Web Ads Present New Front in Hacker Wars

The rise of "pay-per-click" online advertising, celebrated for turning Google Inc. and Yahoo Inc. into enormous businesses, is proving a boon for cyberthieves.

Hackers are using increasingly sophisticated computer programs to automate phony clicks on Internet ads and then hide the click fraud from detection. This threat, though still small, poses a challenge for Google, Yahoo and other Internet companies that sell pay-per-click ads and need to assure advertisers that they are paying for legitimate clicks from potential customers.

A catalyst has been the explosion of "bots" – malicious software that hackers sneak onto thousands of home computers and network together into huge "botnets." The click-fraud programs can be changed quickly, making it easier for them to evade security software and to be customized for different fraud schemes.

Botnets are most commonly used to attack and shut down Web sites with floods of bogus traffic, often as part of extortion schemes, or to steal personal information for use in identity-theft scams.

But "bot masters" have also discovered pay-per-click advertising, in which advertisers pay anywhere from a few cents to $10 or more each time a consumer clicks on a keyword-generated ad. With bogus clicks, bots can help shady Web-site owners boost revenue from advertisers or aid businesses trying to drain competitors' ad budgets.

"We certainly are seeing that as the [pay-per-click] industry gets more sophisticated and fraudsters get more sophisticated that there are an increasing number of botnets," says Shuman Ghosemajumder, product manager for trust and safety at Google. But he said Google believes it has effective techniques to combat them.

That view is echoed by Yahoo. "We've always seen this as a challenge, but we've always seen this as a manageable one," Yahoo spokeswoman Gaude Paez said.

Security experts say click fraud remains a minor component of overall botnet activity, likely less than 5%. However, the allure of the pay-per-click advertising boom and the opportunity that bots offer to automate clicks in hard-to-detect ways provide reasons for worry.

"We do expect to see an increase over time," says Ken Dunham, a director of the Rapid Response Team at VeriSign Inc.'s iDefense unit. More "mature" criminal schemes, such as stealing personal information, remain hackers' prime focus, he said, but "every time we see some new venue where money can be made, you see fraud follow."

Last month, Panda Software International SL, a security-software maker in Bilbao, Spain, discovered a botnet designed solely for click fraud that targeted Google ads. The network grew to include more than 100,000 PCs – probably by luring unwitting home users to Web sites where the bot program was downloaded.

Panda and partner RSA Security Inc. dismantled its control system about a week ago. "It's a well-designed piece of software," Patrick Hinojosa, Panda's chief technology officer, said, "It's programmed to click and to obfuscate the machines that are doing it." Google and Yahoo both said they are aware of the botnet but declined to discuss the case.

It is unclear who profited from the scam, but the bot master, who appears to be in Russia, could have generated clicks for favored Web sites, according to Nicholas Albright, founder of Shadowserver.org, a volunteer group of security professionals that fights botnets.

How much of the click-fraud problem can be traced to botnets or to other methods such as "click farms," where cheap offshore workers manually click on ads, is unclear. Google and Yahoo declined to provide estimates.

They also declined to quantify the size of the click-fraud problem. Google's Mr. Ghosemajumder said estimates by companies selling anticlick-fraud services that as many as 30% of clicks on Internet ads are fraudulent were "greatly exaggerated." Yahoo's Ms. Paez also described many of the fraud estimates as "highly inconsistent with what we're seeing on our network."

Google and Yahoo say they catch the vast majority of bad clicks and they reimburse advertisers for charges on fraudulent clicks they miss. In March, Google agreed to pay about $90 million to settle a class-action lawsuit in which some advertisers claimed they were charged for fraudulent ad clicks.

Botnets are a worry because they can mimic legitimate clicking behavior better than other methods. That is because they can harness large numbers of home computers and use them sparingly, improving the chance they will evade defensive measures that look for unusual traffic patterns. Botnets are also increasingly being designed to grow and operate quietly, making them harder to discover.

Because of the difficulty in fighting botnets, Google's Mr. Ghosemajumder says the company focuses on identifying patterns of malicious activity so that it can filter out bad clicks. Google also helped create the Stop Badware Coalition to educate consumers about malicious software, including programs that enlist unsuspecting PC users into botnets.

"A lot of people may not be aware that they need to protect their PCs," Mr. Ghosemajumder said, "We don't rely on them being able to do that. We protect our advertisers regardless."