èƵ

How hackers use tricks to make money from your clicks

Online clicks are worth big money. Now hackers are using a cunning set of click-tricks to make money from people visiting websites without them realising
Click here
Click tricks appear on hundreds of websites
Donna Lu

In the attention economy of the internet, clicks are a hot commodity. They’re used to drive engagement in the form of likes and viewer numbers, but now online attackers are also tricking unsuspecting internet users into clicking for their profit.

Wei Meng at the Chinese University of Hong Kong and colleagues found that third-party programs are secretly changing hyperlinks and inserting URLs into seemingly ordinary websites, leading to click-driven profit and malware that could put users’ computers at risk.

The scam works like this. A common form of online advertising is pay-per-click, where an advertiser pays a website to display an ad, and the payment varies according to the number of website visitors who click on it.

The price an advertiser pays for a single click depends on factors like the popularity of a target audience, with a single click worth between a few cents up to more than a dollar.

Fraudulent clicks can be made by bots or click farms, where hundreds of smartphones are directed to watch videos or click certain links. But many advertising companies can detect clicks made by computers.

So certain websites contain tricks to get people to click. For example, an apparent link to a news story may actually take users to an advertising site earning the owner ad money, invisible objects that cover parts of a page could register as ad clicks when clicked, and hyperlinks that open an ad first before redirecting to the intended website also result in stolen clicks without the clicker realising.

Clicks for fees

The team scoured the internet’s top 250,000 most popular websites and found 613 sites with so-called clickjacking code. Though this totalled less than 1 per cent of the websites they looked at, it amounted to a total daily traffic of 43 million visits. On these pages, more than 3000 hyperlinks had been secretly inserted.

One third of the inserted hyperlinks were advertising related. In some cases, the codes were inserted deliberately by the websites themselves, suggesting a financial motivation – the website would earn commission from advertisers for artificially boosting their click numbers.

But in others, third-parties had secretly inserted the codes and there was no way of knowing whether the website owner was aware of the problem, says Meng.

“It’s a design problem that is very difficult to fix,” says Yanick Fratantonio at French research centre Eurecom. Although it is almost impossible for users to detect, click manipulation isn’t a cause for major alarm yet, he says. A similar issue is now emerging on mobiles, where dodgy apps drive fake clicks to ads, making money for the app developer.

Click manipulation reflects a fundamental web security issue, says Meng. In order to run ads on a website, owners have no choice but to give permissions to third-party JavaScripts.

JavaScript codes enable interactive effects in web pages – for example, some text that changes colour when you roll your mouse over it. “Lots of websites host ads, and those are dynamically generated by JavaScript by other networks, including Facebook and Google,” says Meng.

These codes can change or create hyperlinks across an entire webpage, even if the code itself only appears in a limited area – an ad in the sidebar, say. It means that any website that runs ads is potentially at risk of tampering by third parties. “This is a bad design and should be improved in the future,” says Meng.

The team will present the research at the in California in August.

Topics: Internet