What is Click Fraud?
There are many possible causes and sources of fraudulent clicks. In most cases
they’re not actually performed by humans. Sure, you might have bitter
competitors clicking on each other’s ads here and there, but computer generated
traffic is really the major concern here. The proliferation of ad exchanges and
programmatic buying and selling has opened the door for bad guys to use various
stealth techniques such as botnets or a distributed network of compromised
servers to generate fake impressions and clicks. If the potential profits are
high enough for them they might even purchase cheap cloud servers from smaller
providers all around the world to generate their traffic.
The first step to detecting click fraud is actually to prevent it from occurring
in the first place. AdvertServe employs a collaborative blacklist that combines
data from our own research, third-party researchers and feedback collected from
our customers. The blacklist stops your ads from even being served to the bad
guys, so it not only prevents click fraud but impression fraud as well!
This is all happening in real-time too. If we or one of our customers detects
some fraudulent activity we can respond and push out a blacklist update to all
of our customers instantly. Now that’s what we call being proactive. It’s the
only way to stay ahead of the bad guys because they’re constantly switching
hosts, bouncing through different proxies and improving their methods.
How You Can Help
How can you help prevent impression and click fraud you might ask? Well, actually,
we’ve made it really easy for you to help out. Upon logging in to your AdvertServe
account you might some day happen to see a warning like the one in the following
What should you do? The first thing you should do is take a deep breath and
don’t panic because the situation isn’t bad at all. On the contrary, it’s
your chance to join in and help fight back!
First things first, click on the click here link to bring up the
Click Fraud Review Tool screen, which you can also access by going to
Tools > Fraud > Review from the main toolbar at any time.
What you’ll see will look like the following screen shot where we have 10
suspicious clicks to review.
The first thing you should notice is that these clicks all came from the same
IP address. This is the most common indicator of fraudulent activity. In fact,
the rank column shows the number of clicks for each given IP address to make this
easier to see.
Now, if you click on the IP address it will run an extended scan that checks
against some huge blacklists that we don’t include in our automated blacklist.
Then if you still aren’t sure you can click on the Whois Lookup and see who owns the
network range this IP address falls into. In this case the IP address was assigned to Global Crossing.
They are a large-scale bandwidth provider. The IP address was sub-leased by them to an enterprise
software company, which probably has some type of robot/spider running on their servers that generated
these clicks. That or their server was compromised and it’s participating in a botnet.
Take a step back and look at the UUID, which is the unique user ID that we
store in a cookie for each visitor. Notice each click has a different UUID.
This tells me that the bot in this case is not sophisticated enough to send
and receive cookies.
The next thing you want to look at is language. Many lazy bad guys forget to specify
an Accept-Language header in their bots. In such cases the language will
be detected as unknown so watch out for that.
Then we have the User-Agent, which identifies the operating system and web browser
that supposedly performed the click. Now let’s look at this one here. We got
clicks from visitors using IE 4 and IE 5 on Windows 95 and 98? Seriously, this is 2014
and NOBODY is using those any more. Why the bad guys continue to use garbage like this
for their fake User-Agents is beyond me, but it sure makes our job easier so I’m not
Finally, we have the referrer and in this case we can see all of the bad clicks
came through AppNexus’s ad exchange. No surprise there. Seriously, the majority
of bad stuff you’re going to see will come through an exchange.
So, if you agree with me that these clicks look fraudulent, select all of them and
then press the Delete Selected button. It will take a little time to delete
them. The reports may also take a little longer to update, so don’t panic if you
don’t immediately see the changes reflected in your reports.
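The checks from the walk-through above (clicks per IP, a new UUID on every click, unknown language, obsolete User-Agent, referrer) can also be run over a click log in bulk. The Python below is an added example, not AdvertServe code; the record layout, the sample clicks, the flag names and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

OBSOLETE_UA = re.compile(r"MSIE [45]\.|Windows 9[58]")  # IE 4/5, Windows 95/98
MIN_RANK = 3  # assumed threshold for "many clicks from one IP"

# Constructed sample clicks: (ip, uuid cookie, Accept-Language, User-Agent, referrer)
CLICKS = [
    ("198.51.100.7", "u-01", "", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)", "http://exchange.example/a"),
    ("198.51.100.7", "u-02", "", "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)", "http://exchange.example/b"),
    ("198.51.100.7", "u-03", "", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)", "http://exchange.example/c"),
    ("203.0.113.20", "u-77", "en-US", "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0", "http://news.example/story"),
    ("203.0.113.20", "u-77", "en-US", "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0", "http://news.example/sports"),
]

def review(clicks, min_rank=MIN_RANK):
    """Group clicks by IP and return {ip: report} with the indicators above."""
    by_ip = defaultdict(list)
    for click in clicks:
        by_ip[click[0]].append(click)
    reports = {}
    for ip, rows in by_ip.items():
        rank = len(rows)  # same idea as the rank column: clicks per IP
        uuids = {r[1] for r in rows}
        flags = []
        if rank >= min_rank:
            flags.append("repeated_ip")
        if rank > 1 and len(uuids) == rank:
            flags.append("new_uuid_every_click")  # client is not returning cookies
        if any(not r[2].strip() for r in rows):
            flags.append("unknown_language")  # no Accept-Language header sent
        if any(OBSOLETE_UA.search(r[3]) for r in rows):
            flags.append("obsolete_user_agent")
        hosts = sorted({urlparse(r[4]).hostname or "" for r in rows})
        reports[ip] = {"rank": rank, "flags": flags, "referrer_hosts": hosts}
    return reports

def suspicious(reports, min_flags=3):
    """IPs showing several indicators at once; one flag alone is weak evidence."""
    return sorted(ip for ip, r in reports.items() if len(r["flags"]) >= min_flags)

if __name__ == "__main__":
    for ip, report in review(CLICKS).items():
        print(ip, report)
```

Requiring several indicators together keeps a single odd header or a returning visitor with one stable UUID from being flagged alone.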
Once in a while we might detect some clicks as fraudulent that we shouldn’t have, but it’s pretty rare
since we only have a 0.57% false positive rate on average.
Most commonly these are clicks by you or some of your employees testing ads on your live web site.
There’s an easy fix for that. Simply go to Settings > Basic > Server and enter
your IP addresses into the Filtering section so your clicks aren’t counted.
Some mobile traffic may get detected as fraudulent if too many users behind the same proxy
are clicking ads around the same time. While this is rare it does happen. You can tell
when this happens because all of the User-Agents will be different mobile devices. Of
course, check the whois reports too and they’ll usually say AT&T or Verizon owns that IP
We hope that you never get hit with click fraud and we’re doing everything we possibly
can with our blacklist to ensure that. If you do get hit with some activity, hopefully
you’re now a little more prepared to deal with it. As always though, if you need our help
sorting it out just let us know!