Click Fraud: The Business of Cyberstealing

Dec. 6, 2006 — -- It's that time of year, when Santa is making his list and checking it twice. Like Santa, millions of Americans are checking their lists too -- and then heading to the Internet to do more and more of their Christmas shopping.

Retailers, giddy with the prospect of more online business, try to get customers' attention and have turned to Yahoo or Google for help with Internet advertising.

But many businesses have found that advertising on the Net can be an expensive prospect, especially if they fall victim to a criminal practice called click fraud.

When online retailers want to advertise on Web sites that appear on Google or Yahoo, they set up advertising accounts with a set amount of money in them. Every time someone clicks on their ads, a little bit is taken out of the account and goes directly to either Google or Yahoo, or a portion of it may go to the site that hosted the ad.

Click fraud occurs when people click on ads with no intent of becoming customers. Their only interest is in generating clicks so that money moves out of the advertiser's account.

An estimated average of 14.6 percent of the clicks advertisers are billed for are fraudulent, according to Outsell Inc., an information industry research group.

Outsell estimates that click fraud is a $1.3 billion problem: $800 million wasted on fraudulent clicks plus $500 million no longer spent on pay-per-click online advertising.

Though it hits small businesses with small advertising budgets the hardest, even the host companies like Google, Yahoo and other search engines are threatened by savvy computer users, like Michael Andrew Bradley, looking to exploit the online advertising system.

Bradley allegedly planned to blackmail Google, the Internet search engine and online media empire. He is accused of building software that would make advertisers pay for fraudulent clicks on their Web ads that he planned to unleash across the Web.

That is, he allegedly would unleash it unless Google paid him $100,000 to keep his weapon off the cyberstreets.

But Bradley was nabbed before he could carry out the plan he's accused of hatching. He was arrested in May 2004 and later released on a $50,000 bond, with the condition that he refrain from using any computer or the Internet and avoid all contact with Google employees.

One potentially key piece of evidence is a video tape of Bradley on a visit to Google's Mountain View, Calif., headquarters. During a March 10, 2004, meeting with Google, Bradley demonstrated his click fraud software, dubbed "Google Clique," and demanded the cash that would stop him from releasing it.

"Why am I so confident this works?" Bradley wrote of his product, Google Clique, according to the indictment. "Because I was personally invited to visit Google and demo the software for them.

"They were very nice to me and we sat down and I did the demo of Google Clique. … They found Google Clique to be a serious threat to their company," the 2004 indictment quotes him as saying.

Google filed a criminal complaint against Bradley, who was subsequently indicted in California for extortion and mail fraud. He was charged with 11 criminal counts, each one carrying a maximum penalty of 20 years in prison and a fine of $250,000.

The Charges Dropped

But last month, seemingly out of nowhere, the case against Bradley was tossed. Why were the charges dropped after a one-year investigation and more than two years of legal wrangling since his arrest?

His attorney, public defender Jay Rorty, confirmed to ABC News that the charges were dropped on Nov. 22, but he refused to say why.

Google, whose complaint originally launched the investigation, said the decision came from the U.S. Attorney's office.

"We didn't drop the case. It was dismissed by the prosecution," Google spokesman Barry Schnitt told ABC News.

"The case was dismissed … at our request," said Matt Parrella, chief of the Computer Hacking and Intellectual Property Unit at the U.S. Attorney's Office in San Jose, Calif.

But as far as the reasons for the dismissal, Parrella had no comment.

Nor was there any clue from the Secret Service, which spent roughly a year investigating Bradley and ultimately arrested him in May 2004.

The Secret Service, in addition to protecting U.S. leaders and visiting diplomats, is responsible for criminal investigations into various types of fraud and money laundering.

One theory: Google didn't want the case to go to court. Fiercely secretive about its methods of curbing click fraud, Google might have feared that if the case went to trial, those methods would have been up for examination -- and a matter of public record.

"I think that the one plausible explanation is that Google did not want any information about its technology to get out into the public," said Brian Kabateck, a class action attorney who represented thousands of small businesses in a lawsuit against both Google and Yahoo.

Schnitt admits that concern about revealing company secrets played a role in the decision.

"We can be asked for information that reveals too much to potential fraudsters," the Google spokesman said. "We need to weigh the benefit of catching one perpetrator against the risk of engendered other perpetrators."

Another possibility, suggested by Schnitt, is that Bradley wasn't as much of a threat as he portrayed himself to be.

"To prove extortion, you have to prove the technology he had could have caused damage," Schnitt told ABC News.

Although Bradley tried to use click fraud as a weapon against media monolith Google, it's mostly affecting small businesses across America.

Click fraud affects a business in two ways.

The first is when someone repeatedly clicks an advertiser's link, essentially blowing its advertising budget with no sales to show for it.

The other, more complicated, occurs when a third party Web site posts an advertiser's link and thus benefits every time someone clicks on a link from that page.

It stems from the practice of pay-per-click advertising or PPC. When computer users click on a sponsored link, the company has to pay a fee to both the search engine and the Web site.

The search engine makes money, the Web site makes money. But the business advertising loses.

It's called "content match," a term Jim Hill is all too familiar with.

Hill, an athletic equipment retailer in Eugene, Ore., quickly recognized that something was fishy when his entire advertising budget for the week was blown in an hour.

"In literally one hour [my whole advertising budget] was wiped out," he said. "I dug deeper and deeper, and I found out that all those clicks came through their content match."

Not only does Hill lose money, but valuable retail ad space is taken away.

Click fraud is particularly a problem for small companies with fierce competitors, disgruntled employees or customers seeking revenge. Their vengeance, with the click of a mouse, is to make that company pay.

So that he wouldn't be a victim again, Hill got some help.

"I partnered with a company called ClickFacts, a startup based out of San Francisco, and they are able to track all of our click-throughs -- where people are coming from," he said.

"They have fairly sophisticated analytics to help you identify what is click fraud and what is not," Hill said. "So we are in a process of tracking with them month by month to watch for it."

According to Mikhail Ledvich, chief strategy officer for ClickFacts, stopping click fraud takes vigilance and high technology.

"We look for abnormal traffic patterns and abnormal user behavior to figure out when there is someone potentially gaming the system to con the advertiser," Ledvich said.

"I'm working with it every day, spending an hour-plus a day doing it," Hill said.

A company victimized by click fraud could also be the target of consumer revenge.

"The person who has a motive for click fraud … could be someone who's upset at J.C. Penney and clicks enough times to make them pay enough that it adds up to the $10 refund [they wanted]," said Dallas attorney Stephen Malouf.

To prevent advertisers from paying for fraudulent clicks, Google and other search engines filter Web traffic, not charging advertisers for some percentage of the hits on their advertisement. The exact methods they use to filter the traffic, however, remain a closely guarded trade secret.

"They are fiercely protective of what they do to prevent against click fraud, but for good altruistic reasons," Kabateck said.

"They believe that the minute someone learns their methods ... it's like a smart virus. They'll find a new way to commit click fraud."

Despite those protections, in 2005 click fraud led to roughly $800 million lost on fraudulent clicks.

ABC News' Maxwell Sandgrund contributed to this article.