How to detect click fraud?

October 30, 2022 ∙ 5 minute read

In this short article we explain the basics of click fraud, describe two click fraud techniques, and show how to detect them. We then tell you the easiest and most cost-effective way to detect and prevent click fraud.

What is click fraud?

Click fraud is an online scam which steals at least one hundred billion dollars from advertisers every year. It typically works like this:

  1. A criminal creates a website which can display search results. For example, the website might contain articles about technology, and at the top of the page will be a search box for finding content on the website.
  2. The criminal contacts an advertising network like Microsoft Ads, and requests a publisher advertising account. The publisher advertising account allows the scammer to monetize his website by displaying advertisements every time someone does a search. For example, if a visitor searches for "antivirus software" on the criminal's website, adverts relating to antivirus software will be shown.
  3. Instead of waiting for real people to visit his website, the scammer hires a bot programmer to create a click fraud bot. The programmer uses bot software such as Puppeteer-Extra to mimic a real internet user, and a residential proxy service to disguise the fact the bot is running on a server in a data centre.
  4. The bot visits the criminal's website and searches for high value ad keywords, such as "buy laptop online". The bot maintains a list of high value ad keywords, and randomly selects one every time it does a search. The bot visits the website thousands of times per day, and clicks on an ad roughly 10% of the time.

For every ad click, the advertiser pays money to the advertising network, and the money is then shared with the scammer. If the bot is well made, the criminal can earn six figure pay-outs every month.

Part of the problem is that most advertising networks have less than ideal click fraud detection capabilities, with some doing no click fraud detection at all. It is a mistake to rely on the advertising networks to protect you from click fraud.

How to detect click fraud?

Detecting click fraud isn't straightforward, and typically requires programming and cybersecurity skills. Let's discuss the two simplest forms of click fraud, and how to detect them.

It's possible to automate your browser using a technology called webdriver. For example, you might automate your browser to visit your website and repeatedly click on the ads. Detecting webdriver is easy.

When a browser is being controlled by webdriver, the browser's navigator.webdriver property is set to true. We can query this value using the following JavaScript:

if (window.navigator.webdriver === true) console.log("Browser is being controlled by webdriver");

The second click fraud technique we'll detect is when an iframe and JavaScript are used together to click on ads. In the box below, you can see the Polygraph website displayed in a 50 x 50 pixel iframe:

We can even use a 0 x 0 pixel iframe to display the Polygraph website:

You can't see it, but it's there.

Criminals purchase cheap online ads where they can control the iframe that displays the ad. For example, imagine you go to a website and see a banner advert for a laptop. The banner image is being displayed inside an iframe. If the criminal is allowed to control the iframe, which many advertising networks allow, they're not limited to only placing a banner image inside the iframe. They can also load their website in a 0 x 0 pixel iframe, and then use JavaScript to click on the ads on their website.

What's clever about this technique is it tricks genuine internet users into loading the scammer's website, since the website is loaded inside an innocent-looking banner advert. Additionally, the JavaScript-controlled fake clicks look like they're coming from real internet users, since the IP address of the click will belong to whoever saw the scammer’s banner advert.

Detecting iframe related click fraud is easy, as you can check if the advertiser's website has been loaded inside an iframe, and can also check the size of the iframe:

if (window.self === window.top) console.log("Advertiser page is not inside an iframe");

if (window.innerHeight === 0 && window.innerWidth === 0) console.log("Advertiser page is not visible (page is 0 x 0 pixels)");
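The webdriver check and the two iframe checks above can be combined into one function that an advertiser's landing page runs and reports to its own server. This is an added example, not code from Polygraph or the original article; the function names, signal labels, verdict policy and the fakeWindow test helper are assumptions made for illustration.

```javascript
// Added example. Collects the article's three client-side signals from a
// window object. Pass the real `window` in a browser; a window-like object
// works for offline testing.
function clickFraudSignals(win) {
  const signals = [];
  // Signal 1: a browser driven by webdriver sets navigator.webdriver to true.
  if (win.navigator && win.navigator.webdriver === true) {
    signals.push("webdriver");
  }
  // Signal 2: the page is inside an iframe when it is not the top-level window.
  if (win.self !== win.top) {
    signals.push("framed");
  }
  // Signal 3: a 0 x 0 viewport means the page cannot be seen by a person.
  if (win.innerWidth === 0 && win.innerHeight === 0) {
    signals.push("zero-size-viewport");
  }
  return signals;
}

// Hypothetical policy: automation or an invisible page rejects the visit;
// framing alone is only flagged for review, since legitimate embeds exist.
function classifyLanding(win) {
  const signals = clickFraudSignals(win);
  let verdict = "accept";
  if (signals.includes("webdriver") || signals.includes("zero-size-viewport")) {
    verdict = "reject";
  } else if (signals.includes("framed")) {
    verdict = "review";
  }
  return { verdict, signals };
}

// Constructed window-like object for testing outside a browser.
function fakeWindow({ webdriver = false, framed = false, width = 1280, height = 720 } = {}) {
  const win = { navigator: { webdriver }, innerWidth: width, innerHeight: height };
  win.self = win;
  win.top = framed ? {} : win; // a different object stands in for the parent page
  return win;
}

// In a browser, classify the real window as soon as the script runs.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  console.log(classifyLanding(window));
}
```

These values are read in the visitor's browser and can be altered by it, so treat the result as one input to server-side click validation rather than a final decision.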

Although the two examples above are the most basic forms of click fraud, a major advertising network is unable to detect them.

Polygraph is able to detect every click fraud technique, including bots created using Puppeteer-Extra.

The easiest way to detect click fraud

Instead of building your own click fraud detection system, it's much simpler - and cheaper - to use a click fraud detection service.

Polygraph are experts at detecting click fraud, and can even detect "undetectable" click fraud bots. Additionally, Polygraph provides strategies for avoiding future click fraud, including:

Conclusion

Detecting fake clicks on your ads is a requirement if you advertise online. The advertising networks often have less than ideal click fraud detection capabilities, so it’s important you don’t rely on them to protect your ads from fake clicks.

Polygraph are experts at detecting and preventing click fraud, and can protect your advertising budget from being stolen by online scammers.

Try Polygraph today.