Click fraud continues to be a major threat to the PPC ad model; make no mistake about it. An Outsell survey conducted last year reports that click fraud amounts to an estimated $1.3 billion, causing approximately 27 percent of advertisers to cut back on PPC campaigns or eliminate them altogether.

Some experts report that click fraud accounts for as much as 20 percent of the PPC clicks, while others estimate the fraud rate at 14 percent. Google claims estimates are overblown and asserts that click-fraud auditing firms use methodologies that inflate click fraud rates. Regardless of who's right, publishers have reported a drop in AdSense revenues due to a mistrust of PPC advertising.

CPA Model Alternative

Google is testing a cost-per-action (CPA) ad model where marketers pay a fee only when users perform the desired action (sale, subscription, download, etc.). While Google does not have serious concerns over click fraud, it wants to give advertisers more options and provide its publisher network with an additional means to earn revenue through AdSense. The CPA ads will be displayed on a different network (Content Referral Network) than the PPC ads.

Bill Gross introduced the CPA model on SNAP because he believes it is the only way to eliminate click fraud. SNAP CEO Tom McGovern believes other engines will embrace this model eventually because advertisers pay only for results.

Lack of Transparency Enables Click Fraud

Click fraud is difficult to document once identified. A major obstacle to tracking click fraud is the lack of transparency in the click fraud billing and tracking process. This lack of transparency on the part of major PPC providers is bizarre. Imagine your cell phone provider sticking you with a $20,000 bill and refusing to provide itemized billing for your calls. Yet, the major PPC providers defend this view.

Google Product Manager Shuman Ghosemajumder has stated, "Google is examining ways to make its fraud-fighting efforts more transparent without revealing crucial information that might help swindlers elude detection."

In the Auditing Paid Listings and Click Fraud Issues session at SES New York last year, Yahoo stated that it evaluates clicks along 20 to 50 data points, mentioning a few but not providing definitive information.

The argument that providing itemized per-click billing would disclose the inner workings of the PPC providers' anti-fraud system to the bad guys is foolhardy. Chances are the bad guys are already a step ahead.

At first search engines were dragging their feet on this issue. However, Google started providing advertisers with the number of invalid clicks on their ads last fall. Additionally, the IAB and Media Rating Council formed a Click Measurement Group to create Click Measurement Guidelines with cooperation from Google, Yahoo, Microsoft, Ask and LookSmart. These are both steps in the right direction, but the worst may be yet to come.

Invasion of the Botnets

I had the opportunity to speak with Dmitri Eroshenko, founder of Clicklab.com, an Internet marketing services company specializing in web analytics and click fraud audit. Eroshenko is known as a leading ecommerce efficiency expert who has written extensively on subjects such as PPC advertising, web metrics, click fraud and maximizing marketing ROI.

I asked Eroshenko what his single largest concern regarding click fraud is today. "The worst threat is currently coming from botnets. Botnet masters may have tens of thousands of zombie PCs on their networks. They can afford to use each PC only once in a lifetime (i.e., no repeat clicks whatsoever). Such a threat can only be stopped on the botnet level. It can not be detected by either search engines or on the advertiser side."

Runaway Crime Bots

Botnets are used as a weapon in online crime. From spam, phishing attacks, virus propagation, and now click fraud, these networks are an increasing threat to the Internet.

Symantec's third quarter 2006 Internet Security Threat Report identified increased use of click fraud and other evasive tactics by attackers, stating, "widespread internet worms have given way to smaller, more targeted attacks focusing on fraud, data theft, and criminal activity." The U.S. accounts for 26 percent of the world's bot-infected computers, higher than any other country.

Dealing with botnets is not an easy task because these networks are an illegal collection of hundreds, thousands, tens of thousands or even hundreds of thousands of compromised computers all being controlled with a common infrastructure by a master crook. One botnet in Holland was reported to consist of 1.5 million machines all under one group's control.

Defending Against Botnet Click Fraud

It is difficult to defend against a botnet attack because it requires complex tracking and research on how these armies of PCs communicate and how they receive their instructions from their botnet masters. Instructions from the masters direct the bots to various URL addresses that post AdSense or Yahoo Publisher Network contextual ads on their sites, and the bots click away.

There are informal voluntary groups as well as commercial companies that identify and track botnets. One method of detecting and responding to malicious network traffic is to implement a virtual honeypot (a software program designed to emulate a functioning network but is actually a decoy built to be probed and attacked by malicious users). Honeynets are set-up in laboratory PCs with botnet instructions. They collect lists of infected IP addresses and can cross-reference them; however, there is no current technology to detect the botnet clicks. The Honeynet Project, a volunteer organization dedicated to improving Internet security, states, "One of the challenges we are facing is the complexity of attackers and threats today. Several years ago it was relatively easy to capture and analyze cyber threats. You simply stuck out a honeypot and the bad guys came. Nowadays they use a variety of multiple vectors, advanced tools, and are always adapting and changing."

Internet security company Panda Software, working with RSA Security, recently reported dismantling a botnet control system threatening a pay-per-click provider's contextual network. The bot network was comprised of over 50,000 zombie computers infected by Clickbot-A, which was controlled remotely. The joint effort resulted in the detection and neutralization of a sophisticated online fraud attack. The ad network affected was not identified, but most likely it was Google AdSense or Yahoo Publisher Network. There are a number of click fraud service vendors doing this kind of work, including Alchemist Media, Click Assurance, Click Defense and Click Forensics, to name a few.

Fighting Click Fraud

For some advertisers, the return on investment is enough. This is the cornerstone that has kept PPC from collapsing overnight. Some companies receive 80 to 90 percent of their revenue from PPC so obviously they are not complaining about click fraud. They consider it the cost of doing business and are content to skim the cream off the top.

If you are not one of these companies, what can you do about click fraud? At the very least, install web analytics capabilities to track and monitor conversions and other key indicators that can reveal suspicious trends. If you track click fraud yourself, it can be tedious and time consuming. One solution is to outsource to a click fraud prevention agency. If you do search marketing through an interactive agency or search marketing vendor, these firms will usually provide tools and/or analytics for the detection of click fraud.

Discuss this article in the Small Business Ideas forum.