Click fraud is more than just a marketing problem. It presents a real security risk to your organization, experts say. CIOs need to know their enemy.

The ancient Chinese military strategy guide The Art of War says that if you want to have a chance of prevailing in battle, you need to know your enemy. It’s good advice for the battlefield, and it’s also good advice if you want to beat hackers in their constant attempts to take over your network.

But in order to know these hackers you need to understand their motivations, and in many cases those motivations may not be what you expect. That’s according to Dan Kaminsky, the security expert who discovered a fundamental flaw in the Internet’s Domain Name System (DNS) protocol in 2008 and who discovered flaws in the widely used SSL protocol a year later. Kaminsky is a frequent speaker at Black Hat Briefings, and now works as Chief Scientist at White Ops, a security firm specializing in detecting bot and malware fraud.

Cashing out compromised machines

“If you are a CIO you must ask why people are breaking in to your network. The answer is to get your data — eventually. But initially it is to defraud advertisers,” Kaminsky says. “The major motivator for hackers is to commit click fraud as it provides a way to cash out a compromised machine. Only once they have done that will they look at what else they can do with the machine.”

As companies catch on that a given machine is responsible for click fraud, that machine’s ability to generate cash for the fraudsters drops dramatically until it has no further use to them. It’s at that point that access to the compromised machine will be sold off to someone else to exploit, with servers in large enterprises commanding far higher prices than compromised run-of-the-mill consumer machines.

“There is a whole ecosystem out there,” says Kaminsky. “One guy finds vulnerabilities, one guy deploys them, and then there are the guys who buy (compromised machines) afterwards and do all kinds of things with them.” This, Kaminsky says, includes corporate data theft and the full gamut of other crimes.

No obvious victims

That leads to an interesting question about who the victims of click fraud really are, and Kaminsky says that it’s not immediately obvious. “When you rob a bank, people are angry. But when you rob an advertiser, their numbers are up, so they are happy,” he says. Many direct marketers also take the attitude that a certain amount of click fraud is factored into the price that they pay, so they may not be unduly worried or feel they are victims. In fact, on the advertising side very few people get angry, Kaminsky says.

But aside from the advertisers that have been defrauded, the other victims are the CIOs of large companies, says Kaminsky. “They are the victims as they are the people whose machines are taken over,” he says. “If you are a CIO and your job is to protect the network, click fraud is the cause of a major class of threat that you have to deal with.”

How click fraud works

Hackers can carry out click fraud in two ways. The first is to set up a website that is never intended to be viewed by humans and populate it with “word salad,” meaningless content made up of random words. These sites are filled with ads that are placed through automated ad exchanges, and the hackers then point their botnets at the site to generate clicks and “earn” advertising revenue.

The second way is simply to wait for a real site owner to contact them and pay to send a certain amount of bot traffic to their site. “A site owner may have sold a million hits to advertisers but only got a quarter of that. Do they give the money back? Never!” says Kaminsky. “They will call someone with a botnet and the site will get those extra three quarters of a million hits,” he explains.

Click fraud fuels malvertising

To build botnets to carry out ad fraud, hackers need to compromise a steady stream of new machines to replace those that are no longer effective. To do this they are increasingly turning to malvertising: placing advertisements containing malware that infects viewers onto well known, reputable web sites, according to Kelley Mak, an analyst at Forrester Research.

“Malvertising will either deliver ransomware or compromise the machine and recruit it to a botnet,” Mak says. “Malvertising is fuelled by click fraud because a malicious ad can recruit the new bots hackers need, and malvertising is cheap if all you are trying to do is infect people, not actually sell them something.”

Hackers are more likely to use malvertising to recruit bots for click fraud rather than to deposit ransomware on a machine, Mak believes. One reason is that it’s easier to generate money from click fraud, but, more importantly, there’s also much less risk involved for the hackers. “People hit by click fraud will probably not try and enlist the help of a government agency — they are more likely just to try and block bots, so the risk is substantially lower,” he explains.

Threat to the Internet

There’s little doubt that click fraud represents a major headache for CIOs and their security teams, but Kaminsky believes that this type of hacker activity harms businesses in a more fundamental way: it plunges the economics of the Internet as a business tool into doubt.

“The entire ecosystem is threatened by click fraud,” he says. “Why? Because it costs money to build the web, and if money is being siphoned off by people who aren’t building it, then legitimate businesses have to work harder and harder for less and less.”

$7.2 billion problem

In terms of the scale of the click fraud problem, evidence suggests it’s a multi-billion dollar business. The 2015 Bot Baseline Study into fraud in digital advertising carried out by the Association of National Advertisers and White Ops found that click fraud will likely cost companies around the world a total of $7.2 billion in 2016, with advertisers unwittingly paying out an average of $10 million to fraudsters during the year. When it comes to the proportion of the clicks that are fraudulent, the study says advertisers were defrauded between 3 percent and 37 percent of the time.

So what can CIOs do to minimize the risk that an infected machine committing click fraud may be lurking on their networks? Kaminsky recommends keeping a close eye on the traffic generated by machines on the corporate network, and in particular monitoring DNS traffic. “No-one monitors DNS enough, but there are identifiable C&C (command and control) domains,” he says. “The benefit of monitoring DNS is that the info flow is relatively small, so the relative value of any data you analyze is high.” He also recommends encouraging marketing departments to use specialist click fraud protection software, such as that sold by his employer White Ops as well as competitors PPCSecure and Distil Networks.
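The DNS monitoring Kaminsky recommends can start as a small script over resolver query logs. The following is an added example, not code from the article or from White Ops; the log format, the blocklist entries and the IP addresses are constructed assumptions.

```python
# Added example: flag internal hosts whose DNS queries hit known C&C domains.
# Assumed log format: "<timestamp> <client_ip> <qtype> <qname>", in time order.

# Constructed blocklist using reserved example domains, standing in for a real feed.
CNC_DOMAINS = {"cnc-panel.example", "clickjobs.example.net"}

# Constructed sample of resolver query log lines.
SAMPLE_LOG = """\
2016-03-01T09:00:01Z 10.0.4.17 A www.example.com.
2016-03-01T09:00:05Z 10.0.4.23 A update.CNC-Panel.example.
2016-03-01T09:00:09Z 10.0.4.17 A notcnc-panel.example.
2016-03-01T09:01:12Z 10.0.4.23 A cnc-panel.example.
2016-03-01T09:02:40Z 10.0.4.52 AAAA ads.clickjobs.example.net.
malformed line
2016-03-01T09:03:02Z 10.0.4.23 A clickjobs.example.net.
"""

def matched_cnc(qname, blocklist=CNC_DOMAINS):
    """Return the blocklisted domain that qname equals or sits under, else None.

    Matching is done on whole DNS labels, so "notcnc-panel.example" does not
    match "cnc-panel.example" the way a naive suffix test would.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def flag_hosts(log_text, blocklist=CNC_DOMAINS):
    """Map client IP -> hit count, matched domains and first-seen timestamp."""
    report = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _qtype, qname = fields
        domain = matched_cnc(qname, blocklist)
        if domain is None:
            continue
        entry = report.setdefault(
            client, {"queries": 0, "domains": set(), "first_seen": timestamp})
        entry["queries"] += 1
        entry["domains"].add(domain)
    return report

if __name__ == "__main__":
    for client, entry in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(client, entry["queries"], sorted(entry["domains"]), entry["first_seen"])
```

A host that appears in the report with several distinct C&C domains, like 10.0.4.23 in the sample, is the first one to pull for investigation.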