
Security Blog Log: Yahoo's click-fraud problem

By Bill Brenner
07 Apr 2006 | SearchSecurity.com


Security Blog Log
Harvard University researcher and spyware hunter Benjamin Edelman has been critical of Yahoo's relationship with adware distributors in the past. In his blog last August, he posted several examples of what he calls syndication fraud -- cases where Yahoo placed advertisers' ads into spyware programs and charged advertisers for resulting clicks.

This week, Edelman outlined another, more serious problem. His latest research outlines how spyware "completely fakes a click -- causing Yahoo to charge an advertiser a 'pay-per-click' fee, even though no user actually clicked on any pay-per-click link." This, he said, is an example of click fraud.

"Many others have alleged click fraud at Yahoo," he said. "But others generally infer click fraud based on otherwise inexplicable entries in their Web server log files -- traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user)."

In contrast, Edelman said he has direct proof of click fraud and uses his latest blog entry to present a long list of evidence: videos, screenshots and packet logs "showing exactly what happened and who's responsible."

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

He said that when advertisers buy pay-per-click advertising, they expect and intend to buy search-engine advertising. If someone visits Yahoo and types a search term, advertisers want their ads displayed. But he said those ads are supposed to be carefully targeted to specific keywords specified by the advertisers. The advertiser is only supposed to pay Yahoo when a user actually clicks the ad.

"Click fraud attacks these promises," Edelman said. "In canonical click fraud, one advertiser repeatedly clicks a competitor's ads -- or hires others to do so, or builds a robot to do so. Deplete a competitor's budget, and he'll leave the advertisement auction. Then the first advertiser can win the advertising auction with a lower bid."

Edelman's research got a lot of attention in other blogs, including Techdirt, which noted that Yahoo's close relationship with adware vendors is no secret.

"There's even been talk about investigating Yahoo for its relationship with adware, including the fact that so much of Claria's old adware business was closely linked to Yahoo -- so much so that Yahoo's antispyware toolbar for a time ignored Claria," Techdirt said.

In its write-up on the whole affair, BusinessWeek Online quoted Yahoo as saying it takes the quality of its search-ad distribution network very seriously. "We are carefully investigating the claims that have been raised. Once we determine the sources of these implementations, we will take appropriate action, which could include terminating a feed, ending a relationship with a partner or taking legal action against an offending entity," Yahoo said.

Yahoo isn't the first search-engine giant to be accused of click fraud. The Techdirt blog notes, for example, that Google has had its problems as well. It recently agreed to shell out up to $90 million to end a lawsuit claiming thousands of advertisers were overcharged because they paid for bogus sales referrals generated through click fraud.

According to a report on the matter from The Associated Press, those who show evidence of improper charges dating back as far as four years would be eligible for an account credit that could be used toward future ads Google distributes.

Verizon pays price for aggressive spam blocking
Spam Kings author Brian McWilliams has an interesting write-up in his blog about the price Verizon Communications Inc. has had to pay for its aggressive attack on spam.

A little history: Late in 2004, Verizon -- tired of dealing with the spam its DSL customers were receiving -- implemented a massive blocklist that apparently blocked many e-mails from outside the country and offered no way for legitimate senders to circumvent the restrictions.

This angered some people who tried to use their Verizon e-mail addresses to communicate with colleagues in Europe and suddenly found they couldn't do so. Enough people were annoyed that Philadelphia law firm Kohn, Swift & Graf, P.C. filed suit against Verizon on behalf of a disgruntled DSL customer.

Now, McWilliams said, it appears Verizon has offered to settle the suit in a deal where affected customers may receive up to $49 if they failed to receive "legitimate e-mail" from Asia or Europe between October 2004 and May 2005. The lawyers who handled the case are asking for $1.4 million.

McWilliams said reaction to Verizon's spam blocking has been surprisingly critical and that the anger of people who don't get all their e-mails is misplaced.

"To be sure, Verizon certainly isn't perfect in blocking incoming spam," he said. "But unlike some other big U.S. providers, they're not on the Spamhaus list of the world's worst spam havens for facilitating outbound spam. In fact, the ISP currently has only nine listings on the Spamhaus block list, compared to 217 for MCI. So, in my book, the abuse team at Verizon seems to be getting the job done."

He added, "I also continue to be amazed at the ire I see directed at ISPs, including even free Web mail providers like Gmail, for misdirecting legitimate e-mails into users' spam folders (aka 'false positives'). Folks, the delivery of e-mail, especially of the free kind, isn't guaranteed. Blame the spammers, not ISPs, when you find yourself caught in the crossfire of the spam wars."

Oracle CSO starts her own blog
It seems everyone is starting their own blog these days. Take Oracle CSO Mary Ann Davidson.

During a recent visit to Oracle's Web site, I accidentally tripped over Davidson's blog, which appears to be about a month old. But at this point it doesn't appear she'll be updating it much. She has one entry so far, on IT lessons from military history, dated March 13. Frequent updates would likely be welcomed by the security community, which has chastised Oracle in the past for its tight-lipped stance on security issues.
