In this article we explain click fraud, discuss one of the ways click fraud bots can be detected, and show how Google has made it more difficult to detect and prevent click fraud.
What is click fraud?
Click fraud is an online scam which steals at least USD $100 billion per year. Let's explain it using an example:
- A criminal creates a website, and uses an ad network like Google Ads to monetize the content. That means whenever someone clicks on one of the ads, he'll earn money.
- Instead of waiting for real people to visit his website, he uses bots. These bots are mini-programs built using a framework like Puppeteer Extra and its stealth plugin. The bots resemble real people, including using residential IPs and genuine-looking device fingerprints which are changed every few minutes. From a casual inspection, everything looks normal. Polygraph is able to identify these bots by tricking them into revealing their lies.
- The bots go to Google, search for high value keywords (e.g. "lawyer in New York"), and click on the ads and search results. The goal here is to get cookied by Google, so when the bots visit the scammer's website, they're retargeted with expensive ads. The bots click on these ads, earning money for the scammer. The flow of money is as follows: for every click on the ads on the scammer's website, the advertiser pays money to Google, and Google shares the money with the fraudster.
- To trick Google into thinking the fake clicks are high quality, and to train Google's algorithm to send advertisers more bot traffic, the bots generate fake conversions on some of the advertisers' landing pages. Typically, these will be fake leads, bogus app installs, signing up to mailing lists, creating accounts, and adding items to shopping carts. What all of these conversions have in common is they don't require the bot to buy anything.
- The bots repeat steps 4 & 5 tens of thousands of times every month, earning large amounts of money for Google and the scammer, and stealing advertisers' marketing budgets. There are 100,000s, possibly millions, of click fraud websites.
Why doesn't Google prevent click fraud?
Google makes some effort to detect and prevent click fraud, but not enough, considering their resources. For example, Polygraph is a small cybersecurity company, yet we’re significantly better at detecting and preventing click fraud compared to Google, and every other ad network. It comes down to motivation - Google gets paid for every click, real or fake, so they have a conflict of interest.
Around 12% of their ad clicks are from bots, and a significant number of the websites on their display network and search partner network are obvious click fraud scams.
A quick primer on WebDriver
In a moment we're going to show how Google is making decisions which make it easier to commit click fraud - and more difficult to detect - but before that we need to quickly explain a standard called WebDriver.
Polygraph is able to verify if you're a human or a bot using a browser setting called navigator.webdriver. We can even check this from within this blog article, which displays the live value of navigator.webdriver in your browser.
If navigator.webdriver is "false", that means WebDriver is telling us you're a human. If the value is "true", that means your browser is being controlled by a bot. It's that simple - we can check to see if you're a human or a bot by looking at the navigator.webdriver value in your browser.
Click fraud bots need to lie about WebDriver
Click fraud bots need to lie about many things, including the value of navigator.webdriver. Their goal is to simulate a real human, so they need to invert the value of WebDriver so that instead of saying "true" (this is a bot), it says "false" (this is a human). They do this using things like JavaScript tampering and JavaScript proxy objects. You don't need to understand what these complex-sounding JavaScript techniques are - just be aware they can be used to lie about things.
Polygraph is able to detect these lies, which means we can detect even the most cutting edge click fraud bots.
A (not so) helping hand from Google
Google added a feature to Chromium - the browser used by most click fraud bots - which makes it more difficult to detect click fraud. The feature lies about the value of navigator.webdriver, and pretends bots are humans. The lie, as implemented by Google, does not involve JavaScript tampering or JavaScript proxy objects, so the checks that catch those tricks don't catch it, which makes it more difficult to detect click fraud.
Why did they add this feature? We asked, but Google wouldn't tell us. You've heard of million-dollar questions. Well, this one's probably a multi-billion-dollar question.
Using Google's feature is easy. If a bot launches Chromium using the setting --disable-blink-features=AutomationControlled, the browser will pretend it's being used by a human.
Since we have access to the most commonly used click fraud bots' code, we can see they rely on Google's feature to pretend they're human. Notice the third-last line with --disable-blink-features=AutomationControlled in the code below:
    async beforeLaunch(options) {
        // Look for a --disable-blink-features flag already present in the launch arguments.
        const idx = options.args.findIndex((arg) => arg.startsWith('--disable-blink-features='));
        if (idx !== -1) {
            // The flag exists: append AutomationControlled to its comma-separated list.
            const arg = options.args[idx];
            options.args[idx] = `${arg},AutomationControlled`;
        } else {
            // No such flag yet: add one so navigator.webdriver reports "false".
            options.args.push('--disable-blink-features=AutomationControlled');
        }
    }
What this means is the bot launches Google Chromium using --disable-blink-features=AutomationControlled, so when companies like Polygraph check to see if navigator.webdriver is "true" - in other words, when we ask "are you a bot?" - the click fraud bot replies with "false", "I'm a human".
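As an added illustration, and not code from the original post or from Polygraph, here is a defender-side check written in JavaScript that ties the last three sections together: it reads navigator.webdriver as described in the primer, looks for the kind of JavaScript tampering that the previous section says bots use to invert the value, and shows why a browser launched with --disable-blink-features=AutomationControlled passes that tampering check. The navigator objects, the verdict names and the function names are all constructed for this example; on a real page you would pass the browser's own navigator and Navigator.prototype.

```javascript
// Added example, not Polygraph's code and not from the original post.
// It shows how a defender-side script can (a) read the WebDriver signal and
// (b) check whether that signal has been tampered with, and why the
// --disable-blink-features=AutomationControlled launch flag defeats (b).
// In a browser: classifyNavigator(navigator, Navigator.prototype).
// Here every navigator is constructed so the file runs offline under Node.

// In a genuine Chromium build, "webdriver" is an accessor on Navigator.prototype
// with a native getter and no setter, and the navigator instance has no own
// "webdriver" property. Scripts that overwrite the value usually break one of
// those invariants; each broken invariant is returned as a finding.
function webdriverTampering(nav, proto) {
  const findings = [];
  if (Object.prototype.hasOwnProperty.call(nav, 'webdriver')) {
    findings.push('own property on navigator instance');
  }
  const desc = Object.getOwnPropertyDescriptor(proto, 'webdriver');
  if (!desc) {
    findings.push('missing on prototype');
    return findings;
  }
  if (typeof desc.get !== 'function' || desc.set !== undefined) {
    findings.push('not a getter-only accessor');
  } else if (!Function.prototype.toString.call(desc.get).includes('[native code]')) {
    findings.push('getter is not native code');
  }
  return findings;
}

// Verdicts: "tampered" when the signal itself is untrustworthy, otherwise
// "bot" / "human-reported" / "unknown" from the reported value. The label
// "human-reported" is deliberate: a clean false is only what the browser claims.
function classifyNavigator(nav, proto) {
  const findings = webdriverTampering(nav, proto);
  if (findings.length > 0) return { verdict: 'tampered', findings };
  const value = nav.webdriver;
  if (value === true) return { verdict: 'bot', findings };
  if (value === false) return { verdict: 'human-reported', findings };
  return { verdict: 'unknown', findings }; // undefined on very old browsers
}

// Constructed stand-in for a browser's navigator / Navigator.prototype pair.
// A bound function plays the native getter: Function.prototype.toString
// reports bound functions as "[native code]", just like built-in getters.
function makeNavigator(reportedValue) {
  const proto = {};
  Object.defineProperty(proto, 'webdriver', {
    get: (function () { return reportedValue; }).bind(null),
    configurable: true,
    enumerable: true,
  });
  return { nav: Object.create(proto), proto };
}

// Five constructed scenarios, keyed by name.
function runScenarios() {
  const out = {};

  // 1. Ordinary human-driven browser: native getter returning false.
  const genuine = makeNavigator(false);
  out.genuine = classifyNavigator(genuine.nav, genuine.proto);

  // 2. Automated browser that does not hide: native getter returning true.
  const bot = makeNavigator(true);
  out.bot = classifyNavigator(bot.nav, bot.proto);

  // 3. Bot that shadows the value with an own property on the instance.
  const shadowed = makeNavigator(true);
  Object.defineProperty(shadowed.nav, 'webdriver', { get: () => false, configurable: true });
  out.instanceOverride = classifyNavigator(shadowed.nav, shadowed.proto);

  // 4. Bot that replaces the prototype getter with script code.
  const replaced = makeNavigator(true);
  Object.defineProperty(replaced.proto, 'webdriver', { get: () => false, configurable: true });
  out.prototypeOverride = classifyNavigator(replaced.nav, replaced.proto);

  // 5. Bot launched with --disable-blink-features=AutomationControlled: the
  // browser's own native getter returns false, so nothing looks tampered and
  // this case is indistinguishable from scenario 1 by this check alone.
  const flagged = makeNavigator(false);
  out.flagLaunched = classifyNavigator(flagged.nav, flagged.proto);

  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Two caveats for anyone adapting this. First, the "[native code]" test is a weak heuristic: Function.prototype.toString also reports callable Proxy objects as native code, so a getter wrapped in a Proxy slips past it, which is one reason the post treats proxy objects as a separate problem. Second, scenario 5 is the whole point of the section above: when the browser itself is told to report false, there is no tampering to find, and the navigator.webdriver check alone has to be backed by other signals.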
Polygraph to the rescue
Our business is protecting advertisers from click fraud bots. We lower the number of fake clicks, increase the amount of real visitors, block fake conversions, and re-train the ad networks to send better quality traffic. Doing all this requires us to be experts at detecting fake clicks. We reverse engineer click fraud bots and figure out how to detect them, and we build cutting-edge click fraud systems and identify their weaknesses so we can be one step ahead of the fraudsters.
Google makes it easy to lie about WebDriver, but there are many other lies we can detect.
Conclusion
Click fraud is a hugely lucrative scam, with at least USD $100 billion being stolen from advertisers each year. None of the advertising networks are doing enough to stop the problem, and Google even added a feature to its Chromium browser which makes it more difficult to detect click fraud. Polygraph is able to work around this feature, and can detect even the most cutting edge click fraud bots.