Measuring, fingerprinting and catching click-spam in ad networks

Advertising plays a vital role in supporting free websites and smart- phone apps. Click-spam, i.e., fraudulent or invalid clicks on online ads where the user has no actual interest in the advertiser's site, results in advertising revenue being misappropriated by Click-spammers. This revenue also funds malware authors through adware and malware crafted specifically for click-spammers. While some ad networks take active measures to block Click-spam today, the effectiveness of these measures is largely unknown, as they practice security-through-obscurity for fear of malicious parties reverse-engineering their systems. Moreover, advertisers and third parties have no way of independently estimating or defending against Click-spam. This work addresses the click-spam problem in three ways. It proposes the first methodology for advertisers to independently measure Click-spam rates on their ads. Using real world data collected from ten ad networks, it validates the method to identify and perform in-depth analysis on seven ongoing Click-spam attacks not currently caught by major ad networks, high- lighting the severity of Click-spam. Next, it exposes the state of Click-spam defenses by identifying twenty attack signatures that mimic Click-spam attacks in the wild (from Botnets, PTC sites, scripts) that can be easily detected by ad networks, and implements these attacks, and shows that none of the ad networks protect against all the attacks. This also shows that it's possible to reverse engineer click-fraud rules employed by ad networks in spite of the security-through-obscurity practices prominent today. Finally, it shows that it is not just possible, but also desirable to create Click-spam algorithms that do not rely on security-through-obscurity but instead on invariants that are hard for click-spammers to defeat, as such algorithms are inherently more robust and can catch a wide variety of click-fraud attacks.