More defenses roll out to thwart Clickjacking

At Google we defend our ad systems from fraud using technology in a variety of ways. Often our investment in these defenses goes beyond protecting against only known threats. Our engineering and operations teams are continually working to identify new and emerging threats. Once a new ad fraud threat is found, we move quickly to defend our systems against it using a combination of technology, operations, and policy.

Recently we identified “Clickjacking” (aka UI Redress) as an emerging threat to cost-per-click display ads, and we’ve rolled out new defenses to protect advertisers against this threat. Clickjacking is a type of web attack where the appearance of a website is changed so that a victim does not realize they are taking an important action, in this case clicking on one or more ads. For example, a user may intend to click on a video play button or menu item, but instead clicks an invisible ad unit.

Figure 1: An example of a clickable ad hidden behind a video playback button.

Moving quickly to thwart Clickjacking attempts
Earlier this year when our operations team identified Clickjacking activity on our display network, they moved swiftly to terminate accounts, removing entities involved in or attempting to use this technique to trick users. Our engineering team worked in parallel to quickly release a filter to automatically exclude this type of invalid traffic across display ads.

This approach delivered a one-two punch to publishers who violated our policies: our operations team, which forms an early line of defense against invalid traffic, cleaned out publishers from our ad systems, while engineers built a new filter as a durable defense to protect against Clickjacking traffic.

Figure 2: An example of mouse-tracking, which leads to a page with lots of ads being opened regardless of where a user clicks.

Even as attempts to perpetrate this type of attack continue, our proactive hunt for emerging types of invalid traffic has enabled us to move early and quickly to address Clickjacking threats on several occasions.


A combination of defenses
Our Clickjacking defenses operate at considerable scale, analyzing display ad placements across mobile and desktop platforms and evaluating a variety of characteristics. When our system detects a Clickjacking attempt, we zero in on the traffic attributed to that placement and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks.

This latest effort is also a great example of how our work against invalid traffic sits at the intersection of technology, operations, and policy. Each piece plays a key role in keeping our ad systems clean and defended against ad fraud.

Equally important, our efforts also promote a level playing field for good publishers on our ad systems. And while our Ad Traffic Quality team works hard to keep our ad systems clean, we also rely on publishers to do their part in contributing to a healthy ads ecosystem.


Best practices for publishers
Publishers play a crucial role in delivering a good ads experience. We’ve included some relevant best practices below to remind publishers of ways that they can improve the ads experience on their web properties.

  • Double- and triple-check implementations to verify that your sites contain no programming errors, conform to AdSense policies, and display correctly across different browsers and platforms.
  • For mobile devices, plan your layout carefully to accommodate limited screen real estate.
  • Avoid placing ads close to other clickable content to prevent accidental clicks. For more guidance on how to implement banner ads see our best practices video.
  • Monitor analytics often to spot traffic anomalies. For example, setting up Analytics alerts can show if an unusual amount of traffic comes from a particular ad placement or site.
  • Lastly, if you find suspicious activity, please report it via the Invalid Clicks Contact Form.
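
A publisher-side layout check for the placement practices above, as an added example that is not from the original post and does not represent Google's filter. The element descriptors, the two thresholds and the sample layout are constructed assumptions.

```javascript
// Added example: audit a page layout for ad units that could collect unintended clicks.
// MIN_OPACITY and MIN_GAP_PX are assumed thresholds, not values from AdSense policy.
const MIN_OPACITY = 0.9; // below this an ad unit is treated as effectively invisible
const MIN_GAP_PX = 16;   // minimum spacing between an ad and other clickable content

// Distance in px between two rects {left, top, right, bottom}; 0 if they touch or overlap.
function gap(a, b) {
  const dx = Math.max(0, a.left - b.right, b.left - a.right);
  const dy = Math.max(0, a.top - b.bottom, b.top - a.bottom);
  return Math.hypot(dx, dy);
}

function overlaps(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

// elements: [{ id, kind: 'ad' | 'clickable', rect, opacity, visible }]
// In a browser these fields can be filled from getBoundingClientRect() and getComputedStyle().
function auditLayout(elements) {
  const ads = elements.filter((e) => e.kind === 'ad');
  const controls = elements.filter((e) => e.kind === 'clickable');
  const findings = [];
  for (const ad of ads) {
    const hidden = !ad.visible || ad.opacity < MIN_OPACITY;
    let flagged = false;
    for (const c of controls) {
      let issue = null;
      if (overlaps(ad.rect, c.rect)) issue = hidden ? 'hidden-ad-under-control' : 'ad-overlaps-control';
      else if (gap(ad.rect, c.rect) < MIN_GAP_PX) issue = 'ad-too-close';
      if (issue) { findings.push({ ad: ad.id, near: c.id, issue }); flagged = true; }
    }
    // An invisible ad unit is a defect even when nothing clickable is nearby.
    if (hidden && !flagged) findings.push({ ad: ad.id, near: null, issue: 'hidden-ad' });
  }
  return findings;
}

// Constructed sample layout: a transparent ad over a play button (as in Figure 1),
// a banner 8 px below a menu bar, and a well-separated sidebar ad.
const sampleLayout = [
  { id: 'play-button', kind: 'clickable', rect: { left: 300, top: 200, right: 380, bottom: 280 }, opacity: 1, visible: true },
  { id: 'menu', kind: 'clickable', rect: { left: 0, top: 0, right: 800, bottom: 40 }, opacity: 1, visible: true },
  { id: 'ad-overlay', kind: 'ad', rect: { left: 250, top: 150, right: 550, bottom: 400 }, opacity: 0, visible: true },
  { id: 'ad-banner', kind: 'ad', rect: { left: 0, top: 48, right: 728, bottom: 138 }, opacity: 1, visible: true },
  { id: 'ad-sidebar', kind: 'ad', rect: { left: 820, top: 200, right: 1120, bottom: 450 }, opacity: 1, visible: true },
];
console.log(auditLayout(sampleLayout));
```
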

We’re proud of our work to protect our ad systems against emerging threats like Clickjacking, and we’ll continue to be vigilant as we fight the good fight against ad fraud.


Posted by: Andres Ferrate, Chief Advocate, Ad Traffic Quality


Source: Inside AdSense