Why CIOs should care about click fraud

Click fraud is more than just a marketing problem. It presents a real security risk to your organization, experts say. CIOs need to know their enemy.

The ancient Chinese military strategy guide The Art of War says that if you want to have a chance of prevailing in battle, you need to know your enemy. It’s good advice for the battlefield, and it's also good advice if you want to beat hackers in their constant attempts to take over your network.

But in order to know these hackers you need to understand their motivations, and in many cases those motivations may not be what you expect. That's according to Dan Kaminsky, the security expert who discovered a fundamental flaw in the Internet's Domain Name System (DNS) protocol in 2008 and who discovered flaws in the widely used SSL protocol a year later. Kaminsky is a frequent speaker at Black Hat Briefings, and now works as Chief Scientist at White Ops, a security firm specializing in detecting bot and malware fraud.

Cashing out compromised machines

"If you are a CIO you must ask why people are breaking in to your network. The answer is to get your data — eventually. But initially it is to defraud advertisers," Kaminsky says. "The major motivator for hackers is to commit click fraud as it provides a way to cash out a compromised machine. Only once they have done that will they look at what else they can do with the machine."

As companies catch on that a given machine is responsible for click fraud, that machine’s ability to generate cash for the fraudsters drops dramatically until it has no further use to them. It's at that point that access to the compromised machine will be sold off to someone else to exploit, with servers in large enterprises commanding far higher prices than compromised run-of-the-mill consumer machines.

"There is a whole ecosystem out there," says Kaminsky. "One guy finds vulnerabilities, one guy deploys them, and then there are the guys who buy (compromised machines) afterwards and do all kinds of things with them." This, Kaminsky says, includes corporate data theft and the full gamut of other crimes.

No obvious victims

That leads to an interesting question about who the victims of click fraud really are, and Kaminsky says that it's not immediately obvious. "When you rob a bank, people are angry. But when you rob an advertiser, their numbers are up, so they are happy," he says. Many direct marketers also take the attitude that a certain amount of click fraud is factored into the price that they pay, so they may not be unduly worried or feel they are victims. In fact, on the advertising side very few people get angry, Kaminsky says.

But aside from the advertisers that have been defrauded, the other victims are the CIOs of large companies, says Kaminsky. "They are the victims as they are the people whose machines are taken over," he says. "If you are a CIO and your job is to protect the network, click fraud is the cause of a major class of threat that you have to deal with."

How click fraud works

Hackers can carry out click fraud in two ways. The first is to set up a website that is never intended to be viewed by humans and populate it with "word salad," meaningless content made up of random words. These sites are filled with ads that are placed through automated ad exchanges, and the hackers then point their botnets at the site to generate clicks and "earn" advertising revenue.

The second way is simply to wait for a real site owner to contact them and pay to send a certain amount of bot traffic to their site. "A site owner may have sold a million hits to advertisers but only got a quarter of that. Do they give the money back? Never!" says Kaminsky. "They will call someone with a botnet and the site will get those extra three quarters of a million hits," he explains.

Click fraud fuels malvertising

To build botnets to carry out ad fraud, hackers need to compromise a steady stream of new machines to replace those that are no longer effective. To do this they are increasingly turning to malvertising: placing advertisements containing malware that infects viewers onto well known, reputable web sites, according to Kelley Mak, an analyst at Forrester Research.

"Malvertising will either deliver ransomware or compromise the machine and recruit it to a botnet," Mak says. "Malvertising is fuelled by click fraud because a malicious ad can recruit the new bots hackers need, and malvertising is cheap if all you are trying to do is infect people, not actually sell them something."

Hackers are more likely to use malvertising to recruit bots for click fraud rather than to deposit ransomware on a machine, Mak believes. One reason is that it's easier to generate money from click fraud, but, more importantly, there's also much less risk involved for the hackers. "People hit by click fraud will probably not try and enlist the help of a government agency — they are more likely just to try and block bots, so the risk is substantially lower," he explains.

Threat to the Internet

There's little doubt that click fraud represents a major headache for CIOs and their security teams, but Kaminsky believes that this type of hacker activity harms businesses in a more fundamental way: it plunges the economics of the Internet as a business tool into doubt.

"The entire ecosystem is threatened by click fraud," he says. "Why? Because it costs money to build the web, and if money is being siphoned off by people who aren't building it, then legitimate businesses have to work harder and harder for less and less."

$7.2 billion problem

In terms of the scale of the click fraud problem, evidence suggests it's a multi-billion dollar business. The 2015 Bot Baseline Study into fraud in digital advertising carried out by the Association of National Advertisers and White Ops found that click fraud will likely cost companies around the world a total of $7.2 billion in 2016, with advertisers unwittingly paying out an average of $10 million to fraudsters during the year. When it comes to the proportion of the clicks that are fraudulent, the study says advertisers were defrauded between 3 percent and 37 percent of the time.

So what can CIOs do to minimize the risk that an infected machine committing click fraud may be lurking on their networks? Kaminsky recommends keeping a close eye on the traffic generated by machines on the corporate network, and in particular monitoring DNS traffic. "No-one monitors DNS enough, but there are identifiable C&C (command and control) domains," he says. "The benefit of monitoring DNS is that the info flow is relatively small, so the relative value of any data you analyze is high."

He also recommends encouraging marketing departments to use specialist click fraud protection software, such as that sold by his employer White Ops as well as competitors PPCSecure and Distil Networks.
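
As an illustration of the DNS monitoring Kaminsky recommends, the sketch below is an added example, not code from the article or from White Ops. It scans resolver query logs for lookups of known C&C domains and groups the hits by client machine. The log format, the blocklist entries and the function names are all assumptions constructed for the example.

```python
from collections import defaultdict

# Hypothetical blocklist (placeholder names on reserved TLDs); in practice
# the entries would come from a threat-intelligence feed. Keep it lowercase.
C2_DOMAINS = {"c2-placeholder.example", "beacon-placeholder.invalid"}

# Constructed resolver log, one query per line:
# "<ISO timestamp> <client IP> <query type> <query name>"
SAMPLE_LOG = """\
2016-03-01T09:00:01Z 10.0.4.17 A www.example.org.
2016-03-01T09:00:02Z 10.0.4.23 A cdn.c2-placeholder.example.
2016-03-01T09:00:05Z 10.0.4.23 A C2-Placeholder.Example
2016-03-01T09:00:09Z 10.0.7.80 AAAA notc2-placeholder.example.
2016-03-01T09:01:12Z 10.0.7.80 TXT x.beacon-placeholder.invalid.
malformed line
"""


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def matches_blocklist(qname, blocklist):
    """True if qname is a listed domain or a subdomain of one."""
    labels = normalize(qname).split(".")
    # Compare whole-label suffixes only, so "notc2-placeholder.example"
    # does not match "c2-placeholder.example".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_clients(log_text, blocklist):
    """Return {client_ip: [(timestamp, qtype, qname), ...]} for C&C lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip lines that do not fit the assumed format
            continue
        ts, client, qtype, qname = parts
        if matches_blocklist(qname, blocklist):
            hits[client].append((ts, qtype, normalize(qname)))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(flag_clients(SAMPLE_LOG, C2_DOMAINS).items()):
        names = sorted({name for _, _, name in events})
        print(f"{client}: {len(events)} C&C lookups -> {names}")
```

Because each flagged entry carries the client address, a hit points straight at the machine to investigate.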
