anatomy of a fraudster

ANCHOR INTELLIGENCE REPORT:ANATOMY OF A FRAUDSTER

January 12, 2009

Sponsored by

TABLE OF CONTENTS

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Click Fraud Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Motivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Click Fraudster’s Toolkit Forums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Computer Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Fraudster Profiles Click Fraud Farmers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Pyramid Schemers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Money Launderers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kit Sophisticates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Recommendations Advertisers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ad Networks and Search Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3

34

45567

7888

910

INTRODUCTION

The Anchor Intelligence Report: Anatomy of a Fraudster is a survey of click fraud and the fraudsters behind malicious clicks. It includes a description of click fraud and the reasons for its increasing prevalence. In addition to providing an overview of the tools fraudsters leverage in order to successfully perpetrate click fraud, this report also introduces four of the most common fraudster profiles encountered by Anchor Intelligence. Finally, Anchor offers a series of recommendations for both advertisers and ad networks/search engines to help these parties minimize payouts for fraudulent clicks. By educating the online advertising and security industries on the motivations, tools, and profiles involved in click fraud, Anchor Intelligence hopes to facilitate collaboration between the various industry players and ultimately improve click fraud detection

CLICK FRAUD

Click fraud constitutes a growing threat to the online advertising industry, particularly pay-per-click (PPC) advertising systems. Much like spam – which grew exponentially in volume in the earlier half of this decade, and significantly outpaced the growth of email volume – click fraud will grow in volume as more dollars move online. As it stands, click fraud is the most prevalent form of online advertising fraud in the marketplace today.1 This section provides a comprehen-sive definition of click fraud as well as the motivations of its perpetrators.

DefinitionAnchor Intelligence defines click fraud as clicks or impressions originating from the malicious intent of the clicker that have zero economic value to the advertiser. However, as it is impos-sible to determine a clicker's intent with certainty, one must look at click/impression quality to suggest a more practical definition of click fraud.

Click quality is a continuous spectrum of good and bad. Some clicks and impressions are “good” because they have a high likelihood of conversion and are thus valuable to the adver-tiser. For instance, if an individual purchases many books online, any click he/she makes on book-related ads has real value to the advertiser because the individual has demonstrated his/her propensity to purchase books online. Similarly, some clicks and impressions are “poor” because they have a low likelihood of conversion and provide minimal value to the advertiser. If a user has a strong aversion to making purchases online, his/her clicks are unlikely to result in a purchase, and are therefore less valuable to the advertiser. Finally, some clicks and impres-sions are fraudulent because the user has no intention of converting, thus giving the advertiser no chance of reaping a return on their investment in that click or impression.

1 Bobji Mungamuru, Stephen Weis and Hector Garcia-Molina, “Should Ad Networks Bother Fighting Click Fraud? (Yes, They Should.) Stanford InfoLab 1 July 2008: 2.

ANCHOR INTELLIGENCE REPORT: ANATOMY OF A FRAUDSTER

3

MotivationsMotivations for click fraud primarily fall into two camps: a desire to handicap one’s competitors or intent to generate illegitimate revenue. In the first camp, malicious advertisers commit click fraud in an effort to prevent their competitor’s ads from appearing to potential customers or to drive up the competitor’s advertising costs. PPC services, such as Google AdWords, require advertisers to set a daily budget on their ad spend. In order to accomplish his/her goal, the malicious advertiser can theoretically click (or pay others to click) on the competitor’s ads repeatedly, until the competitor exhausts its daily budget. Once the daily budget limit has been reached, the competitor’s ads will no longer appear on search engines or publisher sites, putting the malicious advertiser in a better position for potential sales. Meanwhile, the competitor will see a reduction in its ROI on ad spend and may potentially make flawed optimization decisions by pulling funds out of these campaigns.

More commonly, malicious individuals commit click fraud in order to boost revenue. Publisher sites generally host ads in order to earn money; publishers earn a percentage of each ad click or impression that occurs on their websites. The more clicks or impressions that occur on a publisher’s site, the more money he/she will earn through that site. As such, many malicious publishers generate fraudulent clicks on ads hosted by his/her site. They often take this fraud a step further by creating multiple sites, through which they perpetrate click fraud, in order to earn even more money, at the expense of advertisers and ad networks.

THE CLICK FRAUDSTER’S TOOLKIT

In order to perpetrate click fraud, especially on a large-scale and/or in a sophisticated fashion, fraudsters utilize an arsenal of tools. This section examines several of these tools in detail.

ForumsInternet forums, otherwise known as message boards, are online discussion sites. Fraudsters frequently leverage forums in order to facilitate communication. In particular, they are a popular channel for trading stolen information, for the following reasons: forums are often organized chronologically; they generally have decent search features; and postings, such as advertisements for malware, are relatively permanent, remaining visible to any and all visitors until they are removed. Internet forums have differing membership levels and range from being open to anyone to open only to fraudsters with established reputations.2 Once fraudsters successfully join a forum, they can buy and sell fraudulent goods and services to interested parties.

One example of a prolific underground web forum was ShadowCrew. ShadowCrew was an international crime syndicate, whose members were carders and hackers from the U.S. and Eastern Europe looking to trade, buy, and sell a range of ill-gotten wares online.3 Because it was a large, openly available forum, it quickly attracted the notice of federal agents and was successfully

2 “Symantec Report on the Underground Economy, July 07-08,” Symantec Enterprise Security November 2008: 4.3 Brian Grow with Jason Bush, “Hacker Hunters,” BusinessWeek 30 May 2005. <http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm>.


4


4 “Crime Boards Come Crashing Down,” Wired 1 February 2007. <http://www.wired.com/science/discoveries/news/2007/02/72585>.5 “Symantec Report on the Underground Economy, July 07-08,” Symantec Enterprise Security November 2008: 4.6 “Symantec Report on the Underground Economy, July 07-08,” Symantec Enterprise Security November 2008: 52.7 “Computer Worm,” Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Computer_worm>.8 Gregg Keizer, “New Windows worm builds massive botnet,” Computerworld 1 December 2008. <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958>.9 Ziv Mador, “More MS08-067 Exploits,” Microsoft® Malware Protection Center 25 November 2008. <http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx>. 10 Gregg Keizer, “New Windows worm builds massive botnet,” Computerworld 1 December 2008.

shut down in October 2004 through a sting operation known as “Operation Firewall.”4

IRC ServersInternet Relay Chat (IRC) is an internet communications protocol that offers real-time internet chat among groups. Communication occurs via channels, which are hosted on IRC servers. Most IRC servers are established for legitimate purposes, but fraudsters use many public servers covertly. IRC servers are another popular platform for fraudsters because they require minimal bandwidth and can be accessed using one of many freely available IRC clients.5 Contraband is readily, if secretly, available to fraudsters on IRC servers. For instance, identity thieves can easily log in to IRC servers and acquire CVV numbers, determine the limits of stolen credit cards, and locate customers for bulk credit card numbers. Similarly, click fraudsters can buy and sell compromised machines to organize botnets in order to perpetrate sophisticated click fraud.

Computer WormsWorms are another tool used by click fraudsters. Computer worms are programs that self-replicate by means of a network. They typically spread by exploiting vulnerabilities and bugs in operating systems and outdated applications. Worms are often used to create zombie computers; as a worm spreads, it creates a network of zombie computers known as botnets.7

A recent example of a worm exploiting a bug in Microsoft® Windows is the Win32/Conficker.a worm. This worm served as a critical component in the construction of a new botnet.8 According to a post on the Microsoft® Malware Protection Center, “It opens a random port between port 1024 and 10000 and acts like a Web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll.”9 As of December 1, nearly 500,000 PCs had been infected, and it was only beginning to grow.10

1 United States 41%

2 Romania 13%

3 Germany 11%

4 United Kingdom 6%

5 Canada 5%

6 Australia 4%

7 Brazil 3%

8 South Korea 2%

9 Netherlands 2%

10 Sweden 2%

Rank Country Percentage of ServersIRC servers are located around the globe, although the locations change regularly, due to fraudsters’ frequent use of compromised computers and server proprietors’ regular efforts to restrict fraudsters’ access.6 According to a recent Symantec report, the countries hosting the largest number of underground IRC servers are the United States, Romania, and Germany.

5

Table 1: Top countries by number of underground IRC serversSource: Symantec Corporation

Another recent example is the Koobface worm, which has circulated through Facebook since mid-November. The worm has spread by means of spam messages with links to compromised sites.11 These sites displayed a bogus error message prompting the user to download an Adobe Flash update named flash_player.exe.12 Users who did so downloaded an executable file that installed the Koobface worm, which then installed a background proxy server. This proxy server redirects all search terms to find-www.net, which enables click fraudsters to make money through the resulting ad clicks.13

BotnetsBotnets are probably the most widely known tool in the click fraudster’s toolkit. A botnet is a network of compromised computers (aka Zombies). Bot programs are covertly installed on computers by means of worms, backdoors, or Trojan horses.14 According to the Shad-owserver Foundation, more desktop machines are becoming infected with malicious software than ever before. For instance, the number of botnet-ensnared PCs has quadrupled in the past year.15

The bot herder, e.g. the fraudster in charge of the botnet, issues commands to the zombie computers via a common command-and-control infrastructure. The commands typically run through IRC servers, providing a degree of separation and an additional layer of protection for the herder. Botnets are used to wage distributed denial of service attacks, propagate spam, log keystrokes, and perpetrate click fraud.16

In the case of click fraud, herders command bots to visit websites – which are either owned by the herder or someone who pays the herder for the service – and click on the ads hosted by those sites. The site owner, be it the herder or customer, can thus generate a significant amount of revenue, which is paid out by the ad network or search engine distributing the ads. With particularly large, global botnets, clicks come from distinct IP addresses, giving the illusion of legitimate traffic.

One of the most infamous click fraud botnets is Clickbot.A, which was discovered by Swa Frantzen at SANS, in May 2006.17 Over the course of one month, the botnet grew to encompass more than 100,000 computers.18 It conducted discreet, low-noise click fraud attacks against syndicated search engines, by commanding each bot to issue one click roughly once every 15 minutes.19 Investigations into its “anatomy” have helped to educate the online advertising and security communities about botnets.


11 Gregg Keizer, “Worm spreads on Facebook, hijacks users’ clicks,” Computerworld 5 December 2008. <http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122724>. 12 Jennifer LeClaire, “Koobface Worm is Targeting Facebook Users,” Enterprise Security Today 5 December 2008. <http://www.enterprise-security-today.com/story.xhtml?story_id=63428>. 13 Gregg Keizer, “Worm spreads on Facebook, hijacks users’ clicks,” Computerworld 5 December 2008. <http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122724>.14 “Botnet,” Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Botnet>.15 Brian Krebs, “Number of Bot-Infected PCs Skyrockets,” washingtonpost.com 4 September 2008. <http://voices.washingtonpost.com/securityfix/2008/09/number_of_bot-infected_pcs_sky.html>. 16 “Botnets,” Shadowserver 12 November 2007. <http://www.shadowserver.org/wiki/pmwiki.php?n=Information.Botnets>.17 Neil Daswani and Michael Stoppelman, “The Anatomy of Clickbot.A,” Google, Inc. 10 April 2007.18 “Clickbot.A,” Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Clickbot.A>. 19 Neil Daswani and Michael Stoppelman, “The Anatomy of Clickbot.A,” Google, Inc. 10 April 2007.20 “June 2008 | Trend Micro Threat Roundup and Forecast—1H 2008” Trend Micro, Inc. 7 July 2008. <http://trendmicro.mediaroom.com/index.php?s=43&item=650>.

6

AdwareFinally, adware is a software package, which displays ads in an unexpected and often unwanted fashion.20 Adware can be a form of spyware when used to spy on users. It collects information about a user’s web history in order to serve relevant ads.21 Adware can be covertly installed on computers through one of two methods: users can be tricked into clicking a spyware link; or users may use a file-sharing program to install freeware that secretly includes adware.22 According to research conducted by Professor Ben Edelman of Harvard University, some forms of adware perform click fraud by automatically activating pay-per-click advertisement links.23 Thus, adware can be used to perpetrate click fraud.

CLICK FRAUDSTER PROFILES

Over the past year, experts at Anchor Intelligence have studied clients’ traffic patterns and gathered intelligence on four of the most prevalent fraudulent behavioral profiles, ranging in levels of sophistication. This section describes the profiles in detail.

Click Fraud Farmers

to simulate regular traffic by viewing another members’ link, visiting the associated website for a period of time, and moving on to the next members’ link. Newspapers around the world advertise opportunities to participate in these groups as easy careers for people working from home. Click farms often reflect the global nature of our economy, in which workers from

21 “Spyware,” Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Spyware>.22 Jerry Honeycutt, “How to Protect your Computer from Spyware and Adware,” Windows XP 20 April 2004. <http://www.microsoft.com/windowsxp/using/security/expert/honeycutt_spyware.mspx>. 23 Ben Edelman, “The Spyware – Click Fraud Connection – and Yahoo’s Role Revisited,” benedelman.org 4 April 2006. <http://www.benedelman.org/news/040406-1.html>.


The first profile applies to members of click farms, which use some of the least sophisticated methods to perpetrate click fraud. Click farms are often outsourced by an organization that is paid to generate clicks on behalf of a third party. In some cases, click farms are networks of people, who scratch each others’ backs by clicking on ads appearing on the other members’ websites. These people try

developing nations seek an opportunity to easily earn a few dollars a day, at the expense of advertisers looking to attract legitimate business to their websites.

Click farm activity often appears as high volume traffic bursts originating from a limited number of users with no corresponding improvement in conversions or other useful user sessions. Ad networks may be able to identify these schemes by matching IP addresses of publishers within the network with ad click logs.

7

Figure 1: Click farm ad from the Deccan Chronicle ClassifiedsSource: Digital Inspiration

Pyramid Schemers

receiving compensation for their traffic, pyramid schemers are also compensated for recruiting users. As a result, these users are less likely to come directly from publishers IPs.

Pyramid scheme participants often use services such as Bux.to and ClixSense to perpetrate their fraudulent activities. For instance, Anchor Intelligence found the following pitch on one publisher’s homepage: “At Bux.to, you get paid to click on ads and visit websites. The process is easy! You simply click a link and view a website for 30 seconds to earn money. You can earn even more by referring friends. You'll get paid $0.01 for each website you person-ally view and $0.01 for each website your referrals view. The minimum payout is $10.00.”

Money Launderers

scale his operation. The registered address is also critical, as many networks are more suspicious of international publisher accounts than of accounts based in the U.S. Once the websites are registered to display ads, click fraudsters create bogus or copied content on these sites and generate false clicks on their ads, often by means of botnets. The ad network unknowingly makes payments to the various registrants, who manage the deposit. The registrants then transfer the money to the fraudsters for a fee, ranging from 20% to 50% of the payment.

These profiles are generally difficult to detect, due to the sophisticated nature of their techniques. Anchor Intelligence has worked directly with various ad networks to identify launderers and link them together, even across multiple clients. The linking is often based on traffic, reputation, and other proprietary data.

Kit Sophisticates

content that attracts real readers by simply simulating “normal” ad traffic for $100. Similarly, cheatingnetwork.net, another forum, offers pay-to-click kits for website owners to generate realistic-looking traffic.

A second fraudster profile applies to participants of pyramid schemes. A pyramid scheme is a non-sustainable business model that involves payment for recruiting new participants into the scheme and fails to deliver a legitimate product or service. Click fraud pyramid schemers are paid to click on ads and visit websites, much like members of a click farm. However, in addition to

A final variety of fraudster, the kit sophisticate, purchases kits online to commit fraud. Kits come in a variety of packages with proportionate price tags. Fraudsters use kits to create hundreds of websites, mass register accounts, generate ad clicks, and build botnets. For instance, ClickingAgent, a notorious ad clicker kit by LoteSoft, saves website owners the trouble of creating valuable


Launderers are a more sophisticated version of the pyramid schemer, and involve the use of “money mules,” individuals who are used to funnel money from ad networks to fraudsters. The fraudsters behind these schemes recruit people to use the recruits’ information to register various websites with ad networks. The use of multiple "mules" and addresses is key in allowing the fraudster to

$ $ $

8

RECOMMENDATIONS

Click fraud originating from kit sophisticates can be extremely difficult to identify. Anchor has developed hundreds of signatures of fraudulent activity generated from these kits and has worked with multiple ad networks to evict kit sophisticates from their networks.

While sophisticated instances of click fraud are difficult to detect, advertisers and ad networks can take precautionary measures to reduce their payouts for fraudulent clicks

AdvertisersThere are several rules of thumb advertisers can use to help recognize and identify instances of click fraud. Anchor recommends the following ten tips:

1.

2.

3.

4.

5.


Watch for significant variations in campaign performance: Look at your reports to identify sudden peaks and other anomalies in your daily traffic and costs. If you cannot determine the cause and the peaks are not associated with corresponding lifts in performance, consider stopping your campaign and/or asking your network to investigate further.

Prevent competitive click fraud: Do a few searches on your keywords to compile a list of relevant competitors. Then open your Command Prompt on your PC (or Terminal on your Mac) and ping each competitor’s domain (e.g. type “ping www.COMPETITORDOMAINNAME.com”) to ascertain their company IP address. You can find their entire range of IPs by using services such as www.arin.net. Be sure to check that the IPs are registered to the company directly, as opposed to the company’s hosting provider. If they are, add those IPs to your account IP exclusion lists (when available).

Don’t drain your own budget: If you’re concerned about clicks coming from your own employees, add your company’s IPs to your account IP exclusion lists (when available).

Block poor performing referrers: Assuming your analytics package provides referral and conversion information, start with your highest volume referrers and determine which sites fail to drive any conversions or other useful user sessions. If you notice that your ads/keywords are performing poorly on particular sites, reduce your bids for those publishers/channels. For high volume sites that generate zero conversions, selectively use the domain/channel-blocking feature to prevent your ads from appearing on those sites in the future.

Monitor high dollar CPC terms closely: Keywords with high CPCs have historically been more vulnerable to click fraud attacks than those with low CPCs. So pay particular attention to these keywords and the referrers that generate disproportionately more traffic to your site through these keywords. Determine whether or not you’re seeing a positive ROI on your bids. If not, consider lowering your bids on poor-performing keywords/ads and allocating more spend to higher performing keywords/ads.

9

6.

7.

8.

9.

10.

Ad Networks and Search EnginesFor ad networks and search engines, Anchor Intelligence recommends outsourcing click fraud monitoring to a 3rd party solutions provider. Ad networks and search engines face challenging conditions when dealing with click fraud. The rate of adaptation for fraudsters often exceeds the ability for a given network to keep its detection methods up to date. Changes in filtering rules often result in only a short-term reduction of fraudulent activity. And large-scale click fraud rings


Geo-target your ads appropriately: If you do not sell products outside of North America, be sure to limit your geo-targeting to North America. If you do sell products abroad, monitor the performance of your international ads. If you find that your ads perform poorly in certain geographies, update your geo-targeting preferences accordingly. Keep a critical eye out for countries such as UAE, China, Vietnam, Thailand, and the Philippines. Anchor has seen relatively high volumes of fraud originating from these countries.

Use ad scheduling: Monitor the quality of your traffic according to time of day and day of the week. For instance, we find that humans typically use the internet during the day, while bots can run 24 hours a day. If you find that your conversion rates are higher in the mornings than late at night, you may want to daypart your bids to reduce exposure to lower-converting traffic.

Leverage a 3rd party traffic quality solution: Your ad network/search engine is not infallible. In order to ensure that you are not being charged for fraudulent clicks, consider using a 3rd party traffic quality solution, such as Anchor Intelligence. By providing deep insight into the quality of each click/impression as well as the factors that contribute to each click/impression score, Anchor Intelligence helps to educate you on click fraud and traffic quality. Armed with this information, you'll be able to improve your ad spend allocation decisions and ensure you are not paying for unwanted traffic.

Investigate your network: Before signing up with an ad network or search engine, do some research into its policies. For instance, you should determine whether the network uses frequency caps to prevent duplicate clicks originating from the same IP from being charged to your account. Also check to ensure that they are using the IAB/ABCe Interna-tional Spiders & Bots List and not charging you for clicks from these robots. Finally, peruse their Terms of Use to determine the extent to which they care about the quality of traffic you receive. For example, look for restrictions against authorizing, encouraging, or generating fraudulent clicks or impressions; editing, modifying, removing, or obscuring ads; and displaying ads on error pages or “thank you” pages.

Encourage your ad network(s) to also use 3rd party scoring solutions: Your ad network may not realize that you are concerned about click fraud. The more you and other advertisers ask networks to take additional steps to prevent and filter click fraud, the more likely these companies will be to proactively protect you. In particular, you should encourage your network(s) to engage the services of 3rd party traffic quality solutions providers. These 3rd parties monitor the traffic quality within and across networks, to help ensure that you see the highest possible ROI on your advertising spend while giving you confidence in the quality of your clicks.

10

reappear within days of being discovered and shut down. As a result, the cost of dealing with customer complaints and billing inquiries becomes significant with no systematic way of responding to the changing behavior of fraudsters.

Anchor Intelligence offers cutting edge, proprietary solutions that have been developed to adapt over time. Our models train against new instances of fraud detected within our network. With the most comprehensive and exhaustive collection of network security intelligence, Anchor’s click quality solutions enable our customers to focus on their core competencies while learning from the collective intelligence of the entire web. Methods used by Anchor include the following:

Anchor Intelligence helps ad networks find and filter fraudulent clicks that the networks themselves do not have the means to catch. For instance, Anchor can identify malicious actors across its entire network. As an independent 3rd party, Anchor has knowledge of fraudsters that operate within and across multiple ad networks, and can leverage this insight for the benefit of all. Additionally, Anchor Intelligence can leverage its network forensics to classify compromised machines. The company leverages honeypots, spam traps, and IRC channel monitors to improve its ability to correctly identify computers infected with malware such as bots and worms. Finally, Anchor intelligence’s 3rd party status enables it to look at user level sessions across multiple networks to identify collusive behavior and velocity spikes in clicks. With its access to data across multiple networks and its database of known fraudsters, Anchor Intelligence enables ad networks and search engines to identify fraudulent clicks they would otherwise have missed.

Anchor Intelligence provides tools for ad networks to not only better manage the quality of traffic on their network, but also capture and deliver more value to their advertisers. Anchor’s traffic quality solutions provide networks with the intelligence they need to monetize the highest quality users on their network, reward their best publishers, remove poor quality publishers, and filter fraudulent clicks. Contact Anchor Intelligence today to learn more about our solutions.


Behavioral analysis: checking whether the volume of activity for a given user over any number of time periods is unacceptably highReputational analysis: identifying clicks from users who have engaged in fraud or other malicious activity on the webDistributional analysis: monitoring the standard rhythm and flow of traffic to identify unexplained spikesAssociational analysis: locating publishers who appear to be generating traffic artificially through the same shared sourcesAnomaly detection: detecting traffic anomalies, such as spikes in CTRs with no ompanying improvement in conversion and unnatural popularity of particular ad placementsNetwork policy violations: pinpointing ad placements that violate network rules, such as stacked ad tags and ad tags overlaid on video thumbnailsFraud signature matching: looking for evidence that matches the signatures of known fraudsters

1 1

www.anchorintelligence.com480 San Antonio Road, Suite 235

Mountain View, CA 94040

LookSmart is a trusted provider of pay-per-click text advertising with 13 years experience and over a billion daily queries on its network of quality partners. LookSmart uses Anchor Intelligence’s ClearMark traffic scoring system across the network to enhance its ability to safeguard advertisers and partners against illegitimate or fraudulent traffic and further improve advertiser ROI through the enhanced performance. LookSmart has provided insights based on historical experience with publishers, advertisers, and other partners that helped shape the content of this report.

www.looksmart.com625 Second Street

San Francisco, CA 94107

© 2009 Anchor Intelligence, Inc. All rights reserved.

Anchor Intelligence Inc., headquartered in Mountain View, CA, is the traffic quality solutions provider of choice among ad networks, search engines, and advertisers. Using Anchor Intelligence's ClearMark, the industry's first and only real-time traffic scoring system, industry players obtain the necessary intelligence to fight click and impression fraud, efficiently manage traffic sources, and capitalize on high quality clicks while maximizing advertiser ROI. For more information, visit: www.anchorintelligence.com.

anatomy of a fraudster

Technology