The bad news: Spammers are already spoofing IPv6 addresses because it is easy for them to bypass mail spam filters and launch phishing attacks on a new protocol.
When Google launched their Adwords advertising program in 2000, few predicted that the major challenge for the company would be preventing what’s known as click fraud. While every service provider is obligated to stay on top of spamming trends to protect their customers, the industry is on high alert to protect their networks and prevent breaches in the new IPv4/IPv6 environment.
At any given search marketing conference, advertisers and affiliates alike complain that they are the consistent victims of click fraud.
Even with NAT (network address translation) spammers have notoriously been able to hide behind constantly changing IP addresses - this is not going to improve with an IPv6 deployment! With IPv6, every device has a unique identifying address. You can expect to find new devices - including servers, desktops and mobile devices - that automatically turn on and configure IPv6 out of the box.
We know that some (but not all) of the primary ways service providers attempt to identify click fraud are:
- Logging where the IP Addresses clicks are coming from – including the Source IP address
- Timing of click frequency
- Measuring the volume shape patterns of clicks
- Assessing search terms that led to clicks
- Watching the navigation pattern of clicks on a site after the ad has been clicked
- Identifying and Blacklisting “Bad” IP addresses (blocks or single hosts).
1. Logging where the IP Addresses clicks are coming from - There are so many possible v6 addresses that, with some creative coding, a spammer could use their allocation and create randomized IP lists to further obscure their actions.
Google has stated publicly that it does not consider multiple clicks from a single IP address necessarily fraudulent as potential customers may come back several times before purchasing. That makes sense in a v4 World, but when multiplied by the sheer size of the IPv6 address schema, this can become challenging for even the search giant to monitor.
2. Timing of click frequency - Again, just the sheer number of v6 addresses means that spammers have the luxury of not having to repeat click activity from a limited number of IP addresses or even A blocks of addresses.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.