- STOP Clicking and Sharing Until You Have Read This
- What is Clickbaiting?
- What is clickjacking?
- What is “Likejacking”?
- What is Click Fraud?
- How Ad Fraud Ruins the Internet
- The Truth About Clicking Links in Email and What To Do Instead
STOP Clicking and Sharing Until You Have Read This
or if you prefer “Think Before You Start Clicking”
What is Clickbaiting?
Alternatively referred to as link bait, clickbait or click bait is a term used to describe a type of hyperlink on a web page that entices a visitor to click to continue reading an article. Typically click bait links will forward the user to a page that requires payment, registration, or is one in a series of pages to help drive page views for the site.
Most click bait type links have catchy or provocative headlines that are difficult for most users to resist and often have little or nothing to do with the actual web page. For example, consider the two example links below, which point to the same page.
Computer keyboard shortcut keys
- Miley Cyrus’ favorite keyboard shortcuts
- Why using shortcut keys can save you hundreds of dollars a day
- Keyboard shortcuts that won’t make you look like an idiot
- Is not using shortcut keys making you gain weight?
What is clickjacking?
Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website.
Here’s one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone. The host website may be a legitimate site that’s been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages.
Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here’s how they describe the issue:
Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.
The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that’s clickable.
Facebook is a common venue for clickjacking. One example involves a status update: “OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend.” Users who click the link are presented with a fake CAPTCHA, which actually links to the Facebook “Like” and “Share” buttons. When the user responds, the bogus status update posts to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have been reported.
Source: TechTarget WhatIs
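The overlay attack described above only works when the target page allows itself to be loaded inside another site's frame. The following is an added example, not part of the quoted source: a small audit that classifies a response's anti-framing protection from its headers. The `X-Frame-Options` and CSP `frame-ancestors` mechanisms are standard browser features that the page does not mention; the sample responses and the names `framing_policy` and `audit` are constructed for illustration.

```python
def framing_policy(headers):
    """Return (protected, reason) for one response's header dict."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Only the enforcing CSP header counts; ...-Report-Only blocks nothing.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        # An empty source list matches no origin, same as 'none'.
        if not sources or sources == ["'none'"]:
            return True, "CSP frame-ancestors 'none'"
        if any(s in ("*", "http:", "https:") for s in sources):
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors limited to " + " ".join(sources)

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM and malformed values are ignored by current browsers.
        return False, "X-Frame-Options value not honoured: " + xfo
    return False, "no anti-framing header: any site can frame this page"


# Constructed sample responses (not captured from real sites).
SAMPLES = {
    "bank transfer form": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "router admin page": {"Server": "httpd"},
    "legacy partner page": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "social widget": {"Content-Security-Policy": "frame-ancestors *"},
    "report-only rollout": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "account settings": {"x-frame-options": "SAMEORIGIN"},
}


def audit(samples):
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLES).items():
        print(f"{'ok  ' if ok else 'RISK'} {name}: {why}")
```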
What is “Likejacking”?
Facebook attackers present a web page that actually has two layers. The back layer is designed with a Facebook “Like” button configured to follow your mouse cursor. The front layer shows whichever lure you are unfortunate enough to be tricked by. No matter where you click on the webpage, whether it be “One of the craziest ways to eat a banana” or “101 Hottest Women in the World,” you are actually clicking the Facebook Like button and further spreading the spam.
The earliest instances of likejacking seemed to be a proof of concept that the attack would actually work. Since those first attacks, likejacking has evolved into a money-making scheme through a technique called affiliate marketing. Affiliate marketing pays the affiliate for every person who views an ad, signs up for a service or registers on a given site. We have yet to see these attacks lead to malicious content, but it is only a matter of time until they do.
One reason this attack works is that Facebook does not require any confirmation when you click the Like button. Though confirmation would not entirely prevent the attack, it would complicate the attack and potentially discourage its active exploitation.
Users should carefully review their wall posts if they were tempted by and clicked through one of these scams. Reviewing installed Facebook applications periodically is also a smart idea to defend against many of the ways users are victimized on Facebook.
What is Click Fraud?
4 Powerful Ways to Eliminate Click Fraud in Your Account
When I speak with advertisers who are debating whether to explore paid search, one of the biggest sources of hesitation is click fraud. It may sound like paranoia, but it’s actually a very valid concern for many PPC practitioners. That said, fearfulness of click fraud is no reason to avoid PPC altogether. As long as you are cognizant of the phenomenon, committed to keeping a watchful eye on your account and have employed proactive measures to protect yourself, you’ll be in good shape!
Click fraud is a black-hat technique of falsely inflating the number of clicks on a pay-per-click ad. Click fraud is usually driven by one of two incentives:
- Advertisers are trying to sabotage their competitors by driving up their costs and meeting their budget caps early on in the day
- Ad publishers are clicking on the ads displayed on their own sites to generate more revenue for themselves.
What Are Search Engines Doing About It?
How to Identify Click Fraud in Your Account
Going the DIY Route
How to Eliminate Click Fraud in your Account
Here are my top 4 tips to protect yourself from click-happy criminals:
- Turn to Facebook/Twitter Ads: The great thing about utilizing these platforms is that your ads will ONLY show on these platforms (!)—meaning there are no third-party publishers involved in the process. This cuts out a significant source of click fraud. OK, but what about malicious competitors’ clicks? Actually, this version of click fraud is also less prevalent on paid social networks because their advanced targeting options are so specific. Since ad placement is based on a keyword search, it’s much more difficult for competitors to find your ads.
- Set up IP Exclusions in AdWords: If you’ve done your due diligence and identified the IP address associated with fraudulent clicks, you can block your ad from being served to that IP in the future. To set up an exclusion, all you need to do is head to the Settings tab and scroll down to the IP Exclusions setting. From there, you just need to plug in the offending addresses and you’ll be good to go!
- Run GDN Remarketing Campaigns: If you’re concerned about publisher-based click fraud, this is the way to go. It is easily avoided with remarketing because ads are only displayed to those who have visited and displayed interest in the advertiser’s website. There’s no risk of publishers clicking on the ads, because they can’t see them!
- Adjust Your Ad Targeting: Sometimes all it takes is a small tweak to your targeting to weed out invalid clicks. If you suspect click fraud is coming from a specific geographic region (oftentimes “click farms” are based in poorer countries with low labor rates), it may be worthwhile to exclude these locations and their respective languages. Or, if you suspect that a competitor is committing click fraud, you can exclude their zip code, city, etc. One caveat to be mindful of here is that it is critical that you are not eliminating GOOD traffic as you do this. Only set these exclusions if you truly believe that the majority of the clicks generated in these areas are fraudulent.
How Ad Fraud Ruins the Internet
If you’re in the digital advertising industry, you’ve probably heard of ad fraud, but you likely haven’t done anything to protect yourself or prevent it from happening.
Billions will be lost to ad fraud this year, and anywhere from three percent to 37 percent of ad impressions will come from bots. In fact, ad fraud is on its way to possibly becoming the second largest organized crime enterprise. With the prospects of a high payout, low risk and relatively little effort needed, it’s easy to see why so many organized criminals are looking to profit from ad fraud.
It’s easy to think ad fraud will never affect you, but in fact, it can affect everyone, even those just casually browsing the web. The more you know about ad fraud, the better you’ll be able to spot it. Here’s how ad fraud can affect the different types of Internet users.
The Truth About Clicking Links in Email and What To Do Instead
You’ve heard it a bazillion times: “Don’t click links in email!” That’s usually for a very good reason. This is by far one of the biggest ways I see clients get bitten. But what makes email links bad? What’s the worst that could happen if I do click one? This topic is cloudy for most people, so let’s break it down once and for all.
How Email Links Work
Emails are typically formatted in a language known as HTML. It’s the same language that websites are made with. Emails are basically little web pages sent to your inbox. It’s possible to send plain text emails (without HTML), but that’s rarely done these days.
Practically anything you can do with a web page, you can do with an email. This includes linking. Hyperlinks (“links”) are possible because of the HTML working in the background. So what exactly is possible with hyperlinks?
Nothing new, right? So where is this link going to take you? It can be hard to tell. This particular link will take you to Google. But what about this next one?
This link takes you to Google as well. Why? Because the HTML code I made in the background told it to. You can never tell where a link will take you based on what it says. That goes for pictures and buttons, too.
This is an official PayPal button I got from a site somewhere. But it’s only an image (a “picture”). I can make it link anywhere I want. If you click this button, it actually goes to a special page I created.
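The point above, that a link's visible text or picture says nothing reliable about its destination, can be checked mechanically. The following is an added example, not code from the original article: it parses an HTML email body and compares what each link shows with where its `href` actually goes. The sample email, the `example.net` hosts and the names `LinkAuditor`, `same_site` and `audit_links` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host name appearing in the visible link text, e.g. "www.paypal.com".
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkAuditor(HTMLParser):
    """Collects every <a href> with its visible text (or image alt text)."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
            self._cur["text"] += a.get("alt") or ""

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def same_site(shown, actual):
    strip = lambda h: h.lower().removeprefix("www.")
    shown, actual = strip(shown), strip(actual)
    return actual == shown or actual.endswith("." + shown)


def audit_links(html):
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        shown = DOMAIN_RE.search(link["text"])
        if shown and not same_site(shown.group(1), host):
            verdict = "MISMATCH"  # text names one site, href goes to another
        elif link["image"] or not shown:
            verdict = "OPAQUE"    # words or a picture: destination not shown
        else:
            verdict = "OK"
        findings.append((verdict, link["text"].strip(), host))
    return findings


# Constructed sample email body (hosts are reserved example names).
SAMPLE_EMAIL = """
<p><a href="https://www.google.com/">www.google.com</a></p>
<p><a href="https://www.google.com/">Click here for your invoice</a></p>
<p><a href="http://login.example.net/x">https://www.paypal.com/signin</a></p>
<p><a href="http://login.example.net/pay"><img src="btn.png" alt="PayPal"></a></p>
"""
```

Calling `audit_links(SAMPLE_EMAIL)` returns one `(verdict, visible text, real host)` tuple per link; an `OPAQUE` verdict is not proof of phishing, only a sign that the real host has to be read from the `href` rather than from what the link displays.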
What Are The Dangers of Email Links?
Phishing is the term for sending emails (considered the bait) with a link to a fake website. Once on the site, the user is tricked into giving sensitive information. For example, the link takes you to a fake site that looks like your bank, and you try to log in with your username and password. The bad guy has now captured your login info. And if he’s clever, the fake site will then redirect you to the real site afterward. You’d probably be none the wiser.
For an ongoing list of phishing alerts, check out FraudWatch International’s page.
Malware or “virus” downloads
The link may take you to a website that infects your computer with malware like ransomware or a keylogger (a “virus” that captures everything you type into your computer like passwords and credit card numbers). Or it might even download the virus directly without going to a web page. Malicious web pages are the most common way that I see computers get infected in my day job.
Why It’s Hard To Tell the Real from the Fake
Most of the emails you get will be fine. The trouble is, do you know which is which? Some bogus emails are obviously fake to most people, full of misspellings and shady suggestions. But some of them look very professional. Take these for instance. They’re both fake. Would you be able to tell the difference?
[Image: Phishing Example 2 (Amazon)]
These would fool most people. But besides looking legitimate, there are other ways to fool us.
Hacked email account
If a spammer hacks an email account, he can send out an email blast to all the contacts stored in the account. This is dangerous because you may get a phishing email that’s actually sent from the real account of someone you know. Unless the email seems out of the ordinary, you’ll have no way of knowing.
Email address spoofing
Spoofing is essentially “faking”. It’s possible to spoof the sender’s address so it looks like it’s coming from someone you know, when in reality it’s coming from the bad guy’s email account. It can be very hard or impossible to tell if an email address is spoofed. It requires digging through the email header which is, itself, prone to tampering. But if that interests you then check out this guide for basic instructions.
Forwarding a phishing email
Sometimes people are just naive and forward an email to you that has a malicious link in it. They might not realize it’s there, and have possibly become a victim themselves. I see it happen.
Which Email Links Can I Click?
Well, if you don’t click any of them you won’t have a problem. But that’s not realistic. Very few people will ever take that advice. The good news is you don’t have to. I suggest treating links like attachments. Only click it if you’re expecting it.
Examples of when to click
Examples of when NOT to click
What To Do Instead of Clicking Links