
Security Blog Log: Yahoo's click-fraud problem

This week, security bloggers examined Yahoo's relationship with adware vendors, and the price Verizon paid for aggressive spam blocking. Also: Oracle's CSO starts a blog.


Security Blog Log
Harvard University researcher and spyware hunter Benjamin Edelman has been critical of Yahoo's relationship with adware distributors in the past. In his blog last August, he posted several examples of what he calls syndication fraud -- cases where Yahoo placed advertisers' ads into spyware programs and charged advertisers for resulting clicks.

This week, Edelman outlined another, more serious problem. His latest research outlines how spyware "completely fakes a click -- causing Yahoo to charge an advertiser a 'pay-per-click' fee, even though no user actually clicked on any pay-per-click link." This, he said, is an example of click fraud.

"Many others have alleged click fraud at Yahoo," he said. "But others generally infer click fraud based on otherwise inexplicable entries in their Web server log files -- traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user)."

In contrast, Edelman said he has direct proof of click fraud and uses his latest blog entry to present a long list of evidence: videos, screenshots and packet logs "showing exactly what happened and who's responsible."

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at


He said that when advertisers buy pay-per-click advertising, they expect and intend to buy search-engine advertising. If someone visits Yahoo and types a search term, advertisers want their ads displayed. But he said those ads are supposed to be carefully targeted to specific keywords specified by the advertisers. The advertiser is only supposed to pay Yahoo when a user actually clicks the ad.

"Click fraud attacks these promises," Edelman said. "In canonical click fraud, one advertiser repeatedly clicks a competitor's ads -- or hires others to do so, or builds a robot to do so. Deplete a competitor's budget, and he'll leave the advertisement auction. Then the first advertiser can win the advertising auction with a lower bid."

Edelman's research got a lot of attention in other blogs, including Techdirt, which noted that Yahoo's close relationship with adware vendors is no secret.

"There's even been talk about investigating Yahoo for its relationship with adware, including the fact that so much of Claria's old adware business was closely linked to Yahoo -- so much so that Yahoo's antispyware toolbar for a time ignored Claria," Techdirt said.

In its write-up on the whole affair, BusinessWeek Online quoted Yahoo as saying it takes the quality of its search-ad distribution network very seriously. "We are carefully investigating the claims that have been raised. Once we determine the sources of these implementations, we will take appropriate action, which could include terminating a feed, ending a relationship with a partner or taking legal action against an offending entity," Yahoo said.

Yahoo isn't the first search-engine giant to be accused of click fraud. The Techdirt blog notes, for example, that Google has had its problems as well. It recently agreed to shell out up to $90 million to end a lawsuit claiming thousands of advertisers were overcharged because they paid for bogus sales referrals generated through click fraud.

According to a report on the matter from The Associated Press, those who show evidence of improper charges dating back as far as four years would be eligible for an account credit that could be used toward future ads Google distributes.

Verizon pays price for aggressive spam blocking
Spam Kings author Brian McWilliams has an interesting write-up in his blog about the price Verizon Communications Inc. has had to pay for its aggressive attack on spam.

A little history: Late in 2004, Verizon -- tired of dealing with the spam its DSL customers were receiving -- implemented a massive blocklist that apparently blocked many e-mails from outside the country and offered no way for legitimate senders to circumvent the restrictions.

This angered some people who tried to use their Verizon e-mail addresses to communicate with colleagues in Europe and suddenly found they couldn't do so. Enough people were annoyed that Philadelphia law firm Kohn, Swift & Graf, P.C. filed suit against Verizon on behalf of a disgruntled DSL customer.

Now, McWilliams said, it appears Verizon has offered to settle the suit in a deal where affected customers may receive up to $49 if they failed to receive "legitimate e-mail" from Asia or Europe between October 2004 and May 2005. The lawyers who handled the case are asking for $1.4 million.

McWilliams said reaction to Verizon's spam blocking has been surprisingly critical and that the anger of people who don't get all their e-mails is misplaced.

"To be sure, Verizon certainly isn't perfect in blocking incoming spam," he said. "But unlike some other big U.S. providers, they're not on the Spamhaus list of the world's worst spam havens for facilitating outbound spam. In fact, the ISP currently has only nine listings on the Spamhaus block list, compared to 217 for MCI. So, in my book, the abuse team at Verizon seems to be getting the job done."

He added, "I also continue to be amazed at the ire I see directed at ISPs, including even free Web mail providers like Gmail, for misdirecting legitimate e-mails into users' spam folders (aka 'false positives'). Folks, the delivery of e-mail, especially of the free kind, isn't guaranteed. Blame the spammers, not ISPs, when you find yourself caught in the crossfire of the spam wars."

Oracle CSO starts her own blog
It seems everyone is starting their own blog these days. Take Oracle CSO Mary Ann Davidson.

During a recent visit to Oracle's Web site, I accidentally tripped over Davidson's blog, which appears to be about a month old. But at this point it doesn't appear she'll be updating it much. She has one entry so far on IT lessons from military history, dated March 13. Frequent updates would likely be welcomed by the security community, which has chastised Oracle in the past for its tight-lipped stance on security issues.
