There has been some comment, in recent editions of RISKS, on the subject of
online advertising as seen from the perspective of a Web surfer.
From the viewpoint of a Webmaster seeking ad income, there are some
interesting aspects including what seems to be a novel form of DoS attack.
I'll focus on one particular advertising model known as Cost Per Click or
CPC.
In this mechanism, a Web site will display a banner for an advertiser and,
when a surfer clicks on the banner, the advertiser will pay a small sum to
the publisher of the Web site. Thus the publisher will receive an income
dependent on the CPC multiplied by the Click Through Ratio or CTR.
A simple click may cost an advertiser somewhere between two and fifty US
cents and there is normally an agency of some sort between the two parties
to see fair play, count the clicks, handle payments etc.
One fairly obvious risk is that an advertiser who wants brand awareness and
not clicks can get free advertising by running ads that will not get clicked
but which will enhance brand recognition.
From the advertiser's viewpoint, fraud is the main risk. A Web site owner may
use an automated system to generate bogus clicks to claim money that was not
properly earned. There are thousands of HTTP proxy servers that suffer from
the same weakness that allows spam e-mail to exploit open SMTP relays. Using
these, a Web site owner bent on fraud can generate thousands of bogus mouse
clicks.
Of course, advertisers or, more commonly, the agencies with whom they deal
take whatever steps they can to combat such fraud. One route used by many is
just to have a cutoff point for the CTR and say that a Web site with a high
CTR will be automatically barred for fraud. Clearly this leads to the normal
risk of false positives where a legitimate site with a high CTR is excluded.
Interestingly, the false positives will here work to exclude the sites which
are the best ones for the advertiser to use. For example, suppose that a
dating agency, specialising in women from Russia seeking men from the West,
uses an agency to run its banner ads on the Web sites represented by the
agency. Most of the time, such ads will attract a CTR of about 0.2%. But
what if one of the sites in the ad agency network happens to specialise in
advice on exactly this topic? (Fiancee visas, how to address a letter to a
country that uses the Cyrillic alphabet etc.) That site may see a CTR of over
5% which will rapidly earn it exclusion for fraud. Of course, that is exactly
the site on which the advertiser would like to run its ads.
And the novel DoS attack?
Recent reports on the Web publisher forums at geekvillage.com have focussed
on another problem. Suppose that two sites are in competition as they cover
the same subject area and target the same pool of surfers and advertisers.
Site A runs banner ads and site B would like to get those ads for itself and
perhaps even close down site A and get the surfers too. The operator of site
B could set up a click-bot to cause open proxy servers to send thousands of
clearly false clicks to the advertiser: seemingly on behalf of site A. Site
A will soon be flagged for fraud and will lose its advertising income and
may well close.
John O'Connor http://www.jpoc.net ["John O'Connor" via risks-digest Volume 21, Issue 57]
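
An added example, not part of the original post: the CTR cutoff rule described above, run over constructed click data for an ordinary site, a specialist site and a "site A" whose ads receive a flood of clicks it did not generate, next to an alternative that discounts clicks instead of barring the publisher. The cutoff value, the per-source cap, the data layout and all function names are assumptions made for illustration.

```python
from collections import Counter

CTR_CUTOFF = 0.02      # assumed agency cutoff (2%); the post gives no figure
MAX_PER_SOURCE = 3     # assumed cap on paid clicks per source address

def clicks(prefix, n, distinct):
    """Constructed sample: n clicks spread evenly over `distinct` addresses."""
    return [f"{prefix}.{i % distinct}" for i in range(n)]

# Constructed data: site -> (impressions, source address of each click).
# Addresses are from the RFC 5737 documentation ranges.
SITES = {
    "general":    (10_000, clicks("198.51.100", 20, 20)),
    "specialist": (10_000, clicks("203.0.113", 520, 250)),
    "site_a":     (10_000, clicks("198.51.100", 20, 20)
                           + clicks("192.0.2", 3000, 5)),
}

def ctr(impressions, click_sources):
    """Click Through Ratio: clicks divided by impressions."""
    return len(click_sources) / impressions if impressions else 0.0

def cutoff_barred(sites):
    """Rule from the post: bar any site whose CTR exceeds the cutoff."""
    return {name for name, (imp, src) in sites.items()
            if ctr(imp, src) > CTR_CUTOFF}

def billable_clicks(sites):
    """Alternative: bar nobody; pay at most MAX_PER_SOURCE clicks per source."""
    return {
        name: sum(min(count, MAX_PER_SOURCE)
                  for count in Counter(src).values())
        for name, (imp, src) in sites.items()
    }

if __name__ == "__main__":
    barred = cutoff_barred(SITES)
    paid = billable_clicks(SITES)
    for name, (imp, src) in SITES.items():
        print(f"{name:10} raw CTR {ctr(imp, src):6.2%}  "
              f"barred={name in barred}  paid clicks={paid[name]}")
```

The cutoff bars both the specialist site and site A, which are the two outcomes the post objects to. Capping per source is only one possible signal; the point of the comparison is that discounting clicks, rather than excluding the publisher, removes what a competitor gains from the flood.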