Combating Click Fraud via Premium Clicks Ari Juels Sid Stamm RSA Laboratories1 Indiana University, Bloomington [email protected] [email protected] Markus Jakobsson Indiana University, Bloomington and RavenWhite Inc. [email protected] Abstract A syndicator or publisher’s server observes a “click” We propose new techniques to combat the problem of simply as a browser request for a URL associated with click fraud in pay-per-click (PPC) systems. Rather than a particular ad. The server has no way to determine if adopting the common approach of filtering out seem- a human initiated the action—and, if a human was in- ingly fraudulent clicks, we consider instead an affirma- volved, whether she acted knowingly and with honest tive approach that only accepts legitimate clicks, namely intent. Syndicators typically seek to filter fraudulent or those validated through client authentication. Our sys- spurious clicks based on information such as the type of tem supports a new advertising model in which “pre- advertisement that was requested, the cost of the associ- mium” validated clicks assume higher value than ordi- ated keyword, the IP address of the request and the recent nary clicks of more uncertain authenticity. Click valida- number of requests from this address. In this paper, we tion in our system relies upon sites sharing evidence of propose an alternative approach. Rather than seeking to the legitimacy of users (distinguishing them from bots, detect and eliminate fraudulent clicks, i.e., filtering out scripts, or fraudsters). As cross-site user tracking raises seemingly bad clicks, we consider ways of authenticat- privacy concerns among many users, we propose ways ing valid clicks, i.e., admitting only verifiably good ones. to make the process of authentication anonymous. Our We refer to such validated clicks as premium clicks. premium-click scheme is transparent to users. It requires Our scheme involves a new entity, referred to as no client-side changes and imposes minimal overhead on an attestor, that provides cryptographic credentials for participating Web sites. clients that perform qualifying actions, such as pur- chases. These credentials allow the syndicator to distin- Key words: authentication, click-fraud guish premium clicks–corresponding to relatively low- 1 Introduction risk clients–from other, general click traffic. Such classi- Pay-per-click (PPC) metering is a popular payment fication of clicks strengthens a syndicator’s heuristic iso- model for advertising on the Internet. The model in- lation of fraud risks. volves an advertiser who contracts with a specialized en- The premium-click techniques that we describe in this tity, which we refer to as a syndicator, to distribute tex- paper are complementary to existing, filter-based tools tual or graphical banner advertisements to publishers of for validating clicks: The two approaches can can oper- content. These banner ads point to the advertiser’s Web ate side by side. site: When a user clicks on the banner ad on the pub- lisher’s webpage, she is directed to the site to which it Organization. We begin with a problem statement and points. Search engines such as Google and Yahoo are a description of the the related work in section 2, fol- the most popular syndicators, and create the largest por- lowed by a structural overview of our approach in sec- tion of pay-per-click traffic on the Internet today. These tion 3. In section 4, we outline our scheme and de- sites display advertisements on their own search pages in tail its technical foundations. We describe a prototype response to the search terms entered by users and charge implementation of our scheme in section 5 and discuss advertisers for clicks on these links (thereby acting as user privacy in section 6, proposing several privacy- their own publishers) or, increasingly, outsource adver- enhancing techniques. We provide a brief security analy- tisements to third-party publishers. Advertisers pay syn- sis in section 7, and conclude in section 8. The paper ap- dicators per referral, and the syndicators pass on a por- pendix describes design choices for premium-click sys- tion of the payments to the publishers. tems with multiple attestors. 2 Problem Overview and Related Work closure might prompt new forms of fraud [10]. To give one example, though, it is likely that syndicators use IP Click-fraud is a type of abuse that exploits the lack of tracing to determine if an implausible number of clicks verifiable human engagement in PPC requests in order to is originating from a single source. While heuristic fil- fabricate ad traffic. It can take a number of forms. One ters are fairly effective, they are of limited utility against virulent, automated type of click fraud involves a client sophisticated fraudsters, and subject to degraded perfor- that fraudulently simulates a click by means of a script mance as fraudsters learn to defeat them. or bot—or as the result of infection by a virus or Tro- jan. Such malware typically resides on the computer of the user from which the click will be generated, but can 3 Structural Overview also in principle reside on access points and consumer routers [8, 9, 7]. Some click-fraud relies on real clicks, Authentication. Our premium-click scheme is based whether intentional or not. An example of the former is on authentication of requests via cryptographic attesta- a so-called click-farm, which is a term denoting a group tions on client behavior. We refer to these attestations as of low-wage workers who click for a living; another ex- coupons. While a coupon could be realized straightfor- ample involves deceiving or convincing users to click on wardly using traditional third-party cookies, such cook- advertisements. An example of an unintentional click is ies are so commonly blocked by consumers that their use one generated by a malicious cursor-following script that is often impractical. Our scheme could alternatively in- places the banner right under the mouse cursor [6]. This volve traditional first-party cookies dispensed and har- can be done in a very small window to avoid detection. vested by a central authority. This architectural ap- When the user clicks, the click would be interpreted as proach, however, presents limitations that we explain in a click on the banner, and cause revenue generation to depth in section 4.1. As we explain, we instead focus in the attacker. A related abuse is manifested in an attack this paper on the alternative mechanism of cache cookies. where publishers manipulate web pages such that hon- Our premium-click scheme has two distinctive as- est visitors inadvertently trigger clicks [4]. This can be pects: done for many common PPC schemes, and simply relies on the inclusion of a JavaScript component on the pub- 1. Pedigree: Our scheme relies on designated Web lisher’s webpage, where the script reads the banner and sites called attestors to identify and label clients that performs a get request that corresponds to what would be appear to be operated by legitimate users—as op- performed if a user had initiated a click. posed to bots or fraudsters. For example, an attestor Click fraud can benefit a fraudster in at least three might be a retail Web site that classifies as legiti- known ways: First of all, a fraudster can use click-fraud mate any client that has made at least $50 of pur- to inflate the revenue of a publisher. Second, a fraudster chases. (Financial commitment here corroborates can employ click-fraud to inflate advertising costs for a legitimate user behavior.) We refer to such clients, commercial competitor. As advertisers generally specify the producers of premium clicks in our scheme, as caps on their daily advertising expenses, such fraud is es- premium clients. In a loose sense, we propose the sentially a denial-of-service attack. Third, a fraudster can creation of an implicit reputation network to com- modify the ranking of advertisements by a combination bat click-fraud, much like the seller reputation on of impressions and clicks. An impression is the viewing eBay [3]. of the banner, with no click; this causes the ranking of the associated advertisement to go down. This can be done 2. Traffic caps: Our scheme supports validation of to benefit own advertising programs at the cost of those clicks from clients that have not produced an ex- of competitors, and to manipulate the price paid per click cessive degree of click-traffic and thereby indicated for selected keywords. possible malicious activity. In our approach, a Syndicators can in principle derive financial benefit click is only regarded as valid if accompanied by from click fraud in the short term, as they receive revenue a coupon. Thus, we can detect multiple requests for whatever clicks they deem “valid.” In the long term, from the same origin by keeping track of coupon however, as customers become sensitive to losses, and presentation. In the standard approach in which at- syndicators rely on third-party auditors to lend credibility testations like coupons do not play a role, detection to their operations, click fraud can jeopardize syndicator- of same-source traffic is more challenging, and of- adverstiser relationships. Thus syndicators ultimately ten depends upon coarser origination data, such as have a strong incentive to eliminate fraudulent clicks. IP addresses, or more fragile markers of continuity, Today they employ a battery of filters to weed out sus- such as session identifiers. picious clicks. These filters are trade secrets, as their dis- Architecture. In a traditional scheme, as a user clicks 4 A Premium-Click Scheme on a banner placed on the site of a publisher, the cor- responding advertisement is downloaded from the ad- In a world of perfect transparency, in which a syndica- vertiser and the transaction recorded by the syndicator.