Hacker News

I find this really interesting. We’re all familiar with exploiting vulnerable software, but this appears to be exploiting a vulnerable business model.

Does this attack work with Facebook as well? I think the difference in client authentication might prevent this attack on Facebook (just ban accounts that click too many ads). But, on the other hand, Google might be able to use IP addresses to accomplish the same.

Taking it to the next (morally questionable) level would be a virus that infects regular consumer devices, and delivers fake clicks from seemingly honest clients.




> a virus that infects regular consumer devices, and delivers fake clicks from seemingly honest clients.

Click fraud has been one of the ways to profit from a botnet of virus-infected computers for years.


That should be relatively easy to detect, since the actors must have an account with Google, through which they receive payments for ad clicks. Google would just have to find a copy of the malware, and see which accounts the clicks are targeted at.

What I’m talking about would be impossible to detect, since it just amounts to regular users clicking regular ads. But it would also be more challenging to profit from, so it would amount to sabotage more than a profit scheme, unless somehow coupled with short-selling Google stock (a bit more far-fetched, admittedly).


Possibly profitable attack vector:

1) Accumulate short position in Google stock

2) Develop and deploy malware that delivers fraudulent clicks from regular users

3) Cash in on now-profitable short position, caused by negative media attention regarding Google’s business model

4) Repeat


Step 3 is actually "lose everything because Google announced something neat" or "lose everything because that quarter Google announced better fraud control and increased revenues".


A lot of people are perma logged into Google these days due to Gmail. They've got their claws in deep.


And even without the account, there are many ways to track users across sessions.



