Google Ads

More defenses roll out to thwart Clickjacking



At Google we defend our ad systems from fraud using technology in a variety of ways. Often our investment in these defenses goes beyond protecting against only known threats. Our engineering and operations teams are continually working to identify new and emerging threats. Once a new ad fraud threat is found, we move quickly to defend our systems against it using a combination of technology, operations, and policy.

Recently we identified “Clickjacking” (aka UI Redress) as an emerging threat to cost-per-click display ads, and we’ve rolled out new defenses to protect advertisers against this threat. Clickjacking is a type of web attack where the appearance of a website is changed so that a victim does not realize they are taking an important action, in this case clicking on one or more ads. For example, a user may intend to click on a video play button or menu item, but instead clicks an invisible ad unit.

Figure 1: An example of a clickable ad hidden behind a video playback button.


Moving quickly to thwart Clickjacking attempts 


Earlier this year when our operations team identified Clickjacking activity on our display network, they moved swiftly to terminate accounts, removing entities involved in or attempting to use this technique to trick users. Our engineering team worked in parallel to quickly release a filter to automatically exclude this type of invalid traffic across display ads.

This approach delivered a one-two punch to publishers who violated our policies: our operations team, which forms an early line of defense against invalid traffic, cleaned out publishers from our ad systems, while engineers built a new filter as a durable defense to protect against Clickjacking traffic.

Figure 2: An example of mouse-tracking, which leads to a page with lots of ads being opened regardless of where a user clicks.

Even as attempts to perpetrate this type of attack continue, our ongoing, proactive hunt for emerging types of invalid traffic has enabled us to move early and quickly to address Clickjacking threats on several occasions.

A combination of defenses

Our Clickjacking defenses operate at considerable scale, analyzing display ad placements across mobile and desktop platforms and evaluating a variety of characteristics. When our system detects a Clickjacking attempt, we zero in on the traffic attributed to that placement and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks.

This latest effort is also a great example of how our work against invalid traffic sits at the intersection of technology, operations, and policy. Each piece plays a key role in keeping our ad systems clean and defended against ad fraud.

We’re proud of our work to protect our ad systems against emerging threats like Clickjacking, and we’ll continue to be vigilant as we fight the good fight against ad fraud.