Rampant fake Facebook ad clicks riddle hits dead end

Are you bot or not?


Analysis After a startup claimed that 80 per cent of clicks on its ads in Facebook were bogus, sales of pitchforks and burning torches went through the roof as pundits circled in search of a scandal. However, the figures in the case lead to an unexpected dead end rather than to a smoking gun of unimaginable fraud.

Facebook charges advertisers every time someone clicks on an ad, so obviously companies want to be sure that those clicks are coming from real humans with some dosh to spend rather than rogue software that simulates clicks and ramps up charges for businesses.

E-commerce store builder Limited Run (previously known as Limited Pressing) quit Facebook after concluding a majority of its ad clicks were machine generated. The firm, which specialises in supplying online shopping carts to musicians, analysed its web logs and concluded that (in its experience, at least) the Facebook ad platform was subject to click fraud.

Although the small biz claimed that the majority of clicks came from web browsers that didn't have JavaScript enabled - something unheard of in this day and age - the social network insists that the vast majority of billable ad clicks come from browsers with the scripting language enabled.

In a now deleted Facebook post, Limited Run outlined its concerns:

A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site.

At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20 per cent of clicks. So we did what any good developers would do. We built our own analytic software.

Here's what we found: on about 80 per cent of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2 per cent of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook.

So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80 per cent of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs.

Search Engine Watch added that the e-commerce platform firm wanted to change its name from Limited Pressing to Limited Run at around the time its doubts over click fraud flared up.

A Facebook representative apparently told Limited Run that it would need to spend $2,000 a month on advertising for this name change to be authorised.

This, it seems, is incorrect. Another firm already has a Facebook presence under the same title as Limited Run, so the name change would not have been possible - and Limited Run's initial ire at having its page name held hostage by Facebook was therefore down to a misunderstanding.

In a statement, Facebook said it was looking into the click fraud issue:

We're currently investigating their claims. For their issue with the Page name change, there seems to be some sort of miscommunication. We do not charge Pages to have their names changed. Our team is reaching out about this now.

Limited Run, which wants to put the incident behind it, has dumped its Facebook page. In a blog post, it thanked supporters and stressed that it had not set out to start a controversy about the effectiveness of Facebook ads, or anything else:

We’d like to let everyone know how much we’ve appreciated their support. It’s meant a lot to us. When we posted about leaving Facebook on Monday, we only intended our small group of customers and followers to know what was happening, and why.

We had no clue it was going to explode like it did. But now, we’re just a very small company, that wants nothing more than to go back to work. We don’t want to be known for this, and we’re going to keep turning down requests for interviews.

Facebook's advertising system is designed so that punters can only see and click on ads when they are logged into the website; they are not shown to anyone just visiting or passing through without an account, we're told. And although someone could create a string of fake accounts to log into the network and click on the ads, the dominant social network claims it disables impostors as soon as it finds them.

This explanation is however somewhat undermined by revelations that 83 million of the site's 955 million users are reckoned to be bogus, according to documents filed with the Securities and Exchange Commission (SEC) earlier this week.

The fakes include 45 million duplicate accounts, 23 million misclassified accounts (such as businesses, pets and so on) and, most troublingly, 14 million accounts that are used to spread undesirable traffic, such as spam, malicious links and (potentially) click fraud.

Former Google click fraud tzar Shuman Ghosemajumder, VP of strategy at web security startup Shape Security, explained the scope of the click-fraud problem posed by fake accounts.

"The level of difficulty in getting those fake accounts to successfully click on ads without getting identified as spam depends on Facebook's click fraud detection systems," Ghosemajumder told El Reg. "If they are very sophisticated, then it would be difficult for attackers to do on a large scale. If they are not, then it could be relatively easy. But the fact that accounts are required to click on ads gives Facebook a great deal of data they can analyse to determine if click fraud is occurring."

Facebook already has systems in place to detect click fraud. These systems attempt to identify and filter certain things, including repetitive clicks from a single user, clicks that appear to be from an automated program or bot, or clicks that are obviously abusive. Its systems also look at whether JavaScript is enabled in the browser.

According to recent Facebook data, nearly all billable clicks resulting from desktop web browsers have JavaScript enabled, contrary to Limited Run's complaints that it was getting billed for clicks generated by bots.

"The difficult part is identifying them [classes of activity] accurately, especially when the attacker is attempting to mimic legitimate traffic," Ghosemajumder explained. "In the case of Limited Run, it was odd that browsers with JavaScript disabled were visiting the website at all, since visits to their site would not be required just to cost them money for clicks on Facebook.

"If it was a sophisticated adversary trying to harm them without getting caught, they would be trying to emulate real user behaviour and wouldn't send bots with JavaScript disabled. In any case, Facebook's response that nearly all billable clicks came from web browsers with JavaScript enabled suggests that they might have been looking at two separate samples of traffic."

Ultimately only a careful analysis of Limited Run log data will reveal what was actually happening, Ghosemajumder concluded.

"It's difficult to know what's going on with this case without seeing the log data from Limited Run. Google and other ad networks have mechanisms which allow advertisers to tie visits in their logs to clicks on ads directly. If there is a dispute, they can send those logs with the click IDs to the publisher for verification or investigation," he said.

"I'm not sure whether Facebook has a feature like that, but they should be able to verify whether Limited Run is looking at visits from billed clicks or not by comparing IP addresses and timestamps." ®
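The IP-and-timestamp comparison described above, sketched as an added example (not code from Limited Run, Facebook or this article): it joins a billing export to a server-side page log and a JavaScript beacon log. The record layouts, the 30-second matching window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (not from Limited Run or Facebook).
BILLED_CLICKS = [  # ad network billing export: (click time, client IP)
    ("2012-07-30 10:00:00", "198.51.100.7"),
    ("2012-07-30 10:00:05", "203.0.113.20"),
    ("2012-07-30 10:01:00", "203.0.113.20"),
    ("2012-07-30 10:02:00", "192.0.2.44"),
    ("2012-07-30 10:03:00", "198.51.100.99"),
]
PAGE_LOADS = [  # server-side page logger: every request for the landing page
    ("2012-07-30 10:00:02", "198.51.100.7"),
    ("2012-07-30 10:00:06", "203.0.113.20"),
    ("2012-07-30 10:01:01", "203.0.113.20"),
    ("2012-07-30 10:02:03", "192.0.2.44"),
    ("2012-07-30 11:30:00", "198.51.100.99"),  # same IP, far outside the window
]
JS_BEACONS = [  # hits recorded only when the page's JavaScript ran
    ("2012-07-30 10:00:03", "198.51.100.7"),
]

def _take(events, ip, start, window):
    """Pop and return the earliest event from `ip` in [start, start+window]."""
    for i, (when, addr) in enumerate(events):
        if addr == ip and start <= when <= start + window:
            return events.pop(i)[0]
    return None

def reconcile(clicks, loads, beacons, window_s=30):
    window = timedelta(seconds=window_s)
    loads = sorted((ts(t), ip) for t, ip in loads)
    beacons = sorted((ts(t), ip) for t, ip in beacons)
    result = {"visit_with_js": 0, "visit_no_js": 0, "no_visit": 0}
    for when, ip in sorted((ts(t), ip) for t, ip in clicks):
        load = _take(loads, ip, when, window)
        if load is None:
            result["no_visit"] += 1        # billed, but never reached the site
        elif _take(beacons, ip, load, window) is not None:
            result["visit_with_js"] += 1   # visible to script-based analytics
        else:
            result["visit_no_js"] += 1     # only the server-side logger saw it
    result["unbilled_loads"] = len(loads)  # page loads not tied to any billed click
    return result

if __name__ == "__main__":
    print(reconcile(BILLED_CLICKS, PAGE_LOADS, JS_BEACONS))
```

The `unbilled_loads` count separates site traffic that was never billed from billed clicks, which is the "two separate samples of traffic" question raised above.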
