Google Dissects a Clickbot, And Discusses The Cost Of Click Fraud

The Clickbot.A botnet described in the paper consisted of 100,000 machines when analyzed in June 2006, and Google's potential click fraud cost was put at approximately $50,000.
By Thomas Claburn
InformationWeek
Apr 12, 2007 09:00 AM

Over the past year, Google has been reaching out to the media and the public to allay fears that click fraud represents a serious threat to its business. Its executives have repeatedly said the problem is under control and not significant for Google. Its engineers have released internal statistics, previously withheld, in support of that contention and published blog posts attacking the statistics and credibility of click fraud auditing companies. They have also added click fraud reporting tools to Google's AdWords advertising service.

Google on Tuesday published "The Anatomy of Clickbot.A," an analysis of malicious software used to commit click fraud. Despite Google CEO Eric Schmidt's past insistence that click fraud is "immaterial," the paper argues that more needs to be done to protect search engines and computers in general against botnet attacks.

"We believe that it is important to disclose the details of how such botnets work to help the security community, in general, build better defenses," the paper states, adding that Google identified and invalidated all the clicks originating from the Clickbot.A botnet in question.

The particular Clickbot.A botnet described in the paper consisted of 100,000 machines when analyzed in June 2006. The Clickbot.A software was designed to conduct "a low-noise click fraud attack against syndicated search engines." The authors of the paper, Neil Daswani and Michael Stoppelman, put Google's potential click fraud cost at approximately $50,000.

A Google spokesperson was not immediately available to clarify whether this potential cost might be incurred daily, weekly, monthly, or otherwise. But even if that's a possible daily loss, costing some $18 million annually, it's hardly a significant figure for a company with Google's revenue.

"It's unclear as to whether or not botnet-based click fraud is as profitable as keylogging and other applications of botnets," the paper states. "Having a botnet log all keystrokes, including passwords used to login to online banking sites, may allow a bot operator to obtain some average dollar profit per compromised machine. On the other hand, the bot operator could attempt to make that amount of profit by having a bot simply click on ads."

But even if click fraud is less profitable than electronic bank robbery, it probably carries a much lower risk of investigation and imprisonment.

The paper concludes that search engines need to investigate botnets, that ISPs need to better protect Web hosting customers, and that malware detection rates need to be improved. It calls for Web businesses to encourage customers to use anti-virus software and for security researchers and corporate IT departments to share more security-related data. And with the publication of this paper, Google appears to be leading by example.