Rampant fake Facebook ad clicks riddle hits dead end

Are you bot or not?


Analysis After a startup claimed that 80 per cent of clicks on its ads in Facebook were bogus, sales of pitchforks and burning torches went through the roof as pundits circled in search of a scandal. However, the figures in the case lead to an unexpected dead end rather than to a smoking gun of unimaginable fraud.

Facebook charges advertisers every time someone clicks on an ad, so obviously companies want to be sure that those clicks are coming from real humans with some dosh to spend rather than rogue software that simulates clicks and ramps up charges for businesses.

E-commerce store builder Limited Run (previously known as Limited Pressing) quit Facebook after concluding a majority of its ad clicks were machine generated. The firm, which specialises in supplying online shopping carts to musicians, analysed its web logs and concluded that (in its experience, at least) the Facebook ad platform was subject to click fraud.

Although the small biz claimed that the majority of clicks came from web browsers that didn't have JavaScript enabled - something unheard of in this day and age - the social network insists that the vast majority of billable ad clicks come from browsers with the scripting language enabled.

In a now deleted Facebook post, Limited Run outlined its concerns:

A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site.

At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20 per cent of clicks. So we did what any good developers would do. We built our own analytic software.

Here's what we found: on about 80 per cent of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2 per cent of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook.

So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80 per cent of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs.

Search Engine Watch added that the e-commerce platform firm wanted to change its name from Limited Pressing to Limited Run at around the time its doubts over click fraud flared up.

A Facebook representative apparently told Limited Run that it would need to spend $2,000 a month on advertising for this name change to be authorised.

This, it seems, is incorrect. Another firm already has a Facebook presence under the same title as Limited Run, so the name change would not have been possible - and Limited Run's initial ire at having its page name held hostage by Facebook was therefore down to a misunderstanding.

In a statement, Facebook said it was looking into the click fraud issue:

We're currently investigating their claims. For their issue with the Page name change, there seems to be some sort of miscommunication. We do not charge Pages to have their names changed. Our team is reaching out about this now.

Limited Run, which wants to put the incident behind it, has dumped its Facebook page. In a blog post, it thanked supporters and stressed that it had not set out to start a controversy about the effectiveness of Facebook ads, or anything else:

We’d like to let everyone know how much we’ve appreciated their support. It’s meant a lot to us. When we posted about leaving Facebook on Monday, we only intended our small group of customers and followers to know what was happening, and why.

We had no clue it was going to explode like it did. But now, we’re just a very small company, that wants nothing more than to go back to work. We don’t want to be known for this, and we’re going to keep turning down requests for interviews.

Facebook's advertising system is designed so that punters can only see and click on ads when they are logged into the website; they are not shown to anyone just visiting or passing through without an account, we're told. And although someone could create a string of fake accounts to log into the network and click on the ads, the dominant social network claims it disables impostors as soon as it finds them.

This explanation is, however, somewhat undermined by revelations that 83 million of the site's 955 million users are reckoned to be bogus, according to documents filed with the Securities and Exchange Commission (SEC) earlier this week.

The fakes include 45 million duplicate accounts, 23 million misclassified accounts (such as businesses, pets and so on) and, most troublingly, 14 million accounts that are used to spread undesirable traffic, such as spam, malicious links and (potentially) click fraud.

Former Google click fraud tzar Shuman Ghosemajumder, VP of strategy at web security startup Shape Security, explained the scope of the click-fraud problem posed by fake accounts.

"The level of difficulty in getting those fake accounts to successfully click on ads without getting identified as spam depends on Facebook's click fraud detection systems," Ghosemajumder told El Reg. "If they are very sophisticated, then it would be difficult for attackers to do on a large scale. If they are not, then it could be relatively easy. But the fact that accounts are required to click on ads gives Facebook a great deal of data they can analyse to determine if click fraud is occurring."

Facebook already has systems in place to detect click fraud. These systems attempt to identify and filter certain things, including repetitive clicks from a single user, clicks that appear to be from an automated program or bot, or clicks that are obviously abusive. Its systems also look at whether JavaScript is enabled in the browser.

According to recent Facebook data, nearly all billable clicks resulting from desktop web browsers have JavaScript enabled, contrary to Limited Run's complaints that it was getting billed for clicks generated by bots.

"The difficult part is identifying them [classes of activity] accurately, especially when the attacker is attempting to mimic legitimate traffic," Ghosemajumder explained. "In the case of Limited Run, it was odd that browsers with JavaScript disabled were visiting the website at all, since visits to their site would not be required just to cost them money for clicks on Facebook.

"If it was a sophisticated adversary trying to harm them without getting caught, they would be trying to emulate real user behaviour and wouldn't send bots with JavaScript disabled. In any case, Facebook's response that nearly all billable clicks came from web browsers with JavaScript enabled suggests that they might have been looking at two separate samples of traffic."

Ultimately only a careful analysis of Limited Run log data will reveal what was actually happening, Ghosemajumder concluded.

"It's difficult to know what's going on with this case without seeing the log data from Limited Run. Google and other ad networks have mechanisms which allow advertisers to tie visits in their logs to clicks on ads directly. If there is a dispute, they can send those logs with the click IDs to the publisher for verification or investigation," he said.

"I'm not sure whether Facebook has a feature like that, but they should be able to verify whether Limited Run is looking at visits from billed clicks or not by comparing IP addresses and timestamps." ®
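As an added illustration, not code from Limited Run, Facebook or The Register, here are the three checks this piece describes run over a constructed access log: the JavaScript-beacon test Limited Run relied on, the repeated-clicks-from-one-source filter Facebook says it applies, and the IP-plus-timestamp reconciliation of billed clicks against server logs that Ghosemajumder suggests. The log format, the /landing and /beacon paths, the cid parameter and the 60-second match window are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed billed clicks (click id, client IP, UTC time); not real Facebook data.
BILLED = [("c1", "203.0.113.5", "2012-07-30T10:00:01"),
          ("c2", "203.0.113.5", "2012-07-30T10:00:02"),
          ("c3", "198.51.100.9", "2012-07-30T10:05:00"),
          ("c4", "192.0.2.77", "2012-07-30T10:07:00"),
          ("c5", "192.0.2.78", "2012-07-30T11:00:00")]

# Constructed access log. /landing is the ad's destination; /beacon is requested
# by a script on that page, so it only shows up when JavaScript is enabled.
ACCESS_LOG = """\
203.0.113.5 [2012-07-30T10:00:02] "GET /landing?cid=c1 HTTP/1.1" 200
203.0.113.5 [2012-07-30T10:00:03] "GET /landing?cid=c2 HTTP/1.1" 200
198.51.100.9 [2012-07-30T10:05:01] "GET /landing?cid=c3 HTTP/1.1" 200
198.51.100.9 [2012-07-30T10:05:02] "GET /beacon?cid=c3 HTTP/1.1" 200
192.0.2.77 [2012-07-30T10:07:01] "GET /landing?cid=c4 HTTP/1.1" 200
"""
LOG_RE = re.compile(r'^(\S+) \[(\S+)\] "GET (\S+) HTTP/1\.[01]" \d+$')

def parse_log(text):
    """Parse log lines into (ip, timestamp, path, click_id or None); skip junk."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ip, ts, url = m.groups()
        path, _, query = url.partition("?")
        cid = dict(p.split("=", 1) for p in query.split("&") if "=" in p).get("cid")
        hits.append((ip, datetime.fromisoformat(ts), path, cid))
    return hits

def reconcile(billed, hits, window=timedelta(seconds=60)):
    """Map each billed click to no_visit / js_off / js_on: a hit matches if it is from
    the billed IP within `window` after the click and any click id it carries agrees."""
    status = {}
    for cid, ip, ts in billed:
        t0 = datetime.fromisoformat(ts)
        seen = {h[2] for h in hits
                if h[0] == ip and t0 <= h[1] <= t0 + window and h[3] in (None, cid)}
        status[cid] = ("js_on" if "/beacon" in seen else
                       "js_off" if "/landing" in seen else "no_visit")
    return status

def summarise(billed, hits, max_per_ip=1):
    """Status counts plus IPs billed more than max_per_ip times, the repetitive
    single-source pattern the article says the ad network itself filters on."""
    per_ip = Counter(ip for _, ip, _ in billed)
    return {"billed": len(billed), **Counter(reconcile(billed, hits).values()),
            "repeat_ips": sorted(ip for ip, n in per_ip.items() if n > max_per_ip)}
```

A real dispute would compare the billed-click export the network provides against the advertiser's own logs in exactly this way; a high js_off or no_visit share, or a few IPs accounting for many billed clicks, is what to take back to the network rather than a conclusion on its own.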
