgrade our detection mechanisms to pro-actively combat
invalid click activity. Thank you for your assistance with our
investigation. We apologise for any inconvenience.
Sincerely,
Andrew
The Google Ad Traffic Quality Team

In previous reports to Google they are quick to say that their filters have captured the clicks and that I have not been charged for them, but in this reply there is no mention of capture; from this I assume the filters did not capture the problem. I was awarded a refund of 24.96 (GBP). This is not an earth-shaking click fraud, but in the context of my monthly Adwords spend of approximately 200 (GBP) this is a substantial percentage.

During the writing of this article, I revisited www.aminarts.com and I was glad to see they were no longer running Adsense ads.

In conclusion to this post, I would like to add that it is highly unlikely that I would spot a click fraud attempt like this without the use of click fraud monitoring software. The monthly charge of the click fraud monitoring software would easily be covered by refunds like mine.
