
More defenses roll out to thwart Clickjacking

At Google we defend our ad systems from fraud using technology in a variety of ways. Often our investment in these defenses goes beyond protecting against only known threats. Our engineering and operations teams are continually working to identify new and emerging threats.  Once a new ad fraud threat is found, we move quickly to defend our systems against it using a combination of technology, operations, and policy.

Recently we identified “Clickjacking” (aka UI Redress) as an emerging threat to cost-per-click display ads, and we’ve rolled out new defenses to protect advertisers against this threat. Clickjacking is a type of web attack where the appearance of a website is changed so that a victim does not realize they are taking an important action, in this case clicking on one or more ads. For example, a user may intend to click on a video play button or menu item, but instead clicks an invisible ad unit.

Figure 1: An example of a clickable ad hidden behind a video playback button.

Moving quickly to thwart Clickjacking attempts
Earlier this year when our operations team identified Clickjacking activity on our display network, they moved swiftly to terminate accounts, removing entities involved in or attempting to use this technique to trick users. Our engineering team worked in parallel to quickly release a filter to automatically exclude this type of invalid traffic across display ads.

This approach delivered a one-two punch to publishers who violated our policies: our operations team, which forms an early line of defense against invalid traffic, cleaned out publishers from our ad systems, while engineers built a new filter as a durable defense to protect against Clickjacking traffic.

Figure 2: An example of mouse-tracking, which leads to a page with lots of ads being opened regardless of where a user clicks.

Even as attempts to perpetrate this type of attack continue, our ongoing and proactive hunt for emerging types of invalid traffic has enabled us to move early and quickly to address Clickjacking threats on several occasions.


A combination of defenses
Our Clickjacking defenses operate at considerable scale, analyzing display ad placements across mobile and desktop platforms and evaluating a variety of characteristics. When our system detects a Clickjacking attempt, we zero in on the traffic attributed to that placement and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks.

This latest effort is also a great example of how our work against invalid traffic sits at the intersection of technology, operations, and policy. Each piece plays a key role in keeping our ad systems clean and defended against ad fraud.

Equally important, our efforts also promote a level playing field for good publishers on our ad systems.  And while our Ad Traffic Quality team works hard to keep our ad systems clean, we also rely on publishers to do their part in contributing to a healthy ads ecosystem.


Best practices for publishers
Publishers play a crucial role in delivering a good ads experience.  We’ve included some relevant best practices below to remind publishers of ways that they can improve the ads experience on their web properties.

  • Double- and triple-check implementations to verify that your sites contain no programming errors, conform to AdSense policies, and display correctly across different browsers and platforms.
  • For mobile devices, plan your layout carefully to accommodate limited screen real estate.
  • Avoid placing ads close to other clickable content to prevent accidental clicks. For more guidance on how to implement banner ads see our best practices video.
  • Monitor analytics often to spot traffic anomalies. For example, setting up Analytics alerts can show if an unusual amount of traffic comes from a particular ad placement or site.
  • Lastly, if you find suspicious activity, please report it via the Invalid Clicks Contact Form.
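
A publisher-side layout audit for the first and third practices above, written as an added example (not Google's filter and not code from this post). It flags ad units that are not visibly rendered, that overlap another clickable control, or that sit too close to one. The thresholds, field names and the collect() helper are assumptions.

```javascript
// Added example: publisher-side layout audit. Thresholds, field names and selectors are assumptions.
const MIN_GAP_PX = 32;   // assumed minimum spacing between an ad and a control
const MIN_OPACITY = 0.9; // assumed: an ad drawn below this opacity counts as hidden

// True when two axis-aligned rectangles share any area.
const overlaps = (a, b) => a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;

// Shortest distance between two rectangles; 0 when they touch or overlap.
function gap(a, b) {
  const dx = Math.max(0, a.left - b.right, b.left - a.right);
  const dy = Math.max(0, a.top - b.bottom, b.top - a.bottom);
  return Math.hypot(dx, dy);
}

// ads, controls: arrays of { id, rect: {left, top, right, bottom}, opacity, visible }
function auditLayout(ads, controls) {
  const findings = [];
  for (const ad of ads) {
    if (!ad.visible || ad.opacity < MIN_OPACITY) findings.push({ ad: ad.id, issue: 'ad-not-visible' });
    for (const c of controls) {
      if (overlaps(ad.rect, c.rect)) findings.push({ ad: ad.id, issue: 'overlaps-control', control: c.id });
      else if (gap(ad.rect, c.rect) < MIN_GAP_PX) findings.push({ ad: ad.id, issue: 'too-close', control: c.id });
    }
  }
  return findings;
}

// Browser-side collector. Reads only the element's own computed style, so an
// ad hidden through an ancestor's opacity needs an ancestor walk on top of this.
function collect(selector) {
  return [...document.querySelectorAll(selector)].map((el) => {
    const r = el.getBoundingClientRect();
    const s = getComputedStyle(el);
    return { id: el.id || el.tagName, opacity: parseFloat(s.opacity),
      visible: s.visibility !== 'hidden' && s.display !== 'none',
      rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom } };
  });
}

// Constructed sample layout (not taken from a real page).
const box = (left, top, right, bottom) => ({ left, top, right, bottom });
const sampleAds = [
  { id: 'ad-top', rect: box(0, 0, 728, 90), opacity: 1, visible: true },
  { id: 'ad-player', rect: box(100, 300, 400, 550), opacity: 0, visible: true },
  { id: 'ad-side', rect: box(760, 200, 1060, 450), opacity: 1, visible: true },
];
const sampleControls = [
  { id: 'play-button', rect: box(200, 400, 300, 450) },
  { id: 'nav-menu', rect: box(0, 100, 728, 140) },
];
console.log(auditLayout(sampleAds, sampleControls));
```

In a browser, pass auditLayout() the output of collect() for your own ad containers and for your buttons and links, and run it at each responsive breakpoint you support.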

We’re proud of our work to protect our ad systems against emerging threats like Clickjacking, and we’ll continue to be vigilant as we fight the good fight against ad fraud. 


Posted by: Andres Ferrate, Chief Advocate, Ad Traffic Quality

