Combating Click Fraud Using Premium Clicks Sid Stamm , RavenWhite Inc. and Indiana University Joint Work With Ari Juels † , RSA Laboratories, RSA/EMC Corp Markus Jakobsson , RavenWhite Inc. † Research Performed at RavenWhite Inc. 1
Click Fraud: Old Scam N N o o w w w w i i t t h h M M e e x x i i c c a a n n J J u u m m p p i i n n g g B B e e a a n n s s ! ! 2
Click Fraud: Old Scam Advertiser 3
Click Fraud: Old Scam Advertiser Publisher 3
Click Fraud: Old Scam Now with Now with Now with Now with Mexican Mexican Mexican Mexican Jumping Beans! Jumping Beans! Jumping Beans! Jumping Beans! Advertiser Publisher 3
Click Fraud: Old Scam Advertiser Publisher 4
Click Fraud: Old Scam Now with Now with Mexican Mexican Jumping Beans! Jumping Beans! Now with Now with Mexican Mexican Jumping Jumping Beans! Beans! J J u u Mexican Mexican m m p p i i n n Jumping Beans! Jumping Beans! g g Mexican Mexican B B e e a a Now with Now with n n Now with Now with s s ! ! Advertiser Publisher 4
Click Fraud: Old Scam Now Now with with Mexic Mexic Now with Now with Now with Now with Mexican Mexican an an Jumpi Jumpi Jumping Beans! Jumping Beans! Mexican Mexican ng ng Beans Beans Jumping Beans! Jumping Beans! Jumping Beans! Jumping Beans! Now with Now with ! Mexican Mexican TRASH Advertiser Publisher 4
Other Forms of Fraud • Dishonest Publisher gives handbills to people who are not potential customers • Dishonest Competitor takes all of (honest) Publisher’s flyers • How is the handbill problem solved? Approach to Think About: What if the Advertiser requires the Publisher to get business cards from each recipient? 5
Click Fraud • New Technology not necessarily to blame (Automation makes it worse, however) • Problem: Advertiser has limited control and knowledge about Publisher behavior 6
Advertiser Syndicator Publisher S.com P.com J.com Customer (Alice) 7
Advertiser Syndicator Publisher S.com P.com J.com Mexican Mexican Customer (Alice) 7
Advertiser Syndicator Publisher S.com P.com J.com Mexican Mexican Mexican Mexican Customer (Alice) 7
Advertiser Syndicator Publisher S.com P.com J.com Mexican Mexican Mexican Mexican Welcome To P.com! Mexican Mexican Customer (Alice) 7
Advertiser Syndicator Publisher S.com P.com J.com Mexican Mexican Mexican Mexican Welcome To P.com! Mexican Mexican Click! Customer (Alice) 7
Advertiser Syndicator Publisher S.com P.com J.com Welcome To P.com! Mexican Mexican Customer (Alice) 8
Advertiser Syndicator Publisher S.com P.com J.com Customer (Alice) 8
Advertiser Syndicator Publisher S.com P.com J.com Customer (Alice) 8
Advertiser Syndicator Publisher S.com P.com J.com Click! M M e e x x i i c c a a n n $$$ $$ Customer (Alice) 9
Syndicator Publisher S.com P.com Click! M M e e x x i i c c a a n n $$ Welcome To P.com! Mexican Mexican Click! Customer (Alice) 10
Syndicator Publisher S.com P.com Click! M M e e x x i i c c a a n n $$ Welcome To P.com! Mexican Mexican Click! Customer (Alice) 11
Eliminate Bad Clicks? • Industry’s Responsibility - Unusual Economic Incentives - Tuzhilin Report (Lanes Gifts v. Google) • Conceptual Shifts: per-impression > per-click > per-conversion? • Another approach: embrace good, don’t only filter bad. 12
Token Approach Customer (Alice) 13
Token Approach Publisher P.com Syndicator S.com Click! M M e e x x i i c c a a n n Click! Customer (Alice) 13
Token Approach Publisher P.com Syndicator S.com Click! M M e e x x i i c c a a n n Click! Customer (Alice) 13
Token Approach Publisher P.com Syndicator S.com Click! M M e e x x i i c c a a n n Click! Customer (Alice) 13
Token Approach • Token can be used to identify unique visit • Double-Clicks detectable • ... Doesn’t Work! - Attacker can delete tokens, but we have to support browsers without them! - Bots can have tokens too... 14
Token Approach Attestor A.com Customer (Alice) 15
Token Approach Attestor (some transaction A.com of value) $$$ Customer (Alice) 15
Token Approach Attestor (some transaction A.com of value) $$$ Customer (Alice) 15
Token Approach Publisher P.com Syndicator S.com Click! M M e e x x i i c c a a n n Click! Attestor (some transaction A.com of value) $$$ Customer (Alice) 15
Token Approach • Token tells a bit about the clicker - E.g., “Alice just bought a new computer” - Must be a rare/one-time event - Like the Business card idea - Unforgeable Tokens (MAC) • Still Doesn’t Work - What about tokenless clicks? 16
Token Approach • Token gives a user special “value” - User doesn’t care (or notice) • Users without tokens treated normally • “Premium” clicks are those with tokens - Considered more “valuable” 17
First Challenge: Cross-Domain Token-Passing • Possibility: Cookies - Third Party Cookies - First party + web bugs - Often Blocked! • Possibility: Cache Cookies - JJJ [Oakland ‘06] - Widely Supported - Cache Purging 18
Sidebar: Cache Cookies CC: served once for caching 304’ed thereafter X.com/cc.html Y.com/img[id].gif 19
Second Challenge: Privacy • User (not click) Profiling • Token Data as Covert Channel • How to eliminate profiling and covert disclosure? - Client-Readable Tokens - Shared MAC key 20
Our Implementation • Advertiser, Syndicator, Attestor, Publisher at different sites/IPs/domains • Experience same as current systems • Engineering Challenges: • Need to couple token with Publisher ID: obtained from the referrer (via JavaScript) • Token Freshness 21
Mobile Implementations? • Web + Mobile = Popular • Iframes vs. Object tag • Wild & Crazy Mobile Browsers 22
Mobile Caches? Internet 23
Mobile Caches? Internet 24
Mobile Caches? Internet 24
Mobile Caches? Internet 24
Mobile Caches? Internet 24
Limitations • Far from Perfect... - Malware-driven Clicks - Publisher Scripting Clicks - Token-Harvesting Clicks (not as strong) - Fraudulent or Dishonest Attestor • Better than Just Filtering - Tokens provide positive indicators 25
Conclusions • Shift from rejecting to embracing - Turns click payments into authentication • Techniques applicable to other forms (conversions, impressions) • Future Work: - Which Attestors are Useful? - Mobile Ad Deployment? - Client-side Software? - New Advertising problems? - How much does privacy matter? 26
Combating Click Fraud Using Premium Clicks Sid Stamm , RavenWhite Inc. and Indiana University Joint Work With Ari Juels † , RSA Laboratories, RSA/EMC Corp Markus Jakobsson , RavenWhite Inc. † Research Performed at RavenWhite Inc. 27
Recommend
More recommend