Google Dissects a Clickbot, And Discusses The Cost Of Click Fraud

The Clickbot.A botnet described in the paper consisted of 100,000 machines when analyzed in June 2006, and Google's potential click fraud cost was put at approximately $50,000.

Thomas Claburn, Editor at Large, Enterprise Mobility

April 11, 2007

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Over the past year, Google has been reaching out to the media and the public to allay fears that click fraud represents a serious threat to its business. Its executives have repeatedly said the problem is under control and not significant for Google. Its engineers have released internal statistics, previously withheld, in support of that contention and published blog posts attacking the statistics and credibility of click fraud auditing companies. They have also added click fraud reporting tools to Google's AdWords advertising service.

Google on Tuesday published "The Anatomy of Clickbot.A," an analysis of malicious software used to commit click fraud. Despite Google CEO Eric Schmidt's past insistence that click fraud is "immaterial," the paper argues that more needs to be done to protect search engines and computers in general against botnet attacks.

"We believe that it is important to disclose the details of how such botnets work to help the security community, in general, build better defenses," the paper states, adding that Google identified and invalidated all the clicks originating from the Clickbot.A botnet in question.

The particular Clickbot.A botnet described in the paper consisted of 100,000 machines when analyzed in June 2006. The Clickbot.A software was designed to conduct "a low-noise click fraud attack against syndicated search engines." The authors of the paper, Neil Daswani and Michael Stoppelman, put Google's potential click fraud cost at approximately $50,000.

A Google spokesperson was not immediately available to clarify whether this potential cost might be incurred daily, weekly, monthly, or otherwise. But even if that's a possible daily loss, costing some $18 million annually, it's hardly a significant figure for a company with Google's revenue.

"It's unclear as to whether or not botnet-based click fraud is as profitable as keylogging and other applications of botnets," the paper states. "Having a botnet log all keystrokes, including passwords used to login to online banking sites, may allow a bot operator to obtain some average dollar profit per compromised machine. On the other hand, the bot operator could attempt to make that amount of profit by having a bot simply click on ads."

But even if click fraud is less profitable than electronic bank robbery, it probably carries a much lower risk of investigation and imprisonment.

The paper concludes that search engines need to investigate botnets, that ISPs need to better protect Web hosting customers, and that malware detection rates need to be improved. It calls for Web businesses to encourage customers to use anti-virus software and for security researchers and corporate IT department to share more security-related data. And with the publication of this paper, Google appears to be leading by example.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights