Click Fraud
I appreciate the fact the World Wide Web has its uses as far as selling stuff goes. Only the other day, when the washing machine broke down, did I use the internet to seek out recommendations and price ranges for a replacement. This is useful: it avoids having to drive to various horrific out-of-town shopping centres, traipsing through horrific electrical superstores and being accosted by horrific personnel wishing to up their commission. I also understand the odd advert here and there to finance the running of a website or some such. It's expensive to run, and I imagine that if you had to run off voluntary donations alone, you wouldn't be running at all. I have used Amazon a couple of times myself, and even eBay. I have to admit that I'd rather not think too hard about my credit card details sitting on unknown and untested servers in far-flung countries, but there you go.
So I'm not saying back to academia with the lot of it, far from it. But there is a murkier side to all this commerce too.
For the experiment the server was set up with WinGate. This is a weird and wonderful bit of serving technology (a proxy and gateway server for Windows) which I am not totally sure of the proper uses for, but it's amazingly easy to use anyway.
It listens on a shedload of ports, but for this experiment TCP port 8080 (www-cache, the usual HTTP proxy port) is the important one. Left open like this, it allows any computer on the internet to connect and send HTTP requests through the WinGate; to the destination web server those requests appear to originate at the WinGate's IP address rather than the original requester's. An open proxy, in other words.
04/01/07 15:31:21 Service started on interface 172.12.12.200:8080
04/01/07 15:31:21 Service started successfully
04/01/07 20:10:16 59.191.61.209 Guest 0000000003 Traffic 0 0 0 0 0s
04/01/07 22:44:05 222.169.209.8 Guest 0000000004 Requested: http://bidhill.com/flashegg/prx.php
04/01/07 22:44:08 222.169.209.8 Guest 0000000004 Traffic 948 223 181 967 3s
04/01/07 22:57:16 219.148.119.6 Guest 0000000005 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:17 219.148.119.6 Guest 0000000006 Requested: http://www.innab.com/index.php
04/01/07 22:57:20 219.148.119.6 Guest 0000000005 Traffic 16593 378 330 16612 4s
04/01/07 22:57:20 219.148.119.6 Guest 0000000007 Requested: http://www.buddah-search.com/index.php
04/01/07 22:57:23 83.27.13.77 Guest 0000000008 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:24 83.27.13.77 Guest 0000000008 Traffic 16593 401 353 16612 2s
04/01/07 22:57:29 219.148.119.6 Guest 0000000009 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:30 219.148.119.6 Guest 0000000009 Traffic 16583 440 392 16602 1s
04/01/07 22:57:31 219.148.119.6 Guest 0000000010 Requested: http://www.centered-search.com/index.php
04/01/07 22:57:32 219.148.119.6 Guest 0000000011 Requested: http://www.800-search.com/index.php
As you can see here, after 5 hours of indolence, there is a probe (a connection that requests nothing), but nothing happens. Two hours later, someone comes in to check the quality of the proxy. Well, that is what you can do at bidhill.com/flashegg/prx.php. Check it out for yourself. Note that 222.169.209.8 doesn't come back after this, but within ten minutes there are dozens of distinct IPs using the proxy. News of open WinGates must travel faster than light.
And they're all using it for the same reason. They are clicking. Automated clicking.
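Reading the WinGate log by hand works for a dozen lines, but the same questions (who only probed, who checked the proxy first, who hammered it, where the traffic went, how quickly the number of distinct addresses ramped up) are easier to answer programmatically. The script below is an added example, not part of the original post and not WinGate's own tooling: it parses the log lines quoted above (embedded as constructed sample input; reading the dates as dd/mm/yy is an assumption, and only their ordering matters) and reports those indicators. The /prx.php path as a proxy-checker signature is taken from the capture above; any other proxy-judge script would have to be added to the list.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample input: the WinGate log lines quoted above, verbatim.
# Assumption: timestamps are dd/mm/yy (UK style); only their ordering matters here.
SAMPLE_LOG = """\
04/01/07 15:31:21 Service started on interface 172.12.12.200:8080
04/01/07 15:31:21 Service started successfully
04/01/07 20:10:16 59.191.61.209 Guest 0000000003 Traffic 0 0 0 0 0s
04/01/07 22:44:05 222.169.209.8 Guest 0000000004 Requested: http://bidhill.com/flashegg/prx.php
04/01/07 22:44:08 222.169.209.8 Guest 0000000004 Traffic 948 223 181 967 3s
04/01/07 22:57:16 219.148.119.6 Guest 0000000005 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:17 219.148.119.6 Guest 0000000006 Requested: http://www.innab.com/index.php
04/01/07 22:57:20 219.148.119.6 Guest 0000000005 Traffic 16593 378 330 16612 4s
04/01/07 22:57:20 219.148.119.6 Guest 0000000007 Requested: http://www.buddah-search.com/index.php
04/01/07 22:57:23 83.27.13.77 Guest 0000000008 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:24 83.27.13.77 Guest 0000000008 Traffic 16593 401 353 16612 2s
04/01/07 22:57:29 219.148.119.6 Guest 0000000009 Requested: http://www.lycsearch.com/index.php
04/01/07 22:57:30 219.148.119.6 Guest 0000000009 Traffic 16583 440 392 16602 1s
04/01/07 22:57:31 219.148.119.6 Guest 0000000010 Requested: http://www.centered-search.com/index.php
04/01/07 22:57:32 219.148.119.6 Guest 0000000011 Requested: http://www.800-search.com/index.php
"""

# One client line: date, time, client IP, user, session id, then either
# "Requested: <url>" or "Traffic ...". Service messages do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<session>\d+) "
    r"(?:Requested: (?P<url>\S+)|Traffic .*)$"
)

# URL paths that identify a proxy-judge script; /flashegg/prx.php is the one on the page.
PROXY_CHECK_PATHS = ("/prx.php",)


def parse_wingate_log(text):
    """Yield one dict per client line, with kind 'request' (url set) or 'traffic'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%y %H:%M:%S")
        yield {"ts": ts, "ip": m["ip"], "session": m["session"],
               "kind": "request" if m["url"] else "traffic", "url": m["url"]}


def peak_distinct_clients(requests, window_seconds):
    """Most distinct client IPs whose requests fall inside any window of window_seconds.
    Assumes the log is in time order, as WinGate writes it."""
    best = 0
    for i, start in enumerate(requests):
        ips = {e["ip"] for e in requests[i:]
               if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}
        best = max(best, len(ips))
    return best


def summarise(text, window_seconds=600):
    """Reduce the log to the abuse indicators the proxy's operator would want to see."""
    events = list(parse_wingate_log(text))
    requests = [e for e in events if e["kind"] == "request"]
    sessions_with_requests = {e["session"] for e in requests}
    # Probe: a session that produced a Traffic line but never requested a URL.
    probes = sorted({e["ip"] for e in events
                     if e["kind"] == "traffic" and e["session"] not in sessions_with_requests})
    # Proxy checker: a client whose first request is for a proxy-judge script.
    first_url = {}
    for e in requests:
        first_url.setdefault(e["ip"], e["url"])
    checkers = sorted(ip for ip, url in first_url.items()
                      if urlparse(url).path.endswith(PROXY_CHECK_PATHS))
    return {
        "probes": probes,
        "proxy_checkers": checkers,
        "by_ip": dict(Counter(e["ip"] for e in requests)),
        "by_host": dict(Counter(urlparse(e["url"]).hostname for e in requests)),
        "peak_distinct_clients": peak_distinct_clients(requests, window_seconds),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the fifteen lines above this reports one probe (59.191.61.209), one proxy checker (222.169.209.8), six requests from 219.148.119.6 and three to www.lycsearch.com; on a full day's log the same code shows the ramp-up the text describes.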
I am going to single out the most tenacious of the proxy users and have a closer look at what they are actually doing.
The culprit here is 60.2.107.38 which is an IP address in China:
inetnum: 60.0.0.0 - 60.10.255.255
netname: CNCGROUP-HE
descr: CNCGROUP Hebei Province Network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
Our visitor must have a program doing this for him, because the requests come in at a rate of knots. Here is one random sample packet:
Frame 137736 (359 bytes on wire, 359 bytes captured)
Hypertext Transfer Protocol
GET /ppv/?5426226C1415336069 HTTP/1.0\r\n
Request Method: GET
Request URI: /ppv/?5426226C1415336069
Request Version: HTTP/1.0
Referer: http://www.familyskill.com\r\n
Accept: image/gif, image/jpeg, image/x-xbitmap, image/pjpeg, application/vnd.ms-excel, */*\r\n
Accept-Language: en\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n
Host: ad.zanox.com\r\n
X-Forwarded-For: 60.2.107.38\r\n
The "Referer" header is what all the requests have in common. The bot is pretending to click on hundreds of adverts which are all supposedly on the familyskill.com website, without ever even having to view the website; the Referer is set by the client, so nothing stops it from being made up. It therefore comes as no surprise to find out that familyskill.com, despite its best efforts to look American, is in fact also hosted in China.
It took me a while to get my head round all this nonsense, but basically it seems to boil down to this:
There are so-called search engines which will allow you to "search" for something, and it has to be something commercially viable. A random selection of "search terms" that were used (out of the decent enquiries, that is):
legal help
conference call provider
decorating on a budget
homeowners insurance
credit card debt elimination
caribbean cruises
herb ritts
Herb Ritts? "Herb Ritts began his photographic career in the late 70's and gained a reputation as a master of art and commercial photography." according to his website. And he's not above a little bit of click-accumulation either then?
So there is this "query" "typed" into this "search" site. The "search" site serves a "result". Someone gets paid for that?
Nope, I'm still not getting my head around it.
Try again. I'll just imagine that I have a website, and it has a load of adverts on it. Every time someone clicks on the adverts, I get paid for that, to the tune of $0.01 per click. But nobody ever visits my webshite, much less clicks on the advertisements. So what I do is find open proxies, and run this program that pretends to click on the adverts, telling the advertiser that the traffic originates from my site. Quids in. Hmmm.
No, I still don't get it.
What of these "search engines" that presumably nobody ever uses (buddah-search.com as your Internet Explorer homepage, anyone?), that is, apart from all the traffic generated by these automatic click machines? There may well be legitimate advertisers who get their monthly click bill running into hundreds of dollars, none of which has actually had a real click on a real site, ever. Do they wonder? All the money goes to China. There is a little proviso in most, if not all, of these pay-per-click search sites: the traffic has to originate from Europe or the United States. Clicks from China don't count towards the total click bill. This is of course a great incentive for the Chinese to use Western proxies, and that is exactly what they do. Shame about the "X-Forwarded-For" header, though: the proxy adds it to every request it relays, as the packet above shows, so the real originating address is right there for the ad server to read.
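From the ad server's side, the captured request above contains everything needed to refuse the click: the Referer is whatever the client chose to send, but the X-Forwarded-For header the proxy added names the real origin. The following is an added example of that check, not code from the original post, from zanox or from any real ad network. It rebuilds the captured request as a raw HTTP string (constructed sample input) and treats only the whois block quoted earlier (60.0.0.0 - 60.10.255.255) as a "does not count" range, which is an assumption standing in for a proper geolocation database.

```python
from ipaddress import ip_address, summarize_address_range

# Constructed input: the request from the captured packet above, rebuilt as raw HTTP.
SAMPLE_REQUEST = (
    "GET /ppv/?5426226C1415336069 HTTP/1.0\r\n"
    "Referer: http://www.familyskill.com\r\n"
    "Accept: image/gif, image/jpeg, image/x-xbitmap, image/pjpeg, application/vnd.ms-excel, */*\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: ad.zanox.com\r\n"
    "X-Forwarded-For: 60.2.107.38\r\n"
    "\r\n"
)
# The same request as a browser talking to the ad server directly would send it.
DIRECT_REQUEST = SAMPLE_REQUEST.replace("X-Forwarded-For: 60.2.107.38\r\n", "")

# Assumption: the only "does not count" block is the inetnum from the whois record
# quoted above. A real ad server would consult a full geolocation database.
NON_PAYING_RANGES = list(summarize_address_range(ip_address("60.0.0.0"),
                                                 ip_address("60.10.255.255")))


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a lower-cased header dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def origin_chain(peer_ip, headers):
    """Every address the click claims to have passed through: the X-Forwarded-For
    entries (written by the proxy, or by the client itself, so never proof of anything)
    followed by the TCP peer, which is the only address the server actually observed."""
    forwarded = [a.strip() for a in headers.get("x-forwarded-for", "").split(",") if a.strip()]
    return forwarded + [peer_ip]


def vet_click(raw, peer_ip):
    """Decide whether a click should be credited to the Referer's publisher.
    Policy from the page: clicks originating in an excluded region do not count, so
    any hop in the chain inside NON_PAYING_RANGES disqualifies the click. The Referer
    is recorded but never used as evidence, because the client can put anything in it."""
    req = parse_request(raw)
    headers = req["headers"]
    chain = origin_chain(peer_ip, headers)
    pay, reasons = True, []
    for addr in chain:
        try:
            ip = ip_address(addr)
        except ValueError:
            pay = False
            reasons.append(f"unparseable address in chain: {addr!r}")
            continue
        if any(ip in net for net in NON_PAYING_RANGES):
            pay = False
            reasons.append(f"{addr} is inside a non-paying range")
    if len(chain) > 1:
        # Informational only: a proxy hop by itself is not grounds to refuse payment.
        reasons.append("relayed through a proxy (X-Forwarded-For present)")
    return {"referer": headers.get("referer"), "ad_host": headers.get("host"),
            "chain": chain, "pay": pay, "reasons": reasons}


if __name__ == "__main__":
    print(vet_click(SAMPLE_REQUEST, "172.12.12.200"))
    print(vet_click(DIRECT_REQUEST, "83.27.13.77"))
```

A proxy hop on its own is reported but not penalised, since plenty of legitimate browsers sit behind corporate proxies. What cannot be argued with is an address in the chain that the payment rules exclude: the bot cannot leave that address out, because it is the proxy, not the bot, that writes the header.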
Update
After I got bored with all this clickety-click I closed port 8080 for good. Within a few hours the traffic subsided. All the scripts and bots and whatnot seemingly realised that they were wasting their time. All, apart from one, that is. Every couple of seconds that b*st*rd 60.2.107.38 comes knocking. My syslog cup overfloweth. Clearly he just doesn't know when to let go. Mate, it's not there anymore! It's gone! Get over it.
Nmap says:
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2, Microsoft Windows XP SP2