Wednesday, April 2, 2008

Digit Article : November 2007

Starting off from an Indian Security analyst’s claim, we try and look at exactly how secure Google’s AdSense programme is.

“Google is God,” many are apt to declare. And they are, really, close to being right… in certain senses. For example, you get a .odt file from someone when you expected a Word document. You scratch your head for a while—“open document something?”—and then you give up and do the usual thing: www.google.com. Type in just “.odt” without the quotes, and you’re in business: a link to a forum, a link to a page, and seconds later, via a link you find, you have a Word document. Try it!

Now try the same query on, for example, Yahoo! Search. The top result: the Otago Daily Times. Not so helpful… Next up: some world maps. Not so helpful either…

That example graphically demonstrates why Google is the most popular search engine. No one can say it is “the best,” because that is a much tougher question.

Now, back to the clicks: all this fabulous search technology, all the power that Google has come to be known for, all its great products, rest on one edifice—its advertising programmes, AdWords and AdSense. (We’re focusing here on AdSense.) It seems money is just a click away—to be precise, a few thousand clicks. Those clicks can be engineered.

The Working
For those of you hearing the word for the first time, AdSense is Google’s word for the programme whereby they place ads on a site or blog based on its content. Anyone can have an AdSense account, though to actually make money off it, you’ll probably need a blog or site with good, extensive content.

The concept is simple: after you sign up for an AdSense account, bots “look” at your page and place relevant ads on it. Those are the “Ads by Google” links you see. The advertiser pays Google when someone clicks on one of his ads (on your site). Google pays the “publisher”—that is, you—some of that money, and keeps some for itself.

The Problem
The obvious thing here is, if clicks on ads mean money, minds of the money-grubbing type find ways to generate clicks. Well, if you’re the publisher, you can’t just click on your own ads, sorry—Google just detects those as “invalid” clicks. Tell your office co-workers to click on them? Sorry again: same IP range, so they’re detected as invalid. Yes, Google does keep updating its technology to detect invalid clicks.
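The two detection heuristics named above (the publisher clicking their own ads, and co-workers clicking from the same IP range) are easy to picture as a filter over a click log. The following is an added example for illustration; it is not Google’s code and has nothing to do with the script the article goes on to describe. The publisher IDs, IP ranges and click records are all constructed, and the idea of expanding a publisher’s known address to a /24 is an assumption standing in for “same IP range.”

```python
"""Toy invalid-click filter modelled on the two heuristics the article names:
the publisher clicking on their own ads, and co-workers clicking from the
same IP range.  Added example; not Google's code.  All IDs, ranges and click
records below are constructed."""
import ipaddress

# Assumed: the address range each publisher served their site from, widened
# to a /24 to stand in for "same IP range" (constructed values).
PUBLISHER_RANGES = {
    "pub-1001": [ipaddress.ip_network("203.0.113.0/24")],
    "pub-1002": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed click log: (publisher_id hosting the ad, clicker IP, ad id).
CLICK_LOG = [
    ("pub-1001", "203.0.113.7", "ad-42"),   # the publisher's own machine
    ("pub-1001", "203.0.113.55", "ad-42"),  # a co-worker in the same range
    ("pub-1001", "192.0.2.18", "ad-42"),    # unrelated visitor
    ("pub-1001", "192.0.2.19", "ad-43"),    # unrelated visitor
    ("pub-1002", "198.51.100.2", "ad-42"),  # the other publisher's own range
    ("pub-1002", "2001:db8::1", "ad-42"),   # IPv6 visitor, outside any range
]


def classify_click(publisher_id, clicker_ip):
    """Return 'invalid' when the click comes from a range tied to the
    publisher hosting the ad, otherwise 'valid'.  An unparsable address is
    treated as 'invalid' so a malformed record can never become billable."""
    try:
        addr = ipaddress.ip_address(clicker_ip)
    except ValueError:
        return "invalid"
    for net in PUBLISHER_RANGES.get(publisher_id, []):
        # Compare only within the same IP version; a v6 address is never
        # "inside" a v4 range.
        if addr.version == net.version and addr in net:
            return "invalid"
    return "valid"


def filter_clicks(log):
    """Split a click log into (billable, rejected) lists of records."""
    billable, rejected = [], []
    for pub, ip, ad in log:
        target = billable if classify_click(pub, ip) == "valid" else rejected
        target.append((pub, ip, ad))
    return billable, rejected


def invalid_rate(log):
    """Fraction of clicks the filter rejects, rounded to four places."""
    if not log:
        return 0.0
    _, rejected = filter_clicks(log)
    return round(len(rejected) / len(log), 4)


if __name__ == "__main__":
    good, bad = filter_clicks(CLICK_LOG)
    print(f"billable={len(good)} rejected={len(bad)} rate={invalid_rate(CLICK_LOG)}")
```

On the constructed log, three of the six clicks are rejected. The point of the example is what such a filter can and cannot see: it catches the publisher and the office next door, but a click from an address with no known tie to the publisher passes, which is why the article’s later discussion of statistical detection matters.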

But it goes like this: someone—let’s call him a hacker—comes up with a new technique to make money off clicks. He uses his method and makes lots of money, in the time that Google fixes that newly-discovered problem with AdSense. And in that time, the advertiser loses money.

Which, naturally, leads to lawsuits. You’ve probably heard this headline at least once: “Google sued for click fraud.” Click fraud is it: the potential Google-killer. As a matter of fact, in May 2004 there was an article by Garrett French (Managing Editor of Search Engine Lowdown) titled Click Fraud: The Google Killer. The text went on: “Google listed click fraud as one of the potential ‘worries’ that would-be investors should consider. In fact, they admitted to regularly paying refunds because of Click Fraud and stated that they may have to make retroactive payments.”

Formally, from www.clickz.com, Yahoo! Sponsored Search defines click fraud as “clicks arising for reasons other than the good-faith intention of an Internet user to visit a Web site to purchase goods or services or to obtain information.”

Google is more specific. Salar Kamangar, Vice President of Product Management, once defined click fraud, “or invalid clicks, as any method used to artificially and/or maliciously generate clicks or page impressions.”


The Lawsuits
In May 2006, the following appeared on networkworld.com: “Google has agreed to settle a class action lawsuit brought against it over the issue of click fraud, which some industry experts believe could seriously threaten the company’s main source of revenue: pay-per-click advertising. Google will pay as much as $90 million to affected advertisers in attorneys’ fees and credits as part of the settlement.

“The case was filed in an Arkansas court against Google and other search engine operators and providers of pay-per-click ads, such as Yahoo and AOL. The lead plaintiff is Lane’s Gifts & Collectibles, which sells items such as dolls, figurines and teddy bears online, over the phone and by mail.” Now $90 million is material—refer to Schmidt’s comments alongside.

On Google’s official company blog, Nicole Wong, then associate general counsel at Google, wrote: “This agreement covers all advertisers who claim to have been charged but not reimbursed for invalid clicks dating from 2002 when we launched our ‘cost per click’ advertising program through the date the settlement is approved by the judge.”

It works the other way round, too. On 15 November 2004, Google filed a suit against an internet operation that it claimed “systematically” (from news.com) clicked on text ads. That case was amongst the first civil lawsuits to relate to click fraud. It charged that Texas-based Auctions Expert International signed up for a Google AdSense account, then “fraudulently clicked on the ads to profit from its pay-per-click system.”

Examples of invalid clicks, according to Kamangar, include manual clicks on an ad to purposefully increase the ad spend; deliberate clicks on an ad to increase profits by site owners hosting the ads; and clicks that arise from the use of automated clicking tools, bots, or other deceptive software.

The CEO
In May of 2005, Google CEO Eric Schmidt had said, in regards to click fraud, as reported by zdnet.com (emphasis placed by us): “One of the great technical challenges, which our computer scientists like, is detecting these at scale. We have been able to detect them, so it appears as though the problem, which I don’t think will ever go away, is both manageable and from a financial perspective at the company it’s not material.”

That was Google’s third lawsuit in the context of click fraud. But on 9 August 2006, at the Search Engine Strategies Conference, as reported by Google themselves at google.com, Schmidt was quizzed about click fraud by David Krane, then director of Corporate Communications at Google.

He had this to say: “As part of a litigation, which was settled, we produced a technical report which actually analysed this, which is now public information. We also have chosen to disclose what we estimate is the bad click rate on a per advertiser basis… I’ve also been misquoted by a number of people as somehow saying that this was not an important issue. It is an important issue that is under control. We have very good technical people. We have very good computers. We’re monitoring it. It’s not material to the company. It is important, and it’s not going to go away.

“It’s hard to know [the precise extent of click fraud] because we only know what we detect, but based on our estimates, the problem is manageable. And we have a lot of ways of detecting it, but I can’t make you an absolute guarantee, because you never really know.”

In other places, Schmidt has been reported as indicating that he didn’t think click fraud was a big deal in the long run. He is quoted as saying that the “perfect economic solution” to click fraud is “to let it happen.” This is perhaps what Schmidt was referring to when he said “I have been misquoted…”

Schmidt’s theory, as reported in July 2006 at blogs.zdnet.com: “Eventually, the price that the advertiser is willing to pay for the conversion will decline, because the advertiser will realise that these are bad clicks, in other words, the value of the ad declines, so over some amount of time, the system is in fact self-correcting. In fact, there is a perfect economic solution, which is to let it happen.”

We will not comment on Schmidt’s theory, but during that “eventually,” advertisers are paying for fraudulent clicks. Google gets “smarter” with each breach—at the cost of advertisers, of course.

And now, Manish Arora seems to have come up with something they haven’t gotten over yet...

Trying To Help
Arora is a security analyst. Google doesn’t seem to have been able to find a solution to his method of committing click fraud—which he has reported to Google, to no avail. It seems to us that Arora has been doing this with entirely benign intentions, but as a disclaimer, we must say that we cannot verify every single fact. However, from our interaction with him, we have little reason to believe that Arora ever had any intention of making money off AdSense.

We looked up the Net—in fact, we Googled a lot—to see if anything similar to what Manish did has been done before by anyone, and it hasn’t, to the best of our knowledge. That said, here’s the story.


Manish Arora, a security analyst who claims it’s very easy to make money off Google AdSense

Naturally, we can’t tell you how Arora’s “AdSense Crack”—our term—works; but here’s what happens. You have a blog. You sign up for an AdSense account; Google first “approves” your blog for the programme. Once they confirm that your blog is fit for an account, your account is activated, and the “Ads by Google” start appearing on your page.

And then, if you have Arora’s script (a set of commands that automate a task), you run it on your site—any site you own. You then send out mails to people you know, inviting them to visit—not your blog—but just about anything they’ll find interesting, like a YouTube video, or pics of yours, etc. Those people you mail don’t even need to know about the existence of your blog (where the AdSense ads are).

When they click on your links and watch, say, the video you linked to, Google credits your AdSense account!

Yes, you read that right—read it again for the full impact. The AdSense ads are on your blog; you send links to, say, videos, to people you know; they click and watch that video; and you get paid.

Arora can control the scene, as it were: if he chooses to, he can stop all activity by ceasing to send out his mails. Google’s bots detect the drop in click activity—and usually disable the account. Arora can then open a new account, and get back into “business.”

When he first created and ran his script, he “made” thousands of dollars—“made” is in quotes because he never actually took any of the money.

Google says he was lying, and that what he claimed is impossible. Now Arora also tells us he received gifts from Google—two, to be precise—one of which is pictured on this page. It’s not for us to decide if the picture has been doctored, but let’s just leave it at “We don’t know.”

In November 2006, Arora to Google: “I would be glad to provide you the complete mechanism, which will take one hour a day to produce thousands of dollars a month from Adsense. I would like to explain this model to any of your representatives.” And later the same month, from Google to Arora: “We’ve investigated your claim. At this point, all we can verify is that our automated systems terminated your accounts as a result of your trying to inflate the clicks. This is exactly how the system is designed to work. If (sic) supply us with the code and technical details of the method you mention below, we will investigate further.” That was Cory Altheide, Incident Response Lead, Google Security Team. We’ll have more to say about this later.

The Test
Arora’s “earnings” screenshot—which Google claims is doctored—is the first screenshot below. Then, we tested the script; it works like Arora claimed it would. (Second screenshot below.) Our account was disabled when Arora stopped sending out his e-mail invitations to click on his links.


“The total number of invalid clicks we detect—whether for suspected malicious or non-malicious intent—is in the single digit percentages”
Shuman Ghosemajumder, Business Product Manager for Trust And Safety, Google

To prove that he had full control, Arora started yet another account, into which money is still flowing. See on the previous page a slightly outdated screenshot of where the clicks are coming from. Make no mistake: this method—which involves a simple script and lots of connections to people—is powerful.

Naturally, we contacted Google and told them about how we had tested a certain click fraud script. Andrew Kovacs, a Google spokesman, got back and told us he’d like to speak with us. The only thing he asked us was, “When you ran the script, was it Manish Arora’s?”

Clearly, his is a name they’re familiar with.


A map, followed by country-wise figures, of what Arora claims is the report for September 2007 for his AdSense account

The Actual Rate…?
Click fraud happens all the time—it’s so easy. Some people quote it at a ridiculous high of 50 per cent; some say it is 10 per cent, some analysts quote figures in between. Shuman Ghosemajumder, Business Product Manager for Trust And Safety at Google, says… well, there’s a wee bit of controversy here. He has been quoted as saying that the click fraud rate is less than 2 per cent. But here’s how he clarifies what he actually said, at shumans.com:

A report of Arora’s earnings as of 18 December 2006 (his screenshot)

A report of our earnings in the AdSense account we used to try out Arora’s method

“… I never said that our click fraud rate is less than 2 per cent. Instead, what I said is that the quantity of invalid clicks which we detect as a result of reactive investigations is a ‘negligible proportion’ of the total number of invalid clicks. Andy (Beal) asked me if that percentage is less than 2%. I told him that I was not able to provide a bound, but yes, ‘negligible’ certainly means less than 2% of invalid clicks.

“So what is our overall ‘click fraud rate’? … it is virtually impossible to know the intent of every click. However, we can do a very effective job using statistical techniques to detect potentially malicious behavior, and the total number of invalid clicks we detect—whether for suspected malicious or non-malicious intent—is in the single digit percentages.”

(Andy Beal is a blogging and search engine marketing consultant. “Overall Click Fraud Rate” is commonly used to refer to the number of fraudulent clicks as a percentage of all clicks that happen, regardless of whether Google issues a refund or doesn’t bill, according to Danny Sullivan of searchengineland.com.)

Kovacs informs us: “Less than 0.02% of clicks that are billed to the advertiser turn out to be fraudulent.” That is consistent with a March 2007 claim by Google that less than 0.02% of all clicks slip past its filters and are caught after advertisers request reviews.

But there are plenty of things we can’t get into here—including the idea that there are sceptics who don’t like that figure. If you’re interested, you should visit http://tinyurl.com/yrh87l for a detailed explanation by Sullivan.

But The Questions…
There are a lot of these, and the answers are not entirely clear. Let’s take a look at all of them.

Q. Why has Google said Arora is lying?
Proposed answer: We don’t know. Arora could be lying. But then we tested his system ourselves and found that it works. Google categorically tells us it’s “impossible” for Arora to have “earned” how much he did, but there’s no explanation—while they could have given us one: Arora spelt out on his blog what he’d been doing.

Q. How can Digit be sure that Arora’s system works?
A. We’re referring to the fact that we “got” paid, as in, the money accrued in our AdSense account. However, would the clicks later have been detected as invalid, so that we wouldn’t have been paid? We asked Kovacs about this, and there has been no response.

Q. Is Google taking Digit seriously?
A. We believe so. Kovacs has been our point of contact; he invited us to speak to Ghosemajumder about the issue. In one e-mail, he said our questions were “top priority.”

Q. Is Google taking Arora seriously?
A. On the one hand, consider the alacrity with which Kovacs called us to ask if it was Arora’s script we had been using. He said they had “dealt” with him before. On the other hand, once we got into the details and began e-mailing him, there was only one concrete response. Why the reticence here?

Q. Why do they all say “that’s the way it’s supposed to work”?
A. (Our italics) Refer to what Cory Altheide said to Arora: “This is exactly how the system is designed to work.” Then here’s what Kovacs said to us in the last communication we received: “When we learn about fraudulent accounts we terminate them before the individuals earn any money. This is exactly how the system is designed to work.” Then, as we’ve asked earlier, would our clicks later have been detected as invalid—and would we have ended up not being paid? Why have we not received a response on this? And second, if everything is working “exactly the way it’s supposed to work,” why does click fraud occur at all?

Q. Finally, does Google have a mechanism in place to prevent activity of the type Arora claims to have been successful in doing?
A. We’re not sure. Kovacs says: “Do we have (sic) multiple ways to distinguish between clicks that originate on a site approved for AdSense and those that originate on other sites.” There’s no further explanation, and we have to ask: how did money come into our account? Were we to try and cash into it, would we have been told that our clicks were fake? It doesn’t seem that way to us, but we don’t know.

Something’s missing along the way.

The Moral Of The Story
So what’s our point? Just this: each time someone comes up with a new method to exploit a problem with AdSense, some people lose money. Each time, Google fortifies its defences, and it gets better. But the programme, therefore, is far from perfect. Did we mention that click fraud is the potential Google-killer?

And that is the reason we’re reporting this: it’s not just to say “someone found an exploitable loophole in AdSense.” It is to inform you of the fact that AdSense is far from perfect—and that we think Google should not underestimate the gravity of the situation. Will it need one more class action suit to wake Google up? Should it?

We certainly hope—in fact, we’re almost sure—that Google will find a way to patch the AdSense exploitation method that Arora has found. For the sake of all of us—so that Google remains what it is today, a benign giant, organising the world’s information.

But in this instance, they’re taking rather a long time to respond—we wish them Godspeed!