Massive Chinese click fraud ring uncovered

Tuesday 20 October 2009 | By Heidi Scott, Gosh! Media Copywriter

It's pretty obvious that as long as there's pay per click (PPC) advertising, there will be click fraud. The two just go hand-in-hand in today's world. Click fraud occurs when a person sets up a website, signs up with an ad network and then clicks on the ads to generate ad revenues with false clicks. Click fraud has evolved into set-ups that are more and more sophisticated and the most recent ring to be discovered is thought to be the largest ever seen.

On October 9, the leading click fraud and traffic quality solutions provider, Anchor Intelligence, announced that it had identified and stopped DormRing1, a massive click fraud ring operating out of China. So called because it involved students in dormitories at the Shanghai Technology Institute, as well as from other technical universities in China, DormRing1 involved some 200,000 compromised IP addresses. According to Anchor Intelligence, DormRing1 traffic was programmed to generate fraudulent clicks on the ads of almost 2,000 advertisers across multiple ad networks, every two weeks. Anchor estimates that, if it had remained undetected, DormRing1 would have cost advertisers over $3 million over the course of a year.

Richard Sim, Vice-President of Anchor Intelligence, said, "We have seen 200 fraud rings and this one by far trumps them all. I think it is indicative of how sophisticated the click fraud is getting. We are seeing the sheer scale and size of these rings growing." Anchor Intelligence claims to have identified and eliminated over 200 click fraud rings, involving some five million distinct IP addresses, by identifying suspicious overlaps in audience segments and click behaviour. In the case of DormRing1, Anchor worked with the US authorities – the National Cyber-Forensics & Training Alliance (NCFTA) and the Federal Bureau of Investigation (FBI) – to shut down the ring.

DormRing1 is believed to have involved more than 1,000 people, who between them set up more than 10,000 websites. Spreading the fraud over so many sites makes it more difficult to detect, but it also needs many more people to perpetrate the crime. DormRing1 had successfully recruited student fraudsters by using several Chinese social networking sites. Some were found to have posts containing photos of students parading the cheques of their ill-gotten gains and bragging about their intended purchases. As with pyramid sales networks, those in the highest tiers of the operation earned significantly more than those lower down the ladder, who had to prove themselves in order to be trusted with promotion to the higher rungs.

The DormRing1 students each set up dozens of websites and successfully registered them with multiple ad networks. The fraudsters then hired the services of several botnet controllers to click systematically on ad links that were displayed on these sites. For each ad click, the publisher made a percentage of what the advertiser paid for that click. The ring members were able to contract 'money mules' – people with US addresses to which cheques could be sent – as well as traffic generators or 'botnet herders', website template developers and other contractors who were wired money in return for their services.

Although DormRing1 was stopped, nobody was actually arrested. The advertisers simply ceased making payments to the fraudulent websites. We can be reasonably certain of one thing – these criminals have by now set up another fraud ring elsewhere, which is awaiting discovery. As Ken Miller, CEO of Anchor Intelligence, warns, "Click fraud rings are active across the Internet and constantly evolving their tactics while trolling for vulnerable networks and advertisers."

Back to industry news