Microsoft filed a civil lawsuit Monday against three people for their role in a massive click fraud campaign that included targeting ads on the popular online role playing game, World of Warcraft.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
The lawsuit, filed in United States District Court in Seattle, named Eric Lam, Gordon Lam and Melanie Suen of Vancouver, British Columbia, along with several corporation names they were believed to have used and up to 50 other unnamed individuals.
Microsoft is seeking up to $750,000 in damages for the click fraud, which Tim Cranton, Microsoft's associate general counsel, said disrupted advertisers who were part of Microsoft's Media Network of associated website advertisers.
"Once we became aware of the click fraud attacks we quickly took action to address any impact on advertisers and to enhance safeguards to further protect our network," Cranton wrote on Microsoft's On the Issues blog. "Today's suit seeks an injunction to help stop this activity and to recover damages."
The group is believed to have hauled in at least $250,000 in profits from the alleged scheme.
Click fraud, in which software tools or a "click farm" of individuals are used to simulate thousands of clicks on particular advertisements, has become a nemesis to legitimate online advertisers and advertising networks. Studies have cited the fraud rate as being as high as 30%. It has become so ubiquitous that an entire market has formed around combating it. In addition to Microsoft, Google's AdSense program is frequently cited as being the target of fraudulent clickers.
ClickForensics, a firm that analyzes traffic quality for advertisers to detect click fraud, estimates the click fraud rate at 13.8% in the first quarter of 2009. The figure fluctuates throughout the year as search engines tweak their ad network algorithms.
"Like anything fraudsters that are out there are constantly working and trying to stay a step ahead of the activities to catch the fraudulent traffic so we see over time the ebb and flow of click fraud," said Paul Pellman, CEO of Click Forensics. "The cost-per-click business models have an inherent fraudulent aspect to them. When there's cost-per-click advertising spread throughout many sites in a network, people find out quickly they can generate clicks to make money at the expense of advertisers."
Making matters worse, click fraud is getting more sophisticated, making click fraud detection more difficult, Pellman said. Some fraudsters have spread ad clicking malware to create a botnet designed to click ads among other nefarious activities.
"It's not as simple as a room chuck full of people in a third-world country perpetrating click fraud," he said. "People are trying to do it in the most efficient way possible, to earn the most money and avoid detection."
According to the Microsoft lawsuit, the Lams and Suen used the "click farm" method, leading a massive click fraud ring that generated invalid clicks on links to online ads that were displayed in response to search requests on Microsoft's network. The group allegedly used an automated script that imitated the Web browser of a legitimate user to generate clicks.
Microsoft's advertising policy pays users of its search engine credits for clicking on links for certain keywords searches sponsored by advertisers. The fraud was discovered when advertisers began complaining of a suspicious amount of keyword searches for auto insurance and auto insurance quotes. Investigators traced the IP addresses back to proxy server networks rather than individual computers, indicating a major problem. They discovered Lam was running websites that referred people to auto insurers.
Microsoft tried to shut them down by detecting and blocking the fraudulent traffic, but the group was able to update their attack methods to bypass the fixes it implemented.
The click fraud ring also targeted World of Warcraft, which has its own set of advertisers and its own click policy for subscribers. The scheme resulted in netting "gold" currency for use in the online role-playing game. Once they amassed enough game credits, the group allegedly sold the credits to gamers for use in buying weapons and other items used in the game. The scheme began in 2007 and continued for the last two years.
Advertisers and search engine are finding new ways to combat click fraud, including hiring companies to monitor advertising traffic flows to detect fraudulent clicks.
Web application security expert Jeremiah Grossman, founder and chief technology officer at WhiteHat Security Inc., said some ad networks are moving to a pay-per-conversion plan to try to avoid click fraud altogether. But cybercriminals will likely find a way to defeat that method as well, he said.
"If everybody moves to pay-per-conversions, then there will be a lot of use of stolen credit card numbers, but then we're moving away from click fraud to credit card fraud," Grossman said. Pay-per-conversion is already being targeted. Thieves hacked iTunes recently, setting up a fake artist account to use stolen credit card numbers to buy their own music, pocketing more than $700,000.