Vital+Vectors

Is Click Fraud Funding Terrorism?

synopsis

This article examines the links between online advertising through large US corporations and the practice of click fraud. Foreign nationals appear to be using American companies to defraud legitimate advertisers and funnel money to unknown individuals or groups in the Middle East.

content

How click fraud works

Whenever you advertise online, you hope that your dollars are well spent. You believe that large corporations have technology in place to ensure that you’re not being defrauded. You may even have your own system that tries to detect automated clicks, or robots, trying to drain your ad account.

All of that is well and good — but what if there was a way to steal your money using real people? What if I could pay someone 13¢ to steal $3 from you over and over?

Well, there is. That’s the exact premise behind click fraud using crowdsourced microworkers.

Click fraud may be financing terrorism and our own misery.
Click fraud may be financing terrorism and our own misery. Image by BaneStudios

There are websites where you can hire microworkers from all over the world to perform small tasks like searching and clicking on websites and ads.

Because microworkers are real people on real computers performing real searches for small sums of money, there is no way for your automated systems to spot and eliminate this fraudulent activity. They click and you pay. It’s that simple. The money is then neatly funneled into the fraudster’s account and you’re none the wiser.

Let’s take a look at a real-world example of how this is being done as of the publishing date of this article.

Real world example of personal injury lawyers being defrauded

The examples below are screenshots outlining the microworker process used to conduct searches and clicks on lawyer advertising. The reason the fraudsters are targeting this industry is because it’s a very competitive field with high cost-per-click (CPC) prices.

The scammer is able to pay his workers pennies in order to steal dollars. This kind of click fraud is also called search arbitrage. Traditionally it could, and still is, being done by paying a little money for ads which then result in higher payouts from the ad clicks on the hosting site. The advertiser then makes the difference on the spread between what he paid and what he got for the ad click on his site.

The difference between arbitrage and click fraud is that the workers in this example have no interest in obtaining legal services, and are only performing the action in order to be paid for the activity of clicking. It’s plain robbery.

A Microworkers task requesting people to search for key terms on a site and click on the displayed ads. Note that the criminal is requesting traffic from only English speaking western countries in order to maximize his take. Also note that the website is not placed in the task but is actually an image file showing the website address.
A microworker's task requesting people to search for key terms on a site and click on the displayed ads. Note that the criminal is requesting traffic from only English speaking western countries in order to maximize his take. Also note that the website is not placed in the task but is actually an image file showing the website address.
The image resulting from clicking on the Microworkers task showing the URL for the fraudulent website getcar.org. It's being hosted by the Russian search engine Yandex. Probably to further insulate the criminal from discovery and liability.
The image resulting from clicking on the microworker's task showing the URL for the fraudulent website getcar.org. It's being hosted by the Russian search engine Yandex. Probably to further insulate the criminal from discovery and liability.
Search result page on getcar.org showing advertisements from Australian lawyers. Conducting the search from a US IP address brings up US companies. Canadian searches show Canadian ads and so on.
Search result page on getcar.org showing advertisements from Australian lawyers. Conducting the search from a US IP address brings up US companies. Canadian searches show Canadian ads and so on.
A second click fraud task request. This one asks the user to click on the related links on the website. Again, we see that the actual website address is masked by an image.
A second click fraud task request. This one asks the user to click on the related links on the website. Again, we see that the actual website address is masked by an image.
The image showing the website the criminal wants the Microworkers to click on: asiamesothelioma.com
The image showing the website the criminal wants the microworkers to click on: asiamesothelioma.com
Click fraud website asiamesothelioma.com showing ads from health insurance companies and various other corporations. The user is requested to click the ad and then paste the URL of the sites he clicked on. Every ad click makes money for this website owner.
Click fraud website asiamesothelioma.com showing ads from health insurance companies and various other corporations. The user is requested to click the ad and then paste the URL of the sites he clicked on. Every ad click makes money for this website owner.
Rapidworker click fraud request. The site in question is being shown through a bit.ly link in order to prevent detection by Godaddy's, or Google's spam detection measures.
Rapidworker click fraud request. The site in question is being shown through a bit.ly link in order to prevent detection by Godaddy's, or Google's spam detection measures.
The Turkish site that showcases the click fraud site after the worker clicks on the Rapidworker fraud task. The worker is to click on www.globinsurance.info.
The Turkish site that showcases the click fraud site after the worker clicks on the Rapidworker fraud task. The worker is to click on www.globinsurance.info.
The Globinsurance.info Godaddy CashParking website showing ads for insurance companies which are being defrauded.
Globinsurance.info Godaddy CashParking website showing ads for insurance companies which are being defrauded.
The Godaddy CashParking account ID in the source code of globinsurance.info.
The Godaddy CashParking account ID in the source code of globinsurance.info.

US corporations are enabling fraudulent online theft from Australian and American companies

The scam highlighted above is being done through a service from Godaddy that allows domain name owners to monetize their unused website addresses. The service is called CashParking. Their FAQ describes the service as this:

CashParking® is a service that lets you earn money on your parked domain names. If you associate your domains with your CashParking account, our advertising partner places context-relevant advertisements on your page. Each time a visitor clicks a displayed advertisement, you receive a share of the generated click-through revenue based on your CashParking plan (60% to 80% of the generated revenue). The amount you receive and the price you pay for the CashParking service depends on the plan you select. You can add an unlimited number of domains to your CashParking account.

Parked domains are domains that display a temporary web page when someone enters your domain name in a web browser.

The advertisers on these pages are served primarily by Google and other affiliates of Godaddy. Below is a screenshot of a chat session where a Godaddy employee confirmed that the ads are being served by Google.

This is the source code from asiamesothelioma.com. You don't need to understand coding to see a few key things. Note the URL to the google.com Adsense website script near the top. Further down the page you see a second link from casalemedia.com. They are a second tier ad platform presumably serving remnant traffic ads known as RTB ads. The highlighted area at the bottom is the Godaddy script showing the criminals ID from Godaddy's CashParking service.
This is the source code from asiamesothelioma.com. You don't need to understand coding to see a few key things. Note the URL to the google.com Adsense website script near the top. Further down the page you see a second link from casalemedia.com. They are a second tier ad platform presumably serving remnant traffic ads known as RTB ads. The highlighted area at the bottom is the Godaddy script showing the criminals ID from Godaddy's CashParking service.
Live chat where a Godaddy employee confirms the advertising is being served by Google.
Live chat where a Godaddy employee confirms the advertising is being served by Google.

What this means for you as an advertiser is that if you’re paying to serve ads through Google’s search network, you’re likely being exposed to this kind of potential theft.

Since there are other advertising sources involved, it’s unclear exactly where you can advertise safely. Any online ad service that serves ads through these CashParking pages are susceptible to this kind of online theft.

This isn’t to say that these US corporations are aware of what’s going on. But the question has to be asked: are they profiting from this activity on purpose? It’s impossible to know for sure. We use Godaddy services and we’d like to think that they are simply not aware of what is happening in the underground world of blackhat click fraud.

Who is stealing your money?

The plot thickened as we dug deeper into the ownership status of the domains behind the scam.

The ownership details for the websites lead to an address in Turkey. The satellite imagery for the address shows an empty lot.

Full WHOIS record for getcar.org showing the ownership details and address in Turkey. The name appears to be fake since it is actually the name of a neighbourhood in the Turkish city. The DNS info further confirms that this is a CashParking website hosted by Godaddy.
Full WHOIS record for getcar.org showing the ownership details and address in Turkey. The name appears to be fake since it is actually the name of a neighbourhood in the Turkish city. The DNS info further confirms that this is a CashParking website hosted by Godaddy.
Additional click fraud domains owned by the same individual that owns getcar.org.
Additional click fraud domains owned by the same individual that owns getcar.org.
The physical address location identified by investigating the criminal's other domain holdings. The address is an empty lot in Turkey.
The physical address location identified by investigating the criminal's other domain holdings. The address is an empty lot in Turkey.

If we follow the apparent money trail, it goes like this:

  1. Two US corporations are serving ads from global businesses including Australian lawyers and US insurance companies.
  2. Those companies pay the corporations for the ad clicks.
  3. The US corporations then send the money to an undisclosed individual in Turkey.
  4. Once the stolen money arrives in Turkey, it’s anyone’s guess where it goes.

While we’d like to think that the fraudster is simply enjoying his ill gotten gains with a fast car and some delicious Turkish baklava, it’s just as easily converted to cash and transported across the Syrian border to the terrorist groups operating in the area.

If a vacant lot in a foreign country can be used to steal money this easily, the question is why are these large corporations not applying better corporate governance in validating their users’ details?

Why it seems like fraud protection is failing

At about this stage you may be thinking that Godaddy and Google already have fraud protection in place. In fact if you ask them, they would likely tell you all about the stringent measures they use to protect your advertising dollars.

The reason we believe the systems are failing is because of the money in play.

If you understand how criminals work, you understand that they are very good businessmen. Even if you don’t have an understanding of business, you can understand that if a person is not making money with an activity that costs money, that activity is not sustainable. The person would eventually run out of cash, and credit, and would have to stop.

The obvious reason behind our belief that the anti-fraud measure don’t work is simple. The websites above are still actively showing ads. This means that the advertiser's account was not banned. The Microworkers and Rapidworker tasks are active, and we can get paid from running the task. This means that the criminals have money to pay the workers.

Since the account is active, the scam is active, and there is money in play, it seems highly unlikely that any of the fraud mechanisms were effective in curbing this particular scam.

How you can protect yourself from click fraud

Click fraud is a complex topic that would need a series of full articles to discuss in depth. Without getting into the full details of the topic itself, here are some simple things you can do to protect your business against this kind of criminal activity.

Eliminate Google’s search network ads

The first step in protecting yourself is to eliminate all Search Network traffic in Google Adwords. Sites in the Search Network partner with Google to show ads. The examples above are such sites.

Start your advertising campaign by only advertising in Google Search directly until you can put phase two into place. Google Search ads are what you see after you type in a search term in the search engine and get the results page. Because only Google makes money from Google Search ads, you remove the financial incentive for the criminals from the equation. If the conmen don’t have a source of capital, they have no reason to pay workers to click on ads that only make Google money.

Run trackable direct-response ads instead of brand ads

The second step is to start running direct response ads instead of brand ads. Brand advertising is based around exposing people to your business name, or products, without asking the user to take direct action.

In contrast, direct response advertising asks people to take an action on the page which can be tracked and optimized. This action can be anything from filling out your contact form to downloading a free whitepaper, or starting a trial of your service. Any action that can be tracked gives you usable data for phase three.

There is something else called affiliate fraud which involves paying people to fill out your form, but as long as you’re not paying affiliate commissions, you’re safe from that activity. Perhaps we’ll tackle that subject in another article.

Track all activity from your advertising sources and eliminate what’s not working

Now that you’ve set up direct response ads, you can begin adding additional ad sources that are tracked and evaluated in real time.

To do this, you’ll need to set up proper tracking in your Analytics account or other ad monitoring tools. You can start turning on selective traffic sources and evaluating if they convert. If you have a solid direct response offer in place, you will know which sites are sending legitimate traffic and which sites are scams. You eliminate the ad sources that aren’t converting and put your money into the sites that give you real leads, which turn into cash for your business. Any ad source that is ROI positive, you then invest more into.

The key to this is constant vigilance. You need to stay on top of your ads on an ongoing basis — continue to optimize and find new sources that work for your offer. Then wash, rinse, repeat.

Why click fraud is bad for the economy and what corporations could do

Click fraud is like a series of hands reaching into the proverbial economic pocket and pulling money out to be relocated abroad.

It takes cash away from legitimate businesses and cripples them from being able to thrive and create jobs. Because the technology behind the ad services is largely mechanical, even the money the big companies are making is not necessarily reflected proportionally in job creation. Smaller businesses are defrauded on a large scale, which directly impacts local communities.

We admit that this kind of criminal activity is extremely difficult to combat. It would be impossible to eliminate the IP addresses of the real people performing the tasks. The reason is that they’re not defrauding 100% of the time. The microworkers are like you and me. They surf the internet legitimately when they’re not “working” for the crowdsourcing companies. That means that their cookies, user activity, and all other footprints, are legitimate. That’s the reason that the scam works so well.

This doesn’t mean that Godaddy, or Google, are helpless. One key area of governance that’s being overlooked is the validation and certification of the domains. It’s fairly clear to see that the Whois information for the sites is fake. Validating the domain ownership for a company that’s the largest domain registrar in the world should be very achievable.

Criminals are bold because they can hide. If Godaddy, Google, Bing, and all their other ad partners made sure that they’re doing business with real people that are accountable for their activities, the internet would be a much better and safer place. We would also all be a lot more prosperous because advertising spend would return more efficient results with a higher profit for the advertiser. This would then lead to job creation and more legitimate advertising. Everyone would win.

author

:

© 2018 Vital+Vectors by PepperVox PTY LTD

disclaimer

:

The material on vitalvectors.com is produced by Vital+Vectors. It is intended to provide general information in summary form on relevant topics, current at the time of first publication. The contents do not constitute advice and should not be relied upon as such. Formal advice should be sought in particular matters.

The information and views set out in this article are those of the author(s) and do not necessarily reflect the official opinion of the PepperVox Pty Ltd trading as VitalVectors.com. Neither PepperVox Pty Ltd nor any person acting on their behalf may be held responsible for the use which may be made of the information contained therein.

Reproduction is authorized provided the source is acknowledged.