Sofizar received an official response from a Google representative regarding the two issues highlighted in the press release.>

Carlsbad, CA, 1/16/2006 –

Sofizar received an official response from a Google representative regarding the two issues highlighted in the press release. They have clarified their position regarding "location based targeting" and have acknowledged the problem regarding Clicks without impressions. Google has also refunded the PPC charges for testing the bug.

CLICKS OUTSIDE TARGETED REGION Although Internet Protocol(IP) addresses are one method we use to determine where a user is located, a location-specific query can trump the IP address. For example, if a user in California will be traveling to New York, they may search 'New York hotels' on Google. Although an ad which appears may be targeted to only New York, it is relevant to, and showing to, an interested user. At this time, we are unable to fully prevent clicks outside of a targeted region. However, I've forwarded on your feedback to the rest of our team. We appreciate hearing from our advertisers and are always interested in making improvements to the program to maintain a high quality of service for our advertisers.

CLICKS WITHOUT IMPRESSIONS I've confirmed that the keyword 'Minimalist Jukebox: Reich Tickets' received 1 click and 0 impressions, and that you've been charged US$0.05 for this click. I had our team review this issue and they determined that the click should not count to your costs. I understand you're unconcerned about the US$0.05 charge, but would like to let you know that I'd be happy to credit your account in this amount if you wish.

Sofizar's initial test: Our initial testing shows that Clicks without recording Impressions bug has indeed between fixed. Our test shows 0 Click with 1 Impression when we tried it with a different keyword. While this result is not consistent with Google's response, which should have implied 1 Click and 1 Impression, will will continue testing before releasing official results. Sofizar will release official results after more rigorous testing.

Sofizar Finds Security Flaw in Google AdWords Pay Per Click Service

Geotargeting or location based advertisement display vulnerability allows malicious robots or users to commit PPC Click Fraud

Carlsbad, CA, 1/6/2006 –

Sofizar Inc – Sofizar, a company specializing in Click Fraud Detection Services announced today that it has identified a vulnerability in Google’s Pay Per Click (PPC) location based advertisements. The Google location based service is meant to display Pay Per Click (PPC) advertisements only in the advertiser designated locations. However, a back door allows a malicious user or automated programs in a non designated area to click on the advertisement, potentially causing grievous losses. Furthermore, Google charges the advertisers for these clicks, even though Google does not record the advertisement impression. This vulnerability has been reported to Google.

The location based Google service is designed to display targeted advertisements to users from a certain region. For example, a ticket broker who needs to sell wicked tickets in New York City does not want her advertisement to be displayed in New Delhi. The pay per click advertisements to a non target audience can be extremely costly, and AdWords PPC advertisers use Google’s facilities to designate countries (and in some cases cities) where their advertisements can be displayed. However, this vulnerability allows a hacker in Beijing to see and click on advertisements meant for a Las Vegas audience. Some advertisers pay up to $35 every time a user clicks on their advertisement, and a hacker can run up the tab for such  advertisers quite fast. Sofizar’s internal testing shows that Google not only charges for these clicks, but due to a software glitch in Google’s reporting interface, does not record the impression.

“PPC advertisement has become very popular due to their instant traffic results, and control over the composition of the traffic” said Ron Arthur, Program Manager of Sofizar managed service. “Given that there is about $7 Billion at stake with Google PPC advertising in 2006, malicious hackers are always on the look out to get a piece of the pie. An advertiser may feel secure in the knowledge that his advertisements are being displayed only in the US, while his advertisements may be getting unwanted clicks(and a massive bill) from a hacker in East Europe”.

“There is essentially an arms race between the click fraudsters and us,” said Zafar Khan, CEO of Sofizar. “We see ever insidious tactics by hackers to deplete the budget of advertisers, and unless the advertiser is really keeping close tabs on their PPC advertising they are a prime target for fraud. The location based vulnerability allows hackers to fly under the radar, and hit unsuspecting advertisers. We have reported this flaw to Google and we are confident that they will fix the glitch in their software. Our previous experience in dealing with Google customer support regarding glitches has been outstanding”.

Testing methodology used:

The vulnerability was tested on Sofizar’s test account (tickets website) where a US targeted AdWords campaign for a keyword with no searches was selected. Sofizar’s testers in their test center in Pakistan then used the back door to display and click their test advertisement  that was only supposed to show in the US. When the account was checked, Google had charged Ticket Luck campaign for the click, even though it did not report the impression.

KeywordMinimalist Jukebox: Reich TicketsCTR0.00%
Current Bid$0.05Cost$0.05
Max CPC$0.05Avg.Pos1.0
Destination URLhttp://www.ticketluc...nk_concertConv.Rate0.00%

About Sofizar:

Sofizar uses its traffic analysis and pattern matching software to detect fraudulent PPC clicks. This software is adaptive, and stores patterns for certain websites as well as deviations from recognized patterns. Sofizar manually audits the accounts which are flagged by this software as possible frauds and then works with search engines to obtain refunds and credits against future advertising spending. Sofizar proactively looks for vulnerabilities in Overture and Google, in order to better protect its clients.

Editorial Contacts:
Ron Arthur, Sofizar
4010 Crescent Point Road, Carlsbad, CA
92008 United States
Toll Free (US): 1-877-844-5435

XML version of this article