I find this really interesting. We’re all familiar with exploiting vulnerable software, but this appears to be exploiting a vulnerable business model.
Does this attack work with Facebook as well? I think the difference in client authentication might prevent this attack on Facebook (just ban accounts that click too many ads). But, on the other hand, Google might be able to use IP addresses to accomplish the same.
Taking it to the next (morally questionable) level would be a virus that infects regular consumer devices, and delivers fake clicks from seemingly honest clients.
That should be relatively easy to detect, since the actors must have an account with Google, through which they receive payments for ad clicks. Google would just have to find a copy of the malware, and see which accounts the clicks are targeted at.
What I’m talking about would be impossible to detect, since it just amounts to regular users clicking regular ads. But it would also be more challenging to profit from, so it would amount to sabotage more than a profit scheme, unless somehow coupled with short-selling Google stock (a bit more far-fetched, admittedly).
Step 3 is actually "lose everything because Google announced something neat" or "lose everything because that quarter Google announced better fraud control and increased revenues".