/NCHOR lNTELLlGENCE REPORT:

/N/TOMY OF / FR/UDSTER
January 12, 2009
T/PLE OF CONTENTS
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Click Fraud
Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Motivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Click Fraudsters Toolkit
Forums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Computer Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fraudster Profiles
Click Fraud Farmers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Pyramid Schemers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Money Launderers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Kit Sophisticates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Recommendations
Advertisers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ad Networks and Search Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
3
4
4
5
5
6
7
7
8
8
8
9
10
lNTRODUCTlON
The Anchor Intelligence Report: Anatomy of a Fraudster is a survey of click fraud and the
fraudsters behind malicious clicks. It includes a description of click fraud and the reasons for its
increasing prevalence. In addition to providing an overview of the tools fraudsters leverage in
order to successfully perpetrate click fraud, this report also introduces four of the most
common fraudster profiles encountered by Anchor Intelligence. Finally, Anchor offers a series of
recommendations for both advertisers and ad networks/search engines to help these parties
minimize payouts for fraudulent clicks. By educating the online advertising and security
industries on the motivations, tools, and profiles involved in click fraud, Anchor Intelligence
hopes to facilitate collaboration between the various industry players and ultimately improve
click fraud detection
CLlCK FR/UD
Click fraud constitutes a growing threat to the online advertising industry, particularly pay-per-
click (PPC) advertising systems. Much like spam which grew exponentially in volume in the
earlier half of this decade, and significantly outpaced the growth of email volume click fraud
will grow in volume as more dollars move online. As it stands, click fraud is the most prevalent
form of online advertising fraud in the marketplace today.
1
This section provides a comprehen-
sive definition of click fraud as well as the motivations of its perpetrators.
Definition
Anchor Intelligence defines click fraud as clicks or impressions originating from the malicious
intent of the clicker that have zero economic value to the advertiser. However, as it is impossible
to determine a clicker's intent with certainty, one must look at click/impression quality to
suggest a more practical definition of click fraud.
Click quality is a continuous spectrum of good and bad. Some clicks and impressions are
good because they have a high likelihood of conversion and are thus valuable to the adver-
tiser. For instance, if an individual purchases many books online, any click he/she makes on
book-related ads has real value to the advertiser because the individual has demonstrated
his/her propensity to purchase books online. Similarly, some clicks and impressions are poor
because they have a low likelihood of conversion and provide minimal value to the advertiser. If
a user has a strong aversion to making purchases online, his/her clicks are unlikely to result in a
purchase, and are therefore less valuable to the advertiser. Finally, some clicks and impressions
are fraudulent because the user has no intention of converting, thus giving the advertiser no
chance of reaping a return on their investment in that click or impression.
1
Bobji Mungamuru, Stephen Weis and Hector Garcia-Molina, Should Ad Networks Bother Fighting Click Fraud? (Yes, They Should.)
Stanford InfoLab 1 July 2008: 2.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
3
Motivations
Motivations for click fraud primarily fall into two camps: a desire to handicap ones competitors
or intent to generate illegitimate revenue. In the first camp, malicious advertisers commit click
fraud in an effort to prevent their competitors ads from appearing to potential customers or to
drive up the competitors advertising costs. PPC services, such as Google AdWords, require
advertisers to set a daily budget on their ad spend. In order to accomplish his/her goal, the
malicious advertiser can theoretically click (or pay others to click) on the competitors ads
repeatedly, until the competitor exhausts its daily budget. Once the daily budget limit has been
reached, the competitors ads will no longer appear on search engines or publisher sites,
putting the malicious advertiser in a better position for potential sales. Meanwhile, the competi-
tor will see a reduction in its ROI on ad spend and may potentially make flawed optimization
decisions by pulling funds out of these campaigns.
More commonly, malicious individuals commit click fraud in order to boost revenue. Publisher
sites generally host ads in order to earn money; publishers earn a percentage of each ad click
or impression that occurs on their websites. The more clicks or impressions that occur on a
publishers site, the more money he/she will earn through that site. As such, many malicious
publishers generate fraudulent clicks on ads hosted by his/her site. They often take this fraud a
step further by creating multiple sites, through which they perpetrate click fraud, in order to earn
even more money, at the expense of advertisers and ad networks.
THE CLlCK FR/UDSTER'S TOOLKlT
In order to perpetrate click fraud, especially on a large-scale and/or in a sophisticated fashion,
fraudsters utilize an arsenal of tools. This section examines several of these tools in detail.
Forums
Internet forums, otherwise known as message boards, are online discussion sites.

Fraudsters
frequently leverage forums in order to facilitate communication. In particular, they are a popular
channel for trading stolen information, for the following reasons: forums are often organized
chronologically; they generally have decent search features; and postings, such as advertise-
ments for malware, are relatively permanent, remaining visible to any and all visitors until they
are removed. Internet forums have differing membership levels and range from being open to
anyone to open only to fraudsters with established reputations.
2
Once fraudsters successfully
join a forum, they can buy and sell fraudulent goods and services to interested parties.
One example of a prolific underground web forum was ShadowCrew. ShadowCrew was an
international crime syndicate, whose members were carders and hackers from the U.S. and
Eastern Europe looking to trade, buy, and sell a range of ill-gotten wares online.
3
Because it was a
large, openly available forum, it quickly attracted the notice of federal agents and was successfully
2
Symantec Report on the Underground Economy, July 07-08, Symantec Enterprise Security November 2008: 4.
3
Brian Grow with Jason Bush, Hacker Hunters, BusinessWeek 30 May 2005.
<http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm>.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
4
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
4
Crime Boards Come Crashing Down, Wired 1 February 2007. <http://www.wired.com/science/discoveries/news/2007/02/72585>.
5
Symantec Report on the Underground Economy, July 07-08, Symantec Enterprise Security November 2008: 4.
6
Symantec Report on the Underground Economy, July 07-08, Symantec Enterprise Security November 2008: 52.
7
Computer Worm, Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Computer_worm>.
8
Gregg Keizer, New Windows worm builds massive botnet, Computerworld 1 December 2008.
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958>.
9
Ziv Mador, More MS08-067 Exploits, Microsoft

Malware Protection Center 25 November 2008.

<http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx>.
10
Gregg Keizer, New Windows worm builds massive botnet, Computerworld 1 December 2008.
shut down in October 2004 through a sting operation known as Operation Firewall.
4
IRC Servers
Internet Relay Chat (IRC) is an internet communications protocol that offers real-time internet
chat among groups. Communication occurs via channels, which are hosted on IRC servers.
Most IRC servers are established for legitimate purposes, but fraudsters use many public
servers covertly. IRC servers are another popular platform for fraudsters because they require
minimal bandwidth and can be accessed using one of many freely available IRC clients.
5
Contraband is readily, if secretly, available to fraudsters on IRC servers. For instance, identity
thieves can easily log in to IRC servers and acquire CVV numbers, determine the limits of stolen
credit cards, and locate customers for bulk credit card numbers. Similarly, click fraudsters can
buy and sell compromised machines to organize botnets in order to perpetrate sophisticated
click fraud.
Computer Worms
Worms are another tool used by click fraudsters. Computer worms are programs that
self-replicate by means of a network. They typically spread by exploiting vulnerabilities and bugs
in operating systems and outdated applications. Worms are often used to create zombie
computers; as a worm spreads, it creates a network of zombie computers known as botnets.
7
A recent example of a worm exploiting a bug in Microsoft Windows is the Win32/Conficker.a
worm. This worm served as a critical component in the construction of a new botnet.
8
According
to a post on the Microsoft Malware Protection Center, It opens a random port between port
1024 and 10000 and acts like a Web server. It propagates to random computers on the network
by exploiting MS08-067. Once the remote computer is exploited, that computer will download a
copy of the worm via HTTP using the random port opened by the worm. The worm often uses a
.JPG extension when copied over and then it is saved to the local system folder as a random
named dll.
9
As of December 1, nearly 500,000 PCs had been infected, and it was only begin-
ning to grow.
10
1 United States 41%
2 Romania 13%
3 Germany 11%
4 United Kingdom 6%
5 Canada 5%
6 Australia 4%
7 Brazil 3%
8 South Korea 2%
9 Netherlands 2%
10 Sweden 2%
Rank Country Percentage of Servers IRC servers are located around the globe,
although the locations change regularly, due
to fraudsters frequent use of compromised
computers and server proprietors regular
efforts to restrict fraudsters access.
6

According to a recent Symantec report, the
countries hosting the largest number of
underground IRC servers are the United
States, Romania, and Germany.
5
Table 1: Top countries by number of underground IRC servers
Source: Symantec Corporation
Another recent example is the Koobface worm, which has circulated through Facebook since
mid-November. The worm has spread by means of spam messages with links to compromised
sites.
11
These sites displayed a bogus error message prompting the user to download an Adobe
Flash update named flash_player.exe.
12
Users who did so downloaded an executable file that
installed the Koobface worm, which then installed a background proxy server.

This proxy server
redirects all search terms to find-www.net, which enables click fraudsters to make money
through the resulting ad clicks.
13
Botnets
Botnets are probably the most widely known tool in the click fraudsters toolkit. A botnet is a
network of compromised computers (aka Zombies). Bot programs are covertly installed on
computers by means of worms, backdoors, or Trojan horses.
14
According to the Shadowserver
Foundation, more desktop machines are becoming infected with malicious software than ever
before. For instance, the number of botnet-ensnared PCs has quadrupled in the past year.
15
The bot herder, e.g. the fraudster in charge of the botnet, issues commands to the zombie
computers via a common command-and-control infrastructure. The commands typically run
through IRC servers, providing a degree of separation and an additional layer of protection for
the herder. Botnets are used to wage distributed denial of service attacks, propagate spam, log
keystrokes, and perpetrate click fraud.
16
In the case of click fraud, herders command bots to visit websites which are either owned by
the herder or someone who pays the herder for the service and click on the ads hosted by
those sites. The site owner, be it the herder or customer, can thus generate a significant amount
of revenue, which is paid out by the ad network or search engine distributing the ads. With
particularly large, global botnets, clicks come from distinct IP addresses, giving the illusion of
legitimate traffic.
One of the most infamous click fraud botnets is Clickbot.A, which was discovered by Swa
Frantzen at SANS, in May 2006.
17
Over the course of one month, the botnet grew to encompass
more than 100,000 computers.
18
It conducted discreet, low-noise click fraud attacks against
syndicated search engines, by commanding each bot to issue one click roughly once every 15
minutes.
19
Investigations into its anatomy have helped to educate the online advertising and
security communities about botnets.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
11
Gregg Keizer, Worm spreads on Facebook, hijacks users clicks, Computerworld 5 December 2008.
<http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122724>.
12
Jennifer LeClaire, Koobface Worm is Targeting Facebook Users, Enterprise Security Today 5 December 2008.
<http://www.enterprise-security-today.com/story.xhtml?story_id=63428>.
13
Gregg Keizer, Worm spreads on Facebook, hijacks users clicks, Computerworld 5 December 2008.
<http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122724>.
14
Botnet, Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Botnet>.
15
Brian Krebs, Number of Bot-Infected PCs Skyrockets, washingtonpost.com 4 September 2008.
<http://voices.washingtonpost.com/securityfix/2008/09/number_of_bot-infected_pcs_sky.html>.
16
Botnets, Shadowserver 12 November 2007. <http://www.shadowserver.org/wiki/pmwiki.php?n=Information.Botnets>.
17
Neil Daswani and Michael Stoppelman, The Anatomy of Clickbot.A, Google, Inc. 10 April 2007.
18
Clickbot.A, Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Clickbot.A>.
19
Neil Daswani and Michael Stoppelman, The Anatomy of Clickbot.A, Google, Inc. 10 April 2007.
20
June 2008 | Trend Micro Threat Roundup and Forecast1H 2008 Trend Micro, Inc. 7 July 2008.
<http://trendmicro.mediaroom.com/index.php?s=43&item=650>.
6
Adware
Finally, adware is a software package, which displays ads in an unexpected and often unwanted
fashion.
20
Adware can be a form of spyware when used to spy on users. It collects information
about a users web history in order to serve relevant ads.
21
Adware can be covertly installed on
computers through one of two methods: users can be tricked into clicking a spyware link; or
users may use a file-sharing program to install freeware that secretly includes adware.
22

According to research conducted by Professor Ben Edelman of Harvard University, some forms
of adware perform click fraud by automatically activating pay-per-click advertisement links.
23

Thus, adware can be used to perpetrate click fraud.
CLlCK FR/UDSTER PROFlLES
Over the past year, experts at Anchor Intelligence have studied clients traffic patterns and
gathered intelligence on four of the most prevalent fraudulent behavioral profiles, ranging in
levels of sophistication. This section describes the profiles in detail.
Click Fraud Farmers
to simulate regular traffic by viewing another members link, visiting the associated website for a
period of time, and moving on to the next members link. Newspapers around the world
advertise opportunities to participate in these groups as easy careers for people working from
home. Click farms often reflect the global nature of our economy, in which workers from
21
Spyware, Wikipedia 9 December 2008. <http://en.wikipedia.org/wiki/Spyware>.
22
Jerry Honeycutt, How to Protect your Computer from Spyware and Adware, Windows XP 20 April 2004.
<http://www.microsoft.com/windowsxp/using/security/expert/honeycutt_spyware.mspx>.
23
Ben Edelman, The Spyware Click Fraud Connection and Yahoos Role Revisited, benedelman.org 4 April 2006.
<http://www.benedelman.org/news/040406-1.html>.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
The first profile applies to members of click farms, which use some
of the least sophisticated methods to perpetrate click fraud. Click
farms are often outsourced by an organization that is paid to
generate clicks on behalf of a third party. In some cases, click farms
are networks of people, who scratch each others backs by clicking
on ads appearing on the other members websites. These people try
developing nations seek an opportunity to easily earn a
few dollars a day, at the expense of advertisers looking
to attract legitimate business to their websites.
Click farm activity often appears as high volume traffic
bursts originating from a limited number of users with
no corresponding improvement in conversions or other
useful user sessions. Ad networks may be able to
identify these schemes by matching IP addresses of
publishers within the network with ad click logs.
7
Figure 1: Click farm ad from the Deccan Chronicle Classifieds
Source: Digital Inspiration
Pyramid Schemers
sation for their traffic, pyramid schemers are also compensated for recruiting users. As a result,
these users are less likely to come directly from publishers IPs.
Pyramid scheme participants often use services such as Bux.to and ClixSense to perpetrate
their fraudulent activities. For instance, Anchor Intelligence found the following pitch on one
publishers homepage: At Bux.to, you get paid to click on ads and visit websites. The process
is easy! You simply click a link and view a website for 30 seconds to earn money. You can earn
even more by referring friends. You'll get paid $0.01 for each website you personally view and
$0.01 for each website your referrals view. The minimum payout is $10.00.
Money Launderers
scale his operation. The registered address is also critical, as many networks are more suspi-
cious of international publisher accounts than of accounts based in the U.S. Once the websites
are registered to display ads, click fraudsters create bogus or copied content on these sites and
generate false clicks on their ads, often by means of botnets. The ad network unknowingly
makes payments to the various registrants, who manage the deposit. The registrants then
transfer the money to the fraudsters for a fee, ranging from 20% to 50% of the payment.
These profiles are generally difficult to detect, due to the sophisticated nature of their
techniques. Anchor Intelligence has worked directly with various ad networks to identify
launderers and link them together, even across multiple clients. The linking is often based on
traffic, reputation, and other proprietary data.
Kit Sophisticates
real readers by simply simulating normal ad traffic for $100. Similarly, cheatingnetwork.net,
another forum, offers pay-to-click kits for website owners to generate realistic-looking traffic.
A second fraudster profile applies to participants of pyramid
schemes. A pyramid scheme is a non-sustainable business model
that involves payment for recruiting new participants into the scheme
and fails to deliver a legitimate product or service. Click fraud pyramid
schemers are paid to click on ads and visit websites, much like
members of a click farm. However, in addition to receiving compen-
A final variety of fraudster, the kit sophisticate, purchases kits online
to commit fraud. Kits come in a variety of packages with proportion-
ate price tags. Fraudsters use kits to create hundreds of websites,
mass register accounts, generate ad clicks, and build botnets. For
instance, ClickingAgent, a notorious ad clicker kit by LoteSoft, saves
website owners the trouble of creating valuable content that attracts
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
Launderers are a more sophisticated version of the pyramid
schemer, and involve the use of money mules, individuals who are
used to funnel money from ad networks to fraudsters. The fraud-
sters behind these schemes recruit people to use the recruits
information to register various websites with ad networks. The use
of multiple "mules" and addresses is key in allowing the fraudster to

8
RECOMMEND/TlONS
Click fraud originating from kit sophisticates can be extremely difficult to identify. Anchor has
developed hundreds of signatures of fraudulent activity generated from these kits and has
worked with multiple ad networks to evict kit sophisticates from their networks.
While sophisticated instances of click fraud are difficult to detect, advertisers and ad networks
can take precautionary measures to reduce their payouts for fraudulent clicks
Advertisers
There are several rules of thumb advertisers can use to help recognize and identify instances of
click fraud. Anchor recommends the following ten tips:
1.
2.
3.
4.
5.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
Watch for significant variations in campaign performance: Look at your reports to identify
sudden peaks and other anomalies in your daily traffic and costs. If you cannot determine the
cause and the peaks are not associated with corresponding lifts in performance, consider
stopping your campaign and/or asking your network to investigate further.
Prevent competitive click fraud: Do a few searches on your keywords to compile a list of
relevant competitors. Then open your Command Prompt on your PC (or Terminal on your
Mac) and ping each competitors domain (e.g. type ping www.COMPETITORDOMAINNAME
.com) to ascertain their company IP address. You can find their entire range of IPs by using
services such as www.arin.net. Be sure to check that the IPs are registered to the company
directly, as opposed to the companys hosting provider. If they are, add those IPs to your
account IP exclusion lists (when available).
Dont drain your own budget: If youre concerned about clicks coming from your own
employees, add your companys IPs to your account IP exclusion lists (when available).
Block poor performing referrers: Assuming your analytics package provides referral and
conversion information, start with your highest volume referrers and determine which sites fail
to drive any conversions or other useful user sessions. If you notice that your ads/keywords
are performing poorly on particular sites, reduce your bids for those publishers/channels. For
high volume sites that generate zero conversions, selectively use the domain/channel-
blocking feature to prevent your ads from appearing on those sites in the future.
Monitor high dollar CPC terms closely: Keywords with high CPCs have historically been
more vulnerable to click fraud attacks than those with low CPCs. So pay particular attention
to these keywords and the referrers that generate disproportionately more traffic to your site
through these keywords. Determine whether or not youre seeing a positive ROI on your bids.
If not, consider lowering your bids on poor-performing keywords/ads and allocating more
spend to higher performing keywords/ads.
9
6.
7.
8.
9.
10.
Ad Networks and Search Engines
For ad networks and search engines, Anchor Intelligence recommends outsourcing click fraud
monitoring to a 3rd party solutions provider. Ad networks and search engines face challenging
conditions when dealing with click fraud. The rate of adaptation for fraudsters often exceeds the
ability for a given network to keep its detection methods up to date. Changes in filtering rules
often result in only a short-term reduction of fraudulent activity. And large-scale click fraud rings
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
Geo-target your ads appropriately: If you do not sell products outside of North America,
be sure to limit your geo-targeting to North America. If you do sell products abroad, monitor
the performance of your international ads. If you find that your ads perform poorly in certain
geographies, update your geo-targeting preferences accordingly. Keep a critical eye out for
countries such as UAE, China, Vietnam, Thailand, and the Philippines. Anchor has seen
relatively high volumes of fraud originating from these countries.
Use ad scheduling: Monitor the quality of your traffic according to time of day and day of the
week. For instance, we find that humans typically use the internet during the day, while bots can
run 24 hours a day. If you find that your conversion rates are higher in the mornings than late at
night, you may want to daypart your bids to reduce exposure to lower-converting traffic.
Leverage a 3
rd
party traffic quality solution: Your ad network/search engine is not
infallible. In order to ensure that you are not being charged for fraudulent clicks, consider
using a 3rd party traffic quality solution, such as Anchor Intelligence. By providing deep
insight into the quality of each click/impression as well as the factors that contribute to each
click/impression score, Anchor Intelligence helps to educate you on click fraud and traffic
quality. Armed with this information, you'll be able to improve your ad spend allocation
decisions and ensure you are not paying for unwanted traffic.
Investigate your network: Before signing up with an ad network or search engine, do some
research into its policies. For instance, you should determine whether the network uses
frequency caps to prevent duplicate clicks originating from the same IP from being charged
to your account. Also check to ensure that they are using the IAB/ABCe International Spiders
& Bots List and not charging you for clicks from these robots. Finally, peruse their Terms of
Use to determine the extent to which they care about the quality of traffic you receive. For
example, look for restrictions against authorizing, encouraging, or generating fraudulent
clicks or impressions; editing, modifying, removing, or obscuring ads; and displaying ads on
error pages or thank you pages.
Encourage your ad network(s) to also use 3
rd
party scoring solutions: Your ad network
may not realize that you are concerned about click fraud. The more you and other advertisers
ask networks to take additional steps to prevent and filter click fraud, the more likely these
companies will be to proactively protect you. In particular, you should encourage your
network(s) to engage the services of 3
rd
party traffic quality solutions providers. These 3
rd

parties monitor the traffic quality within and across networks, to help ensure that you see the
highest possible ROI on your advertising spend while giving you confidence in the quality of
your clicks.
C
reappear within days of being discovered and shut down. As a result, the cost of dealing with
customer complaints and billing inquiries becomes significant with no systematic way of
responding to the changing behavior of fraudsters.
Anchor Intelligence offers cutting edge, proprietary solutions that have been developed to adapt
over time. Our models train against new instances of fraud detected within our network. With
the most comprehensive and exhaustive collection of network security intelligence, Anchors
click quality solutions enable our customers to focus on their core competencies while learning
from the collective intelligence of the entire web. Methods used by Anchor include the following:
Anchor Intelligence helps ad networks find and filter fraudulent clicks that the networks
themselves do not have the means to catch. For instance, Anchor can identify malicious actors
across its entire network. As an independent 3
rd
party, Anchor has knowledge of fraudsters that
operate within and across multiple ad networks, and can leverage this insight for the benefit of all.
Additionally, Anchor Intelligence can leverage its network forensics to classify compromised
machines. The company leverages honeypots, spam traps, and IRC channel monitors to improve
its ability to correctly identify computers infected with malware such as bots and worms. Finally,
Anchor intelligences 3rd party status enables it to look at user level sessions across multiple
networks to identify collusive behavior and velocity spikes in clicks. With its access to data
across multiple networks and its database of known fraudsters, Anchor Intelligence enables ad
networks and search engines to identify fraudulent clicks they would otherwise have missed.
Anchor Intelligence provides tools for ad networks to not only better manage the quality of
traffic on their network, but also capture and deliver more value to their advertisers. Anchors
traffic quality solutions provide networks with the intelligence they need to monetize the highest
quality users on their network, reward their best publishers, remove poor quality publishers, and
filter fraudulent clicks. Contact Anchor Intelligence today to learn more about our solutions.
Anchor Intelligence Inc., headquartered in Mountain View, CA, is a leading traffic quality
solutions provider for the online advertising industry. Anchor Intelligence provides search
engines, ad networks, and advertisers with cutting edge solutions to reduce click and impres-
sion fraud, identify high performing traffic, and ultimately maximize advertiser ROI.
/NCHOR lNTELLlGENCE REPORT: /N/TOMY OF / FR/UDSTER
Behavioral analysis: checking whether the volume of activity for a given user over any number
of time periods is unacceptably high
Reputational analysis: identifying clicks from users who have engaged in fraud or other
malicious activity on the web
Distributional analysis: monitoring the standard rhythm and flow of traffic to identify
unexplained spikes
Associational analysis: locating publishers who appear to be generating traffic artificially
through the same shared sources
Anomaly detection: detecting traffic anomalies, such as spikes in CTRs with no accompany-
ing improvement in conversion and unnatural popularity of particular ad placements
Network policy violations: pinpointing ad placements that violate network rules, such as
stacked ad tags and ad tags overlaid on video thumbnails
Fraud signature matching: looking for evidence that matches the signatures of known fraudsters

www.anchorintelligence.com
480 San Antonio Road, Suite 235
Mountain View, CA 94040
Phone: (650) 320-9100
Fax: (650) 320-9101
info@anchorintelligence.com
2008 Anchor Intelligence, Inc. All rights reserved.