Browse archive

Latest news

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Facebook, Microsoft and Apple disclose little on U.S. government data requests

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Cisco teams with IBM, Lancope, LogRhythm, Splunk and Symantec

Secure automated archiving from Imation

Red Hat unveils OpenStack certification and solution marketplace

Asia-wide targeted campaign drops backdoor, RAT

ISC-CERT warns about medical devices with hard-coded passwords

Hacking charge stations for electric cars

IPv6 and click fraud

by John Sung Kim - Co-founder, 6connect - Tuesday, 17 July 2012.

The good news: To accommodate the ever-increasing demand for IP Addresses around the world, every network will eventually transition to IPv6 from IPv4.

The bad news: Spammers are already spoofing IPv6 addresses because it is easy for them to bypass mail spam filters and launch phishing attacks on a new protocol.

When Google launched their Adwords advertising program in 2000, few predicted that the major challenge for the company would be preventing what’s known as click fraud. While every service provider is obligated to stay on top of spamming trends to protect their customers, the industry is on high alert to protect their networks and prevent breaches in the new IPv4/IPv6 environment.

At any given search marketing conference, advertisers and affiliates alike complain that they are the consistent victims of click fraud.

Even with NAT (network address translation) spammers have notoriously been able to hide behind constantly changing IP addresses - this is not going to improve with an IPv6 deployment! With IPv6, every device has a unique identifying address. You can expect to find new devices - including servers, desktops and mobile devices - that automatically turn on and configure IPv6 out of the box.

We know that some (but not all) of the primary ways service providers attempt to identify click fraud are:

Logging where the IP Addresses clicks are coming from – including the Source IP address
Timing of click frequency
Measuring the volume shape patterns of clicks
Assessing search terms that led to clicks
Watching the navigation pattern of clicks on a site after the ad has been clicked
Identifying and Blacklisting “Bad” IP addresses (blocks or single hosts).

Let’s look at how IPv6 changes the dynamics of each of the 6 ways identified above:

1. Logging where the IP Addresses clicks are coming from - There are so many possible v6 addresses that, with some creative coding, a spammer could use their allocation and create randomized IP lists to further obscure their actions.

Google has stated publicly that it does not consider multiple clicks from a single IP address necessarily fraudulent as potential customers may come back several times before purchasing. That makes sense in a v4 World, but when multiplied by the sheer size of the IPv6 address schema, this can become challenging for even the search giant to monitor.

2. Timing of click frequency - Again, just the sheer number of v6 addresses means that spammers have the luxury of not having to repeat click activity from a limited number of IP addresses or even A blocks of addresses.