Ways to improve page rank, or deceptively get more users to your websites or away from your competition. Where you can discuss SEO (search engine optimization) issues as it relates to computer security. 
Google Adsense Spam2
Posted by: bodil
Date: April 07, 2007 07:22AM

Hello, I'm new here. As I was writing a question in the "Google Adsense Spam" thread I realized that this is off topic and too long and it would be better off in a new thread.

I am just wondering, how can Google and other companies protect themselves against fraud? I mean, all that they can monitor, as far as I know, can be spoofed except the IP. Consider this scenario:

The attacker gets IPs (people to visit his URL through invisible iframes) through defaced sites (not visibly defaced, it might take ages for someone to notice), making a worm on big, easy-to-XSS communities (like MySpace/YouTube) or sending a lot of spam (like: The new edition of the My Little Pony newsletter, click here to unsubscribe). Or maybe (I don't know if this would work) he could simply do some CSRF with avatar pictures or stuff like that and do .htaccess to get the referrer right. If this is not possible, Flash could be used instead (although not on nearly as many sites) to spoof the referrer.

Also, I can see one way that the "sponsor", or whatever you want to call it, that gets the "hits" can recognize that something is wrong, because the user only requests the front page and only once. Then again, if you change the redirect site (that is opened in a hidden iframe) to put random keywords together with every request, then the "oddness" of the user always only requesting the front page would be spread over a lot of different pages.

Of course Google will know about this if your account one day has 0 hits and half a mil the next. But you could create a page that looked like an online game site, for example. Then have the top news item say "Due to a huge rise in popularity subscription has been closed for the rest of this season". And the next news item could say something like "SuperGame9000-UltraWarZ hits 2million users!". And then start using AdSense AFTER you have people start coming to your site.

And lastly, the redirect script should have a maximum of users to redirect each 30 min quotas based on the time of day and claimed amount of users. If you were to use one day instead of 30 mins, then the Google logs might end up showing you having a lot of clicking all morning but 0 clicks later. Of course the maximum number of clicks should be random, but within 10% of the amount that fits the traffic for that 30 mins of the day (and the amount should be rising very slowly). At last, the redirect script should randomly (not totally randomly) redirect to other redirect scripts named stuff like "heroladder.php" and every other name that the game page you try to impersonate would have, so that the referrers look good.

Sorry this is too long, I just kind of brainstormed while writing and this looks like a guide, but it's not. It's a question: How can any advertising company guard themselves from this?

b0dil

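The two warning signs the post above names (visitors who request a single page only once, and an account going from almost no traffic to a flood overnight) can be checked from an advertiser's own logs. This is an added example, not part of the original thread and not any ad network's code; the log layout, the sample records and both thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: one tuple per request the advertiser sees after an ad
# click: (day, publisher_id, visitor_ip, requested_path). All values made up.
SAMPLE = (
    [(d, "pub-A", f"198.51.100.{i}", p)
     for d in (1, 2) for i in range(10) for p in ("/", "/pricing", "/signup")]
    + [(1, "pub-B", "203.0.113.1", "/"), (1, "pub-B", "203.0.113.1", "/about")]
    + [(2, "pub-B", f"192.0.2.{i}", f"/?q=kw{i}") for i in range(60)]
)

def single_request_ratio(records):
    """Share of (day, visitor) pairs that made exactly one request.
    Counted per visitor, not per page, so varied landing URLs do not hide it."""
    hits = Counter((day, ip) for day, _, ip, _ in records)
    return sum(1 for n in hits.values() if n == 1) / len(hits)

def max_daily_growth(records):
    """Largest day-over-day multiple in distinct visitors."""
    visitors = defaultdict(set)
    for day, _, ip, _ in records:
        visitors[day].add(ip)
    days = sorted(visitors)
    return max((len(visitors[b]) / len(visitors[a])
                for a, b in zip(days, days[1:])), default=1.0)

def flag_publishers(records, ratio_limit=0.9, growth_limit=10.0):
    """Return {publisher: [reasons]} for publishers tripping either heuristic.
    Both limits are illustrative assumptions, not values from any ad network."""
    by_pub = defaultdict(list)
    for rec in records:
        by_pub[rec[1]].append(rec)
    flagged = {}
    for pub, recs in by_pub.items():
        reasons = []
        if single_request_ratio(recs) >= ratio_limit:
            reasons.append("single-request visitors")
        if max_daily_growth(recs) >= growth_limit:
            reasons.append("traffic spike")
        if reasons:
            flagged[pub] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_publishers(SAMPLE))
```
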
Re: Google Adsense Spam2
Posted by: rsnake
Date: April 15, 2007 01:49AM

It would take me weeks to explain how the systems can be used to detect the spam (I wrote a huge chunk of those systems when I worked for ValueClick). I honestly knew about 1/100th of what I know now and I would have built them totally differently now, but nevertheless, there's a lot more going on under the hood than meets the eye. The real question is why? Is there something you were trying to do?

- RSnake
Gotta love it. http://ha.ckers.org
