"Ad networks today, sadly, rely primarily on security through obscurity to defend against click-spam," noted the researchers, and introduced ViceROI, an algorithm that detects click-spam attacks by working on the premise that click spammers are looking for a higher ROI than ethical business models to offset the risk of getting caught.
"Ad networks today filter click-spam reactively and in an ad-hoc manner — when a specific attack is detected (often by the impacted advertiser), the ad networks creates a filter tuned to the detected attack," they explain. "Reactive filtering harms advertisers since attacks may go undetected for months [...] Furthermore, ad-hoc point-solutions are quickly circumvented by attackers, e.g., avoiding the IP blacklist by using a distributed botnet, potentially adding months before the attack is rediscovered by a more savvy advertiser."
In addition to this, the ad networks' tendency to guard their filtering techniques is easily annulled by the never-ending evolution of click-spam malware.
So, the researchers have had the interesting idea of hitting spammers where it hurts - their wallet.
"Viceroi, in essence, flags publishers with anomalously high ROI. While publisher ROI is hard to estimate, in practice we found per-user revenue a close proxy," the researchers explain. "To avoid detection by Viceroi, click-spammers must reduce their per-user revenue to that of an ethical publisher. At which point, without the economic incentive to offset the risk of getting caught (by approaches complementing Viceroi), the net effect is a disincentive to commit click-spam."
And it works. They have tested the algorithm by cooperating with a large real-world ad network, and say that the technique spots six different classes of click-spam attacks - malware-driven, search-hijacking, arbitrage, conversion- fraud, ad-injection, and parked-domains - without additional tuning (for detailed case studies, read the whitepaper).
Viceroi can't "say" for sure that the publishers it spots are definitely click-spammers, but it allows the ad networks to manually review and investigate a much smaller number of potential fraudulent enterprises.